Tis the Season for... Accounts?
A blog post on Christmas! That’s unexpected! We’ve got lots of exciting changes for y’all so let’s get right into it!
Is what I would say if I didn’t want to apologize for the delay on this one first :p. You see, when I first posted that teaser for the sign-up page in November, accounts were actually almost done! I was using Firebase authentication to handle all of the user information, so setting it up was super easy and I didn’t have to deal with the hard part of storing sensitive data: security. Obviously I was still planning on storing some stuff in my database (Firebase doesn’t have support for everything I wanted to do with accounts), but I thought that was an OK compromise. And then the stuff with Sunbird happened (if you don’t know, it was an app that was basically just storing raw unencrypted user data in Firebase). Now, technically Firebase did nothing wrong in this situation; it was just where the data happened to be stored, but it made me re-evaluate my decision to just hand off all of your data to some unknown source. Well, not unknown, but Google. After some deliberation and some frustration with other Firebase issues, I decided to build my own authentication system. I understand the general distrust for signing up to some random site; I would certainly feel a little uncomfortable even if they were using a well-known provider, let alone doing everything themselves. In order to help alleviate those fears, here’s exactly what I’m storing in our database about you and where it can be accessed.
Username
Encrypted: No
Accessible in the Backend*: Yes
Accessible in the Frontend with Access Token**: Yes
Accessible in the Frontend w/out Access Token: Yes
Email
Encrypted: No
Accessible in the Backend*: Yes
Accessible in the Frontend with Access Token**: Yes
Accessible in the Frontend w/out Access Token: No
Password
Encrypted: Yes
Accessible in the Backend*: Yes
Accessible in the Frontend with Access Token**: No
Accessible in the Frontend w/out Access Token: No
Providers (if you signed in with Google for example)
Encrypted: No
Accessible in the Backend*: Yes
Accessible in the Frontend with Access Token**: No
Accessible in the Frontend w/out Access Token: No
* Not exposed in any API route, public or not
** An access token is granted when successfully logging in via email and password or provider
Hopefully that helps make things a little less uncomfortable. Generally, if you want to be as secure as possible, sign up using a provider like GitHub or Microsoft rather than through email and password. When you do this, MCCreations does not gain access to your provider account; we just get some information like your email and profile picture from them. If you’re still uncomfortable, don’t worry! Important features like submitting will always be available without an account. Feel free to reach out with any questions or concerns as well. And with that out of the way, onto the features!
Accounts
You can now sign up for an account for MCCreations!
These are completely separate from the original site. If you had one there you’ll have to sign up again.
You can add a banner, icon and about to your account (more coming soon!)
Accounts have profiles!
When commenting while logged in, your username and icon will be auto-filled!
Oh also comments are fixed :p
Search
Search has been fixed
You still need to type the exact query to find what you’re looking for. This will be fixed soon!
I think that’s all the stuff that’s publicly visible. I’ve been making a lot of changes under the hood, most of which still need to be documented, so I apologize for that. The backend has also been significantly updated, although I don’t know if it will do anything for performance. Thank you for sticking with me through this journey! I hope you have a wonderful holiday season and I’ll see you soon!