Set up registration/login #4

Open
themightychris opened this issue Mar 19, 2025 · 3 comments

@themightychris
Member

themightychris commented Mar 19, 2025

Login modes

Maybe only support GitHub login?

Other options:

  • Email login
  • Mobile phone login
  • Traditional username+password

All of these but the last one would probably help us out a lot with keeping bots/spammers out

I'm kind of a fan of just doing GitHub login as the one and only way. Some might argue that requiring GitHub creates a barrier to non-techies, but the process of merely registering for a GitHub login is as user-friendly as registering on any other site and then that puts us in a world where it's safe to assume that anyone who has registered on codeforphilly.org is just one more step away from being able to participate in discussion boards on GitHub or comment on issues or use Projects kanban boards. This will enable us to lean hard into leveraging everything GitHub has to offer for fueling projects while positioning us well to be able to automate things and match up activity in GitHub with CfP users (e.g. imagine that while creating a new project on cfp.org you can check a box to have it set up a best-practices GitHub repo to link with the project, or collaborators automatically get added when a project lead accepts a new volunteer).

Migrating old accounts

Unless we do traditional username+password login, we won't be able to do a seamless migration of old user accounts to the new site. The existing user database is full of spam/bot registrations though so that might be a good thing. We could import the entire legacy user database as a secondary table for reference and then maybe have some kind of process to match old accounts on login (maybe automatically via email addresses on file at GitHub).

We could automatically generate user accounts in the new table for anyone who is a creator/updater/author of any objects in the database to maintain referential integrity and credit. Other than comments we've mostly done a good job deleting anything spammy so this should be a pretty clean set of users, and maybe we just leave comments behind entirely or only pull in comments+users for those who have authored literally anything else but a comment in the system

CfP.org is the identity provider for our Slack workspace so that's another consideration. Our username field is the persistent identifier between CfP.org and Slack accounts so that's a really good reason to have a pretty seamless process to match up with existing user accounts when people log in. We could do that totally seamlessly and transparently in any case where someone's existing CfP account has an email address that matches any of the emails on file on their GitHub account. The flow could be:

  • Log into the new cfp.org with GitHub
  • Detect first login and check legacy user table for matching email address and auto-import
  • You're in Slack

The case where this could break down is if someone has an old/alternative email on their CfP.org account that doesn't match any of the ones in their GitHub. To mitigate this we could have a screen you see after your first login that either tells you that your old account was found and migrated, or tells you that no existing account was found and, if that's a mistake and you did already have an account, gives you a little form for looking up and "claiming" an old account that drops a message into an admin Slack channel for someone to spot-check and hit approve on.
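Added example, not part of the issue or the project's code: a sketch of the first-login matching step described in the comment above, restricted to email addresses GitHub reports as verified so that an unverified address cannot be used to inherit a legacy username (and the Slack identity tied to it). The `LegacyUser` fields, function names and sample records are hypothetical; the `email`/`primary`/`verified` keys follow GitHub's "list email addresses" API response.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LegacyUser:
    username: str                     # persistent identifier linked to Slack
    email: str
    claimed_by: Optional[int] = None  # GitHub user id once migrated


def normalize(email):
    return email.strip().lower()


def match_legacy_account(github_id, github_emails, legacy_users):
    """Return (status, user): status is 'migrated', 'none' or 'needs_review'."""
    # An unverified address proves nothing about mailbox ownership, so it must
    # never be enough to take over a legacy username.
    verified = {normalize(e["email"]) for e in github_emails if e.get("verified")}
    hits = [u for u in legacy_users if normalize(u.email) in verified]

    if not hits:
        return "none", None            # show the "claim an old account" form
    if len(hits) > 1 or hits[0].claimed_by not in (None, github_id):
        return "needs_review", None    # ambiguous or already claimed: admin decides
    hits[0].claimed_by = github_id     # bind so a different login cannot re-claim it
    return "migrated", hits[0]


# Constructed sample data (not from the real database).
LEGACY = [
    LegacyUser("alice", "Alice@example.org"),
    LegacyUser("bob", "bob@example.org"),
]
ALICE_GH = [{"email": "alice@example.org", "primary": True, "verified": True}]
SPOOF_GH = [{"email": "bob@example.org", "primary": False, "verified": False}]


def demo():
    return [
        match_legacy_account(101, ALICE_GH, LEGACY)[0],   # verified match
        match_legacy_account(202, SPOOF_GH, LEGACY)[0],   # unverified: ignored
        match_legacy_account(303, ALICE_GH, LEGACY)[0],   # already claimed by 101
    ]


if __name__ == "__main__":
    print(demo())
```

The `needs_review` outcome maps onto the admin spot-check channel proposed above; only the `migrated` path binds a legacy username without a human in the loop.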

@MooseQuest

I think GitHub login is fine. It encourages people to have the one central piece of software that is sort of a requirement for coding collaboration. I would say that we store e-mails for general communications, but not store passwords, hashes or anything else that can be compromised and paired for use in another application.

If passkeys are an option, that should be available too, but that's passed via GitHub OAuth anyways.

@katjost

katjost commented Mar 20, 2025

While I don't love the GitHub option for the barrier it may create, I do think it is our best option given all the considerations.

FYI in response to this:
"CfP.org is the identity provider for our Slack workspace so that's another consideration. Our username field is the persistent identifier between CfP.org and Slack accounts so that's a really good reason to have a pretty seamless process to match up with existing user accounts when people log in."

You know that Slack usernames are no longer the same as site usernames, right? A while back we enabled the option for users to modify their Slack usernames. Just want to make sure you're aware.

Thanks for putting thought into this!! Appreciate you.

@themightychris
Member Author

@katjost you can change your "display name" in Slack but the underlying username is still the same and is what links accounts.
