Authenticate users #105

Closed
NicolasLM opened this issue Jul 17, 2014 · 4 comments
Labels
feature needs-contributor Someone needs to implement this. Help wanted! needs-decision Architectural/Behavioral decision by maintainers needed
Milestone

Comments

@NicolasLM

The idea is to allow only authenticated users to post comments.

A global work-flow could be:

  • Provide an endpoint where users can sign in
  • Server-side, the user is authenticated (query in DB, OAuth... this should be extensible)
  • A cookie is issued with the encrypted user name and timeout.
  • When a user posts a comment, the cookie is checked and the user name is taken from it instead of being read from the sent JSON

Using an encrypted cookie removes the need to implement sessions server-side.

One thing to think about is removing the user name, email and website fields from the displayed form.

Also, providing a simple way to know whether the user is already authenticated or not.

@posativ posativ added this to the 0.10 milestone Aug 18, 2014
@posativ posativ modified the milestones: 0.10, 1.0 Nov 25, 2014
@tasmo

tasmo commented Mar 20, 2015

+1

@dashohoxha

I think that authentication is important. I want only the registered users (in my application) to be able to post comments. But I don't want a situation where the users first log in to my application, and then have to log in again to the commenting system in order to be able to post.

So I would suggest that the first two points above (authentication of the user) can be done by the application. When it comes to generating a cookie or token, the application contacts ISSO (via its API), sends the data of the user (name, email, etc.), and receives an encrypted cookie/token.

Then this cookie/token is sent together with the comment that is to be posted, and guarantees to ISSO that the user is authenticated, and also provides it with the user data (name, email, etc., by decrypting it).

Encryption must ensure that such a token cannot be faked or forged by a spammer.
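The token flow sketched in the two proposals above (application authenticates the user, obtains a token carrying name/email plus an expiry, and the comment endpoint trusts only data recovered from a valid token), as an added example that is not Isso's own code. It uses an HMAC-SHA256 signed token instead of encryption: that is what stops a spammer from forging or altering the user data; if the name and email must also be hidden from the client, an authenticated-encryption scheme would be used instead. The secret, TTL and function names are assumptions for the demo.

```python
import base64
import hmac
import json
import time
from hashlib import sha256
from typing import Optional

# Assumed server-side secret for the demo; a real deployment would load it
# from configuration and never expose it to clients.
SECRET = b"constructed-demo-secret-do-not-reuse"
TTL_SECONDS = 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(name: str, email: str, now: Optional[float] = None) -> str:
    """Called by the application after it has authenticated the user.
    The payload carries the user data plus an expiry; the MAC binds both."""
    now = time.time() if now is None else now
    payload = json.dumps({"name": name, "email": email, "exp": int(now + TTL_SECONDS)},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SECRET, payload, sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Called when a comment is posted. Returns the trusted user data, or None
    if the token is malformed, forged, tampered with or expired. The comment
    endpoint should use this result and ignore any name/email in the JSON."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET, payload, sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    data = json.loads(payload)  # only reached for payloads we signed ourselves
    if data.get("exp", 0) <= now:
        return None
    return {"name": data["name"], "email": data["email"]}
```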

@nogweii

nogweii commented Nov 27, 2016

See also, #240.

@ix5 ix5 added feature needs-contributor Someone needs to implement this. Help wanted! needs-decision Architectural/Behavioral decision by maintainers needed labels Feb 10, 2022
@ix5
Member

ix5 commented Feb 24, 2022

Most recent activity in #240. #261 partially solves this.

Closing in favour of those linked issues/PRs.
