Eric
Posts: 17314
Joined: 10/10/2003 From: Seattle, WA
Just an update. OK, I am getting close. The password reset token stuff required some new pages and infrastructure, but I have it pretty well sorted out now. I may also take an extra day or two to add some optional "biometric" features, namely the ubiquitous question and answer ("What is your first pet's name?", "What is your mother's maiden name?", etc.) to add a hurdle to the password reset feature. This protects people if your email is hijacked. That said, since CellarTracker is not a banking website, is not transactional, etc., it's not really the same sort of priority as just really securing the password you use on CT. So I may just push ahead and revisit biometrics later as a "nice to have" but far less essential security feature. In fact, I would argue that it is a much higher priority for me to implement OAuth 2.0 or some other system to allow you to use 3rd-party apps like Cor.kz and CellarVU without having to reveal your credentials. (That said, I have added some API features that will allow them to get what they need to access your CT account and not have to RETAIN your password. So that is a useful baby step.) Full-on OAuth etc. is a MUCH bigger undertaking. All that to say, this is getting very close. It's a rich space with plenty of layers of the onion to peel, but I have taken a really good and healthy bite out of the problem space. I have also been testing it like crazy, as it will break "the world" if I screw up.
_____________________________
Cheers! -Eric LeVine http://twitter.com/cellartracker http://facebook.com/cellartracker
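The post above describes building password reset tokens as new infrastructure. As an added illustration (not CellarTracker's code, and not Eric's), the following Python sketch shows the properties a reset token needs: it is generated from a cryptographic random source, only a hash of it is stored so a leaked store cannot be replayed, it expires, it is single use, and issuing a new token invalidates any older one for the same user. The in-memory `RESET_TOKENS` store, the 15-minute lifetime and the `now` parameter (injected so the flow can be exercised offline) are all assumptions made for this example.

```python
import hashlib
import secrets
import time

# Hypothetical store standing in for a database table:
# sha256(token) -> (username, expiry as a Unix timestamp).
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for this example


def _hash_token(token):
    """Tokens are stored hashed; the plaintext only ever appears in the email link."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_reset_token(username, now=None):
    """Issue a fresh reset token for `username`, invalidating any earlier one.

    Returns the plaintext token that would be embedded in the reset link.
    """
    now = time.time() if now is None else now
    # Only one outstanding token per user: drop older entries for this account.
    for digest in [d for d, (u, _) in RESET_TOKENS.items() if u == username]:
        del RESET_TOKENS[digest]
    # 32 random bytes from the OS CSPRNG, URL-safe for use in a link.
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash_token(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(token, now=None):
    """Consume a token. Returns the username it belongs to, or None if it is
    unknown, already used, or expired. The entry is removed on every attempt
    so a token can never be redeemed twice.
    """
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_hash_token(token), None)
    if entry is None:
        return None  # unknown or already consumed
    username, expires_at = entry
    if now > expires_at:
        return None  # expired; it was popped above, so it stays dead
    return username


if __name__ == "__main__":
    issued = create_reset_token("alice")
    print("link token:", issued)
    print("first redeem:", redeem_reset_token(issued))   # alice
    print("second redeem:", redeem_reset_token(issued))  # None (single use)
```

Because the store holds `sha256(token)` rather than the token, an attacker who reads the table still cannot build a working reset link; the only way to redeem is to hold the plaintext that was emailed. Popping the entry before checking expiry means an expired token is discarded on its first presentation rather than lingering until cleanup.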