+ +

User Creation and Authentication

+ +

This feature will allow users to register an account through which they have access to the product. This feature is essential for the product, as the user accounts will be linked to essential information such as game data, payment details and crypto wallets.

Product Requirements

The user can register an account +
- The system requires the user to provide an email address
  +
  - The system enforces that the provided email address is valid according to RFC-5322.
  +
- The system requires the user to choose a passphrase
  +
  - The system requires that the chosen passphrase contains at least: +
    - One upper case letter
    - One lower case letter
    - One number
    - One special character
    +
  - The system requires that the chosen passphrase is at least 16 characters long
  +
+
The system only allows users to login to their account after their email has been verified.
+
- If a user authenticates with correct credentials before their email address has been verified, they are able to request the system to send them another verification email.
+
An email with instructions for email verification is sent to the user directly after account registration is complete.
The user can log into their registered account +
- The system requires the user to enter their email address
- The system requires the user to enter their password
- The system requires the user to have verified their email address before being able to log in
+
If the user provides wrong credentials, the system does not tell the user which part of their credentials was wrong.
On authentication failure, the system does not tell the user whether an account for the provided username exists or not.
The system allows the user to reset their password without logging in by providing the system with their email address.
+
- When a password reset is requested, the user is sent an email with instructions.
- The system does not provide any information about whether an account exists for the given email address.
- The password reset email contains instructions and a special link that the user can click. +
  - The special link is only valid for two hours.
  +
+
The system is able to save, edit and provide the following information about a user: +
- Username/email
- Password
- TOTP information
+
The system is able to pair with a users' TOTP application for additional security. +
- The system requires a one-time-password for every login after the activation and setup of TOTP by a user.
+

Design Requirements

There is a graphical user registration form +
- The user registration form has explanations for each field and how it will be used by the software
- The user is required to enter their password twice before submitting the form. +
  - It is verified that both entered passwords are identical.
  +
- The user registration form interactively validates that the user provides to the form +
  - If the input for one of the form fields is invalid, the software instantly notifies the user through explicit visual cues.
  +
- After registration is completed, the UI explicitly tells the user that they will only be able to login after they have verified their email.
- After registration is completed, the UI explicitly tells the user that an email has been sent to them with instructions for email verification.
+
There is a graphical user authentication form +
- The user authentication form prompts the user to enter their email and password
- The user authentication form has a "register account" button that brings the user to the user registration form.
- The user authentication form has a "login" button that attempts to authenticate the user using their provided credentials.
+
There is a graphical representation for TOTP password login.
If the user successfully authenticates before their email address has been verified, they are presented with a page that explains the email verification requirement. +
- The page also contains a button with which users can request a new verification email.
+
There is a password reset page that the special links in password reset emails lead to. +
- The form on the password reset page requires the user to enter their new password twice.
+
There is a user settings page that allows the user to change their: +
- username
- password
- TOTP settings
+

Engineering Requirements

Email and passphrase are only used to request a JSON Web Token from the system.
+
- The JWT is used as means of authentication for any other interactions with the system.
+
The system needs to be able to save and retrieve users with unique, non-sequential identifiers.

User Stories

This section contains the user stories for this epic. After each user story, the accompanying requirements are defined in bullet point lists.

+ + + + + + + + + + + +

User story	As a user, I want to be able to register a user account using an email address and password so that I can take part in Rise of Rulers gameplay.
Acceptance criteria	+ + Given I am a user, I provide a correct email address and password to the system and click the register button, I am able to successfully register a user account. + Given I am a user, I have to enter my preferred password twice when registering an account and if both entries aren't identical I have to correct this before continuing. + +

+ + + + + + + + + + + +

User story

As a user, I want to be able to verify my account within a reasonable amount of time by following the instructions in the account verification email.

Acceptance criteria

Given I am a user and I click the registration button after correctly filling out the form, the system tells me that my account registration is successful, the account needs to be verified for me to be able to use it and an email has been sent to my email address with verification instructions.
Given I am a user and the system tells me that an email has been sent out, the system has actually sent out the email at that instant so that I can receive it within a reasonable amount of time.

+ + + + + + + + + + + +

User story	As a user, I want to be told that my email needs to be verified when I successfully authenticate through the login form before I have verified my email address.
Acceptance criteria	+ + Given I am a user and I click the login button after providing valid credentials, I am greeted with a message about the required email verification and the option to have the system send a new verification email to my email address. + Given I am a user and I am logged in without my email being verified, the system does not allow me to use its core functionalities. + +

+ + + + + + + + + + + +

User story

As a user, I want to be able to reset my account password by providing the system with the email address I used to register my account and following the instructions in a password reset email sent to my email address.

Acceptance criteria

Given I am a user and I click the reset password button after providing my email address, I am sent an email with instructions and a special link that I can use to change the password for my user account.
Given I am a user and I click the special link in the password reset email, I am presented with the password reset page which requires me to enter my new password twice.
Given I am a user and I do not enter two identical passwords into the password reset form, I am not allowed to continue before I correct this.
Given I am a user, I have correctly filled out the password form and I click the "reset password" button, my password is changed to the one provided in the form.

+ + + + + + + + + + + +

User story

As a user, I want to be able to pair the software with my TOTP application so that I can use one-time passwords for additional security.

Acceptance criteria

Given that I am a user and I click the "enable TOTP" button on the user settings screen, I am able to go through the setup process and configure the system to work with my TOTP application.
Given that I am a user and I login after enabling TOTP for my account, I fill in a correct password and username and the system has verified these credentials, I am required to provide a one-time-password from the TOTP application before I am allowed to continue.

+ + + + + + + + + + + +

User story	As a user, I want to be able to authenticate myself to the system using a username and password configured by me, so that I am able to partake in gameplay and my progress can be saved.
Acceptance criteria	+ + Given that I am a user, I fill in the login form with a correct username and password and I click login, I am able to successfully authenticate to the system. + +

+ +

+ Revision #12
+ + Created 22 February 2022 11:16:51 by Hugo +
+ + Updated 7 March 2022 15:41:02 by Hugo +

Version Control	Gitea
Continuous Integration
Backend	+ + Golang +
Frontend	+ + + Svelte + +