Add user accounts (fully optional)

[bopjesvla]

We've had quite a few requests for user pages with all of their reviews, so I guess it makes sense to add user accounts

No need to make them mandatory given the lack of spam/abuse

[bopjesvla]

User has email, password, username

User page shows user reviews + all Hitchmap reviews made before the user creation date made with that same nickname + all reviews with same Hitchwiki username

For the last two categories, add a disclaimer that these are not necessarily by the same person. Might even consider collapsing them

[tillwenke]

I d advocate using hitchwiki accounts if possible.

[tillwenke]

maybe like this https://www.mediawiki.org/wiki/OAuth/For_Developers

[bopjesvla]

I remember that getting a Hitchwiki account was a hassle, requiring manual verification by an admin.

Hitchwiki also has super aggressive Cloudflare settings, so it might not be usable all around the world. Even regular Cloudflare settings might be too much for our user accounts, as we don't use it ourselves and some users/countries continue to have trouble with it.

[bopjesvla]

Also, like Hitchmap, Hitchwiki isn't funded at all and there's no guarantee it'll outlive Hitchmap. I'm cool with providing Hitchwiki logins as an option, but it shouldn't be the only option.

[bopjesvla]

Flask-Security, https://flask-security-too.readthedocs.io/en/stable/features.html , has recently been picked up by the core Flask team. I think is definitely the way to go now.

[bopjesvla]

In the initial implementation, I suggest:

• Start out using https://flask-security-too.readthedocs.io/en/stable/quickstart.html#basic-flask-sqlalchemy-lite-application
• Ask for username, password, email
• Users can still write reviews without logging in. However, the nickname they choose can't be an existing username.
• Add an optional user_id column to every existing table. On the backend, verify that user_id and nickname aren't both set (neither is fine).
• Use strict Samesite cookies and disable CSRF protection so we can still serve static forms
• The duplicate username error on the user registration page should state that if someone squatted their nickname, they should contact us (not sure if I have a @hitchmap.com email address enabled)

Then, on the front-end:

• Add a user button to the top-right, points to the login page if logged out, shows a logout/change email link if logged in
• Logged in users don't see the nickname field when writing a review
• hitchmap.com/#user:bob should only show reviews by Bob. This will be implemented as part of front-end filtering. Active filters are shown as buttons, like User | Bob X. When the button is clicked, the filter is removed.
• Usernames in the application become clickable, navigating to hitchmap.com/#user:username

[bopjesvla]

hitchmap.com/#user:bob should also show reviews that were made under the nickname Bob (these were necessarily written before the user was registered)

[bopjesvla]

Alternatively, we can ask new users to select which reviews under the same nickname are theirs