Authentication

Players need to be able to authenticate themselves securely to the server in order to play the game.

To do that I am going to make my own implementation. I will ask the user for a username and password; these will obviously have to be sent over HTTPS. Then, using std.crypto, I will hash the password and store it in the database. If I have time I will add things like a salt and a pepper to make it more secure.

Three different endpoints will be available.

POST /auth/register

This endpoint will take the username and password as parameters. The server will then receive the request, hash the password and store it with the username in a new player entry. It will also generate a random session_id that will be stored in the database and will act as a session token to authenticate the user's future requests without asking for the username and password again. The session token will be stored as a cookie. Only one session token will be allowed per user. If the operation is successful, this session token will be sent back to the user as a cookie.

POST /auth/login

If the user has lost the cookie or connects from a new device, they will provide their username and password. The server will then check whether the hash of the given password matches the one stored in the database and, if it does, replace the old session token in the database with a new one. The new session token will be sent back to the user as a cookie if the operation is successful.

POST /auth/logout

The user will access this endpoint with no parameters, as they are already authenticated by the session token. The server will then delete the session token from the database and from the user's cookie.

Security issues

Since it is not a core concept of my Bachelor Thesis I did not spend too much time on the security aspects, so obviously there are a lot of things that could be better, like adding Secure, HttpOnly and SameSite=Strict to the cookies. I also did not add any salt or pepper to the hashing of the password. And a few other details as well.
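The three endpoints described above, written out as an added Python model of the flow (this is example code, not the thesis's Zig/std.crypto implementation) that also fills in the gaps the Security issues section lists: a per-user salt with a memory-hard hash (scrypt), one rotating session token per user, and a cookie carrying Secure, HttpOnly and SameSite=Strict. The two dictionaries stand in for the database tables and are constructed for this example.

```python
import hashlib, hmac, secrets
from http.cookies import SimpleCookie

PLAYERS = {}   # constructed stand-in for the player table: username -> salt, hash, session_id
SESSIONS = {}  # constructed stand-in for token lookup: session_id -> username (one per user)

def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is memory-hard; the per-user salt keeps equal passwords from hashing equal.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def issue_session(username: str) -> str:
    """Mint a fresh token; dropping the old one enforces the one-token-per-user rule."""
    SESSIONS.pop(PLAYERS[username]["session_id"], None)  # pop(None) is a harmless no-op
    token = secrets.token_urlsafe(32)
    PLAYERS[username]["session_id"] = token
    SESSIONS[token] = username
    return token

def register(username: str, password: str):
    """POST /auth/register: store salt + hash, return the new session token (None if taken)."""
    if username in PLAYERS:
        return None
    salt = secrets.token_bytes(16)
    PLAYERS[username] = {"salt": salt, "hash": hash_password(password, salt), "session_id": None}
    return issue_session(username)

def login(username: str, password: str):
    """POST /auth/login: compare hashes in constant time, then rotate the session token."""
    player = PLAYERS.get(username)
    if player is None or not hmac.compare_digest(hash_password(password, player["salt"]), player["hash"]):
        return None
    return issue_session(username)

def logout(session_id: str) -> bool:
    """POST /auth/logout: the token alone identifies the caller; forget it server-side."""
    username = SESSIONS.pop(session_id, None)
    if username is not None:
        PLAYERS[username]["session_id"] = None
    return username is not None

def session_cookie(session_id) -> str:
    """Set-Cookie value with Secure, HttpOnly and SameSite=Strict; None expires the cookie."""
    cookie = SimpleCookie()
    cookie["session_id"] = session_id or ""
    cookie["session_id"]["secure"] = True
    cookie["session_id"]["httponly"] = True
    cookie["session_id"]["samesite"] = "Strict"
    cookie["session_id"]["max-age"] = "" if session_id else 0  # Max-Age=0 makes the browser drop it
    return cookie["session_id"].OutputString()
```

Calling `login` replaces the user's previous token, so a cookie copied from an older device stops working as soon as the user logs in again, which is the behaviour the design asks for.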