You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
account icon (silhouette of person) next to "online". White for not logged in, green for logged in.
Clicking on account icon takes you to login page, or account page if not logged in.
Login page: username, password.
Login attempts are highly throttled, by IP and attempted username.
Access token and refresh token
access token is comprised of: header-base64(type|version).payload-base64(encrypt(expiration_date|account_name|access_rights|salt)).signature-base64(header64,payload64,secret). Payload is encrypted and signature is a cryptographic hash. If the server can unencrypt it and it matches the signature and the encrypted expiration date is still ok, it is valid.
access token good for 1 hour.
refresh token is same as access token except it also has a unique refresh id. Refresh IDs are stored in the account data.
refresh token good for 60 days.
if the access token is expired, or deleted (by the browser because it expired), the server validates the refresh token and then issues a new access token.
if refresh token will expire within 30 days, issue new refresh token.
logged in pages
Add new "restricted" characteristic for webpage. Webpages have an access right threshold. Trying to access a page with no token / an invalid token / insufficient access rights redirects to 401 not authorized.
Login UI
Access token and refresh token
logged in pages