docs: document register/login and dual authentication model #77

sneak merged 3 commits from docs/update-readme-auth-model into main 2026-03-17 12:44:48 +01:00

Author SHA1 Message Date
clawbot
d91f925483 docs: fix false reclaim implication and wrap long lines
All checks were successful
check / check (push) Successful in 1m4s
- Register endpoint: replace 'nick is claimed and can be reclaimed
  later' with accurate description that login adds clients while
  session remains active
- Wrap line 205 (120 chars) after 'all-client removal.'
- Wrap line 2592 (115 chars) after 'never required.'
2026-03-17 02:57:31 -07:00
clawbot
2c6e4673c1 docs: fix false session persistence claim for registered accounts
All checks were successful
check / check (push) Successful in 1m4s
The README incorrectly claimed that registered sessions persist across
logouts. The actual code (handleQuit and cleanupUser in api.go) deletes
ALL sessions unconditionally when the last client disconnects — no check
for password_hash.

Updated Data Lifecycle, Registered Accounts, Identity & Sessions rationale,
flow diagram, and Design Principles to accurately state that both anonymous
and registered sessions are deleted on QUIT or last-client-logout.
Registration enables multi-client access (login from another device while
session is active), not session persistence across all-client removal.
2026-03-17 02:45:43 -07:00
clawbot
0900289af5 docs: document register/login and dual authentication model
All checks were successful
check / check (push) Successful in 1m8s
Update README to accurately describe the authentication model:
- Anonymous sessions via POST /api/v1/session (no account required)
- Optional account registration via POST /api/v1/register (nick + password)
- Login to registered accounts via POST /api/v1/login

Sections updated:
- Identity & Sessions: renamed from 'No Accounts' to 'Dual Authentication Model'
- API Reference: added /register and /login endpoint documentation
- Security Model: added password hashing (bcrypt) details
- Design Principles: changed 'No accounts' to 'Accounts optional'
- Schema: updated from outdated 'users' table to actual sessions/clients tables
- Session Lifecycle: added registered account flow diagram
- Client Development Guide: added register/login curl examples
- Multi-Client Model: documented login as the multi-client mechanism
- Data Lifecycle: documented session/client persistence behavior
2026-03-17 02:17:59 -07:00