mattkrick / meatier

:hamburger: like meteor, but meatier :hamburger:


break apart auth into login and sign up

mattkrick opened this issue · comments

SignUp Reqs:

  • Captcha
  • client-side validation
  • Attempt login if user already exists (done)

Login Reqs:

  • no client-side validation
  • hide wrong field (email/pass) from the client (smarter against robot attacks)

Additionally, an expired authToken should not throw an error on either page, it should just be deleted & treated as if the login attempt never happened.

should an expired token be deleted, or should it trigger reauth as the same user?

I'm thinking token expiration should be validated on the client & deleted if expired. That way, we don't even hit the server for validation, and if an attacker somehow gained access to an expired token, he couldn't trade it in for a valid one. You bring up a good point though about renewals. I think token renewal should be a function on the server, since the token's timestamp is on server time & theoretically someone could set their client clock 1 week ahead & that'd trigger an infinite loop of renewals.

For server renewal, there are a few options:

  • setInterval, if time remaining is < 6 days, renew
  • on socket handshake, if time remaining is < 6 days, renew
  • on socket message, if time remaining...

I like option 2 just because it scales a lot better, and I think it's fair to log someone out if they haven't visited the site in tokenLife - tokenAge days, but I'm open to other ideas.