This repository was archived by the owner on Jan 22, 2021. It is now read-only.

Improve Security #23

@stayradiated

Description

  • Use login tickets that store user ids, timestamps and IP addresses as well as a secure token. http://lucumr.pocoo.org/2012/9/24/websockets-101/
  • The client must request a login ticket before connecting with websockets. Then the client sends the ticket over the socket, and the server validates it and then deletes the ticket.
  • This means we would need to store a persistent cookie. Must use HttpOnly and secure flags.
  • Hash persistent login tokens so that a database breach doesn't allow an attacker to log in to any account.
  • [ ] Increase password reset tokens to at least 42 characters long.
  • [ ] Hash password reset tokens (same reason as with login tokens).
  • Use signed session tokens for authentication, like how Auth0 recommends.
  • Generate password reset tokens by hashing known variables. Like how Ghost does it.
  • Use NewBase64 encoding for tokens instead of hex - 4x as many variants per char.
  • Rewrite part of nitro-rails to use nitro-server as an api for managing user information.
  • Throttle logins and password resets to follow OWASP best practices:
    1 failed attempt = 5 sec delay
    2 failed attempts = 15 sec delay
    3+ failed attempts = 45 sec delay
