Currently, when the user goes to change their email, they could potentially be locked out, should they not confirm their new email.

The experience could be:

1. If the user changes their email, they should still be able to login using their old email, until they confirm their new email address.
2. The user changes their email, and is not logged out. They can still login using their old email until they confirm their email.
3. The concept of primary email - their current email stays their mail login, until they confirm and change their email. This new email becomes their primary and any other email is saved as an alternate email.

the loginMapper is confusing. Create a way to clearly tell if the developer is creating a payload to save to the database, or creating a payload for a token or otherwise.

make sure usernames are toLowercase()

currently token is consuming the entire User object. tokenize needed fields only

User emails should be an array of emails. This way, when changing emails, there is still a backup.

• Allow users to link social profiles.

Social login and register routes are currently the same. Meaning if a user tries to login using Facebook, but they do not have an account. it will take them through the registration flow.

Currently, if the user does not confirm their email in the 10 minutes it takes the token to expire, they will have no way of creating a profile with that email. A entry in the database will exist for that email, but they wont be able to log in because they have not confirmed.

options:

• If they miss the signup window, and try and login or signup, prompt them to resend a confirmation email.
• create a cron job to clear emails with expired tokens from the database to allow them to retry later.

Error codes don't match with what they are reporting.

during page reload, the check to see if a user is logged in is not being done.

Users must attach email address to social logins,

• allow them to optionally provide a password for their social logins, allowing them to login using email or social.
• login using email if social login contains existing email.

currently if the user waits 10 minutes to re-request a confirmation email, they are unable because their token has expired.

If a user attempts an email login with an email that is linked to a social profile, and then the profile attempts to login with a DIFFERENT social profile, they will be routed to the complete profile page, but their email will not work.

This becomes a problem if they have logged into a different social media (facebook for example) profile on the device. The passport middleware will automatically assume they want to login to the same profile they previously logged into, EVEN IF they created their Leaderboard profile with the other Social Media profile.

The rate limiter is currently on all requests.
Perhaps just have it on login/auth related requests.

• look into appropriate point limits

The link doesnt work unless the text itself Home is clicked. It will not work when the area around it is clicked