notes on pending improvements to add before merge/release

customize.dist/login.js

@@ -504,7 +504,12 @@ define([
             // Finally, create the login block for the object you just created.
             var toPublish = {};
 
-            toPublish[Constants.userNameKey] = uname;
+// XXX I did some basic testing and searching and could not find this attribute
+// actually being used anywhere. Including it means either supporting arbitrarily
+// large blocks (a DoS vector) or having registration fail for large usernames.
+// Can someone please double-check that removing this doesn't break anything?
+// --Aaron
+            //toPublish[Constants.userNameKey] = uname;
             toPublish[Constants.userHashKey] = userHash;
             toPublish.edPublic = RT.proxy.edPublic;
 

lib/storage/basic.js

@@ -48,6 +48,11 @@ Basic.write = function (Env, path, data, cb) {
     });
 };
 
+// XXX I didn't bother implementing the usual "archive/restore/delete-from-archives" methods
+// because they didn't seem particularly important for the data implemented with this module.
+// They're still worth considering, though, so don't let my ommission stop you.
+// Login blocks could probably be implemented with this module if these methods were supported.
+// --Aaron
 Basic.delete = function (Env, path, cb) {
     if (!path) { return void pathError(cb); }
     Fs.rm(path, cb);

lib/storage/sessions.js

@@ -42,3 +42,9 @@ Sessions.delete = function (Env, id, ref, cb) {
     Basic.delete(Env, path, cb);
 };
 
+// XXX All of a user's sessions should be removed When a user deletes their account
+// The fact that each user is given their own publicKey-scoped directory makes them easy
+// to remove all at once. Nodejs provides an easy way to `rm -rf` since 14.14.0:
+// Fs.rm(dir, { recursive: true, force: true }, console.log)
+// just be careful to validate the directory's path
+// --Aaron