Today we added the ability for players to create accounts. This feature is optional to use but will come in handy for players who would like to resume games at a later date and on different devices.
Up until now, when creating or joining the game, players would have their anonymous session preserved in the browser. As long as they stayed in that browser or as long as the browser history didn't get cleared, they would stay "logged in" to the game.
Some players would like to move between the devices and continue the game there. Additionally, browsers behavior is a bit unpredictable, and sometimes, especially on mobile phones and tablets, the session would get wiped out for no apparent reason.
The journey to add support for user registration was a little more tricky than expected. First, we tried to add support for "passwordless" authentication. This seemed like a great idea with some obvious advantages:
- no password would be needed
- players would only have to provide their email address
- link with authentication token would be sent to them, and players would follow it to get logged in to their account
There is built-in support for this type of authentication in Firebase (the underlying technology for this game) so baking it in was a breeze. The trouble started when testing this functionality on different devices.
On the desktop, everything looked great. When opening the link from within browser or app based email client, a new page in a default browser would be opened, and the player would be successfully logged in.
On mobile devices, things got tricky really quickly. Depending on the email client, users following the link would often be plopped into a "webview" version of the browser that was hosted inside of the email client application itself. This meant the session was only established for that webview experience and not for the player's browser of choice. This would have not made things simpler and would only confuse users.
Quick pivot was needed, and traditional email and password registration was added. This mechanism is both well understood for the majority of internet users (except the countries where the phone number is a primary mode of authentication), and doesn't suffer from the idiosyncrasies described above.
We're happy with how it turned out in the end: