This means some unavoidably breaking changes in the lobby protocol will happen, and lobby clients will need to be updated. It isn't live yet, there will be time to update - this post provides the info of what's coming.
To verify an email address: the server sends a four or eight digit verification code to an email address, and the client must send this code back to the server. Each verification code is valid for 48h, and allows max 3 attempts at verification.
Related breaking changes / new commands:
- REGISTER needs a valid email address. When REGISTRATIONACCEPTED is sent to the client, a verification code will be sent to that email address. This code must be returned inCONFIRMAGREEMENT, or the server will reply with DENIED.
- To change email adress, CHANGEEMAILREQUEST should be sent first. When CHANGEEMAILREQUESTACCEPTED is sent to the client, a verification code will be sent to the new email address. This code must be returned in CHANGEEMAIL, to change the registered address.
- To reset a password, similarly, RESETPASSWORDREQUEST and RESETPASSWORD are used. In this case the user doesn't need to be logged in first. Once the code is returned the user is sent another email informing them of their new, randomly generated, password.
- Verification codes can be resent, up to 3 times, using RESENDVERIFICATION.
After the changes go live, lobby clients that do not update will still be able to log users in (as before) but will become unable to create new user accounts or change email addresses. Instead, they will be sent an error message asking the user to update.
Each new account requires a unique email address. The long term plan is that email addresses will become part of linking lobby/forum/etc accounts. (More work is needed before that can happen, on linking the forum/lobby dbs, etc.)