If you go through oauth with 2 different services, you end up with 2 accounts. There should be a way, when logged in, to add additional accounts.

This was meant to say admin.macaroon, but it warns against uploading invoice.macaroon (which is what we want!)

Configure the frontend and backend to work in a production environment. The flask app should serve up the static assets from yarn build.

Sender/receiver privacy should be maintained to the best of our abilities.

Sender Privacy
Right now, the sender can tip anonymously. The only information we're privy to on that can be tied to the sender is the fulfilled invoice.

Receiver Privacy
Right now, receiving requires signup using one of our OAuth integrations. We also connect to nodes thru IPv4.

We should:

• Enable signup using usernames/emails
• Enable connecting to nodes thru Tor

The above is most likely incomplete, please comment below on other privacy concerns.

Users should be able to remove connections from their account. Removing the final connection should prompt a warning to the user that their account will be deleted. They can sign up again, but we'll wipe out their tip history & their node info.

Steps to reproduce:

1. Go to "Config" tab of profile page
2. Change email
3. Hit submit
4. Click on another tab
5. Go back to "Config" tab
6. Email appears to be unchanged
7. Reload page
8. Email appears to be changed

Expected behavior:

1. Go to "Config" tab of profile page
2. Change email
3. Hit submit
4. Click on another tab
5. Go back to "Config" tab
6. Email appears to be changed
7. Reload page
8. Email appears to be changed

Before we save a user's macaroon and grpc url, we should first make a quick request against it to make sure they work.

Currently we don't verify the auth token / public key combo of users who auth with Blockstack. While there's no out-of-the-box solution for this, there's a Ruby library that we could probably port over for our needs: https://github.com/blockstack/blockstack-ruby/blob/master/lib/blockstack.rb

It's scaffolded out right now, but it'd be great if we actually had a working list view of tips.

We should email the user when the following things happen:

• They receive a tip
• We try to generate an invoice with their node, and it fails

Ideally both cases would have some rate limiting to prevent a user from getting rekt with emails.

It's currently a placeholder, we should probably flesh it out with some detail.

• What the site does
• Who built it
• FAQ?

When OAuth fails, we get redirected to a page with query parameters that contain more information. Here's an example of a GitHub OAuth failure redirect:

/?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23redirect-uri-mismatch&state=azCYm71U9Kg8Fpv85HzaGB94uBNANw

We should handle these and display them to the user. Should also be useful for development.

We should look into Celery or some other way of keeping tabs on Lightning payments going through. Our current methodology of long polling from the client seems pretty error-prone.

The content security policy prevents sign in with Blockstack when running your own gaia hub because it only allows hubs hosted by Blockstack PBC @ *.blockstack.org.

I tried signing in with gaiaview1.id.blockstack https://explorer.blockstack.org/name/gaiareview1.id.blockstack

Currently manifest.json is serving from /static/manifest.json, blockstack needs to be informed that it's there (and not at /manifest.json) or we should setup a flask route directly to it.

None of the links in the emails we send out work yet.

We'll need a page that lets a user preview a tip button embed, and provides them markdown to put in their readme. The embed should include the following:

• A stylish button for a user to click
• The user's node's pubkey, so that tippers can confirm our site isn't foolin' em.

We may add customization features in the future, but those will be separate tasks.

They support it https://docs.gitlab.com/ee/api/oauth2.html so it'd be nice if we supported it!

The user and social connections data should be stored in a database, ideally with SQLAlchemy models. Strongly suggest using http://flask-sqlalchemy.pocoo.org/2.3/ for it.

Provide a form for users that allows them to specify:

• An invoice.macaroon file
• A tls.cert file
• A URL to their node's gRPC endpoint
• (Optional) an email to alert them of new tips & failed requests

Should do as much pre-validation before submitting as possible.

To keep things simple for the hackathon, no redux state was added and all components fetched data as-needed. However to reduce copy-paste and improve auth flow, we should add a redux store. At the moment, all I can think of it needing to keep track of is auth state. But if there's anything else, drop a note here.

We should let folks configure an on-chain fallback address, and watch for sends to that too. Might be nice for large tips, people who don't have nodes, or people who can't route their tips.