Follow-up to authentication work #167

@boggydigital

There's a bunch of work overflowing from #112 that I'm moving over from the original issue to unblock landing auth work:

author

  • Add unit tests to validate behaviors

logging

  • Consider adding current user to the serve log
  • Consider adding basic login throttling per IP address (each unsuccessful attempt delays the next one by 2x)
  • Add a new top-level nav target that shows the currently logged-in user and allows logging out // Decided against that. Top-level nav is very premium real estate and it's better to use the bottom of the page for Logout
  • Use different symbol for users and admins // Not at the moment

per-user properties

  • Consider migrating from local-tags property to user-tags that would be per-user (that means settling on the per-user solution)

don't logout on all devices after logging out on one device

// Decided to keep the current behavior for now

  • create new session for each successful new authentication
  • separate Logout and Logout on all devices options
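
The per-IP login throttling item in the list above (each unsuccessful attempt doubles the delay before the next one), sketched as an added example that is not code from this issue or the project. The names `Throttle`, `Wait` and `Record`, the `base` and `max` settings, and the cap on the delay are all assumptions; the issue only states the 2x rule.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)
type record struct {
	failures  int
	notBefore time.Time // earliest moment the next attempt is accepted
}
// Throttle tracks failed logins per client IP (hypothetical names throughout).
type Throttle struct {
	mu        sync.Mutex
	base, max time.Duration // first delay, and the ceiling for doubling (assumed)
	byIP      map[string]record
}
// Wait reports how long ip must still wait at time now; 0 means go ahead.
func (t *Throttle) Wait(ip string, now time.Time) time.Duration {
	t.mu.Lock()
	defer t.mu.Unlock()
	if nb := t.byIP[ip].notBefore; now.Before(nb) {
		return nb.Sub(now)
	}
	return 0
}

// Record stores an outcome: success clears the IP, a failure doubles the delay within max.
func (t *Throttle) Record(ip string, now time.Time, ok bool) time.Duration {
	t.mu.Lock()
	defer t.mu.Unlock()
	if ok {
		delete(t.byIP, ip)
		return 0
	}
	r, d := t.byIP[ip], t.base
	for i := 0; i < r.failures && d*2 <= t.max; i++ {
		d *= 2
	}
	t.byIP[ip] = record{r.failures + 1, now.Add(d)}
	return d
}

func main() {
	th := &Throttle{base: time.Second, max: time.Minute, byIP: map[string]record{}}
	for i := 0; i < 8; i++ { // constructed clock and documentation-range address
		fmt.Println(th.Record("203.0.113.7", time.Unix(0, 0), false))
	}
}
```

A login handler would call `Wait` before checking credentials and `Record` afterwards. Behind a reverse proxy the key has to be the client address the proxy reports, otherwise every user shares one counter.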
