What should this even link to/display?

BrowserID will be the main flow on the website (because less effort) but we'll implement LDAP for external auth. This makes sessions a bit awkward, i.e. do we check LDAP credentials each time a request is made? Do we make native apps persist a session?

To unpack every usecase this would be used for, we'd need to run an OAuth provider. Since that is literally a conceptual impossibility, here's my latest pitch:

• External auth sessions are referenced by UUID that can be active, or can expire.
• Other web services that consume fwol.in's API go through a login flow that passes back the code in the query string to the requesting service. This becomes its API key.
• Native apps generate a UUID and poll it with some frequency to check if the user is authenticated. UUIDs that are invalid/no credentials return 401.

So also you'd be able to see active tokens by external apps/cancel them. *.fwol.in shares a session in the cookie, so no need superfluous keys.

This bypasses questions of embedding BrowserID by passing the buck to the browser. The native flow is still weird, sigh, but not the worst.

• Check if there's a key and if it's 200 OK on http://fwol.in/api/me. Else, open auth panel
• User clicks "Log in with fwol.in"
• Auth panel changes to "Waiting for authentication..."
• Web browser opens trying to authenticate a randomly generated UUID.
• (Browserid flow. Verification page says thanks, now check your application. Tries to close window.)
• Application pings http://fwol.in/api/me every 5s or long-polling. Once it sees 200 OK, it closes, and the API key is saved and useable!

If I update my profile, but do not update my avatar picture, my image disappears. I need to then re-update and choose the image I want. This may be the reason for so many blank accounts.

Default shown should be current students, default for alumns/faculstaff should be everyone.

Since

• ohack.us will be a list of cool shit we're doing
• ohack.us is a public-facing github-hosted static page

So, we should port the old list of projects to ohack.us. Keep the style, I like it :). Nothing beats courier new!