tokens.ts:65 - 86

Separating 'Unknown user' and 'Invalid password' would allow for a bad actor to see if usernames/emails are registered without having to know the password

If we shutdown a domain, this one stay return in the place api even after 30 minutes of no hearth beating, and despite the domain.active value that is correctly turn to false after 5 minutes)

This has been tested in the browser with cash refresh.
and in the app it-self (even after a reload content)

Maybe something stopped to process? (cause I'm quite sure it already worked correctly)

When a refresh token is sent to generate a new user scoped session token, it does not expire/delete the old token, resulting in an ever growing table of tokens, and potential security issue

src/routes/oauth/token.ts :: procPostOauthToken()

Incorporate OpenID or ActivityPub to allow option to join Federation.
https://openid.net/connect/
https://github.com/w3c/activitypub

We must be able to use a placename without have this place name published in the explore app.
to be able to use hifiurl, to move between domain, we need at least a placename, but we might not used this placename for advertising. It can be purely for the addressing functionality. (there is not too much other alternative outside IP:port)

Some people want to have a navigability without be listed.

To address this, we would need to:
1- Add a property "published" to the "place" entity. (boolean)
2- Add a checkbox in the Place editor in the metaverse dashboard.
3- Exclude the places where the property "published" would be set to true, from this specific api: GET /api/v1/places (only this one, not any other)

The Domain Token Fetch Login for linking a domain to your account is incorrectly branded Vircadia and needs to be updated.

Url: https://mv.overte.org/server/static/DomainTokenLogin.html