I also see you're using good old username/password combos over plaintext. Please consider using third-party authentication such as Persona (https://www.mozilla.org/en-US/persona/) or OpenID. (Persona gives you sign-in with Gmail for free, how neat is that?) -- If you don't know why that's a good thing, reply to this comment and I'll be happy to explain.
I am planning on turning on HTTPS soon, but I despise third-party authentication as a rule. Feel free to try and convince me, but I have never seen the point in tying my uptime to the uptime of a third party, and allowing a third party to revoke my users' accounts if they so wish.
Couldn't agree more. Which is why I recommended Persona! Persona is decentralized. Third-party authentication done right. I highly encourage you to look into it, especially if you already know about the issues OAuth2 and co. have.
Third-party authentication is still the right thing to do in 99 percent of cases. Users should not have to rely on the unknown first party they are sending their credentials to to do things the right way. Moreover, developers should not have to reimplement all these protections every time - 2FA, bcrypt, proper separation of authentication and data, etc. They are not all cheap to set up, and some of them are obscure.
Regarding making decks while logged in - my expectation is that the tool would let me share a URL that is not tied to an account. Something akin to the WoW talent calculators that used to be popular back in the day: http://eu.battle.net/wow/en/tool/talent-calculator