# High priority

* Build automated acceptance tests
* Setup GitHub repo for plugin, then remove tests from w.org plugin repo


# Medium priority

* Internationalize
	* Can tag 1.0 after this since it's stable and feature-complete
* Get code coverage working for acceptance tests


# Low priority

* verify_login_nonce() - sends 'nonce expired' error if the nonce was invalid. maybe add new error to distinguish between the two. can't return the error code, though, b/c that would evaluate to true. have to return array to verify_original_login(). if array is empty, then they're valid, if not then redirect to login. support case where both errors happen - nonce is invalid and expired? that would leak that the user has a nonce, but is that harmful?
* validate_application_password() - if passed $user is wp_user, then return right away? would let other plugin hook in before us and validate the user. any problems with allowing that?
* any advantage to calling wp_set_current_user() in login_user()? wp_signon() just sets the auth cookie, so they're not logged in during the until after the redirect. they don't need to be logged in before the redirect, though. any reason to do that, or esoteric security risks of doing it?
* better to recreate the nonce than to store it? that's how wp does it