This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incorporate OpenRCT2 login system #3155
Comments
Would it help if i was to build a design some ui windows / controls, such as a login window with a username / password box? that way you can have the design already there and all you'd need to worry about is plugging in the functionality? |
Just a suggestion for the server side, don't allow email addresses with the + character in them, because you can use the same email 9000 times with that. |
@PFCKrutonium Better, only allow one use of an email address, no matter if it contains “+” or not. |
And for gmail addresses, full stops should be ignored. But e-mail validation is related to the API server and not the game. |
True, but I can't see any other place where bringing it up would help. |
I made this issue mostly so that I could close all of those other issues that were more or less the same problem and to clear up other discussions about how to deal with the problems. I will look at this again when we have released 0.0.4. |
That seems fair. |
Not sure why this should be implemented. People can create new accounts easily, I assume. Although having a central login is nice, it sort-of closes the openness of the project. |
@JarnoVgr |
I understand that @Patrik356b . But I fail to see the exact benefit of moving to centralized accounts. But does it prevent from happening? People can easily recreate an account. |
@JarnoVgr user accounts have lots of other advantages... think about it. It can be linked to the forums, the content submission system, CoasterCloud. It can record statistics against your name, it stops people from spoofing your user name and allows you to transfer that between different computers and devices. You said people can easily re-create an account, but how many accounts will someone create, verify and then get blocked before they get bored? The extra effort they have to go through will put them off (significantly reduce the amount of people who would otherwise).
What stops someone from editing the source code to mock this? |
@IntelOrca I would also like to voice my concerns about having a central login authority, while it would be optional, there is near no question in my mind that it would become the de-facto standard upon deployment. This would put a slight damper on the openness of the project a bit in my eyes. That said, I don't think hardware id would solve the problem either, especially in an open source project, Instead I'd favor a system where each client and server generates a unique id, the server sends their unique id to the client, then client then hashes its own uuid together with the server's and sends it back. Using this hashed token the server can uniquely identify previous clients and be able to set permissions accordingly; however, this system could not be used for banning clients as a client could simply change their uuid (which would also reset their granted permissions to default). To resolve that, ip bans could be added instead. Either way, there seem to be solutions to the problem of identifying clients uniquely for the purposes of saving permissions, verifying identity, or banning, that do not include a central login authority and keep the power more so in the hands of those who run servers. As for why nobody is editing the source to implement such changes, I think the most likely answer is that those who want these changes are simply not able to make such edits. For example, I know that such code is beyond my own abilities (I did give it a shot though!). Regardless, I very much appreciate the massive amounts of work you've put into the project and hate to, essentially, gripe like this. Central server or not, this project already is, and will continue to be a success in my eyes. |
If I may, how does OpenTTD do it? |
@IntelOrca, are you rolling you own login scheme? Or using one of the few already available (ex. OpenID, or one of the closed login schemes like Reddit or Facebook). |
@RollingStar It would have to be our own if we wanted the player to be able enter their credentials within OpenRCT2. Google, Facebook, Microsoft etc. require a web browser and page / frame redirection to login via those mechanisms - we don't want to embed a browser into OpenRCT2. |
What about using OpenRCT2.org accounts for this? Is that something you're ok with @IntelOrca ? Could make API endpoints for both registration and login. |
That would be nice |
That will be nice to add login system, you will need email verification after registering |
Having 1 account per IP makes no sense nowadays. People share IP addresses very often. |
To add to what @JarnoVgr There are entire countries that share 2 or 3 public IP's - So it doesn't make sense as a limit. |
True, OAuth may require a web browser to approve, but it adds other (future) benefits:
The launcher could (optionally?) manage login status and store a token for the game to use. Also, if the project ends up using your self-developed login system and not a hosted users system, please open source it as well. |
Someone is pretending to be me in a server and lying to me now. I think it is a great idea to add a login system to OpenRCT2 and stop using anonymous names to prevent impersonations in the future. I also want the login systems to be added to OpenRCT2 as soon as possible to prevent impostors. |
@birthdaybrian You're not the only one :( there have been 3 other people impersonated this week (me included) |
This will be (partially) fixed with #3699 |
Any chance we could poke this some more? This needs to be rectified asap imho. |
Most server hosts would appriciate :/ |
I think that it would help out a lot, even with banning idiots and trolls |
As the acting owner of a server following a transition resulting from this very issue, I would greatly appreciate this implementation. The problem of username impersonation has hit our community hard, so much that we had to change the name and the ownership. I know that there are issues with this concept, but working it out with server operators will result, in my opinion and from what I have witnessed, in a more tightly-nit community. |
Some of you may have noticed a small change in the server listings this morning. If you look closely, the three WhiskeyStation servers, one of the staple groups of the OpenRCT2 multiplayer community, are not currently visible. This is a small effect of a much larger underlying problem. Anonymity on the internet is a blossoming debate. Being able to hide behind a username enables a user to assume an identity and act in any way they choose, which, in of itself, is not a bad thing. However, being able to change identities and use others’ identities, is, in fact, a crucial issue. Trolling is a known issue on the Open RCT2 servers. Every server deals with it, every multiplayer user has experienced it. A minor annoyance, but is rarely accompanied alone when trolls decide to attack. The owner of WhiskeyStation supports himself by running a business using the aforementioned name. He’s been operating successfully for almost a year now. No other platform has given him nearly as much trouble as his OpenRCT2 servers. Trolls, who will remain nameless, have continuously hijacked him via rapid login/logouts causing desyncing and crashing, verbal harassment, and in extreme cases, Denial of Service attacks on his internet, damaging the reliability of not only his servers, but his entire business. By giving them the ability to assume false identities rapidly, they were able to overwhelm moderators by joining with different names every time they were banned on the previous ones. They have now started to travel to different servers under his name and harass other players. Now, he has had to remove his name and servers for fear of his business’ integrity. This is a serious issue that needs serious consideration. For any further questions, and direct contact to the new operator of the community in question, please contact: arcticx9@gmail.com |
Being an admin for Man Of Teal I agree with all men above me. This feature would be very much appreciated, if only as an option. I request you consider putting this back on the table. |
So anti-griefing is now bigger then privacy policy? we have measures to prevent griefing: a password, kick/ban and possibly whitelist or usergroups. Like in OTTD one might consider banning the GUID of the game and instead of having a playerID, we can move to a globalID that can be generated as other logins have it. stop ruining a perfect game with databases, passwords and users. if i ban player X does that mean X is banned on all servers? will he be auto-blacklisted? if yes then what prevents player Y from mass-banning everyone on his server to just annoy people? aka what does this feature REALLY add? |
@PFCKrutonium I don't think you should tell others to 'poke' this, it wouldn't speed up anything, just create discussions in a thread with nothing about it. |
|
"aka what does this feature REALLY add" so in fact you need an IP ban. no complex login scheme with usernames passwords, you just need a way to prevent user X from rejoining after he got kicked/banned for griefing |
Also you can just delete your keys to get around a ban. @ZxBiohazardZx No. IP bans are just as easily circumvented as keys are. |
Also you can just delete your keys to get around a ban. @ZxBiohazardZx No. IP bans are just as easily circumvented as keys are. then make a non-editable file that logs your "status" with servers (ServerIP, Banned, other multiplayerhased info) and put that in a storage that cant be changed? |
client identification methods can be done in many ways that does not directly require another (easily changable) login. what prevents me from creating 10 accounts to grief with in the new system? an email is as easy to get as a new nickname atm |
You could create alts in the new system but it would take longer, and not be as easy as just deleting the keys then restarting the game and rejoining. |
I will implement this in due course, but I would like to release 0.0.5 first. The team have already decided that central authentication is the best solution to the problems with multiplayer. |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
To remedy several issues with multiplayer regarding grief, we shall implement universal authentication via an official OpenRCT2 user login database. Servers can choose to only allow logged in users or anonymous (no login necessary) users.
I have already designed and implemented a secure login protocol with a central server. The work left is implementing the login system and server authentication into the game. This will be for 0.0.5.
The text was updated successfully, but these errors were encountered: