New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Proposal: Single-click inspector authorization #290

shawkinsl opened this Issue Sep 11, 2018 · 1 comment


None yet
1 participant
Copy link

shawkinsl commented Sep 11, 2018

This is a pretty significant redesign of the current model of trust and sign-in flow, but I think it will be worth it. Using this new design will completely remove the beta forums from the authorization process, which is currently the only thing we can't make event driven (have to poll every 5 mins), and causes the most confusion with account creation. (Plus, it might make WotC a little happier with us for not crawling their forums.)

The current model of trust revolves around proving that you own a username in MTGA. (This in itself might even be a flawed assumption, if usernames aren't guaranteed uniqueness in MTGA). In this proposed model of trust, we will instead associate all records with a unique key generated by each machine (or, tracker), then authorize inspector accounts to access records associated with that key.

Play by play:

  • User downloads and runs MTGATracker
  • On first run, MTGATracker generates a cryptographically strong pseudo-random key and stores it. It also requests a signed token from the API identifying itself. The API hashes the key, stored both versions, then responds with a token containing both the key and it's hash.
  • Each time any artifact is uploaded, the hashed version of the key is associated with it (leaking a hashed key isn't ideal, but isn't that big of a deal as it doesn't grant access)
  • User signs in to inspector (or creates an account), and sees they must "authorize" the tracker.
  • MTGATracker offers a link in settings panel to authorize an inspector account with the unhashed key embedded in the url
  • Inspector account is now permanently authorized to view / modify / manage records generated from that machine (can add multiple keys / machines)

Problems (and solutions):
Problem MTGA usernames aren't first-class variables anymore; this change will likely need to coincide with the wipe
- How to prove who owns old records?
- What is an inspector account's "primary key" now?
- What's to stop someone from spoofing logs to insert records to a fake MTGA account?
Solution: go the discord route and use discriminators

Problem: what if a key is lost before a user can claim it?
Solution: user can answer a series of challenges to prove they own the data; we'll associate it with a new key

@shawkinsl shawkinsl changed the title Proposal: Single-click inspector sign in Proposal: Single-click inspector authorization Sep 11, 2018

@shawkinsl shawkinsl referenced this issue Sep 23, 2018


Feature/oauth #3

shawkinsl added a commit that referenced this issue Sep 23, 2018


This comment has been minimized.

Copy link
Member Author

shawkinsl commented Sep 23, 2018

This work is done!



  • Generate unique tracker tokens per machine (main.js)
  • For all requests, use new token instead of user or anon tokens (mainRenderer.js)

  • replace login page with discord and twitch auth buttons (login/index.html)
  • add redirect pages for discord and twitch (discordAuth/index.html and twitchAuth/index.html)
  • send oauth codes to API to get tokens (extAuth.js)

shawkinsl added a commit that referenced this issue Sep 26, 2018

Merge pull request #299 from mtgatracker/feature/oauth
implement changes described in #290 for inspector oauth flows

@shawkinsl shawkinsl removed the help wanted label Sep 26, 2018

@shawkinsl shawkinsl closed this Sep 26, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment