Remove or replace or enhance auth implementation #143

Closed
satoshinm opened this issue May 20, 2017 · 2 comments
satoshinm commented May 20, 2017

Added 3rd and 4th command-line arguments, now used for username and authentication token

Example from the web client:

http://localhost:4081/#++username+6l1211bp08opa42kci3rfkcflk

Arguments are separated by '+': 1st is the server name, left blank to connect back to localhost; 2nd is also left blank for the default port 4081; 3rd is the username and 4th the authentication token. This was generated by satoshinm/WebSandboxMC#76.


original:

Player authentication uses libcurl, which doesn't work under Emscripten, and I had trouble compiling on Windows with AppVeyor so it is compiled out. It only works on native, limiting its usefulness. Consider removing support, or replacing it with some kind of token-based auth working with WebSandboxMC.

@satoshinm

https://craft.michaelfogleman.com actually does already use identity tokens. The player signs up on that website with a username and password, then generates an access token named e.g. home and runs /identity username identity_token, where identity_token is a 32-digit hex string generated once. Running this command causes Craft to run the equivalent of curl https://craft.michaelfogleman.com/api/1/identity -d 'username=satoshinm&identity_token=00000000000000000000000000000000', returning another 32-digit hex string, the access token. The Python server server.py posts to https://craft.michaelfogleman.com/api/1/access with username=&access_token=; if it returns 200 OK then user_id is set to the response text.

This API would almost be suitable for web usage, if the craft.michaelfogleman.com endpoint set Access-Control-Allow-Origin: *, via CORS, in the header response. Then 3rd party web apps could communicate with it, using standard web APIs (not only native, i.e. curl).

But why tie down to this one specific server, when there are alternative authentications? Accounts players may already have. Yahoo! auth: https://github.com/ritou/opauth-yahoojp ? Meant to be logged in through web. Google, Facebook, meh. Glowstone server chat https://discordapp.com/channels/201529692979855360/201529692979855360 uses Discord, which has OAuth: https://discordapp.com/developers/docs/topics/oauth2 - is that suitable?

And/or push the auth problem down a layer, to each server. For satoshinm/WebSandboxMC#76 an already-logged-in user on the server could run a command to get a per-user access token, then pass it to the web client for logging in "as if" they were that user. This could be added on top of the current auth system without replacing it, just allowing the token to be directly specified on command-line or document.hash, versus the /identity and /login commands (which contact https://craft.michaelfogleman.com).

satoshinm added a commit that referenced this issue May 27, 2017
* Accept username/access token as additional command-line args

* '-' as 2nd command-line argument uses default port

* Split hash arguments on '+' as well as space (%20)

* Accept empty host and port args for self/default
satoshinm changed the title from "Remove or replace auth implementation" to "Remove or replace or enhance auth implementation" on May 27, 2017
@satoshinm

Decided to keep curl for now, no reason to break it, but in GH-164 enhanced authentication by allowing the username/token to be given on the command-line. This is used in satoshinm/WebSandboxMC#76.

satoshinm added this to the 3 milestone on Jun 8, 2017
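The hash format described in this thread (`#host+port+username+token`, split on '+' or space, blank host and blank or '-' port meaning defaults), as an added JavaScript example that is not the project's own code: it validates each argument before use and then drops the fragment so the token does not stay in the address bar. The function names and the host, username and token patterns are assumptions, not taken from the project.

```javascript
// Added example, not the project's code. Patterns below are assumptions.
const DEFAULT_PORT = 4081;                 // default port named in this thread
const HOST_RE = /^[A-Za-z0-9.-]{1,253}$/;  // assumed hostname shape
const NAME_RE = /^[A-Za-z0-9_]{1,32}$/;    // assumed username charset
const TOKEN_RE = /^[A-Za-z0-9]{16,64}$/;   // assumed token charset and length

function parseHashArgs(hash, selfHost = "localhost") {
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  // Per the commit message: split on '+' as well as space (%20).
  const [host = "", port = "", username = "", token = ""] = raw.split(/\+|%20| /);

  if (host !== "" && !HOST_RE.test(host)) throw new Error("invalid host");

  // Empty or '-' selects the default port; anything else must be 1..65535.
  let portNum = DEFAULT_PORT;
  if (port !== "" && port !== "-") {
    if (!/^[0-9]{1,5}$/.test(port) || +port < 1 || +port > 65535) {
      throw new Error("invalid port");
    }
    portNum = Number(port);
  }

  // Credentials are all-or-nothing and must match the expected shape.
  if ((username === "") !== (token === "")) {
    throw new Error("username and token must be given together");
  }
  if (username !== "" && !(NAME_RE.test(username) && TOKEN_RE.test(token))) {
    throw new Error("malformed credentials");
  }

  return {
    host: host === "" ? selfHost : host,   // blank host connects back to self
    port: portNum,
    username: username || null,
    token: token || null,
  };
}

// Replace the current history entry with a fragment-free URL once the
// arguments are parsed, so the token is not left visible or copied with the link.
function scrubHash(win) {
  const { pathname, search } = win.location;
  win.history.replaceState(null, "", pathname + search);
}
```

In a browser, call `parseHashArgs(window.location.hash)` and then `scrubHash(window)` before opening the connection.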