Remove or replace or enhance auth implementation #143
Comments
https://craft.michaelfogleman.com actually does already use identity tokens. The player signs up on that website with a username and password, then generates an access token named e.g. home and runs /identity username identity_token, where identity_token is a 32-digit hex string generated once. Running this command causes Craft to run the equivalent of

This API would almost be suitable for web usage, if the craft.michaelfogleman.com endpoint set Access-Control-Allow-Origin: *, via CORS, in the header response. Then 3rd party web apps could communicate with it, using standard web APIs (not only native, i.e. curl).

But why tie down to this one specific server, when there are alternative authentications. Accounts players may already have. Yahoo! auth: https://github.com/ritou/opauth-yahoojp ? Meant to be logged in through web. Google, Facebook, meh. Glowstone server chat https://discordapp.com/channels/201529692979855360/201529692979855360 uses discord which has oauth: https://discordapp.com/developers/docs/topics/oauth2 - is that suitable?

And/or push the auth problem down a layer, to each server. For satoshinm/WebSandboxMC#76 an already-logged-in-user on the server could run a command to get a per-user access token, then pass it to the web client for logging in "as if" they were that user. This could be added on top of the current auth system without replacing it, just allowing the token to be directly specified on command-line or document.hash, versus the /identity and /login commands (which contact https://craft.michaelfogleman.com).
* Accept username/access token as additional command-line args
* '-' as 2nd command-line argument uses default port
* Split hash arguments on '+' as well as space (%20)
* Accept empty host and port args for self/default
Decided to keep curl for now, no reason to break it, but in GH-164 enhanced authentication by allowing the username/token to be given on the command-line. This is used in satoshinm/WebSandboxMC#76.
Added 3rd and 4th command-line arguments, now used for username and authentication token
Example from the web client:
http://localhost:4081/#++username+6l1211bp08opa42kci3rfkcflk
Arguments are separated by '+': the 1st is the server name, left blank to connect back to localhost; the 2nd is also left blank for the default port 4081; the 3rd is the username and the 4th the authentication token. This was generated by satoshinm/WebSandboxMC#76.
original:
Player authentication uses libcurl, which doesn't work under Emscripten, and I had trouble compiling on Windows with AppVeyor, so it is compiled out. It only works on native, limiting its usefulness. Consider removing support, or replacing it with some kind of token-based auth working with WebSandboxMC.
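The hash argument format described above (host, port, username, token, split on '+' or %20), as an added example that is not part of the original issue or the project's code: a strict parser for the four arguments plus a helper that drops the token from the hash once it has been read. The function names, the character allow-lists and length limits, and accepting '-' for the port inside the hash are assumptions made for illustration.

```javascript
// Added example: names, limits and character allow-lists are assumptions.
const DEFAULT_PORT = 4081; // default port given in the issue text

function parseHashArgs(hash, selfHost = 'localhost') {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  // Split on '+' and on space, literal or percent-encoded as %20.
  const parts = raw.split(/\+|%20| /);
  if (parts.length > 4) throw new Error('too many arguments');
  const [host = '', port = '', username = '', token = ''] = parts;

  // Empty host means "connect back to the serving host".
  const resolvedHost = host === '' ? selfHost : host;
  if (!/^[A-Za-z0-9.-]{1,253}$/.test(resolvedHost)) throw new Error('bad host');

  // Empty port (or '-', as on the native command line) means the default.
  let resolvedPort = DEFAULT_PORT;
  if (port !== '' && port !== '-') {
    if (!/^[0-9]{1,5}$/.test(port)) throw new Error('bad port');
    resolvedPort = Number(port);
    if (resolvedPort < 1 || resolvedPort > 65535) throw new Error('bad port');
  }

  // Username and token travel together; one without the other is rejected.
  if ((username === '') !== (token === '')) {
    throw new Error('username and token must be given together');
  }
  if (username !== '' && !/^[A-Za-z0-9_]{1,32}$/.test(username)) throw new Error('bad username');
  if (token !== '' && !/^[A-Za-z0-9]{16,64}$/.test(token)) throw new Error('bad token');

  return { host: resolvedHost, port: resolvedPort,
           username: username || null, token: token || null };
}

// Hash with the token argument dropped. In a browser, pass the result to
// history.replaceState(null, '', newHash) after reading the token, so the
// credential does not stay in the address bar or the current history entry.
function hashWithoutToken(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  return '#' + raw.split(/\+|%20| /).slice(0, 3).join('+');
}
```

The fragment is not sent to the server in the HTTP request, but it is visible in the address bar and in copied links, which is why the token is removed after parsing.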