-
Notifications
You must be signed in to change notification settings - Fork 750
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pokemon Showdown should support access through arbitrary third party clients #1264
Comments
This comment has been minimized.
This comment has been minimized.
What does this entail, some sort of whitelisting? What would I need to do to be able to serve my own client at |
[1] e.g. http://digimon-showdown-slayer95.c9users.io:8080/testclient.html?~~digimon-showdown-slayer95.c9users.io:8080 ... WARNING: Its static server is implemented shoddily and isn't meant to be copied by serious deployments. |
Scratch the |
Yeah, that's the whole bit I'm hoping to do away with. Using a third party client shouldn't require an obtuse login experience. If EDIT: Looks like you've beat me to it:
|
PS currently does support CORS if you provide your own passwords, but, like, I don't want to encourage forks to MitM passwords. |
bump |
I would like to write a chat client for pokemon showdown. Is there a way we can support login for third party clients either by allowing CORS or another mechanism that allows users to log in using a third party client? |
This is in progress. |
Originally posted by @Zarel in #1218
Currently, if someone wants to play on PS! with a modded client they can't - they can either attempt to get the code submitted into master (eg. #1218), create an elaborate browser extension, or run their own login server which doesn't interop with the existing PS! login system (so they're arguably not playing on PS! at that point, they're playing in their own parallel system). I believe the login flow could be modified so that users of third party clients could be redirected to PS! to authorize (to avoid leaking the credentials), but then continue to play with the token received on the custom client.
I think OAuth is probably the current best practice here, though its non trivial to implement correctly and has flaws.
Arguably not a client bug or a server bug, because the login server is its own thing, but this is relevant to clients so I'm filing this here to hopefully start a discussion. :)
The text was updated successfully, but these errors were encountered: