
Pokemon Showdown should support access through arbitrary third party clients #1264

Open
scheibo opened this issue Apr 9, 2019 · 9 comments

Comments

@scheibo (Contributor) commented Apr 9, 2019

Something like OAuth might also work.

Originally posted by @Zarel in #1218

Currently, if someone wants to play on PS! with a modded client they can't - they can either attempt to get the code submitted into master (e.g. #1218), create an elaborate browser extension, or run their own login server which doesn't interop with the existing PS! login system (so they're arguably not playing on PS! at that point, they're playing in their own parallel system). I believe the login flow could be modified so that users of third party clients could be redirected to PS! to authorize (to avoid leaking the credentials), but then continue to play with the token received on the custom client.

I think OAuth is probably the current best practice here, though it's non-trivial to implement correctly and has flaws.

Arguably not a client bug or a server bug, because the login server is its own thing, but this is relevant to clients so I'm filing this here to hopefully start a discussion. :)

@Slayer95 commented (this comment has been minimized)

@scheibo (Contributor, Author) commented Apr 9, 2019

Isn't the current implementation enough so long as all third-party clients are enabled for CORS?

What does this entail, some sort of whitelisting? What would I need to do to be able to serve my own client at play.pkmn.cc that can still auth against the official login server, for example (I don't actually have plans of doing anything special with a client yet, I'm just offering that as a strawman to see if it's possible)? Or, more concretely, how can we let Digimon Showdown host its own client? If it is in fact possible today, can we add information to the README.md about it?

@Slayer95 (Collaborator) commented Apr 9, 2019

The current implementation is a whitelist but it could be changed to Access-Control-Allow-Origin: *. With that, you only need to serve index.html for https://github.com/Zarel/Pokemon-Showdown-Client/, and update the domain settings in js/storage.js.

  • On ?act=login, each third party client would get an exclusive HttpOnly sid cookie which is a hash of a string including the origin domain.
  • The sid cookie is then sent to the login server in the ?act=upkeep request, and the response is the string that needs to be sent in /trn for the PS Verifier service to validate it.

Even without Access-Control-Allow-Origin: *, they can still serve testclient.html[1], which uses an iframe and manual copy pasting to keep the third party server operators from messing with the logins. To the best of my understanding, that's only safer for browsers without support for HttpOnly.

[1] e.g. http://digimon-showdown-slayer95.c9users.io:8080/testclient.html?~~digimon-showdown-slayer95.c9users.io:8080 ... WARNING: Its static server is implemented shoddily and isn't meant to be copied by serious deployments.

@Slayer95 (Collaborator) commented Apr 9, 2019

Scratch the index.html thing, I am missing the big elephant in the room: the login form itself. We do need OAuth!

@scheibo (Contributor, Author) commented Apr 9, 2019

which uses an iframe and manual copy pasting to keep the third party server operators from messing with the logins

Yeah, that's the whole bit I'm hoping to do away with. Using a third party client shouldn't require an obtuse login experience. If Access-Control-Allow-Origin: * fixes that then sure, that sounds like a great solution, otherwise I think we would need a better story here.

EDIT: Looks like you've beat me to it:

Scratch the index.html thing, I am missing the big elephant in the room: the login form itself. We do need OAuth!

@Zarel (Member) commented Apr 11, 2019

PS currently does support CORS if you provide your own passwords, but, like, I don't want to encourage forks to MitM passwords.

@OpenSauce04 commented

bump

@Async10 commented Jun 26, 2023

I would like to write a chat client for pokemon showdown. Is there a way we can support login for third party clients either by allowing CORS or another mechanism that allows users to log in using a third party client?

@mia-pi-git (Member) commented

I would like to write a chat client for pokemon showdown. Is there a way we can support login for third party clients either by allowing CORS or another mechanism that allows users to log in using a third party client?

This is in progress.


6 participants