Adarnof / adarnauth

Django-based auth system for EVE Online
GNU General Public License v2.0

Sold characters #3

Open Ydmir opened 8 years ago

Ydmir commented 8 years ago

This is just me having a thought when reading through the CREST documentation, but since the login is built on the SSO someone might get unwanted access if the character is being sold? There is a check for that however, since there is a "CharacterOwnerHash" in the JSON response from the SSO that could be used to detect this.

Adarnof commented 8 years ago

I'm not sure how SSO handles characters being sold. From what I know the character is "disabled" once the transfer has begun, so I doubt SSO would allow a user to authorize as it. Can you log in as the character during transfer? If I remember correctly, no.

Once complete, the previous user would be unable to access either way because they would be unable to select it when authorizing as it would no longer be on their account.

If the character was previously associated with an account via API, next API refresh the character will be removed from the API in the database which triggers an ownership recheck which would then strip its user association.

So yes, there is a possibility of overlap if SSO allows users to authenticate as characters in the process of being transferred. I'll have to ask tweetfleet how that works.

On my radar is collecting ownerhashes but I've never really had a purpose for them.

Ydmir commented 8 years ago

My worry was if the whole system was tied to being able to log in with a specific character, upon which the new owner could get undesired access. And then I thought the ownerhash could be used to detect this and delete access. But I had not thought about it being coupled to the account bound API as well, so then there really is no worry I guess.

Adarnof commented 8 years ago

Hmm. You do have a valid concern, if a main character is sold the auth account goes along with them. I'll have to add owner hash validation.

Crap.

Ydmir commented 8 years ago

Sorry for creating extra work =P

Adarnof commented 8 years ago

Damn you and your thinking!
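The owner hash validation discussed in this thread, sketched as an added example (not adarnauth's code): a login is accepted only when the `CharacterOwnerHash` in the SSO response matches the one stored when the character was registered, and a changed hash strips the user association. `OwnerHashStore`, `Binding`, `resolve_login` and `bind` are hypothetical names, the in-memory dict stands in for the database, and `CharacterID` is the character id field of the same SSO response.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Binding:
    """Hypothetical record linking an auth user to an SSO character."""
    user_id: int
    owner_hash: str


class OwnerHashStore:
    """In-memory stand-in for the auth database (assumption, not adarnauth's model)."""

    def __init__(self) -> None:
        self._by_character: dict[int, Binding] = {}

    def resolve_login(self, verify: dict) -> tuple[str, Optional[int]]:
        """Decide what a completed SSO login may do.

        Returns (decision, user_id) where decision is one of:
        "login"   - hash matches the stored one, same owner as before
        "unbound" - character not known yet, caller may start registration
        "revoked" - hash changed (character changed accounts), binding dropped
        """
        char_id = verify.get("CharacterID")
        owner_hash = verify.get("CharacterOwnerHash")
        if not isinstance(char_id, int) or not owner_hash:
            # Fail closed: without a hash, ownership cannot be checked.
            raise ValueError("SSO response lacks CharacterID or CharacterOwnerHash")
        binding = self._by_character.get(char_id)
        if binding is None:
            return ("unbound", None)
        if binding.owner_hash != owner_hash:
            # New owner: strip the user association instead of logging in.
            del self._by_character[char_id]
            return ("revoked", None)
        return ("login", binding.user_id)

    def bind(self, user_id: int, verify: dict) -> None:
        """Record the owner hash seen when the user registers the character."""
        self._by_character[verify["CharacterID"]] = Binding(
            user_id, verify["CharacterOwnerHash"])


# Constructed sample responses; only the two fields used here are shown.
SELLER = {"CharacterID": 90000001, "CharacterOwnerHash": "constructed-hash-seller="}
BUYER = {"CharacterID": 90000001, "CharacterOwnerHash": "constructed-hash-buyer="}
```

After a "revoked" result the character is treated like any unregistered one, so the buyer's next login has to go through registration and never inherits the seller's auth account.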