Bungie-net / api

Resources for the Bungie.net API

Scope questions #748

Open ghost opened 6 years ago

ghost commented 6 years ago

Scope question:

If we look at the OAUTH section in the docs, there are 12 scopes listed, but when we log into our application page, we only see 5 that we can select.

app page screenshot

What corresponds to what? Are any not accessible to the public? I feel like this should be documented somewhere, so feel free to point me to a wiki page if one exists.

Why I'm asking:

I'm currently looking into automating recruitment for my clans as much as possible. I was hoping to be able to leave an applicant's current clan if they are in one, have them apply to mine, then use one of my admin account's tokens to accept their application. After that it'd do other things like load them into my database, fix up their discord roles, and change their discord nickname to match our naming conventions.

I was hoping to use GroupV2-RequestGroupMembership with the user account to request to join one of my clans, but that shows it requires a 'BnetWrite' scope. It's that or GroupV2-IndividualGroupInvite to invite them to my clan, but then I don't see a way to accept it with the user's account via the API (Is there??). If I could have their account accept an invite, then I'd be able to switch to invite only on all my clans and I wouldn't need to make a script to decline those who don't meet our standards.

I assume GroupV2-RescindGroupMembership is how I'd leave their current clan, but this also requires that 'BnetWrite' scope.

Thanks!

vthornheart-bng commented 6 years ago

Good question! I'll write up a doc about this shortly.

By default, every application implicitly gets ReadBasicUserProfile. From there, you can choose from the following (that map to the ones in your screenshot above in order):

- ReadDestinyInventoryAndVault
- ReadDestinyVendorsAndAdvisors
- MoveEquipDestinyItems
- AdminGroups
- ReadUserData

We currently don't allow the following to be requested by 3rd party apps:

- ReadGroups
- WriteGroups
- BnetWrite
- EditUserData
- ReadAndApplyTokens
- AdvancedWriteActions

Part of why some of these features are restricted is to prevent automated scenarios that would easily be abused, such as the ability to automate rating posts en masse, or (in this case) the ability to send group membership requests en masse. While it sounds like your app isn't intending to use the API in that way, providing 3rd party apps with the ability to do so would easily allow less well-intentioned API users to create an undesirable experience in an easily automated way (for instance, by automating RequestGroupMembership requests to every Bungie.Net user in bulk). We can't open up that endpoint to official 3rd party-approved use at this time. Sorry about that!

vthornheart-bng commented 6 years ago

Ah, I went to write an article and realized there already is one, but it was a bit out of date:

https://github.com/Bungie-net/api/wiki/Scopes

I updated it to include AdminGroups, which we'd added more recently to the approved scope list.

vthornheart-bng commented 6 years ago

I should note that, in the case of RequestGroupMembership, that itself couldn't necessarily be used in the malicious way that - for instance - sending group membership invitations could. But right now they're bundled under the same scope, and we'd need to do some work and additional testing to split RequestGroupMembership into its own scope (either an existing one or a new one).

I could see us doing that if it was a hotly requested feature, but I don't know when we'd get around to it with the size of our backlog.
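
The bundling trade-off described in the comments above, as an added example that is not part of the thread or Bungie's code: a toy scope check showing why opening one bundled scope exposes every action behind it, and what splitting one action out changes. `SendGroupInvitation` and the `RequestMembership` scope are hypothetical names used only for this illustration.

```python
# Added illustration of scope bundling; a toy model, not Bungie's server code.
IMPLICIT = "ReadBasicUserProfile"
# Scopes the thread lists as requestable by third-party apps.
THIRD_PARTY_SCOPES = frozenset({
    "ReadDestinyInventoryAndVault", "ReadDestinyVendorsAndAdvisors",
    "MoveEquipDestinyItems", "AdminGroups", "ReadUserData",
})
# Action -> required scope. The first two pairings are quoted in the thread;
# "SendGroupInvitation" is a hypothetical name for the invitation action that
# the thread says shares the same scope.
BUNDLED = {
    "RequestGroupMembership": "BnetWrite",
    "RescindGroupMembership": "BnetWrite",
    "SendGroupInvitation": "BnetWrite",
}

def grant(requested, allowlist=THIRD_PARTY_SCOPES):
    """Consent step: split a request into (granted, refused) scope sets."""
    requested = set(requested)
    granted = (requested & allowlist) | {IMPLICIT}
    return frozenset(granted), frozenset(requested - allowlist - {IMPLICIT})

def authorize(action, token_scopes, required):
    """Deny by default: unknown actions and missing scopes both fail."""
    scope = required.get(action)
    return scope is not None and scope in token_scopes

def unlocked_by(scope, required):
    """Every action one scope unlocks, i.e. what granting it really exposes."""
    return sorted(a for a, s in required.items() if s == scope)

def split_out(required, action, new_scope):
    """Copy of the map with one action moved to its own narrower scope."""
    return {**required, action: new_scope}

def demo():
    token, refused = grant({"AdminGroups", "BnetWrite"})
    bundled_ok = authorize("RequestGroupMembership", token, BUNDLED)
    # Hypothetical finer-grained scope, added to the third-party allowlist.
    fine = split_out(BUNDLED, "RequestGroupMembership", "RequestMembership")
    token2, _ = grant({"RequestMembership"}, THIRD_PARTY_SCOPES | {"RequestMembership"})
    return {
        "refused": sorted(refused),
        "bundled_ok": bundled_ok,
        "bnetwrite_unlocks": unlocked_by("BnetWrite", BUNDLED),
        "split_join_ok": authorize("RequestGroupMembership", token2, fine),
        "split_invite_ok": authorize("SendGroupInvitation", token2, fine),
    }
```

Calling `demo()` returns the refused scopes, the full set of actions `BnetWrite` unlocks in the bundled map, and the authorization results before and after the split.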

ghost commented 6 years ago

I've been trying to create an alliance kinda thing for my clans. I already have the ability to kick people in any clan from one webpage so that is really nice, but in order to fully automate recruitment I'd need to be able to use some of those endpoints.

My pie in the sky idea was:

1) Have them use a command in my Discord that DMs them a link to my website.
2) Have them authenticate with bungie.net.
3) Run our prechecks to make sure they have Forsaken, privacy settings are off, and they weren't kicked out recently.
4) Detect if they are in a clan already, and if so ask them if they'd like to leave it. If they do, I'd use their account to leave their clan for them.
5) Display my clans and how many slots there are in each, then ask if they have a preference as to which one they want to join.
6) Have their account apply to the clan, then have one of my admin accounts accept it.
7) Download their Bungie data and add it to my db, set up their Discord roles, and put a welcome message in general chat

So I guess now steps 4 and 6 will have to be manual on their part, or I can change my clan to invite only and send them an invite. I'd just need to log when I invited them and after 24-48 hours I'd need to rescind the invite to make sure things don't get clogged up.

If you ever do allow us to apply to a clan for a user though, it'd make the process a lot nicer! For now though it isn't the end of the world.

vthornheart-bng commented 6 years ago

Aye, unfortunately that'll be the limitations for at least the near term future. But I'm glad we had this conversation - I think it'd be worthwhile for us to look at making the scopes more fine-grained if we ever have the time to make that a priority. (Time is, unfortunately, often the biggest impediment to enhancements at the moment: we've got a large backlog of external and internal-facing projects, and I'm generally the only one working on the Destiny API itself).

Hopefully we can loop back to this in the future! I do think it'd be worthwhile: if we had a bit more staffing on the server side here, I'd love to make quality of life improvements like this.

ghost commented 6 years ago

Kinda wish I could work remotely and part time for Bungie so I can do the quality of life improvements. I think my girlfriend would kill me though. Hopefully some of those reqs get filled!

floatingatoll commented 6 years ago

And my axe!

On Thu, Nov 1, 2018 at 6:18 PM Akumati notifications@github.com wrote:

Kinda wish I could work remotely and part time for Bungie so I can do the quality of life improvements. I think my girlfriend would kill me though. hopefully some of those reqs get filled!
