Open Bonyoze opened 9 months ago
Duplicate/Similar to https://github.com/Facepunch/garrysmod-requests/issues/2232
I don't really see a way to implement this to "minimize abuse".
Tokens could probably be kept hidden from Lua and some option added to HTTP() for sending the token object.
The identity could also be forced to have something prepended to it unique to GMod, perhaps even including the identifier for the currently active gamemode so existing web apis or backends for other gamemodes wouldn't be able to authenticate with those generated tokens.
Though due to how GMod works there's probably not much that can be done for addons overriding what gets sent to the current gamemode's backend. Like the data folder emptying problem, those addons just have to be reported.
Details
Add a method for gamemodes that use web apis to be able to authenticate a client. Something like:
steamworks.GetAuthTicketForWebAPI(identity, callback)
and a way to cancel the ticket when it is no longer needed.There is a Steamworks method for this: ISteamUser::GetAuthTicketForWebApi which a client can call and send their ticket to the gamemode's web api. The backend can check the client's ticket is valid and do something with it.
Can be primarily useful for gamemodes that want to tie data to a specific steam account, such as a global leaderboard or comment leaving system. This would also work well in conjunction with
steamworks.RequestPlayerInfo()
for displaying names of players.Of course this needs to be implemented correctly to minimize abuse. S&box has already implemented their own: Auth Tokens