Neodeck / cah-creator-old

The codebase for the old version of CAH Creator.
http://cahcreator.com/

"Add to CAE Game" button #5

Open tjhorner opened 9 years ago

tjhorner commented 9 years ago

Alright here's what I'm thinking:

When the partner thing is activated (you'll see a sweetalert telling you about the website, but that's it right now) it should add a button that lets you add the current deck to your CAE game. It will work either by a window.open to CAE that has a "Select a game to use" selector and will callback with a game's API token (will need to be implemented) OR just send a request to the server via the WebSocket with a game token (which will then send the request to the CAE server).

This is definitely not urgent, since everything works fine right now, but it would make it more user-friendly. You can get some sleep, @Rylius :wink:

Rylius commented 8 years ago

Scenario 1: User is on CAE and clicks a link to create a cah-creator deck

CAE can pass along a unique hash that authorizes cah-creator to add exactly one deck to the related game instance. After the deck has been added the hash becomes useless. (This avoids issues where anyone on the internet could add an unlimited number of decks and crash the CAE server. While CAE should check the request origin to make sure it's coming from cah-creator, DNS/IPs can be spoofed and I don't want to open CAE up to any flaws here.) The hash automatically becomes invalid after a few seconds, so cah-creator should add the deck right away. If the user decides to add another deck, a new hash is generated and sent along.

This is probably the easiest and most reliable way as we can handle most of the communication server-side - no messing with CORS or any of that stuff.

Scenario 2: User is on cah-creator and wants to add a deck to a running CAE game

This is kind of a problem as we don't have any idea how to identify the user. CORS seems to allow access to cookies of other domains, but the implementations seem to be fairly spotty (especially regarding IE).

Seems to me like a combination of window.open and window.postMessage is the best course of action. I can add a specific view to CAE that just lists all games by the current user and returns an "add a deck" authorization hash to the parent window once they select one.

Thoughts/ideas?

tjhorner commented 8 years ago

Scenario 1 sounds good. I was going to suggest an OAuth2 flow, but this sounds a lot better since:

  1. Most of the users don't sign in with a password, so how would the token be stored?
  2. It would allow infinite deck additions.

Some potential problems I see with the hash method though:

  1. The CAE/CAH Creator server might be overloaded and CAE might not receive the request in the few seconds allowed, maybe extend the time to a minute?
  2. "While CAE should check the request origin..." This wouldn't work. Heroku dynamically allocates IPs I believe. I could make it send over a secret token from a config file (I'll send you it privately somehow) over a header or in the request body.

Scenario 2 looks good to me: user opens window, authorizes game access, window posts message back to parent, sends token to server, CAE authorizes.

Rylius commented 8 years ago

Yeah, CAE doesn't permanently store users unless they register, so that won't work.

A minute sounds good for the hash timeout, was thinking of something along the lines of that too.

Secret token sent along with requests is probably the best idea, yeah.

tjhorner commented 8 years ago

Damn it wrong button lol

Anyway, I'll start implementing the button today on my end.