tjhorner opened this issue 9 years ago (status: Open)
Scenario 1: User is on CAE and clicks a link to create a cah-creator deck. CAE can pass along a unique hash that authorizes cah-creator to add exactly one deck to the related game instance. After the deck has been added the hash becomes useless. (This avoids issues where anyone on the internet could add an unlimited amount of decks and crash the CAE server. While CAE should check the request origin to make sure it's coming from cah-creator, DNS/IPs can be spoofed and I don't want to open CAE up to any flaws here.) The hash automatically becomes invalid after a few seconds, so cah-creator should add the deck right away. If the user decides to add another deck, a new hash is generated and sent along.
This is probably the easiest and most reliable way as we can handle most of the communication server-side - no messing with CORS or any of that stuff.
Scenario 2: User is on cah-creator and wants to add a deck to a running CAE game. This is kind of a problem as we don't have any idea how to identify the user. CORS seems to allow access to cookies of other domains, but the implementations seem to be fairly spotty (especially regarding IE).
Seems to me like a combination of window.open and window.postMessage is the best course of action. I can add a specific view to CAE that just lists all games by the current user and returns an "add a deck" authorization hash to the parent window once they select one.
Thoughts/ideas?
Scenario 1 sounds good. I was going to suggest an OAuth2 flow, but this sounds a lot better since:
Some potential problems I see with the hash method though:
Scenario 2 looks good to me, user opens window, authorizes game access, window posts message back to parent, sends token to server, CAE authorizes.
Yeah, CAE doesn't permanently store users unless they register, so that won't work.
A minute sounds good for the hash timeout, was thinking of something along the lines of that too.
Secret token sent along with requests is probably the best idea, yeah.
Damn it wrong button lol
Anyway, I'll start implementing the button today on my end.
Alright here's what I'm thinking:
When the partner thing is activated (you'll see a sweetalert telling you about the website, but that's it right now) it should add a button that lets you add the current deck to your CAE game. It will work either by a window.open to CAE that has a "Select a game to use" selector and will callback with a game's API token (will need to be implemented) OR just send a request to the server via the WebSocket with a game token (which will then send the request to the CAE server). This is definitely not urgent, since everything works fine right now; but it would make it more user-friendly. You can get some sleep, @Rylius :wink:
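The window.open hand-off described in the thread (the CAE "select a game" view posting a game token back to the cah-creator opener, which then forwards it to its own server), as an added example that is not cah-creator or CAE code. It is written as origin-checked pure functions so the acceptance logic can be exercised outside a browser; the origins, the message type and the popup path are placeholders. The two checks a practitioner wants here are on the opener side (only accept a message whose `origin` is CAE and whose `source` is the popup we opened) and on the popup side (post with an explicit targetOrigin, never `"*"`, so the token cannot land in a window on another site).

```javascript
// Added example, not the project's code. Origin-checked postMessage hand-off
// for Scenario 2 / the window.open plan above. All origins and names are assumed.
const CAE_ORIGIN = "https://cae.example";          // assumed CAE origin
const CREATOR_ORIGIN = "https://creator.example";  // assumed cah-creator origin
const MESSAGE_TYPE = "cae:add-deck-authorization"; // assumed message type

// Opener side (cah-creator). Returns { gameId, token } only for a message that
// came from CAE, from the popup we opened, and has the expected shape;
// everything else is ignored. `popup` is the handle returned by window.open.
function acceptAuthorizationMessage(event, popup, expectedOrigin = CAE_ORIGIN) {
  if (event.origin !== expectedOrigin) return null;   // any other site: drop
  if (popup && event.source !== popup) return null;   // any other window: drop
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  if (data.type !== MESSAGE_TYPE) return null;
  if (typeof data.token !== "string" || data.token.length === 0) return null;
  if (typeof data.gameId !== "string") return null;
  return { gameId: data.gameId, token: data.token };
}

// Popup side (CAE "Select a game to use" view). After the user picks a game,
// hand its token to the opener with an explicit targetOrigin so the browser
// refuses delivery if the opener has navigated elsewhere in the meantime.
function sendToOpener(openerWindow, gameId, token, openerOrigin = CREATOR_ORIGIN) {
  openerWindow.postMessage({ type: MESSAGE_TYPE, gameId, token }, openerOrigin);
}

// Browser wiring for the cah-creator side; only meaningful where `window` exists.
// `onToken` receives { gameId, token } and would forward it over the WebSocket
// to the cah-creator server, which then talks to CAE.
function wireCreatorSide(onToken) {
  const popup = window.open(`${CAE_ORIGIN}/games/select`, "cae-select-game"); // assumed path
  window.addEventListener("message", (event) => {
    const auth = acceptAuthorizationMessage(event, popup);
    if (auth) onToken(auth);
  });
  return popup;
}

// Browser wiring for the CAE popup side, called once the user has chosen a game.
function wirePopupSide(gameId, token) {
  if (window.opener) sendToOpener(window.opener, gameId, token);
}
```

The opener-side check on `event.source` matters as much as the one on `event.origin`: a different CAE tab or frame could also post a message with the right origin, and binding the handler to the popup handle keeps the token tied to the window the user actually interacted with.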