Open EngineerRunner opened 1 year ago
I think that Scratch Auth is the obvious choice. The `user_data` array is for testing; we could use SQLite or MySQL when we get Snazzle into production.
but, even with ScratchAuth, we can't do social actions on behalf of the user like posting on the forums. that's what I meant.
Oh, yeah, that's a problem. Hm...
For now, since servers are all locally hosted, it should be fine if someone put in their password and username like normal. That will become a problem once there are public servers though.
What about summoning a Scratch login pop-up, and when the user logs in, extracting the sessionId cookie?
That sounds a little shady. I don't want to do that.
Yeah, I don't know what I was thinking.
not feasible
REOPEN DESCRIPTION (ISSUE IMPORTANT)
We can have the user enter their password and then authorise it by randomly generating a 256-bit random hash which they type into their profile's comments. Else, they can type it into a cloud project which gets accessed by Snazzle to verify and let through the user. The user's password can then be stored to allow future login.
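As an added example (not code from this thread or from Snazzle), here is how the challenge-comment verification proposed above could be implemented on the Snazzle side in Python, the language the backend is written in. It issues a random 256-bit challenge, expires it after a fixed window, accepts it only from a comment authored by the claimed user, and consumes it after one successful use. Fetching the profile comments from Scratch is left to the caller; the `ChallengeStore` class, the `(author, text)` comment shape and the `demo` data are all assumptions made for this example, and no Scratch password is handled at any point.

```python
"""Challenge-comment verification of a Scratch account.

Added example, not Snazzle's code. The flow it implements is the one proposed
above: Snazzle issues a random 256-bit challenge, the user posts it as a comment
on their own Scratch profile, and Snazzle checks that a comment authored by that
user contains exactly that challenge. No Scratch password is involved.
Fetching profile comments is left to the caller (in real use that would be a
request to Scratch); here the comments are passed in as (author, text) pairs,
and the demo at the bottom uses constructed data so the file runs offline.
"""
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 10 * 60  # a challenge expires after ten minutes


class ChallengeStore:
    """Keeps at most one pending challenge per username (assumed in-memory store)."""

    def __init__(self):
        self._pending = {}  # username -> (challenge, issued_at)

    def issue(self, username, now=None):
        """Create a fresh challenge for username and return it (hex, 64 chars)."""
        challenge = secrets.token_hex(32)  # 32 random bytes = 256 bits
        issued_at = time.time() if now is None else now
        self._pending[username] = (challenge, issued_at)
        return challenge

    def verify(self, username, comments, now=None):
        """Return True if a comment *by username* equals the pending challenge.

        comments: iterable of (author, text). The challenge is consumed on
        success or expiry; on a plain miss it stays pending so the user can
        post the comment and retry.
        """
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        challenge, issued_at = entry
        if now - issued_at > CHALLENGE_TTL_SECONDS:
            del self._pending[username]
            return False
        for author, text in comments:
            if author != username:
                continue  # anyone can comment on a profile; only the owner's posts count
            # constant-time comparison on bytes so non-ASCII comment text cannot raise
            if hmac.compare_digest(text.strip().encode("utf-8"), challenge.encode("ascii")):
                del self._pending[username]  # single use
                return True
        return False


def demo():
    """Walk through issue -> post -> verify with constructed comments."""
    store = ChallengeStore()
    challenge = store.issue("alice", now=1000.0)
    # constructed profile comments: a bystander, an impostor posting an old string,
    # and alice posting the challenge with some surrounding whitespace
    comments = [
        ("bob", "nice projects!"),
        ("mallory", "snazzle-verify: 0000"),
        ("alice", "  " + challenge + "\n"),
    ]
    first = store.verify("alice", comments, now=1100.0)
    second = store.verify("alice", comments, now=1100.0)  # already consumed
    return first, second


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The comparison is strict on purpose: the stripped comment text must equal the challenge, so a challenge pasted into a longer sentence is rejected and a user who has not posted yet simply gets `False` and keeps the same pending challenge until it expires.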
How does that give the user the "WeWontStealYourPassword™" feeling?
Uhhhh maybe not enter your scratch password?
just give a random string of letters that they should comment, or just use Scratch Auth (yes this is kind of a dumb idea but at least you're not asking for the users' password of all things)
entering your password is something that barely anyone would be insane enough to trust EDIT: from bottom to top forget I said this
why would we need to verify it..? i'm assuming you haven't read this issue, since it is about being able to authenticate with the APIs. you'd need to enter your password for that, which is why a public instance is an inherently flawed idea if we want social actions (without the possible extension i mentioned, but that would get us a swift ban from being mentionable on scratch).
the api doesn't have anything to check passwords, BUT we could make it so that once you enter the password, it will log you out currently, log you in again on scratch if the password is correct and also log you in on snazzle? or you could just, ya know, make an auth of our own with some auth method
IDEA:
We check the IP Address of a computer and match that to the IP of a Scratch Account
Uhm, there's no way of logging out with the API on specific locations, and the idea of this is to be able to perform social actions from Snazzle, and that forcefully requires you entering your password.
There's no way of doing that since Scratch doesn't store IPs. Also, this could be risky since IPs are not unique identifiers.
@NotFenixio new ideas
IDEA 2:
We send an email to their email address to verify the login. (Permanent login until logout)
IDEA 3:
We send a code to their email and let that IP be logged-in for 6 months.
How do we get the user's email address? Also I think you keep misunderstanding. Yes, there are many ways of verifying the user's identity, like Scratch Auth/OAuth, the ways you said, and others, but what we need is a way to log in to the user's account in order to perform social actions like commenting, posting, sharing projects, etc. That isn't possible without getting the password.
OHH I was misunderstanding. I mean are Scratch social actions session-based? So we could get the session ID and then use the ID to perform social actions. Or, a proxy by using the password to login and then something??? I'm all out of ideas.
I'm posting a thread in the AT's for this (using API to perform social actions)
Yep lol
Also, if anyone asks why I reopened this, well, authentication is an important thing alright.
UPDATE: AHypnoman on scratch has given some Node.js code to perform social actions.
First, what Scratch T&C's say about these bots:
The code by AHypnoman on scratch is available on https://scratch.mit.edu/discuss/topic/751964/?page=1#post-7899193 and below
The best way to do this is with someone else's library (like mine - shameless plug). If you don't want to use someone else's you'll need to do this. You'll need to get a CSRF token, session ID token and server X-token. You can get your CSRF and sessionid tokens by looking at your Scratch cookies (find scratchcsrftoken and scratchsessionid cookies) (Note that the quotes in scratchsessionid are important and not to be ignored). To get your X-token you'll need to query the Scratch /session API using code similar to this:
```javascript
// in JS, Node (fetch is built in from Node 18; on older Node use node-fetch).
// csrfToken and sessionId hold the values of your scratchcsrftoken and
// scratchsessionsid cookies. The X-token header that the original sent on this
// request has been dropped: the token is what this call returns, so it does not
// exist yet and the variable was undefined at that point.
fetch("https://scratch.mit.edu/session/", {
  "credentials": "include",
  "headers": {
    "X-Requested-With": "XMLHttpRequest",
    "Cookie": "scratchcsrftoken=" + csrfToken + ";scratchsessionsid=" + sessionId + ";"
  },
  "method": "POST",
  "mode": "cors"
}).then(res => res.json()).then(response => {
  const xToken = response.user.token // This is your token! ^^
})
```
Now you can query/post to almost all endpoints of the Scratch API using this code (you may need to change the “method”, “body”, and the URL argument):
```javascript
// in JS, Node. xToken is the token returned by the /session/ request above;
// projectId and username identify the project and the logged-in user.
fetch("https://api.scratch.mit.edu/proxy/projects/" + projectId + "/loves/user/" + username, {
  "credentials": "include",
  "headers": {
    "X-Requested-With": "XMLHttpRequest",
    "X-Token": xToken,
    "X-csrftoken": csrfToken,
    "Cookie": "scratchcsrftoken=" + csrfToken + ";scratchsessionsid=" + sessionId + ";"
  },
  "method": "GET",
  "mode": "cors"
})
```
Also, can we invite @ahypnoman to join authentication of this?
Oh sure, I'll invite him
or them, I don't know
Great!
It's a he.
GUYS I just realized the fact that we could have just used scratchattach...
scratchattach allows you to log in, follow, unfollow, comment, see comments, set bio everything
edit: it's in python soooooo I don't understand it, so python anybody?
Do you have any existing auth code?
If so, link it and I'll see what I can do.
If not, you can generate a login token through https://scratch.mit.edu/accounts/login, although this would only be possible and secure if you're running Snazzle with a localhost server as you'll need to spoof the `referer` header, which can't be done through the browser as web pages aren't able to modify `referer`. You could proxy the login request through a server, although that comes with a huge security burden (not to mention you'd need a server) - don't use this method, it's not a good idea.
If you don't want username and password inputs you would need the user to provide their `scratchsessionid` cookie. You could simply ask them to copy it from the dev tools, or you could provide some sort of mini browser extension which would get the cookie from Scratch and copy it to Snazzle automatically, although it'd be hard to get people to download an extension just for that.
I ran some tests with bookmarklets and unfortunately they don't work as `scratchsessionid` is set to `HttpOnly`.
If by auth code you mean using Scratch Auth with a handler...
I meant authentication for Scratch - Scratch Auth won't let you perform social actions on Scratch, just verify that you are who you say you are.
Yeah I know, that's the only code related to something with authentication/verification of identity. It doesn't really have a point either since it just logs you but it doesn't allow you to perform any other actions.
Should we just use scratchattach for now? then we can make our own in js or something
If you want one in JS, you could use mine or god286's, although given Snazzle has a Python backend it's likely better to use ScratchClient (or scratchAttach).
i wanted js but since snazzle is currently being developed with python, let's go with scratchclient/scratchattach
I think we'll keep Snazzle written in Python. If it ain't broke, don't fix it. (Although there are a ton of things wrong with Snazzle's codebase lol)
We could definitely use a library, it's probably better and would save development time over making our own lib lol. I think we should use scratchattach since scratchconnect hasn't made a new release in a while (>2y!)
So, the current winner is scratchattach.
am i the only one active on snazzle?
UPDATE: ScratchCommunications by TheCommCraft allows you to log in using username and password or using session id and username, and is encrypted and in python
i've renamed this back since the original question in OP still hasn't been answered. so we can use the scratch APIs, do we:
- create some kind of browser extension that has access to snazzle and scratch and uses your stored sessionid to carry out requests (since its an extension, this would get us banned from scratch too)
I had a neat idea for this. Maybe it could be integrated with Scratch Addons, so if you use Scratch Addons, it could use your session ID from that to log you in? I wonder if mentioning Scratch Addons in Snazzle would get us banned from Scratch, however. (Not in the Scratch forum post, I mean in Snazzle itself.)
nahh, we let them login with their password and get banned from scratch
Idea! (inspired by @EngineerRunner )
Create a browser extension which is available on the Chrome Web Store called Snazzle Log-In, which accesses a session-id from Scratch continuously. This session-id is then sent to Snazzle's webapp or whatever platform app at this point and gets a log in, WITHOUT HAVING TO TYPE IN ANYTHING!!
would get us instantly banned from being mentioned on scratch
rip. We could try and make a login-password type thing and get Scratch's Stamp of Safety™ on it.
that will never happen for multiple reasons
We could always try? There is a chance if ST's mood is good and other stuff?
- the st doesn’t like bots doing social actions, this would make it much easier for that to happen. They also don’t like interaction with the servers that isn’t from an official client.
- Letting people advertise a service that asks for your scratch password would lead to impersonation and other scams to get peoples passwords
- They can’t trust anyone else with the passwords
- Given the outright ban on extensions/userscripts and refusal to make exceptions they probably won’t make exceptions for any other rules
Asking for the session token isn’t as bad as a password but it still has most of the same problems
We could, as mentioned, somehow integrate this with Scratch Addons, that's already banned from Scratch, and we could just not mention how we implemented login when posting about it on the Scratch website :P
if we want to add uploading, leaving comments, changing profile picture, we need to be able to log somebody into scratch's api. but how will that integration work? we'd have to: