how are we gonna handle authentication?

[EngineerRunner]

if we want to add uploading, leaving comments, changing profile picture, we need to be able to log somebody into scratch's api. but how will that integration work? we'd have to:

• assume it is always running locally and have the user input their username and password
• go along with the massive security holes (and ban from scratch) by having it hosted publicly and asking for scratch logins
• use a browser extension that the website communicates with to do the actions?
• or just not have any of that functionallity at all.

[redstone-dev]

I think that Scratch Auth is the obvious choice. The user_data array is for testing, we could use SQLite or MySQL when we get Snazzle into production.

[EngineerRunner]

but, even with ScratchAuth, we can't do social actions on behalf of the user like posting on the forums. that's what I meant.

[redstone-dev]

Oh, yeah, that's a problem. Hm...

[Darth-Ness]

For now, since servers are all locally hosted, it should be fine if someone put in there password and username like normal. That will become a problem once there's public server's though.

[NotFenixio]

What about summoning a Scratch login pop-up, and when the user logs in, extracting the sessionId cookie?

[redstone-dev]

That sounds a little shady. I don't want to do that.

[NotFenixio]

That sounds a little shady. I don't want to do that.

Yeah, I don't know what I was thinking.

[redstone-dev]

not feasible

[dynamixbot]

REOPEN DESCRIPTION (ISSUE IMPORTANT)

We can have the user enter their password and then authorise it by randomly generating a 256-bit random hash which they type into their profile's comments. Else, they can type it into a cloud project which gets accessed by Snazzle to verify and let through the user. The user's password can then be stored to allow future login.

[NotFenixio]

How does that give the user the "WeWontStealYourPassword™" feeling?

[dynamixbot]

How does that give the user the "WeWontStealYourPassword™" feeling?

Uhhhh maybe not enter your scratch password?

[ghost]

REOPEN DESCRIPTION (ISSUE IMPORTANT)

We can have the user enter their password and then authorise it by randomly generating a 256-bit random hash which they type into their profile's comments. Else, they can type it into a cloud project which gets accessed by Snazzle to verify and let through the user. The user's password can then be stored to allow future login.

just give a random string of letters that they should comment, or just use Scratch Auth (yes this is kind of a dumb idea but atleast youre not asking for the users' password of all things)

entering your password is something that barely anyone would be insane enough to trust EDIT: from bottom to top forget i said this

[EngineerRunner]

REOPEN DESCRIPTION (ISSUE IMPORTANT)

We can have the user enter their password and then authorise it by randomly generating a 256-bit random hash which they type into their profile's comments. Else, they can type it into a cloud project which gets accessed by Snazzle to verify and let through the user. The user's password can then be stored to allow future login.

why would we need to verify it..? i'm assuming you havent read this issue, since it is about being able to authenticate with the APIs. you'd need to enter your password for that, which is why a public instance is an inherently flawed idea if we want social actions (without the possible extension i mentioned, but that would get us a swift ban from being mentionable on scratch).

[dynamixbot]

REOPEN DESCRIPTION (ISSUE IMPORTANT) We can have the user enter their password and then authorise it by randomly generating a 256-bit random hash which they type into their profile's comments. Else, they can type it into a cloud project which gets accessed by Snazzle to verify and let through the user. The user's password can then be stored to allow future login.

why would we need to verify it..? i'm assuming you havent read this issue, since it is about being able to authenticate with the APIs. you'd need to enter your password for that, which is why a public instance is an inherently flawed idea if we want social actions (without the possible extension i mentioned, but that would get us a swift ban from being mentionable on scratch).

the api doesn't have anything to check passwords, BUT we could make it so that once you enter the password, it will log you out currently, log you in again on scratch if password is correct and also log you in on snazzle? or you could just, ya know make a auth of our own with some auth method

[dynamixbot]

IDEA:

We check the IP Address of a computer and match that to the IP of a Scratch Account

[NotFenixio]

the api doesn't have anything to check passwords, BUT we could make it so that once you enter the password, it will log you out currently, log you in again on scratch if password is correct and also log you in on snazzle? or you could just, ya know make a auth of our own with some auth method

Uhm, there's no way of logging out with the API on specific locations, and the idea of this is to be able to perform social actions from Snazzle, and that forcefully requires you entering your password.

IDEA:

We check the IP Address of a computer and match that to the IP of a Scratch Account

There's no way of doing that since Scratch doesn't store IPs. Also, this could be risky since IPs are not unique identifiers.

[dynamixbot]

@NotFenixio new ideas

IDEA 2:

We send an email to their email address to verify the login. (Permanent login until logout)

IDEA 3:

We send a code to their email and let that IP be logged-in for 6 months.

[NotFenixio]

@NotFenixio new ideas

How do we get the user's email address? Also I think you keep misunderstanding. Yes, there are many ways of verifying the user's identity, like Scratch Auth/Oauth, the ways you said, and others, but what we need is a way to log in into the user's account in order to perform social actions like commenting, posting, sharing projects, etc. That isn't possible without getting the password.

[dynamixbot]

@NotFenixio new ideas

How do we get the user's email address? Also I think you keep misunderstanding. Yes, there are many ways of verifying the user's identity, like Scratch Auth/Oauth, the ways you said, and others, but what we need is a way to log in into the user's account in order to perform social actions like commenting, posting, sharing projects, etc. That isn't possible without getting the password.

OHH I was misunderstanding. I mean are Scratch social actions session-based? So we could get the session ID and then use the ID to perform social actions. Or, a proxy by using the password to login and then something??? I'm all out of ideas.

I'm posting a thread in the AT's for this (using API to perform social actions)

[NotFenixio]

OHH I was misunderstanding. I mean are Scratch social actions session-based? So we could get the session ID and then use the ID to perform social actions. Or, a proxy by using the password to login and then something??? I'm all out of ideas.

Yep lol

[dynamixbot]

Also, if anyone asks why did i reopen this, well authentication is an important thing alright.

[dynamixbot]

UPDATE: AHypnoman on scratch has given some Node.js code to perform social actions.

First, what Scratch T&C's say about these bots:

• These proxy bots cannot be purely controlled by AI or can't be modified into bots to perform social actions for malicious use.
• These proxy bots should not cause disturbance to normal Scratch users and spam to slow down servers or cause damage to servers.
• These proxy bots are not allowed to like, love, follow, comment or post without authorization from user
• And of course, any vulgar, discriminatory or sexual content cannot be posted by the bot and the bot can't be AI/sentient so moderation++

The code by AHypnoman on scratch is available on https://scratch.mit.edu/discuss/topic/751964/?page=1#post-7899193 and below

The best way to do this is with someone else's library (like mine - shameless plug). If you don't want to use someone else's you'll need to do this. You'll need to get a CSRF token, session ID token and server X-token. You can get your CSRF and sessionid tokens by looking at your Scratch cookies (find scratchcsrftoken and scratchsessionid cookies) (Note that the quotes in scratchsessionid are important and not to be ignored). To get your X-token you'll need to query the Scratch /session API using code similar to this:

//in JS, Node
fetch("https://scratch.mit.edu/session/", {
"credentials": "include",
"headers": {
"X-Requested-With": "XMLHttpRequest",
"X-token": xToken,
"Cookie": "scratchcsrftoken=" + csrfToken + ";scratchsessionsid=" + sessionId + ";"
},
"method": "POST",
"mode": "cors"
}).then(res=>res.json().then(response=>{
const xToken = response.user.token
//This is your token! ^^
}))

Now you can query/post to almost all endpoints of the Scratch API using this code (you may need to change the “method”, “body”, and the URL arguement):

//in JS, Node
fetch("https://api.scratch.mit.edu/proxy/projects/" + projectId + "/loves/user/" + username, {
"credentials": "include",
"headers": {
"X-Requested-With": "XMLHttpRequest",
"X-Token": xToken,
"X-csrftoken": csrfToken,
"Cookie": "scratchcsrftoken=" + csrfToken + ";scratchsessionsid=" + sessionId + ";"
},
"method": "GET",
"mode": "cors"
})

[dynamixbot]

Also, can we invite @ahypnoman to join authentication of this?

[NotFenixio]

Oh sure, I'll invite him

[NotFenixio]

or them, I don't know

[dynamixbot]

Oh sure, I'll invite him

Great!

or them, I don't know

It's a he.

[dynamixbot]

GUYS I just realized the fact that we could have just used scratchattach...

scratchattach allows you to log in, follow, unfollow, comment, see comments, set bio everything

edit: its in python soooooo i dont understand it so python anybody?

[ahypnoman]

Do you have any existing auth code?

If so, link it and I'll see what I can do.

If not, you can generate a login token through https://scratch.mit.edu/accounts/login, although this would only be possible and secure if you're running Snazzle with a localhost server as you'll need to spoof the "referer" header, which can't be done through the browser as web pages aren't able to modify "referer". You could proxy the login request through a server, although that comes with a huge security burden (not to mention you'd need a server) - don't use this method, it's not a good idea.

If you don't want username and password inputs you would need the user to provide their scratchsessionid cookie. You could simply ask them to copy it from the dev tools, or you could provide some sort of mini browser extension which would get the cookie from Scratch and copy it to Snazzle automatically, although it'd be hard to get people to download an extension just for that.

I ran some tests with bookmarklets and unfortunately they don't work as scratchsessionid is set to HttpOnly.

[NotFenixio]

If by auth code you mean using Scratch Auth with a handler...

[ahypnoman]

I meant authentication for Scratch - Scratch Auth won't let you perform social actions on Scratch, just verify that you are who you say you are.

[NotFenixio]

I meant authentication for Scratch - Scratch Auth won't let you perform social actions on Scratch, just verify that you are who you say you are.

Yeah I know, that's the only code related to something with authentication/verification of identity. It doesn't really have a point either since it just logs you but it doesn't allow you to perform any other actions.

[dynamixbot]

Should we just use scratchattach for now? then we can make our own in js or something

[ahypnoman]

If you want one in JS, you could use mine or god286's, although given Snazzle has a Python backend it's likely better to use ScratchClient (or scratchAttach).

[dynamixbot]

If you want one in JS, you could use mine or god286's, although given Snazzle has a Python backend it's likely better to use ScratchClient (or scratchAttach).

i wanted js but since snazzle is currently being developed with python, let's go with scratchclient/scratchattach

[redstone-dev]

I think we'll keep Snazzle written in Python. If it ain't broke, don't fix it. (Although there are a ton of things wrong with Snazzle's codebase lol)

We could definitely use a library, it's probably better and would save development time over making our own lib lol. I think we should use scratchattach since scratchconnect hasn't made a new release in a while (>2y!)

[dynamixbot]

I think we'll keep Snazzle written in Python. If it ain't broke, don't fix it. (Although there are a ton of things wrong with Snazzle's codebase lol)

We could definitely use a library, it's probably better and would save development time over making our own lib lol. I think we should use scratchattach since scratchconnect hasn't made a new release in a while (>2y!)

So, the current winner is scratchattach.

[dynamixbot]

am i the only one active on snazzle?

[dynamixbot]

UPDATE: ScratchCommunications by TheCommCraft allows you to login using username and passowrd or using session id and username and is encrypted and in python

[EngineerRunner]

i've renamed this back since the original question in OP still hasn't been answered. so we can use the scratch APIs, do we:

• assume that Snazzle is always running on a user's local system, so they enter their password in the server code.
• go along with the massive security holes (and inevitable ban from scratch) by having a public instance where users enter their passwords, to be sent to the snazzle server
• do all the API interactions client-side
• create some kind of browser extension that has access to snazzle and scratch and uses your stored sessionid to carry out requests (since its an extension, this would get us banned from scratch too)
• or not have any other functionality and have it be a viewer akin to Ocular

[redstone-dev]

• create some kind of browser extension that has access to snazzle and scratch and uses your stored sessionid to carry out requests (since its an extension, this would get us banned from scratch too)

I had a neat idea for this. Maybe it could be integrated with Scratch Addons, so if you use Scratch Addons, it could use your session ID from that to log you in? I wonder if mentioning Scratch Addons in Snazzle would get us banned from Scratch, however. (Not in the Scratch forum post, I mean in Snazzle itself.)

[dynamixbot]

• create some kind of browser extension that has access to snazzle and scratch and uses your stored sessionid to carry out requests (since its an extension, this would get us banned from scratch too)

I had a neat idea for this. Maybe it could be integrated with Scratch Addons, so if you use Scratch Addons, it could use your session ID from that to log you in? I wonder if mentioning Scratch Addons in Snazzle would get us banned from Scratch, however. (Not in the Scratch forum post, I mean in Snazzle itself.)

nahh, we let them login with their password and get banned from scratch

[dynamixbot]

Idea! (inspired by @EngineerRunner )

Create a browser extension which is available on the Chrome Web Store called Snazzle Log-In, which accesses a session-id from Scratch continuously. This session-id is then sent to Snazzle's webapp or whatever platform app at this point and gets a log in, WITHOUT HAVING TO TYPE IN ANYTHING!!

[EngineerRunner]

Idea! (inspired by @EngineerRunner )

Create a browser extension which is available on the Chrome Web Store called Snazzle Log-In, which accesses a session-id from Scratch continuously. This session-id is then sent to Snazzle's webapp or whatever platform app at this point and gets a log in, WITHOUT HAVING TO TYPE IN ANYTHING!!

would get us instantly banned from being mentioned on scratch

[dynamixbot]

Idea! (inspired by @EngineerRunner ) Create a browser extension which is available on the Chrome Web Store called Snazzle Log-In, which accesses a session-id from Scratch continuously. This session-id is then sent to Snazzle's webapp or whatever platform app at this point and gets a log in, WITHOUT HAVING TO TYPE IN ANYTHING!!

would get us instantly banned from being mentioned on scratch

rip. We could try and make a login-password type thing and get Scratch's Stamp of Safety™ on it.

[davidtheplatform]

Idea! (inspired by @EngineerRunner ) Create a browser extension which is available on the Chrome Web Store called Snazzle Log-In, which accesses a session-id from Scratch continuously. This session-id is then sent to Snazzle's webapp or whatever platform app at this point and gets a log in, WITHOUT HAVING TO TYPE IN ANYTHING!!

would get us instantly banned from being mentioned on scratch

rip. We could try and make a login-password type thing and get Scratch's Stamp of Safety™ on it.

that will never happen for multiple reasons

[dynamixbot]

Idea! (inspired by @EngineerRunner ) Create a browser extension which is available on the Chrome Web Store called Snazzle Log-In, which accesses a session-id from Scratch continuously. This session-id is then sent to Snazzle's webapp or whatever platform app at this point and gets a log in, WITHOUT HAVING TO TYPE IN ANYTHING!!

would get us instantly banned from being mentioned on scratch

rip. We could try and make a login-password type thing and get Scratch's Stamp of Safety™ on it.

that will never happen for multiple reasons

We could always try? There is a chance if ST's mood is good and other stuff?

[davidtheplatform]

Idea! (inspired by @EngineerRunner ) Create a browser extension which is available on the Chrome Web Store called Snazzle Log-In, which accesses a session-id from Scratch continuously. This session-id is then sent to Snazzle's webapp or whatever platform app at this point and gets a log in, WITHOUT HAVING TO TYPE IN ANYTHING!!

would get us instantly banned from being mentioned on scratch

rip. We could try and make a login-password type thing and get Scratch's Stamp of Safety™ on it.

that will never happen for multiple reasons

We could always try? There is a chance if ST's mood is good and other stuff?

• the st doesn’t like bots doing social actions, tis would make it much easier for that to happen. They also don’t like interaction with the servers that aren’t from an official client.
• Letting people advertise a service that asks for your scratch password would lead to impersonation and other scams to get peoples passwords
• They can’t trust anyone else with the passwords
• Given the outright ban on extensions/userscripts and refusal to make exceptions they probably won’t make exceptions for any other rules

[dynamixbot]

Idea! (inspired by @EngineerRunner ) Create a browser extension which is available on the Chrome Web Store called Snazzle Log-In, which accesses a session-id from Scratch continuously. This session-id is then sent to Snazzle's webapp or whatever platform app at this point and gets a log in, WITHOUT HAVING TO TYPE IN ANYTHING!!

would get us instantly banned from being mentioned on scratch

rip. We could try and make a login-password type thing and get Scratch's Stamp of Safety™ on it.

that will never happen for multiple reasons

We could always try? There is a chance if ST's mood is good and other stuff?

• the st doesn’t like bots doing social actions, tis would make it much easier for that to happen. They also don’t like interaction with the servers that aren’t from an official client.
• Letting people advertise a service that asks for your scratch password would lead to impersonation and other scams to get peoples passwords
• They can’t trust anyone else with the passwords
• Given the outright ban on extensions/userscripts and refusal to make exceptions they probably won’t make exceptions for any other rules

1. okay, that is an issue for us
2. i mean like, we aren't storing the passwords ourselves. we're just getting session-id's so that we can log a user in, and this would be sso.
3. again, not storing nobody's passwords
4. okay, second issue for us again.

[davidtheplatform]

Asking for the session token isn’t as bad as a password but it still has most of the same problems

[redstone-dev]

Asking for the session token isn’t as bad as a password but it still has most of the same problems

We could, as mentioned, somehow integrate this with Scratch Addons, that's already banned from Scratch, and we could just not mention how we implemented login when posting about it on the Scratch website :P