TranxCraft / iTranxCraft

The Rewrite Of TranxCraft - a custom plugin that does many wonderful things.

Web API #42

Open Fyrsta opened 9 years ago

Fyrsta commented 9 years ago

For some information, like online players and whatnot, it's better to get the information from the server than to rely on a database.

I think using NanoHTTPD would be the best option for implementing this; it'll provide a web server which we can easily extend with modules, much like the system we've got here.

JSON would be the best way to output the data, making appropriate use of arrays and whatnot to display the information in the best way possible.

The ability to extend on this feature externally like the module system here would be good, but it's not a requirement. The same goes for SSL.

For information that only authenticated people should access, I'm thinking about utilising an API key system for this, but I'll let @Kent55 decide on the most secure and optimal way of working with this since he's the most knowledgeable.

Kent55 commented 9 years ago

I agree that an API key would be the best option in this case. We just need to make sure we properly validate the origin of the request, which to be honest should be done already with the built-in CSRF protection.

Wild1145 commented 9 years ago

If it's an API, providing you have no intentions for you to be able to control the server in any way, surely there is no reason to restrict the data access? Everything stored would be in the public domain anyway, and I don't think you really need to keep secret how many blocks have been mined :P

Fyrsta commented 9 years ago

@Wild1145 This could contain more sensitive information like server load and information. Not strictly needed to be private but worthwhile either way. The statistics are stored in a database, which this API will have no access to. That's up to Matt if there's a public facing API for that.

This is more for displaying on the website, control panels, etc.

Also, there will most likely be a way that the client can interface with the server. It'll be handy for the control panels to do server stuff without using somewhat hacky solutions.

Wild1145 commented 9 years ago

@WickedGamingUK Stuff like server load and similar really makes no difference to be public or otherwise. I may be misunderstanding this issue, but is this not for the MC server itself, in which case again any information about it may as well be publicly accessible anyway.

Fyrsta commented 9 years ago

@Wild1145 Yeah, I guess. For receiving data anyone can do it (perhaps with a throttle for non-authorised users) and only authorised people can send data (as in, do stuff on the server).

Fyrsta commented 9 years ago

Upon further research, I think that using RESTlet would be a good way to implement this feature.
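
The access policy the thread converges on (anyone may read, reads without a key are throttled, only key holders may send data), sketched as an added example that is not code from this project or from any commenter. The class name, the limit of 3 reads per minute, the sample key and the client address are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical policy class; a web layer would map the decisions to 200/401/429.
public class ApiAccessPolicy {
    public enum Decision { ALLOW, UNAUTHORIZED, THROTTLED }

    private static final int ANON_LIMIT = 3;      // assumed: anonymous reads per window
    private static final long WINDOW_MS = 60_000; // assumed: one-minute fixed window
    private final byte[] keyHash;                 // only a hash of the key is kept in memory
    // client address -> {window start, request count}; a real server would also evict old entries
    private final Map<String, long[]> windows = new ConcurrentHashMap<>();

    public ApiAccessPolicy(String apiKey) { this.keyHash = sha256(apiKey); }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Hash the presented key so both inputs have equal length, then compare in constant time.
    private boolean validKey(String presented) {
        return presented != null && MessageDigest.isEqual(keyHash, sha256(presented));
    }

    public Decision check(String method, String clientIp, String presentedKey, long nowMs) {
        if (validKey(presentedKey)) return Decision.ALLOW;       // key holders: no throttle
        if (!"GET".equals(method)) return Decision.UNAUTHORIZED; // sending data needs a key
        long[] w = windows.compute(clientIp, (ip, cur) ->
            (cur == null || nowMs - cur[0] >= WINDOW_MS) ? new long[]{nowMs, 1}
                                                          : new long[]{cur[0], cur[1] + 1});
        return w[1] <= ANON_LIMIT ? Decision.ALLOW : Decision.THROTTLED;
    }

    public static void main(String[] args) {
        ApiAccessPolicy p = new ApiAccessPolicy("constructed-sample-key"); // constructed value
        String ip = "203.0.113.7";                                         // documentation address
        for (int i = 1; i <= 4; i++)
            System.out.println("anon GET #" + i + ": " + p.check("GET", ip, null, 0));
        System.out.println("anon POST: " + p.check("POST", ip, null, 0));
        System.out.println("keyed POST: " + p.check("POST", ip, "constructed-sample-key", 0));
        System.out.println("anon GET, next window: " + p.check("GET", ip, null, WINDOW_MS));
    }
}
```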