loicteixeira / gj-unity-api

[MOVED] Game Jolt API wrapper for Unity.
https://github.com/InfectedBytes/gj-unity-api/
MIT License

Send username & token via POST body instead of GET query param #77

Closed loicteixeira closed 7 years ago

loicteixeira commented 7 years ago

Once #76 (enabling HTTPS) is done, it would be good to take advantage of it and hide the username and token in the POST body (and potentially all variables) instead of the GET params.

I'm unsure at this stage how the signature should be created for POST requests (the documentation mentions passing parameters in the POST body, but not how the signature is then generated). If the same mechanism were to be used, the signature would be the same for everybody because both the username and token would be removed from the URL. So any call could be replayed by another user, swapping their own credentials in the request body.

As a compromise, it might be possible to only move the token to the POST body, so the URL would be unique per user/action.
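The signature concern raised in the comment above, as an added C# example that is not part of the issue or of gj-unity-api: it compares which request variants yield a per-user signature when only the URL is signed. Assumptions: the signature is a hex MD5 over the signed string followed by the game's private key; the endpoint, key, user names and tokens are constructed placeholders; variant 4 (signing URL and body together) is hypothetical and not something the API is known to support.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; not code from gj-unity-api.
static class SignatureDemo
{
    // Assumed scheme: hex(MD5(signed string + private key)).
    static string Sign(string signedString, string privateKey)
    {
        using (var md5 = MD5.Create())
        {
            byte[] hash = md5.ComputeHash(Encoding.UTF8.GetBytes(signedString + privateKey));
            return BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
        }
    }

    static void Main()
    {
        // Constructed placeholders, not real endpoints or credentials.
        const string key = "constructed-private-key";
        const string url = "https://api.example.invalid/v1/trophies/add-achieved/?game_id=1&trophy_id=42";
        const string aliceBody = "username=alice&user_token=aaa";
        const string bobBody = "username=bob&user_token=bbb";

        // 1. Credentials in the query string: the signed URL differs per user.
        bool queryDiffers = Sign(url + "&" + aliceBody, key) != Sign(url + "&" + bobBody, key);

        // 2. Credentials only in the POST body: the signed URL is identical for every
        //    user, so one signature is valid alongside any body.
        bool bodyDiffers = Sign(url, key) != Sign(url, key);

        // 3. Compromise from the issue: username stays in the URL, token goes in the body.
        //    The signature is bound to the user but still does not cover the token.
        bool mixedDiffers = Sign(url + "&username=alice", key) != Sign(url + "&username=bob", key);

        // 4. Hypothetical variant (not documented by the API): sign URL and body together.
        bool boundDiffers = Sign(url + "\n" + aliceBody, key) != Sign(url + "\n" + bobBody, key);

        Console.WriteLine("1. query params, signatures differ per user: " + queryDiffers);
        Console.WriteLine("2. body only, signatures differ per user:    " + bodyDiffers);
        Console.WriteLine("3. username in URL, signatures differ:       " + mixedDiffers);
        Console.WriteLine("4. URL + body signed, signatures differ:     " + boundDiffers);
    }
}
```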

loicteixeira commented 7 years ago

Actually, I was tired when I wrote this issue because GET parameters aren't visible with HTTPS.