memo33 / sc4pac-tools

Package manager for SC4
https://memo33.github.io/sc4pac/
GNU General Public License v3.0

Automatically handle Simtropolis authentication #9

Open sebamarynissen opened 4 weeks ago

sebamarynissen commented 4 weeks ago

I'm not sure whether you tackled this problem already during the development of the gui, but I've wanted to share an idea that I had for handling the Simtropolis authentication in a smoother way.

My idea is to add an sc4pac login simtropolis command, which would start a server on localhost:51515 and then open a link of the type https://community.simtropolis.com/auth?return_to=http://localhost:51515/callback in the browser. This page on Simtropolis can then simply redirect to http://localhost:51515/callback?provider=simtropolis&data= where you can read in the cookie data in the route handler for /callback and then store it somewhere - preferably set it as an environment variable for the rest of the session. If other providers ever require authentication as well, it should be easy to add them too if they implement a similar redirection mechanism.

While this approach does require a little bit of programming on the ST side, it isn't much more than performing a simple http redirection if the user is logged in, which can even be achieved with <meta> tags if need be. If you're interested, I could reach out to the staff to see if we can get something like this to work.

sebamarynissen commented 4 weeks ago

Probably not a good idea though to just rawdog the cookie into the url, doesn't feel really secure. A full OAuth flow would be ideal, where the localhost/callback route has to exchange a code for the cookie, but that requires a lot more programming on the ST side. Doesn't look like this is really viable in the short term then...
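An added example of what the sc4pac side of the code-based flow suggested above could look like (this is not code from sc4pac or from this thread): it generates the state and PKCE values for the browser link and validates the redirect that lands on localhost:51515/callback before the one-time code is exchanged, so nothing secret travels in the URL. The authorize endpoint path and client id are assumed placeholders, and the code-exchange request itself is left out.

```python
import base64
import hashlib
import secrets
import urllib.parse

CALLBACK_URL = "http://localhost:51515/callback"
AUTHORIZE_URL = "https://community.simtropolis.com/oauth/authorize/"  # assumed path
CLIENT_ID = "sc4pac-CLIENT-ID-PLACEHOLDER"  # placeholder, issued by the provider

def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_login_request() -> tuple[str, str, str]:
    """Fresh CSRF state and PKCE verifier, plus the URL to open in the browser.
    Only the challenge is sent now; the verifier goes in the later code exchange."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return state, verifier, AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)

def parse_callback(request_target: str, expected_state: str) -> str:
    """Check the redirect that hits localhost:51515 and return the one-time code.
    Raises ValueError for anything that is not the redirect we asked for, so a
    stray request to the port cannot hand sc4pac a code it never requested."""
    parsed = urllib.parse.urlparse(request_target)
    if parsed.path != "/callback":
        raise ValueError("unexpected path")
    query = urllib.parse.parse_qs(parsed.query)
    if "error" in query:
        raise ValueError("authorization server reported: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch (possible forged redirect)")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code
```

The code returned by parse_callback is then POSTed together with the verifier to the provider's token endpoint, which is the step that needs support on the ST side.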

memo33 commented 4 weeks ago

Yes, following a standard OAuth flow would be ideal because that's standard. I haven't really looked much into this yet, as the current cookie method works ok-ish. I'm not sure how much work this would be on the ST end or whether we could supply much of the implementation, so getting in touch with ST staff would be good if it's clear what needs to be done.

Also, localhost is not https, which might be a problem, and the website on GH pages is static. I think that's not an issue, but I'm not certain.

memo33 commented 4 weeks ago

It looks like the ST forums software, Invision Community, does have support for OAuth at least, but I'm not sure if it's included in their plan.

Invision Community itself can now also serve as an OAuth 2.0 server so you can set up other sites to be able to facilitate logins using credentials from your community. This works in conjunction with our REST API, allowing you to make API calls as an authenticated member, which will return just the information that user has access to.

See Using Invision Community as an OAuth Server.