ppy / osu-api

Public API for accessing osu! related data.

Retrieve user by API Key #119

Open CloudMax94 opened 8 years ago

CloudMax94 commented 8 years ago

I'd like to be able to retrieve the user an API Key belongs to. Possibly even allowing API Key to be specified as user parameter for the various API requests, or have the API key owner set as default if no user is specified. This way you'd be able to easily verify a user, removing the need for custom-made verification methods such as Bancho IRC bots. Setting up an IRC bot seems a bit far-fetched and isn't really viable for applications that do not run their own account system (or any database at all for that matter) to store the verification.

One could argue that asking users to provide their own API Key is a security problem, but some applications are already doing it, such as osu!profile, and my own web application I'm working on, which runs entirely on the client-side, sending all requests directly to the osu!api, storing absolutely nothing on the server. This would be a simple solution for such applications.

peppy commented 8 years ago

Are you saying you want /api/get_current_user or /api/get_user_for_key?lookup=0000000000?

Hint: First is a possibility; second is no way in hell.

Also a better solution would be providing a proper auth endpoint.

Also please don't have users putting their API key into your website like that.

omkelderman commented 8 years ago

> Also a better solution would be providing a proper auth endpoint

aka #1 :P

CloudMax94 commented 8 years ago

Yes, /api/get_current_user.

And I do agree that a proper auth endpoint would be a better solution, but I figured that it would also be one that requires much more time and effort to implement. I looked at previous issues regarding it, which is how I reached the suggestion I presented here, as I thought it may be something that can be implemented much quicker.

I'll start looking into re-writing my application to only use my own key, although the initial idea was to avoid having to send requests and store data on my own server, which is a requirement if I am to do all requests from my own key, since I'd be caching responses on the server-side, but that's something I'll have to live with.

And I guess, if I should refrain from asking users to provide their key, having an endpoint to get the owner of the key isn't really necessary, at least not in my situation.

peppy commented 8 years ago

I'm hesitant to implement this call as it would likely be removed for security reasons once a proper authentication method was implemented, so I'll do my best to get OAuth set up instead (#1).

Does that sound fair?

CloudMax94 commented 8 years ago

That sounds great.

Good luck!