Open thehowl opened 9 years ago
Just verify via IRC :) On Jan 16, 2015 8:50 PM, "Howl" notifications@github.com wrote:
Although #1 https://github.com/peppy/osu-api/issues/1 already exists, that will take some time. An easier way to make something like that, to make sure that the user who is actually signing up on a website really is his, would be using a "verification code". Let's make an example:
- third party website gives the user a verification code.
- user goes to the osu.ppy.sh settings, where there is a field where to paste the verification code
- user goes back on the third party website.
- the website checks the API of that user. The attribute of the dictionary with the user data has the "verification code" key. The website checks that key, and makes sure it's the same as the provided one
- now the website knows that the user really is who he says he is.
This is already a thing... or kind of. Not officially. Some applications use file_get_contents to the user's profile to check the identity across the user's location, and that's clearly an unsupported dirty way. While there's not an oauth API, this should make it somehow easier.
— Reply to this email directly or view it on GitHub https://github.com/peppy/osu-api/issues/85.
That would require:
And sincerely, I don't want to build all this on my side while it could require minimal changes on the other side.
You don't have to send them the code. Have them send the code to Tillerino ingame. Set up a receiver in Tillerinobot, which calls a URL on your site with the user name and code and verify that bot.tillerino.org resolves to the calling IP address.
I don't think that we should push for a half-assed solution if we're ultimately looking at OAuth.
On Sat, Jan 17, 2015 at 2:28 PM, Howl notifications@github.com wrote:
That would require:
- An IRC socket (if you're using a programming language such as php that might not be too easy)
- The user to be online
- Eventually send the messages every 5 minutes while the user hasn't yet confirmed his account.
And sincerely, I don't want to build all this on my side while it could require minimal changes on the other side.
On a test app I made, I used the "Pass a beatmap" route. It expects the user to pass a beatmap so it gets on the recent events and use it as an account verification. The beatmap selection is up to the coder and is simple to do.
Building on the original idea: just have the user paste the code onto their user page. On Jan 18, 2015 7:40 PM, "Amadeo Cortez" notifications@github.com wrote:
On a test app I made, I used the "Pass a beatmap" route. It expects the user to pass a beatmap so it gets on the recent events and use it as an account verification. The beatmap selection is up to the coder and is simple to do.
This would block any non-supporter, though.
Oh nvm didn't know that was a supporter thing. On Jan 18, 2015 8:01 PM, "Comentarinformal" notifications@github.com wrote:
This would block any non-supporter, though.
I've seen apps that have you put the code into your "Interests" field on your profile. It's a bit hacky, but it is a solid verification if you can't go through IRC or aren't supporter.
Ultimately OAuth would be better, but I don't know if that's coming any time soon.
"Building on the original idea: just have the user paste the code onto their user page"
What if a user (like me) doesn't have a userpage?
@MillhioreF: "I've seen apps that have you put the code into your "Interests" field on your profile. It's a bit hacky, but it is a solid verification if you can't go through IRC or aren't supporter."
I've even mentioned it in the OP. That is indeed a solution, but let's suppose an application gets a lot of traffic, and so it needs to check a lot of profiles to verify the users. Now, the problem is that the osu! website uses Cloudflare. As such, with a lot of requests that aren't to the API (I guess there's a Cloudflare rule set for /api/* or something), Cloudflare could get suspicious and guess that it's a threat. As such, it would break it.
@marcostudios: they've already said it's not a solution because non-supporters don't have it :P
@Repflez: "On a test app I made, I used the "Pass a beatmap" route. It expects the user to pass a beatmap so it gets on the recent events and use it as an account verification. The beatmap selection is up to the coder and is simple to do."
Never thought about it. Nice! That might be a solution.
I am using the 'Location' field for this. A test I made: http://a.wa.vg/
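The verification-code flow discussed in this thread, sketched from the third-party site's side as an added example (not code from osu-api or from any poster). The `verification_code` key, the `PendingVerifications` class and the 15-minute lifetime are assumptions. Because the pasted code is publicly readable on the profile, it is bound to the signup session that requested it and accepted only once.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 15 * 60  # assumed policy: a pending code is valid for 15 minutes


class PendingVerifications:
    """Server-side record of issued codes, keyed by the signup session."""

    def __init__(self, clock=time.time):
        self._pending = {}  # session_id -> (username, sha256(code), expires_at)
        self._clock = clock

    def issue(self, session_id, username):
        # 128 bits from the OS CSPRNG, so the code cannot be guessed or precomputed.
        code = "verify-" + secrets.token_hex(16)
        digest = hashlib.sha256(code.encode()).digest()
        expires_at = self._clock() + CODE_TTL
        self._pending[session_id] = (username.lower(), digest, expires_at)
        return code

    def check(self, session_id, profile):
        """profile: dict from the user lookup; 'verification_code' is hypothetical."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False  # no code was issued to this session
        username, digest, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[session_id]
            return False
        if (profile.get("username") or "").lower() != username:
            return False  # code was pasted on a different account
        seen = (profile.get("verification_code") or "").encode()
        if not hmac.compare_digest(hashlib.sha256(seen).digest(), digest):
            return False
        del self._pending[session_id]  # single use: a replay fails
        return True


if __name__ == "__main__":
    store = PendingVerifications()
    code = store.issue("session-1", "ExampleUser")  # constructed sample values
    fetched = {"username": "ExampleUser", "verification_code": code}
    print(store.check("session-1", fetched))  # first check succeeds
    print(store.check("session-1", fetched))  # replay is rejected
```

The same check works when the code is read from a free-text profile field instead of a dedicated key, as long as the lookup is keyed by the session that issued the code.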