ppy / osu-web

the browser-facing portion of osu!
https://osu.ppy.sh
GNU Affero General Public License v3.0
970 stars 381 forks

Missing Restricted Details on API Endpoint /api/v2/me #7526

Closed Coderbora closed 3 years ago

Coderbora commented 3 years ago

Hello.

As the title mentions, this issue is that the /api/v2/me endpoint does not show whether the user is restricted or not. Day by day, the API v2 usage is increasing, especially for tournaments with OAuth login. The issue is that restricted users can also use OAuth with their osu! account, and that leads to problems on systems which have integration with osu! OAuth login.

For instance, we are using osu! API v2 for the Turkish community in osu!, helping them link their osu! and Discord accounts to enter the community Discord server for now, and we have also planned to extend it with tournaments, news, and events sections which make everything about the community organized and easy to reach. However, we do not want restricted users to get authenticated on the system, so we need to check if they are restricted or not on callback. If we try using the /api/v2/me scope, which we already use to gather information about users, we cannot reach information about restriction detail. As a solution, we can try using the /api/v2/users/:user endpoint, but in this way we are actually sending more requests to osu! and now also need to request the public scope to use that endpoint.

Also, I am sure that tournaments will need to check if the user is restricted or not for more accurate results on registrations, and reducing the load on the screening team.

cl8n commented 3 years ago

feels like an oversight as I'm sure most people assume restricted users can't authenticate like that... if not, there should also be clear documentation in the authentication and /me sections

Coderbora commented 3 years ago

> feels like an oversight as I'm sure most people assume restricted users can't authenticate like that... if not, there should also be clear documentation in the authentication and /me sections

It was like that for me too; especially when I first saw restricted users logged in with OAuth, I was shocked. Then I searched the API v2 docs and found the is_restricted attribute on the User object with the description:

> In addition, following attributes are always included:

But I saw that's not the reality when trying to access the /api/v2/me scope, although I didn't try it on /api/v2/users/:user. Also, I found some references to the is_restricted attribute in this repository but don't think they are actually on the return side of functions.

notbakaneko commented 3 years ago

> Also, I am sure that tournaments will need to check if the user is restricted or not for more accurate results on registrations, and reducing the load on the screening team.

Keep in mind that if you need an up to date status of the user at some point in the future, you'll still need to query /api/v2/users/:user to see if the user is present or not.

Coderbora commented 3 years ago

> Also, I am sure that tournaments will need to check if the user is restricted or not for more accurate results on registrations, and reducing the load on the screening team.

> Keep in mind that if you need an up to date status of the user at some point in the future, you'll still need to query /api/v2/users/:user to see if the user is present or not.

We are running a refresh task that updates each user's details with a query on /api/v2/me every midnight to keep them up-to-date daily, so I think that should do it.
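
An added example, not code from this thread or from osu-web: a fail-closed admission check for the OAuth callback and the nightly refresh discussed above, which never treats a missing `is_restricted` field as "not restricted". `lookup_user` is a hypothetical wrapper around `GET /api/v2/users/:user` that returns `None` when the user is not found; reading "not present" as "deny" is an assumption drawn from the comment above, and the payloads are constructed samples.

```python
from typing import Callable, Optional

# Constructed sample /api/v2/me payloads (not real API output). Per the thread,
# the response may omit is_restricted entirely.
ME_WITHOUT_FLAG = {"id": 1001, "username": "example_a"}
ME_RESTRICTED = {"id": 1002, "username": "example_b", "is_restricted": True}
ME_CLEAR = {"id": 1003, "username": "example_c", "is_restricted": False}

# Hypothetical helper type: wraps GET /api/v2/users/:user, None if not found.
Lookup = Callable[[int], Optional[dict]]


def admission_decision(me: dict, lookup_user: Lookup) -> tuple[bool, str]:
    """Decide whether to complete login for the account described by `me`."""
    user_id = me.get("id")
    if not isinstance(user_id, int):
        return False, "malformed /me payload"
    flag = me.get("is_restricted")
    if flag is True:
        return False, "is_restricted is true"
    if flag is False:
        return True, "is_restricted is false"
    # Field missing or not a boolean: absence is not evidence of good standing,
    # so fall back to the public lookup and deny if that gives no clear answer.
    try:
        public = lookup_user(user_id)
    except Exception:
        return False, "lookup failed, denying by default"
    if public is None:
        return False, "user not present on public lookup"
    return True, "user present on public lookup"


def refresh(members: dict[int, dict], lookup_user: Lookup) -> list[int]:
    """Nightly re-check: return the ids whose access should be revoked."""
    revoked = []
    for uid, me in members.items():
        allowed, _reason = admission_decision(me, lookup_user)
        if not allowed:
            revoked.append(uid)
    return sorted(revoked)
```
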