satoshinm / NetCraft

Web-based fork of fogleman/Craft ⛺
https://satoshinm.github.io/NetCraft/
MIT License

Remove or replace or enhance auth implementation #143

Closed satoshinm closed 7 years ago

satoshinm commented 7 years ago

Added 3rd and 4th command-line arguments, now used for username and authentication token

Example from the web client:

http://localhost:4081/#++username+6l1211bp08opa42kci3rfkcflk

Arguments are separated by '+': the 1st is the server name (left blank to connect back to localhost), the 2nd is also left blank for the default port 4081, the 3rd is the username and the 4th the authentication token. This was generated by https://github.com/satoshinm/WebSandboxMC/pull/76


original:

Player authentication uses libcurl, which doesn't work under emscripten and I had trouble compiling on Windows with AppVeyor so it is compiled out. It only works on native, limiting its usefulness. Consider removing support, or replacing it with some kind of token-based auth working with WebSandboxMC
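The '+'-separated document.hash convention described above, as an added example that is not NetCraft's own code: it splits the fragment into its four fields, applies the defaults the comment gives (blank server means localhost, blank port means 4081), and rejects a fragment that supplies a username without a token or vice versa before anything reaches the connection code. The character classes accepted for username and token are assumptions based on the sample URL, not rules from the project.

```javascript
// Added example, not NetCraft's own code. Parses "#server+port+username+token"
// as used by the web client, with the defaults the issue comment describes.
const DEFAULT_SERVER = "localhost";
const DEFAULT_PORT = 4081;
// Assumptions: username is a short word character string, token is alphanumeric
// (the sample token is base-36 looking); the project itself may accept more.
const USERNAME_RE = /^[A-Za-z0-9_]{1,32}$/;
const TOKEN_RE = /^[0-9A-Za-z]{1,128}$/;

function parseConnectHash(hash) {
  // location.hash carries the leading '#'; strip it if present.
  const body = hash.startsWith("#") ? hash.slice(1) : hash;
  if (body === "") {
    return { server: DEFAULT_SERVER, port: DEFAULT_PORT, username: null, token: null };
  }
  const parts = body.split("+");
  if (parts.length > 4) {
    throw new Error(`expected at most 4 '+'-separated fields, got ${parts.length}`);
  }
  // Missing trailing fields default to empty strings, e.g. "#host" or "#++user+tok".
  const [serverField = "", portField = "", username = "", token = ""] = parts;

  const server = serverField === "" ? DEFAULT_SERVER : serverField;

  let port = DEFAULT_PORT;
  if (portField !== "") {
    if (!/^\d{1,5}$/.test(portField)) throw new Error(`invalid port: ${portField}`);
    port = Number(portField);
    if (port < 1 || port > 65535) throw new Error(`port out of range: ${port}`);
  }

  if (username !== "" && !USERNAME_RE.test(username)) throw new Error("invalid username");
  if (token !== "" && !TOKEN_RE.test(token)) throw new Error("invalid token");
  // A username without a token (or the reverse) is a malformed login attempt.
  if ((username === "") !== (token === "")) {
    throw new Error("username and token must be given together");
  }

  return { server, port, username: username || null, token: token || null };
}

// Stand-alone usage on the sample URL from the issue.
console.log(parseConnectHash("#++username+6l1211bp08opa42kci3rfkcflk"));
```

One property worth knowing when carrying a token this way: the URL fragment is never sent to the HTTP server (the browser keeps everything after '#' local), but it is stored in browser history and may be copied along with the link, so a token delivered in document.hash should be short-lived and single-use on the issuing server.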

satoshinm commented 7 years ago

https://craft.michaelfogleman.com actually does already use identity tokens. The player signs up on that website with a username and password, then generates an access token named e.g. home and runs /identity username identity_token, where identity_token is a 32-digit hex string generated once. Running this command causes Craft to run the equivalent of curl https://craft.michaelfogleman.com/api/1/identity -d 'username=satoshinm&identity_token=00000000000000000000000000000000', returning another 32-digit hex string, the access token. The Python server server.py posts to https://craft.michaelfogleman.com/api/1/access with username=&access_token=; if it returns 200 OK then user_id is set to the response text.

This API would almost be suitable for web usage, if the craft.michaelfogleman.com endpoint set Access-Control-Allow-Origin: *, via CORS, in the header response. Then 3rd party web apps could communicate with it, using standard web APIs (not only native, i.e. curl).

But why tie down to this one specific server, when there are alternative authentications? Accounts players may already have. Yahoo! auth: https://github.com/ritou/opauth-yahoojp ? Meant to be logged in through web. Google, Facebook, meh. Glowstone server chat https://discordapp.com/channels/201529692979855360/201529692979855360 uses discord which has oauth: https://discordapp.com/developers/docs/topics/oauth2 - is that suitable?

And/or push the auth problem down a layer, to each server. For https://github.com/satoshinm/WebSandboxMC/pull/76 an already-logged-in-user on the server could run a command to get a per-user access token, then pass it to the web client for logging in "as if" they were that user. This could be added on top of the current auth system without replacing it, just allowing the token to be directly specified on command-line or document.hash, versus the /identity and /login commands (which contact https://craft.michaelfogleman.com).

satoshinm commented 7 years ago

Decided to keep curl for now, no reason to break it, but in GH-164 enhanced authentication by allowing the username/token to be given on the command-line. This is used in https://github.com/satoshinm/WebSandboxMC/pull/76.