Closed mia-pi-git closed 1 year ago
Probably oauth should get its own file rather than being stuffed into actions.ts?
If I understand this correctly, the actual login code has nothing to do with this mechanism. All of this token stuff is so that PS staff can revoke certain clients from logging in, whether manually by deleting their client from the table, or automatically after a certain period of time. Is that right?
Mostly - largely it means side clients can get whitelisted to use the loginserver without a horribly messy hack that makes people's login info insecure. Us being able to revoke that access is just an added benefit.
It seems OK to me, if it works for you in testing.
Can confirm it does.
General flow here: client site opens page `play.pokemonshowdown.com/api/oauth/authorize?client_id=foo`, with challstr provided. -> Page checks if the user has a token stored. If they do, it takes the challstr and makes an assertion (the token verifies they've logged in/authorized it). If they don't, it asks for authorization and makes a token. -> Page gets assertion, redirects to client url with a querystring parameter containing the assertion.

I put all the actual actions under the hood in `base_url/oauth/api/` so that the intuitive, front-facing API serves the needed page/etc, willing to change that though.