smogon / pokemon-showdown-loginserver

MIT License

Support OAuth #12

Closed mia-pi-git closed 1 year ago

mia-pi-git commented 1 year ago

General flow here:

1. Client site opens page play.pokemonshowdown.com/api/oauth/authorize?client_id=foo, with challstr provided.
2. Page checks if the user has a token stored. If they do, it takes the challstr and makes an assertion (the token verifies they've logged in/authorized it). If they don't, it asks for authorization and makes a token.
3. Page gets assertion, redirects to client url with a querystring parameter containing the assertion.

I put all the actual actions under the hood in base_url/oauth/api/ so that the intuitive, front-facing API serves the needed page/etc, willing to change that though.
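The authorize flow above, sketched as an added TypeScript example that is not code from this PR or from pokemon-showdown-loginserver. The client table, the per-user token store, the token lifetime, and the HMAC-based assertion format are assumptions made for illustration; the real loginserver's assertion format and storage are not shown on this page.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed in-memory stand-ins for the client table and the per-user token store
// (assumed shapes, not the real schema). Deleting a row from `clients` revokes that client.
const clients = new Map<string, { redirectUri: string }>([
  ["foo", { redirectUri: "https://client.example/callback" }],
]);
type Token = { clientId: string; expires: number };
const tokens = new Map<string, Token[]>(); // userid -> clients this user has authorized
const SERVER_SECRET = "constructed-secret-for-the-example"; // assumption: key held only by the loginserver
const TOKEN_TTL_MS = 30 * 24 * 60 * 60 * 1000; // assumed lifetime before automatic revocation

type AuthorizeResult =
  | { kind: "redirect"; location: string } | { kind: "needs_authorization"; clientId: string } | { kind: "error"; reason: string };

// Assertion binding the user, the client's challstr and the client id under the server secret (assumed format).
function makeAssertion(userid: string, challstr: string, clientId: string, now = Date.now()): string {
  const body = `${userid},${challstr},${clientId},${now}`;
  const mac = createHmac("sha256", SERVER_SECRET).update(body).digest("hex");
  return `${body},${mac}`;
}

// What a server receiving the assertion would check: the MAC, compared in constant time.
function verifyAssertion(assertion: string): { userid: string; clientId: string } | null {
  const parts = assertion.split(",");
  if (parts.length !== 5) return null;
  const mac = parts.pop()!;
  const expected = createHmac("sha256", SERVER_SECRET).update(parts.join(",")).digest("hex");
  if (mac.length !== expected.length || !timingSafeEqual(Buffer.from(mac), Buffer.from(expected))) return null;
  return { userid: parts[0]!, clientId: parts[2]! };
}

// Called once the user has answered the "asks for authorization" step: stores the token.
function grantAuthorization(userid: string, clientId: string, now = Date.now()): void {
  const list = tokens.get(userid) ?? [];
  list.push({ clientId, expires: now + TOKEN_TTL_MS });
  tokens.set(userid, list);
}

// The /api/oauth/authorize?client_id=...&challstr=... page logic described in the PR.
function authorize(query: { client_id?: string; challstr?: string }, userid: string | null, now = Date.now()): AuthorizeResult {
  const { client_id: clientId, challstr } = query;
  if (!clientId || !challstr) return { kind: "error", reason: "client_id and challstr are required" };
  const client = clients.get(clientId);
  if (!client) return { kind: "error", reason: "unknown or revoked client" };
  if (!userid) return { kind: "error", reason: "not logged in" };
  const valid = (tokens.get(userid) ?? []).some(t => t.clientId === clientId && t.expires > now);
  if (!valid) return { kind: "needs_authorization", clientId };
  const location = new URL(client.redirectUri); // only the registered URL, never one taken from the query
  location.searchParams.set("assertion", makeAssertion(userid, challstr, clientId, now));
  return { kind: "redirect", location: location.toString() };
}
```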

Zarel commented 1 year ago

Probably oauth should get its own file rather than being stuffed into actions.ts?

mia-pi-git commented 1 year ago

> If I understand this correctly, the actual login code has nothing to do with this mechanism. All of this token stuff is so that PS staff can revoke certain clients from logging in, whether manually by deleting their client from the table, or automatically after a certain period of time. Is that right?

Mostly - largely it means side clients can get whitelisted to use the loginserver without a horribly messy hack that makes people's login info insecure. Us being able to revoke that access is just an added benefit.

monsanto commented 1 year ago

It seems OK to me, if it works for you in testing.

mia-pi-git commented 1 year ago

> It seems OK to me, if it works for you in testing.

Can confirm it does.