ttyborg / castlesand

Automatically exported from code.google.com/p/castlesand

User authentication #73

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hello,

I'd like to ask about your opinion on creating a user authentication system for 
the multiplayer game, so users could register their nickname in order to have 
statistics for games played in the past (i.e. total number of games, wins, 
losses, escapes).

I'm aware it might be a lot of things to take care of in order to enable this 
feature, however I can offer my help when it comes to the programming part. It 
may require having some additional VPS server where the API would be running, 
but I can offer you my own VPS (hosted in France).

Basically what would have to be done is the API (json || xml output), so you 
could implement it in the game and implementing this on the website (i.e. 
profiles.kamremake.com/nickname) would show user's stats.

In the future it might be possible to store data like: stats for most played 
maps, average game time.

Regards,
Lukasz

Original issue reported on code.google.com by luk...@klis.pl on 13 Mar 2013 at 12:24

GoogleCodeExporter commented 9 years ago
That would be great, but we are very concerned about security. Since the game 
is open-source we need to be extra-confident that no one will steal anyone's 
password or other private data, and also protect from fake/fraud data (so no one 
could submit that he won 1000 games or something like that).

Original comment by kromster80@gmail.com on 13 Mar 2013 at 12:32

GoogleCodeExporter commented 9 years ago
I'm aware of the security requirements; obviously a feature like that cannot be 
implemented without proper planning. ;)

I just wanted to get some feedback from you and Lewin about the idea and if 
it's positive, how we could cooperate in order to deliver it for the players.

Original comment by luk...@klis.pl on 13 Mar 2013 at 12:40

GoogleCodeExporter commented 9 years ago
I'm interested to see Lewin's opinion too.

I think we can set up and try to run a test system after we release the current 
version (~1 month).

Original comment by kromster80@gmail.com on 13 Mar 2013 at 12:44

GoogleCodeExporter commented 9 years ago
It would be nice to have but it would be a lot of work. Any private data like 
passwords should not be sent over unsecured connections, so we'd probably need 
to use something like HTTPS for all of the transfers. We need to ensure there are 
no security holes in the client side and server side code. Preventing people 
from submitting that they won 1000 games would be quite hard in an open source 
project since people can look at how it works and recompile the code if 
necessary.

To be honest I'd prefer it if someone else had to worry about it, e.g. if we 
could use Steam (Age of Empires HD is being released on Steam soon, I wonder 
how hard it would be to convince the KaM publishers to help us do something 
like that...).

Original comment by lewinjh@gmail.com on 14 Mar 2013 at 12:01

GoogleCodeExporter commented 9 years ago
Using Steam or the like would solve only the server part security, but we still 
would need to secure the client part (incl. stats). We could as well try with 
Lukas in a test-mode and see how it goes (via a wrapper class). I'm sure that 
will be a useful experience (and possibly we could adapt that wrapper class to 
something else if we need to).

Original comment by kromster80@gmail.com on 14 Mar 2013 at 4:58
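
The thread's concern that a recompiled open-source client could report 1000 wins can be narrowed on the server side by never trusting a single client's claim. The sketch below is an added example, not code from the castlesand project or anyone in this thread; the `MatchLedger` class, its method names and the sample players are hypothetical, and it assumes each reporter has already been authenticated over HTTPS and that the server, not a client, registers who is in a match.

```python
from collections import Counter

class MatchLedger:
    """Server-side result store. All names here are hypothetical."""

    def __init__(self):
        self.rosters = {}      # match_id -> players, registered by the server
        self.reports = {}      # match_id -> {reporter: claimed winner}
        self.settled = set()   # matches whose result is final
        self.wins = Counter()  # confirmed wins per player

    def open_match(self, match_id, players):
        # Assumption: called by the game server when a match starts,
        # never by a player's client.
        self.rosters[match_id] = frozenset(players)
        self.reports[match_id] = {}

    def submit(self, match_id, reporter, winner):
        """Store one authenticated player's claim.

        Returns the confirmed winner once a strict majority of the
        roster agrees, otherwise None.
        """
        roster = self.rosters.get(match_id)
        if roster is None or match_id in self.settled:
            return None  # unknown match, or result already final
        if reporter not in roster or winner not in roster:
            return None  # outsider, or a winner who was not playing
        # First claim per reporter counts; resubmitting cannot add votes.
        self.reports[match_id].setdefault(reporter, winner)
        claimed, votes = Counter(self.reports[match_id].values()).most_common(1)[0]
        if votes * 2 > len(roster):
            self.settled.add(match_id)
            self.wins[claimed] += 1
            return claimed
        return None


if __name__ == "__main__":
    ledger = MatchLedger()
    ledger.open_match("m1", ["ann", "bob", "mallory"])  # constructed sample data
    # A recompiled client claims 1000 wins in matches the server never opened.
    forged = [ledger.submit(f"fake{i}", "mallory", "mallory") for i in range(1000)]
    print(any(forged), ledger.submit("m1", "mallory", "mallory"))
    print(ledger.submit("m1", "ann", "ann"), ledger.submit("m1", "bob", "ann"))
    print(dict(ledger.wins))
```

A majority of colluding players in one match still passes this check, so it limits forged statistics rather than eliminating them.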