Request for changing auth flow

[FriendsOfGalaxy]

"start_uri": "https://tylerbrawl.github.io/Galaxy-Plugin-Rockstar/index.html"

From external user point of view, this is insecure. We cannot allow opening self-hosted pages outside the plugin code. If you need to execute some javascript, please use add your js files to src and use js keyword argument on rockstar login page https://galaxy-integrations-python-api.readthedocs.io/en/latest/galaxy.api.html#galaxy.api.types.NextStep Alternatively, if current workaround for pasting fingerprint cookie before loading rockstar login page is required, local host can be setup to open local html file. Example is available in guild wars plugin: https://github.com/FriendsOfGalaxy/galaxy-integration-gw2/blob/8accba3139f8d89a575bc3b5132c5522bf51ad61/gw2_api.py#L26

Previously I've missed this, but this is important.

[tylerbrawl]

I have pushed a new version that is completely independent of this website. When I was initially working on re-authentication, I admittedly had no idea as to how to best incorporate JavaScript, so this was my "solution." As can be seen in #36, I ended up doing something similar to @Mixaill. (I tried using the JavaScript functionality for NextStep, but I could not get it working on URLs which should have worked via regular expressions. I may have just been doing something wrong, but not even simple JavaScript alert messages would appear.) If there are any additional issues, then please let me know.

[FriendsOfGalaxy]

Ideally we should generate proper cookie with Python and then just push it to NextStep.

(I tried using the JavaScript functionality for NextStep, but I could not get it working on URLs which should have worked via regular expressions. I may have just been doing something wrong, but not even simple JavaScript alert messages would appear.)

I have also some issues with getting it work, especially for regex matching. Finally I got this (js files are put in src/js) and it works without setting up the server. As rockstar login has few redirections, alert(location.href) is good for debuging

    async def authenticate(self, stored_credentials=None):

        def loads_js(filename):
            with open(os.path.join(__file__, '..', 'js', filename), 'r') as f:
                return f.read()

        try:
            self._http_client.create_session(stored_credentials)
        except KeyError:
            log.error("ROCKSTAR_OLD_LOG_IN: The user has likely previously logged into the plugin with a version less "
                      "than v0.3, and their credentials might be corrupted. Forcing a log-out...")
            raise InvalidCredentials()
        if not stored_credentials:
            SCRIPTS = []
            for script_name in ['GenerateFingerprint.js', 'HashGen.js', 'fingerprint2.js']:
                SCRIPTS.append(loads_js(script_name))
            return NextStep("web_session",
                auth_params={
                    "window_title": "Login to Rockstar Games Social Club",
                    "window_width": 700,
                    "window_height": 600,
                    "start_uri": "https://www.rockstargames.com/auth/scauth-login",
                    "end_uri_regex": r"https://www.rockstargames.com/auth/get-user.json.*",
                }, js={
                    ".*rockstargames.*": SCRIPTS
                }
            )

[FriendsOfGalaxy]

Another things:

• if you are using 3rd party js libs, do not modify them. It will allows us for fast comparison between file shipped with plugin and the original one.
• do not minify files js files as you did in index.html. It is harder to read and people are scared about such unknown blobs of javascript (and they are right). Not huge gain in download size though.

Thanks!

[tylerbrawl]

Your implementation for this works wonderfully, and has been incorporated with commit 05ea07b98c585789fb9b66cc2d1eb8a928818c9b. (Do not worry about incompatibility with semantic versioning guidelines, as I revised the version number to v0.3.3 with commit 2767937967b7a3987d820af54e935ce1df487f98.) I initially tried doing something similar to this (reading the JavaScript file and returning it as a string), but I was unable to do so correctly because I thought that I would need to remove newline characters like this:

def loads_js(filename):
    with open(os.path.join(__file__, '..', 'js', filename), 'r') as f:
        return f.read().replace('\n', '')

As it turns out, this prevents the file from being read correctly, and thus the JavaScript never ran. I also figured out that I needed to use https://www.rockstargames.com/ instead of https://www.rockstargames.com if I wanted to explicitly reference that site alone, so the regular expression detection is not as broken as I thought.

Lastly, I do not believe that I ever got to express my gratitude for your assistance. This plugin was the first time that I ever worked with HTTP requests, authorization protocols (OAuth in particular), and user authentication, and you have been extremely helpful in too many ways to list. It goes without saying that without your efforts, this plugin would be nowhere near as feature complete as it is today, and I would still probably be working on re-authentication (that was a true pain).

[FriendsOfGalaxy]

Modern browsers use newlines to put ";" at the end of each line that is why ";" is not strictly required. Manual removing \n is bad idea for js.

I also figured out that I needed to use https://www.rockstargames.com/ instead of https://www.rockstargames.com

good catch!

without your efforts, this plugin would be nowhere near as feature complete as it is today, and I would still probably be working on re-authentication (that was a true pain).

Auth and owned games are really akward and you're doing great job so I decided to support you. Not so much things from my side though. Keep rocking and try to keep things as simple as possible :)