Dev blog: API spring cleaning

Captain Thunk
Explode. Now. Please.
Alliance. Now. Please.
#21 - 2012-09-19 17:36:04 UTC
Promiscuous Female wrote:

that's an awful lot of :words: for "i'm too lazy to update my application"

also i guess you missed the locations, charactername, and contracts api stuff that they added after announcing crest


I remember back when Goons could troll well.

Now it's all generic paint-by-numbers nonsense.
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#22 - 2012-09-19 17:37:58 UTC
Hatsumi Kobayashi wrote:
CCP illurkall wrote:
Hey

I'll try to make my next DevBlog look a little bit more happy with pictures and all.
The reason for doing this is mainly an effort to keep the legacy to a minimum and to make it easy for us to move forward. Because if we can move forward more freely, that just means more stuff for you guys in the end.


CAKs are a step backward.



You mean how they introduced functionality that the legacy keys didn't have? Namely the ability to limit what you're handing someone, so, for example, you don't need to give your killboard a key that has access to anything other than your kill data?

Yes, Captain Thunk is right that it removed one bit of functionality. But it's one that's /easily/ simulated, with 4 keys. What it added was impossible with the legacy system.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Promiscuous Female
GBS Logistics and Fives Support
#23 - 2012-09-19 17:44:09 UTC
you can hardly call "3 ceo characters on one account" to be typical usage and worth stringing along an old, insecure system whose only other redeeming feature was making it easy to determine whether a person is worth scamming
Promiscuous Female
GBS Logistics and Fives Support
#24 - 2012-09-19 17:45:18 UTC
and the new system is just as easy because you can just hand them a CreatePredefined link and 90% of people won't bother looking at the checkboxes
Promiscuous Female
GBS Logistics and Fives Support
#25 - 2012-09-19 17:45:50 UTC
but seriously you've had how many months? to cut your system over and you're choosing just now to complain
Captain Thunk
Explode. Now. Please.
Alliance. Now. Please.
#26 - 2012-09-19 17:48:27 UTC
You like posting don't you?

I can tell.
Andski
Science and Trade Institute
Caldari State
#27 - 2012-09-19 18:00:49 UTC
too bad thunk is actually right since getting corp data requires a corp director key, as opposed to being able to use, say, a junior accountant key to get wallet data through the API, which was possible with the legacy keys

Twitter: @EVEAndski

"It's easy to speak for the silent majority. They rarely object to what you put into their mouths."    - Abrazzar

Kearl
Sniggerdly
Pandemic Legion
#28 - 2012-09-19 18:43:55 UTC
I'd say the dev working on this project is a bit better at lurking than actually responding.

+1 for Thunk

This change makes it easier for scammers/crooks and harder for people trying to catch them.
Liang Nuren
No Salvation
Divine Damnation
#29 - 2012-09-19 19:37:23 UTC
CCP illurkall wrote:
Hey

I'll try to make my next DevBlog look a little bit more happy with pictures and all.
The reason for doing this is mainly an effort to keep the legacy to a minimum and to make it easy for us to move forward. Because if we can move forward more freely, that just means more stuff for you guys in the end.


Hey, fantastic blog and good changes. Thanks!

-Liang

I'm an idiot, don't mind me.

87102-6
Doomheim
#30 - 2012-09-19 21:43:36 UTC
Oh dear. It appears to me someone (likely multiple people) at CCP hasn't thought this all the way through. I see this time and time again in the actual IT industry as a whole, so I'm not too surprised. I'm a UNIX SA / NA by profession (almost 20 years' worth), so I hope what I say holds some weight.

Before I get started, I want to make something crystal clear: I'm not here to talk about the API semantics or the actual API protocol. I know nothing of it therefore am staying away from that topic. What I am going to talk about pertains to 1) use of HTTPS, and 2) the redirections proposed circa 2012/10/04.

1. Use of HTTPS (that is, HTTP + SSL) has one major drawback which many administrators overlook: things like caching proxies cannot cache the data. Instead, it then becomes the HTTP client's responsibility to handle caching. This means quite simply that every HTTP request has to return data; things like ETag negotiation (used for caching) don't work well with HTTPS. Combine that with the added SSL overhead and you've got something that uses a lot more bandwidth for something that probably doesn't need SSL.

And don't even get me started on the SSL cert ordeal -- CCP has historically forgotten to renew their certificates many times in the past:

http://community.eveonline.com/ingameboard.asp?a=topic&threadID=791627
http://www.eve-search.com/thread/909495-0/page/1

Basically whenever people start advocating use of SSL without providing full 100% justification up front, I am left with the impression that there is probably no justification for it. Instead it's "security through paranoia".

What exactly gets transmitted, API-wise, between client and server that mandates use of SSL? All I'm able to tell from the official API Functions wiki document is that the client's HTTP GET params consist of a "userID" and "apiKey". So let's say there's a MITM attack going on, or someone capturing plaintext HTTP packets. They can get a user's user ID and API key. And what exactly does that get them? The API Key management page states quite clearly the following:

Quote:
Is this safe? Can someone steal my account?

It is safe to provide your API key to applications and web sites as long as you are prepared to allow the application or web site to see your character and corporation information. You can specify which information is accessible for each customizable API key.

Sharing an API key does NOT give people access to your account while sharing your account password would. Therein lies the whole purpose of API keys. An API key only allows the recipient to view your character and corporation data but gives them NO control over it. They are NOT able to log in to the game or post on the forums with the API information. No part of the API key information is in any way generated from your account password - there is no way to calculate your password using this information.


So based on this, it appears to me that about all a person could do is then gain access to the information provided by the API -- none of which involves transactions of money/finances, or ability to change character data, nor does it have anything to do with actual EVE accounts (as in the accounting part).

So again: why SSL? Politely: justify it. Unless you plan on extending the API to allow people to make changes in some way, I just don't see the point.

Now for the 2nd item:

2. Redirections. The dev blog post specifically states, quote:

Quote:


This is a very, very bad idea from a protocol perspective. You are making a blind assumption that the clients using the HTTP (non-SSL) semantics have support for SSL. That is a very, VERY bad assumption. Let me expand:

If you redirect clients blindly from a plaintext HTTP protocol (on TCP port 80) to an encrypted HTTP protocol (on TCP port 443), and the client does not support SSL, the client submitting the API request will break. Badly. Very, very badly. The same problem applies if the client does not honour HTTP 3xx redirection status codes (for example, libcurl can be adjusted to not follow these, and things like perl's LWP do not necessarily follow redirections blindly). In either case, the client will throw back a generic protocol error to the user (assuming the client has error checking code in it that's even remotely decent -- others might just downright crash).

Then there's the issue of CommonName support (SSL cert-wise) when doing an HTTP-to-HTTPS redirect. A client which supports SSL visits http://api.eveonline.com/ and gets redirected to https://api.eve-online.com/ (note the hyphen). The client's SSL library may report a certificate verification failure, since the requested Host of api.eveonline.com does not match the CommonName of api.eve-online.com. What the client sends and what the server's SSL cert contains CommonName-wise need to match: ALWAYS.

My professional recommendation: don't redirect anything. Just simply shut down the non-SSL services (disable them in your load balancer, etc.) entirely. This will result in a clean failure for clients which need to be upgraded. Don't respond to the TCP SYN that comes in to TCP port 80 (or if you want, return TCP RST / ICMP port unreachable). Let the client handle that situation cleanly, and force the client authors to switch the API URL in their software. It's really the best choice here.

Hope this gives you and your SAs something to think about, because from what I can tell, someone didn't think this through all the way.
Dersen Lowery
The Scope
#31 - 2012-09-19 21:54:09 UTC
87102-6 wrote:
So again: why SSL? Politely: justify it. Unless you plan on extending the API to allow people to make changes in some way, I just don't see the point.


CCP has discussed this as a possibility, particularly in terms of corp management and updating the skill queue. Nothing has been (revealed as) decided yet, but if SSL keeps the option open then that's explanation enough, for now.

Proud founder and member of the Belligerent Desirables.

I voted in CSM X!

Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#32 - 2012-09-19 22:01:26 UTC
I don't /want/ people to cache the data. As I've seen too many caching proxies screw stuff up.

And I'd prefer not to send credentials, even read only ones, clear text.


Dawiid BenAimaic
Dasa Fern Valley Jamaican Rum Transport Corp
#33 - 2012-09-20 00:15:32 UTC
I like the API. I use it with several 3rd-party applications, phone apps and websites, and with Google Docs I have 10 spreadsheets with 10 to 20 pages each that make extensive use of the ImportXML command.

Legacy keys can be a personal choice. I choose not to use them. It does not seem prudent to alienate your customers who do choose to use them.

Converting to HTTPS for read-only data which is authenticated only by a token pair does not make sense; there is zero benefit and much harm. Your API server does not enjoy 100% uptime, and the downtime translates to a demand for caching proxy servers. I do not use a caching proxy server, but when the API is down I am unable to play the game, for I am unable to make informed decisions. Setting up a caching proxy server was on my to-do list because of your unreliability.

If you have future plans to allow making changes in game using the API, I would respectfully suggest that you use the client user interface to make changes to in-game values.

I appreciate your letting me look up names by TypeID, but it would be nice to have an API that returns TypeID for names. My current workaround is using an SQL query on data in EveHQ.
Kaaletram Lothyrawir
Trust Brothers LLC.
The Veyr Collective
#34 - 2012-09-20 00:48:04 UTC
This might just be a pipe dream but is there any chance of adding access to War Reports to the API? or be able to compile them for viewing via 3rd party apps?
CCP Explorer
C C P
C C P Alliance
#35 - 2012-09-20 01:51:18 UTC
Tanaka Aiko wrote:
I clicked on devblog link hoping for CREST news, left disappointed.
This was indirectly CREST news, we are cleaning up legacy to be able to deploy the initial CREST framework and start the long transition from the API to CREST.

Erlendur S. Thorsteinsson | Senior Development Director | EVE Online // CCP Games | @CCP_Explorer

Kossaw
Body Count Inc.
Mercenary Coalition
#36 - 2012-09-20 03:46:52 UTC
Promiscuous Female wrote:
but seriously you've had how many months? to cut your system over and you're choosing just now to complain


Well I'm really pleased for you that you've had the luxury of writing your own high quality object orientated code, have been able to keep it completely up to date and now only need to change 3 lines of code.

For the rest of us, stuck with maintaining ****** legacy code written by inbred morons (who think an object is something they hit with a hammer) and who have been quietly working away for the last 6 months aware that this issue was coming....

Well WE WOULD APPRECIATE SOME MORE F*CKING NOTICE THAN 2 WEEKS.

We would also like CCP to fix the MASSIVE functionality hole that allows a user to change their CAK after they registered it with our web sites, thereby completely gimping a host of security precautions. (And yes, it was bug reported and commented on extensively within a few weeks of the "new" API Key system being released.)

https://forums.eveonline.com/default.aspx?g=posts&t=17150&p=2

WTB : An image in my signature

Kossaw
Body Count Inc.
Mercenary Coalition
#37 - 2012-09-20 03:49:43 UTC
Promiscuous Female wrote:
you can hardly call "3 ceo characters on one account" to be typical usage and worth stringing along an old, insecure system whose only other redeeming feature was making it easy to determine whether a person is worth scamming


The "old" system is in NO WAY insecure. It is however more functional if you are the guy writing the application code.

Magic Crisp
Amarrian Micro Devices
#38 - 2012-09-20 06:55:13 UTC  |  Edited by: Magic Crisp
Just a sidenote. I know that consistency is not really CCP's cup of tea, but you should use the ISO8601 timezone format, like the website does in most places. It'd make it a lot more consistent, and readable. These randomly ordered formats are a pain; that's why we've got a worldwide standard for it.
Golden Gnu
Lobach Inc.
#39 - 2012-09-20 07:48:59 UTC
@CCP Explorer

Transition:
The process or a period of changing from one state or condition to another

So you want to kill the API as well?

I do not understand why on earth you continue to invalidate all the work the community has put into improving the EVE experience.
A lot of older applications, that are no longer maintained, will be useless after you remove the old API keys.
If you move away from the current API, even more will follow.

IMHO 3rd-party apps add value to EVE. You should support us - not fight us...

jEveAssets already moved to CAKs, but I still get people who cannot figure out they need a separate corporation key.

@Magic Crisp
Do not ask that kind of question - do you have any idea how much trouble it would cause if they changed the time format?

Creator of jEveAssets - the asset manager

"Download is the meaning of life, upload is the meaning of intelligent life"

Captain Thunk
Explode. Now. Please.
Alliance. Now. Please.
#40 - 2012-09-20 08:50:18 UTC
Golden Gnu wrote:


jEveAssets already moved to CAKe, but, I still get people who can not figure out they need a separate corporation key.


This is the problem (not the altering of code).

Explaining to people that they've just entered a key but it's detected that it needs more just to maintain the same level of service they are used to with Legacy keys.

And you have to check the validity of the key on every use because the user might have gone back to the Eve website and changed the privileges for the key.
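The re-validation Kossaw (#36) and Captain Thunk (#40) describe, as an added example that is not code from the thread or from CCP: a consuming application parses a key-info response, checks that the access mask still covers what the application needs, confirms the key is a corporation key, and compares the mask against what was recorded when the user registered the key. The XML layout, the attribute names and the access-mask bit values are all constructed for this example, not taken from the real API.

```python
import xml.etree.ElementTree as ET

# Access-mask bits a hypothetical corp-wallet application needs.
# Bit values are constructed for this example, not the real API's.
REQUIRED_BITS = {"WalletJournal": 1 << 0, "WalletTransactions": 1 << 1}

# Constructed key-info responses (assumed layout). The first is what the
# application saw when the user registered the key; the second is what the
# same key returns after the user edited it on the website.
KEY_INFO_AT_REGISTRATION = """<?xml version="1.0"?>
<eveapi version="2"><result>
  <key accessMask="3" type="Corporation" expires=""/>
</result></eveapi>"""

KEY_INFO_NOW = """<?xml version="1.0"?>
<eveapi version="2"><result>
  <key accessMask="1" type="Character" expires=""/>
</result></eveapi>"""


def parse_key_info(xml_text):
    """Extract mask, key type and expiry from a key-info response."""
    key = ET.fromstring(xml_text).find("./result/key")
    if key is None:
        raise ValueError("response has no <key> element")
    return {
        "mask": int(key.get("accessMask", "0")),
        "type": key.get("type", ""),
        "expires": key.get("expires", ""),
    }


def missing_permissions(mask):
    """Names of required permissions whose bit is not set in mask."""
    return sorted(n for n, bit in REQUIRED_BITS.items() if not mask & bit)


def validate_key(current, registered):
    """Return a list of problems; an empty list means the key may be used.

    Called before every API use, because the owner can change the key's
    privileges on the website at any time without the application knowing.
    """
    problems = []
    if current["type"] != "Corporation":
        problems.append("key type is %s, need Corporation" % current["type"])
    missing = missing_permissions(current["mask"])
    if missing:
        problems.append("missing permissions: " + ", ".join(missing))
    if (current["mask"], current["type"]) != (registered["mask"], registered["type"]):
        problems.append("key changed since registration; re-verify the owner")
    return problems
```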