EVE Technology Lab

[API Request] Additional Security

Author
Station Sitter
Heavy Star Industries
#1 - 2014-05-16 03:48:51 UTC
I would like to see a feature added to the API where a player could obtain a public API token that is unique and tied to a specific website address. The player could provide it to other players to add to their API key generation, which would generate a unique key for a given website, so that the website that accepts that API key will know it was validated ONLY for that specific website.

For instance.

My API-enabled website, a forum in this case (for example, http://forum.mycorpforum.com/index.php, not a real website), provides proprietary marketing information that I only want members of my corporation to have access to (with the understanding that after registration all bets are off). Knowing that several of my corporation members have put their API keys out there for various other sites (EVEMon, et al.), I want to ensure that the key is unique for my site.

So I go to the API support site and register my forum's home page, obtaining a public globally unique ID (GUID) that I provide to my corp members.

They, in turn, go to the API support site and create an API key, providing that GUID to the form, and the new ID/key combination that is generated will provide not only the access mask but will also validate the GUID associated with it by passing the GUID in as a third parameter to the API call.

If the corp member (or anyone else) tries to use a key that doesn't have that GUID associated with it, or has a different one that has been farmed from somewhere like EVEMon, my application will know that the key is invalid for my website and will deny access, and the API server will log the invalid request.

This will HELP with meta-gaming spoofing. It will not 100% prevent it, but it will make it less easy.

Thanks!
Louis Vitton
Viziam
Amarr Empire
#2 - 2014-05-16 05:13:38 UTC
I don't see this as an option.
I see CREST one day being active with read and write access via SSO, and the API not having major changes such as this made to it, as this will take a fair bit of work.
Also, this plays against CCP's butterfly effect idea, where you don't know who you're letting in or what they are doing.
This is alt
Center for Advanced Studies
Gallente Federation
#3 - 2014-05-16 08:34:12 UTC
While this is not exactly what you want, the vCode is just a generated string. You can force your user to replace, for example, 9 sequential letters in the string with 'mywebsite' and then only accept vCodes into your application with that string inside.

That way you make sure that it is not possible to steal API keys from for example Evemon or any other place and use them as your own to gain intel and such. It is a way to make sure the API key was specifically generated for your application, since it requires the users to edit the vCode when making it.
CCP FoxFour
C C P
C C P Alliance
#4 - 2014-05-16 08:38:40 UTC
SSO and CREST solve this, but sorry, we won't be doing anything like this for the EVE API. It would take a fairly large amount of work, would be confusing to the users, and doesn't really seem to solve a whole lot. In any case, though, SSO and CREST solve this, so let's just push for that! :D

@CCP_FoxFour // Technical Designer // Team Tech Co

Third-party developer? Check out the official developers site for dev blogs, resources, and more.

Sentient Blade
Crisis Atmosphere
Coalition of the Unfortunate
#5 - 2014-05-16 10:00:04 UTC
I hear where you're coming from, application-specific APIs would be nice.

I use a different method of authenticating users on my site: generate a random 10-digit code, tie it to their login, and then require them to donate 1 ISK to a specified account, and poll your journal for that reason and from that user.

Social engineering aside, it's fairly solid.
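The donation check described in the post above, as an added example that is not code from the thread or from the poster's site. It assumes a wallet-journal response shaped like the constructed XML sample below (attribute names, the refTypeID value 10 for a player donation, and the "DESC: " prefix on reasons are all assumptions) and that the site stored the issued code against the pending login before telling the user to donate.

```python
"""Confirm a pending login by finding a 1 ISK donation whose reason carries a one-time code."""
import secrets
import xml.etree.ElementTree as ET

# Constructed sample of a wallet journal for the site's receiving character.
# Row 1: the real donor. Row 2: a different character who pasted someone else's code.
# Row 3: unrelated market income (assumed refTypeID 2) that must be ignored.
SAMPLE_JOURNAL = """
<eveapi version="2">
  <result>
    <rowset name="entries" key="refID"
            columns="date,refID,refTypeID,ownerName1,ownerID1,ownerName2,ownerID2,amount,reason">
      <row date="2014-05-16 10:05:00" refID="1001" refTypeID="10" ownerName1="Alice"
           ownerID1="90000001" ownerName2="SiteWallet" ownerID2="90009999"
           amount="1.00" reason="DESC: 4839201745"/>
      <row date="2014-05-16 10:06:00" refID="1002" refTypeID="10" ownerName1="Mallory"
           ownerID1="90000002" ownerName2="SiteWallet" ownerID2="90009999"
           amount="1.00" reason="DESC: 4839201745"/>
      <row date="2014-05-16 10:07:00" refID="1003" refTypeID="2" ownerName1="Market"
           ownerID1="1" ownerName2="SiteWallet" ownerID2="90009999"
           amount="500000.00" reason=""/>
    </rowset>
  </result>
</eveapi>
"""

SITE_WALLET_ID = "90009999"   # assumed character ID of the wallet users donate to
PLAYER_DONATION = "10"        # assumed refTypeID for player donations
REASON_PREFIX = "DESC: "      # assumed prefix the journal puts on free-text reasons


def issue_code() -> str:
    """Random 10-digit code; store it against the pending login, then tell the user to donate."""
    return "".join(secrets.choice("0123456789") for _ in range(10))


def _reason_text(reason: str) -> str:
    """Strip the assumed prefix so the comparison is against exactly what the user typed."""
    if reason.startswith(REASON_PREFIX):
        reason = reason[len(REASON_PREFIX):]
    return reason.strip()


def donation_confirms(journal_xml: str, code: str, claimed_char_id: str) -> bool:
    """True only for a donation to our wallet, from the character being verified, with the exact code.

    Matching on the donor as well as the code is what stops a third party who saw
    the code from completing someone else's verification.
    """
    root = ET.fromstring(journal_xml)
    for row in root.iter("row"):
        if row.get("refTypeID") != PLAYER_DONATION:
            continue
        if row.get("ownerID2") != SITE_WALLET_ID:
            continue
        if row.get("ownerID1") != claimed_char_id:
            continue
        if _reason_text(row.get("reason", "")) != code:
            continue
        try:
            if float(row.get("amount", "0")) < 1.0:
                continue
        except ValueError:
            continue
        return True
    return False


if __name__ == "__main__":
    print(donation_confirms(SAMPLE_JOURNAL, "4839201745", "90000001"))  # True
    print(donation_confirms(SAMPLE_JOURNAL, "4839201745", "90000002"))  # True: Mallory also donated with the code
```

Note the second call: if the site only matches the reason text and not the donor, Mallory's donation would also pass, which is why the pending login must record which character is expected to donate and the code should expire and be single-use. The poller itself needs an API key with journal access for the receiving character, and that key is a credential to protect like any other.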
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#6 - 2014-05-16 12:11:39 UTC
If you want to make sure that their code is specific to your site, you can at least make sure they haven't used it elsewhere.

The vcode is just a string of text which can be set by the user.

So you can tell them 'use this vcode' and hand them a randomly generated string. Or require a prefix on it.

Doesn't stop them going on and using it elsewhere though.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter
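The vCode-binding trick from posts #3 and #6 (a site-specific marker inside the vCode, or a random string the site dictates), as an added example rather than code from either poster. It assumes the vCode is a user-editable alphanumeric string of up to 64 characters and that the site keeps a table of the vCodes it handed out; the marker string 'mywebsite' is the one used in post #3.

```python
"""Accept only EVE API keys whose vCode was dictated by this site."""
import hmac
import re
import secrets

SITE_TAG = "mywebsite"                        # marker from post #3
VCODE_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")  # assumed vCode alphabet and length


def has_site_marker(vcode: str) -> bool:
    """Post #3's check: the vCode merely contains the site string.

    Cheap to apply but weak: any vCode containing the marker passes, so a key
    created for another site that happens to include it is accepted too.
    """
    return VCODE_RE.fullmatch(vcode) is not None and SITE_TAG in vcode


class SiteRegistry:
    """Post #6's stronger variant: hand each user a random vCode and accept only that exact value."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}   # user -> vCode we told them to use

    def issue_vcode(self, user: str) -> str:
        """Marker plus random part: the marker is visible to a human, the random part is unguessable.

        9 + 48 characters stays within the assumed 64-character limit.
        """
        vcode = SITE_TAG + secrets.token_hex(24)
        self._pending[user] = vcode
        return vcode

    def accept_key(self, user: str, key_id: str, vcode: str) -> bool:
        """True only if this user submits the key ID format we expect and the vCode we issued, once."""
        if not key_id.isdigit():
            return False
        if VCODE_RE.fullmatch(vcode) is None:
            return False
        expected = self._pending.get(user)
        if expected is None:
            return False
        # Constant-time compare: the vCode is a credential, not just a tag.
        if not hmac.compare_digest(expected, vcode):
            return False
        del self._pending[user]   # single use: a second submission must go through issue_vcode again
        return True


if __name__ == "__main__":
    reg = SiteRegistry()
    v = reg.issue_vcode("alice")
    print(reg.accept_key("alice", "123456", v))            # True
    print(reg.accept_key("alice", "123456", v))            # False, already consumed
    print(has_site_marker("zzmywebsitezz"))                # True, which is the weakness of the marker check
```

As post #6 says, neither check stops the user from pasting the same key ID and vCode into another site afterwards; it only proves the key was created for yours. Store the accepted vCode hashed rather than in the clear, since anyone who reads your database can otherwise use every member's key with whatever access mask they granted.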