These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

EVE Technology Lab

 
  • Topic is locked indefinitely.
Previous page123
 

CREST - Ship info

First post First post
Author
Previous Topic Next Topic
Atreyu Kouvo
Industrial Mining and Mayhem
Sigma Grindset
#41 - 2016-08-27 00:02:19 UTC
+1
Trenzalore Fields
OpSec.
Wrong Hole.
#42 - 2016-08-27 02:32:31 UTC
+1
Dominous Nolen
The Graduates
The Initiative.
#43 - 2016-09-05 19:53:25 UTC  |  Edited by: Dominous Nolen
+1. This is vital for wormhole corps to know details about hole life.

Crest needs to be fleshed out before the IGB is completely removed, otherwise WH space players are going to have a fun time calculating mass.

@dominousnolen

"Fly dangerously, Fly safe, Fly whatever, just keep Flying." - Lee Blackwood
Bellerian
State War Academy
Caldari State
#44 - 2016-09-10 11:21:11 UTC  |  Edited by: Bellerian
+1

This is a very important feature for wormhole living as this will let the FC know who is in the chain and in what ship types. Also useful to calculate the mass on holes. It also helps Corp mates to not roll out other corp members that may not be on comms.
Ezio Dicostanzo
State War Academy
Caldari State
#45 - 2016-09-10 11:54:38 UTC
+1 for sure
Snehova Boure
Imperial Academy
Amarr Empire
#46 - 2016-09-14 15:17:02 UTC
Anyone from CCP can make statement to this ?
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#47 - 2016-09-16 13:21:50 UTC
I'm not CCP, and I can't commit them to anything, but the concern is one that's been noted.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter
CCP Bartender
C C P
C C P Alliance
#48 - 2016-09-16 16:00:29 UTC
Hey all, here's the status drop:

I've just written up the CREST endpoint providing this info on a 5 second cache timer, essentially identical to the location endpoint. I might tweak that cache timer after we've done some performance testing, but I want to keep it as short as possible. It might end up in the ballpark of 10-30 seconds, or it might be fine; we'll see.

That'll be on Singularity fairly Soon™, but it may be disabled when it arrives on Tranquillity. This is due to concerns we have with authorizations granted to third party apps that users have forgotten to revoke[1].

Combining the low-cache-time location endpoint with a low-cache-time ship type endpoint dramatically lowers the barrier of entry for a malicious developer to abuse old and forgotten refresh tokens for near real-time intelligence. Because of this, we want to pre-emptively protect our players.

We're looking at a few ways to do this: Mandatory refresh token expiry for highly sensitive scopes is one option, and we're also considering the merits of a quarterly security review mail. We're actively working on this problem, but until we have mechanisms in place that we feel are adequate we will not be opening this endpoint on TQ.

More as it happens!

[1] You can do this at https://community.eveonline.com/support/third-party-applications/, go do a spring cleaning! Big smile
Sentient Blade
Crisis Atmosphere
Coalition of the Unfortunate
#49 - 2016-09-16 17:22:51 UTC
CREST is sufficiently tied into the proxies that it's able to send notifications isn't it? Seems like a pretty easy solution would be to use them to inform a player that something is afoot.

"Simply" give your CREST layer a table (character_id, application_id>, last_access). Check it each time a call to the location is made, if it's been more than (for example) 60 minutes since the last call to that character, from that application, fire off a bottom-right notification to the client "Your position is being monitored by XYZ application".

Have it appear in the notification groups too.
Kniht
#50 - 2016-09-16 19:56:35 UTC  |  Edited by: Kniht
CCP Bartender wrote:
This is due to concerns we have with authorizations granted to third party apps that users have forgotten to revoke.

Combining the low-cache-time location endpoint with a low-cache-time ship type endpoint dramatically lowers the barrier of entry for a malicious developer to abuse old and forgotten refresh tokens for near real-time intelligence. Because of this, we want to pre-emptively protect our players.

We're looking at a few ways to do this: Mandatory refresh token expiry for highly sensitive scopes is one option, and we're also considering the merits of a quarterly security review mail. We're actively working on this problem, but until we have mechanisms in place that we feel are adequate we will not be opening this endpoint on TQ.

When granting access through SSO, display a time limit. Default to forever, one year, or six months. Allow players to manually select "until revoked" (if not the default), and additionally provide at least "one month" and "one week" options. "One day" may even be useful. If a "sensitive" scope is requested, default to a shorter option. Simply presenting the option reminds players, every time they login anywhere with SSO, that these things can last a long time after they have stopped using that app.

For an example consumer of these endpoints, an area where I have some experience is wspace mapping tools. I would find it a pain to require SSO once a month, there, and would happily choose a longer option. Since I would have several extra characters as scouts, each one needs to login when auth expires. Even mandatory one week limits could translate to many required logins, once per char, each day that I'm playing.

Both defaulting to lower time limits and allowing longer limits works better overall, with the main benefit being increased awareness to players. If the concern is "malicious developers", I doubt this time limit should even be available for apps to view. Once expired, non-malicious apps only need players to SSO again, and potentially-malicious apps (that is, all of them) shouldn't be able to discriminate against players who choose a shorter time.

o/ fly crazy
Salgare
Center for Advanced Studies
Gallente Federation
#51 - 2016-09-16 20:09:32 UTC
I've also noticed that for the average pilot, the reject currently accepted scopes page is buried and somewhat hard to find. This should be linked to way up in the users account section where things like dual authorization etc. are found.
Salgare
Center for Advanced Studies
Gallente Federation
#52 - 2016-09-17 18:29:06 UTC
CCP Bartender wrote:
I've just written up the CREST endpoint providing this info on a 5 second cache timer, essentially identical to the location endpoint.


What is the endpoints url?
CCP Bartender
C C P
C C P Alliance
#53 - 2016-09-19 12:09:11 UTC  |  Edited by: CCP Bartender
Salgare wrote:
CCP Bartender wrote:
I've just written up the CREST endpoint providing this info on a 5 second cache timer, essentially identical to the location endpoint.


What is the endpoints url?


It's not out yet, still in code review, but it'll be linked from the character page, same as the location endpoint Smile

(/ship/ instead of /location/)

edit: Just committed, keep an eye on singularity for the next update Big smile
Exodus 4D
Ministry of War
Amarr Empire
#54 - 2016-09-26 16:16:36 UTC
Awesome! I´m looking forward to implement this in Pathfinder

PATHFINDER the next generation mapping tool for EVE ONLINE

> "Open Source", Free, Join Now
Elnia Arthie
Signature Unknown
#55 - 2016-10-04 20:30:03 UTC
Yeah, looking forward to integrating that in our own mapper to get mass tracking back. Thanks CCP Bartender!
Jack Tronic
borkedLabs
#56 - 2016-10-11 13:12:34 UTC  |  Edited by: Jack Tronic
CCP Bartender wrote:
Hey all, here's the status drop:

I've just written up the CREST endpoint providing this info on a 5 second cache timer, essentially identical to the location endpoint. I might tweak that cache timer after we've done some performance testing, but I want to keep it as short as possible. It might end up in the ballpark of 10-30 seconds, or it might be fine; we'll see.

That'll be on Singularity fairly Soon™, but it may be disabled when it arrives on Tranquillity. This is due to concerns we have with authorizations granted to third party apps that users have forgotten to revoke[1].

Combining the low-cache-time location endpoint with a low-cache-time ship type endpoint dramatically lowers the barrier of entry for a malicious developer to abuse old and forgotten refresh tokens for near real-time intelligence. Because of this, we want to pre-emptively protect our players.

We're looking at a few ways to do this: Mandatory refresh token expiry for highly sensitive scopes is one option, and we're also considering the merits of a quarterly security review mail. We're actively working on this problem, but until we have mechanisms in place that we feel are adequate we will not be opening this endpoint on TQ.

More as it happens!

[1] You can do this at https://community.eveonline.com/support/third-party-applications/, go do a spring cleaning! Big smile


1.
Why not a new permission + new endpoint that includes both?
Otherwise I'll be hitting you two queries at the same time with stupid amounts of overhead for what's just an extra key:value pair. I have no problem murdering CREST with 1k requests every 10 seconds multiplied by two otherwise, not my servers that'll be crying ;) Yes, siggy has a legitimate reason to query 1k requests, the total monitored characters is quite up there.

2.
Some of the security issues is because you guys squirrel the stupid SSO and API pages in the one place nobody looks (Support, but it's not really a "Support" item). It should be linked from Account Management and the Launcher. It should be named "EVE SSO / Crest" not "Third Party Applications". Your average player won't see a third party site calling itself "Third Party Application". They'll see "EVE SSO" or "CREST", they'll make the association easier if they see the same words.
I'm not saying a "security review email" is not a bad idea though.
Bluedagger
New Jovian Exploration Department
New Jovian Collective
#57 - 2016-10-12 23:42:08 UTC
+1
erittainvarma
Fistful of Finns
#58 - 2016-10-26 07:23:22 UTC
So what's the status with ship info? Are we going to get it in November?
Also, do we get 5s cache time?

I support Jack Tronic's both points. New endpoint for getting both ship and location would be great (especially for CCP servers) because almost all use cases that I have in my mind includes getting them both.

I hope that you don't go to mandatory token expiry route, as that is going to be pain in the ass for valid users.
Previous page123