
How to request permissions

Eep Eep
Aliastra
Gallente Federation
#1 - 2012-01-29 01:11:43 UTC
Hello,
I posted this somewhere else but I found the correct place now.

Anyway, I was trying to make a registration system similar to that of SOMER BLINK. I want to require that you be logged into EVE and that you are using that browser to register a new character. How do I achieve this, and how do I request permissions like SOMER Blink does in their registration process?

Also, where do I find the correct API guide? I seem to find so many online and don't know which one is correct.
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#2 - 2012-01-29 02:29:05 UTC  |  Edited by: Steve Ronuken
http://wiki.eveonline.com/en/wiki/IGB_Javascript_Methods

Should be most of what you need.

specifically
http://wiki.eveonline.com/en/wiki/IGB_Javascript_Methods#requestTrust_Method

You'll probably also want
http://wiki.eveonline.com/en/wiki/IGB_Headers

for the character id (can be spoofed easily. have passwords too)

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Eep Eep
Aliastra
Gallente Federation
#3 - 2012-01-29 02:35:06 UTC
Would it be a good idea to require someone to give an account key that shows a system the characters that the account has and use that list of characters as the only characters that the user can add to their account in the system?

This would mean they would have to actually own the character right?
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#4 - 2012-01-29 02:37:37 UTC
I'd say, no. Worst case, you'd get someone registering as someone else.

That third party can easily prove they are who they say they are, by sending a mail to you, and you having it plucked out of the mail api.

Requiring an api key from your users is a good way of reducing your pool of users. Of course, this depends on your actual use conditions.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Eep Eep
Aliastra
Gallente Federation
#5 - 2012-01-29 02:41:16 UTC
Can't someone disable javascript to disallow the trust request?
And to make sure, the trust request can only be utilized in the browser in eve?
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#6 - 2012-01-29 02:53:36 UTC
The trust request only happens with the IGB. Any other browser should throw a javascript error, as it's a method that doesn't exist.

If you really want to keep it clean, you only include that javascript if the appropriate header is sent with the request.

All that trust does is:
Add a few more things into the headers for your server to see
Make a few more of the javascript calls actually do something.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Eep Eep
Aliastra
Gallente Federation
#7 - 2012-01-29 02:53:50 UTC
Steve Ronuken wrote:


That third party can easily prove they are who they say they are, by sending a mail to you, and you having it plucked out of the mail api.


What you are saying is I can have them mail me, and then I pluck the mail out of my own inbox using the API?
Eep Eep
Aliastra
Gallente Federation
#8 - 2012-01-29 02:54:37 UTC
I understand a whole lot more =]
Eep Eep
Aliastra
Gallente Federation
#9 - 2012-01-29 02:55:03 UTC
So with all of these javascript methods, I can make different windows appear? Is that what it is?
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#10 - 2012-01-29 02:58:17 UTC
Eep Eep wrote:
Steve Ronuken wrote:


That third party can easily prove they are who they say they are, by sending a mail to you, and you having it plucked out of the mail api.


What you are saying is I can have them mail me, and then I pluck the mail out of my own inbox using the API?


Exactly.

There's a limitation on how frequently you can do this though. It caches for a while (15 minutes?). Just get them to mail you/specific alt, with a specific code in the subject, that you can watch for with code. Needs a cronjob or similar. Depends on the host you are using for the site. (I have a dedicated server, so I'm a little spoilt)



Somer use an API check to pull in people adding money. It's similar.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#11 - 2012-01-29 02:58:39 UTC
Eep Eep wrote:
So with all of these javascript methods, I can make different windows appear? Is that what it is?



Pretty much.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Eep Eep
Aliastra
Gallente Federation
#12 - 2012-01-29 03:00:46 UTC
Is there any way for someone to falsify the headers?
I noticed SOMER Blink does not require you message them. They simply check if you are in the browser by you granting trust. When a user grants trust, would it be good enough as a security measure, to trust they are the character they say they are? Especially if I detect that the browser is in game?
Eep Eep
Aliastra
Gallente Federation
#13 - 2012-01-29 03:09:34 UTC
Another question, when permission is provided for a URL, does it mean I can always run these javascript functions?

Also, are the headers sent by the ingame browser always sent, even without permission granted?

Thanks for the help by the way ;)
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#14 - 2012-01-29 03:09:55 UTC  |  Edited by: Steve Ronuken
Well, Somer still require a password when logging in.

The reason is, it's pretty simple to falsify headers, when you're not in game. Tamperdata, for example, is a Firefox plugin that makes it dead easy.

It all comes down to how sensitive things are. If they're not, then it's not important.


Edit -

Once trust is granted, it sticks around till revoked.

Some headers are sent anyway. More are when a site is trusted. I think the header page notes which.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Eep Eep
Aliastra
Gallente Federation
#15 - 2012-01-29 03:12:28 UTC
It will be sensitive.
So sending a message to me that I pluck will really ensure things a lot won't it?
Eep Eep
Aliastra
Gallente Federation
#16 - 2012-01-29 03:19:34 UTC
And another quick question,
the headers page does not say which are shown before trust is given.
How do I know that a person is looking at my page through the In Game Browser?
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#17 - 2012-01-29 03:54:21 UTC
Using an alternate method of validation is generally a good idea. It's why a fair number of sites required you to 'activate' by clicking a link in an email. Using the API for pulling a mail would do it, without requiring them to create a key for you.


As for if they're using the browser or not, HTTP_EVE_TRUSTED isn't a bad one to check.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter
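
Added example (not part of the original thread and not any poster's or site's own code): a server-side sketch of the mail-code check described in posts #10 and #17, with the IGB header treated only as a hint because, as post #14 says, it can be falsified. The `sender_id` and `subject` field names, the `REG-` prefix and the expiry time are assumptions, and the mail headers are passed in as plain dicts rather than fetched from the mail API.

```python
import hmac
import secrets
import time

CODE_TTL = 24 * 3600  # assumption: a pending registration expires after one day


def igb_hint(environ):
    """HTTP_EVE_TRUSTED is client-supplied: use it to choose page content, never as proof."""
    return "HTTP_EVE_TRUSTED" in environ


def issue_challenge(pending, character_id, now=None):
    """Store and return a one-time code the claimed character must mail in game."""
    now = time.time() if now is None else now
    code = "REG-" + secrets.token_hex(8)  # unguessable, so it cannot be pre-sent
    pending[character_id] = (code, now + CODE_TTL)
    return code


def verify_from_mail(pending, mail_headers, now=None):
    """Return character IDs whose own mail carried their own pending code.

    Run this from a scheduled job over the headers pulled from your inbox.
    The code only counts when the mail's sender is the character it was
    issued to, so a code copied by someone else proves nothing.
    """
    now = time.time() if now is None else now
    verified = []
    for mail in mail_headers:
        sender = mail["sender_id"]
        entry = pending.get(sender)
        if entry is None:
            continue  # no registration waiting for this sender
        code, expires = entry
        if now > expires:
            del pending[sender]  # stale challenge, make them start again
            continue
        subject = mail["subject"].strip().encode()
        if hmac.compare_digest(subject, code.encode()):
            verified.append(sender)
            del pending[sender]  # one-time use: a replayed mail is ignored
    return verified


if __name__ == "__main__":
    pending = {}
    code = issue_challenge(pending, 1001)  # 1001, 2002: constructed character IDs
    inbox = [{"sender_id": 2002, "subject": code},   # right code, wrong sender
             {"sender_id": 1001, "subject": code}]   # right code, right sender
    print(verify_from_mail(pending, inbox))
```

Because the mail API result is cached for a while, a registration stays pending until the next poll that sees the mail.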

Eep Eep
Aliastra
Gallente Federation
#18 - 2012-01-29 04:12:51 UTC
The e-mail where the link they click, will that be sent to the character? Or to their actual e-mail. I am assuming you mean the character.
Eep Eep
Aliastra
Gallente Federation
#19 - 2012-01-29 04:17:51 UTC
But, if it is to the character, how would I send an e-mail to them?
Eep Eep
Aliastra
Gallente Federation
#20 - 2012-01-29 04:27:03 UTC
Well I found out how to mail a user, but the javascript isn't working...