Nabrok.9023:

I noticed that on the security section of the new account page it lists the IP address of every recent API query using one of your keys, alongside your game client connections.

There’s a “disconnect” link next to each one. What will that link do for API related IPs?

Moturdrn.2837:

Pressing disconnect seems to remove access for that key (at least from that IP address) for a few minutes (until the next API cache refresh?)


Tested: Created new key and called the TokenInfo
Array (
       [0] => HTTP/1.1 200 OK
       [1] => Content-Length: 100 
       [2] => Content-Type: application/json; charset=utf-8 
       [3] => Server: Microsoft-IIS/7.5
       [4] => Access-Control-Allow-Origin: *
       [5] => X-Content-Type-Options: nosniff
       [6] => Date: Tue, 28 Jul 2015 08:34:43 GMT
       [7] => Connection: close
       [8] => 
	   [9] => {
			"id":"id-goes-here",
			"name":"My Test Key",
			"permissions":["account"]
		} 
	)



Disconnected via https://account.arena.net/security/settings and re-ran the call to TokenInfo
Array ( 
       [0] => HTTP/1.1 403 Forbidden 
	   [1] => Content-Length: 43 
	   [2] => Content-Type: application/json; charset=utf-8 
	   [3] => Server: Microsoft-IIS/7.5 
	   [4] => Access-Control-Allow-Origin: * 
	   [5] => X-Content-Type-Options: nosniff 
	   [6] => Date: Tue, 28 Jul 2015 08:36:12 GMT 
	   [7] => Connection: close 
	   [8] => 
	   [9] => {
			"text":"endpoint requires authentication"
		} 
	)



Called using a different key
Array ( 
       [0] => HTTP/1.1 200 OK 
	   [1] => Content-Length: 100 
	   [2] => Content-Type: application/json; charset=utf-8 
	   [3] => Server: Microsoft-IIS/7.5 
	   [4] => Access-Control-Allow-Origin: * 
	   [5] => X-Content-Type-Options: nosniff 
	   [6] => Date: Tue, 28 Jul 2015 08:37:47 GMT 
	   [7] => Connection: close 
	   [8] => 
	   [9] => {
			"id":"id-goes-here",
			"name":"My Test Key 2",
			"permissions":["account"]
		} 
	)



Tried again using the original key
Array ( 
       [0] => HTTP/1.1 403 Forbidden 
	   [1] => Content-Length: 43 
	   [2] => Content-Type: application/json; charset=utf-8 
	   [3] => Server: Microsoft-IIS/7.5 
	   [4] => Access-Control-Allow-Origin: * 
	   [5] => X-Content-Type-Options: nosniff 
	   [6] => Date: Tue, 28 Jul 2015 08:38:33 GMT 
	   [7] => Connection: close 
	   [8] => 
	   [9] => {
			"text":"endpoint requires authentication"
		} 
	)



A few minutes later using the original key again
Array ( 
       [0] => HTTP/1.1 200 OK 
	   [1] => Content-Length: 100 
	   [2] => Content-Type: application/json; charset=utf-8 
	   [3] => Server: Microsoft-IIS/7.5 
	   [4] => Access-Control-Allow-Origin: * 
	   [5] => X-Content-Type-Options: nosniff 
	   [6] => Date: Tue, 28 Jul 2015 08:39:36 GMT 
	   [7] => Connection: close 
	   [8] => 
	   [9] => {
			"id":"id-goes-here",
			"name":"My Test Key",
			"permissions":["account"]
		} 
	)
	

Edit:
Okay I’ve had the chance to test with another IP address, one local and one remote.

I connected to the API with the remote server, then connected to the API with the local server. The IPs for the remote server appeared in the Current Log-Ins.

I disconnected the remote server via the page, and tested the API on both servers. Neither server could authenticate against the TokenInfo endpoint until the refresh.

Lawton Campbell.8517:

Those sessions shouldn’t be appearing in the list on the security page; they’re internal OAuth2 sessions created for the API keys for internal use.

Moturdrn.2837:

Not sure if you’ve done anything, but doesn’t look to be happening any more.

Just created several new keys to test on both the local and remote server, and no additional Current Log-ins are appearing.

Cheers!

Lawton Campbell.8517:

Yeah, we just pushed out a handful of bugfixes, including that one.