Slyfer.6478:

So, I’ve been thinking about how to make use of the new keys, and this is what I have so far. This is my first time using API authorization, so if I’ve skipped something essential please point it out.

*"Please enter your API key to proceed to registration"
*User enters key, proceeds to make an account on a successful GET request.
*Once registered, the data is stored in a database in this form:
id, account_name, email, password, api_key
*User gets to see basic info provided by …v2/account endpoint

Now my question is, what precautions should I take in the case where a user deletes their key by accident, logs into their account, goes to view basic info but gets an error due to the key no longer being valid? So far I’ve thought of letting the account update its key in the account settings (makes sense regardless, in case people want to change their permissions), but I feel there are some possible nuances that could arise. For example, what if they enter another account’s API key? I’d have to make sure the account from the key request matches the account in the database. Am I over-thinking, or does the rabbit hole go deeper?

If anyone has come up with an application/registration system that involves pulling data of the account for reviewing, please enlighten me.

Possible applications: armory-style website, easing guild applications (no longer will people have to fill what gear, consumables, alts and builds they specifically use), some sort of rankings websites.
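The two situations the post asks about (a key that was deleted after registration, and a replacement key that belongs to a different account) can be handled by resolving every key through the account endpoint before trusting it. The following is an added illustration, not code from the thread or from any game API client; the account lookup is a constructed in-memory stand-in for the `…v2/account` GET request, and the table layout (`id, account_name, email, password, api_key`) follows the post, with the password stored as a hash. It does not address the separate question of whether the person presenting a key is its owner.

```python
from dataclasses import dataclass

# Constructed stand-in for the account endpoint: maps a key to the account
# name it belongs to. A real deployment would perform the GET request here.
CONSTRUCTED_KEY_TO_ACCOUNT = {
    "KEY-ALICE-ORIGINAL": "Alice.1234",
    "KEY-ALICE-NEW": "Alice.1234",
    "KEY-BOB": "Bob.5678",
}


class KeyInvalid(Exception):
    """Raised when the key does not resolve to any account (deleted or never existed)."""


def lookup_account(api_key):
    """Resolve a key to its account name, or raise KeyInvalid."""
    try:
        return CONSTRUCTED_KEY_TO_ACCOUNT[api_key]
    except KeyError:
        raise KeyInvalid("API key is no longer valid") from None


@dataclass
class Account:
    id: int
    account_name: str
    email: str
    password_hash: str
    api_key: str


DB = {}  # constructed in-memory table keyed by account_name


def register(email, password_hash, api_key):
    """Create a local account named after whatever account the key resolves to.

    The key is validated first, so a deleted or mistyped key fails before any
    row is written, and an existing row is never silently overwritten.
    """
    name = lookup_account(api_key)
    if name in DB:
        raise PermissionError(f"{name} is already registered")
    DB[name] = Account(len(DB) + 1, name, email, password_hash, api_key)
    return DB[name]


def update_key(account_name, new_key):
    """Bind a replacement key only if it resolves to the same account.

    This is the check the post describes: a key belonging to another account
    is rejected instead of being attached to this row.
    """
    acct = DB[account_name]
    owner = lookup_account(new_key)  # raises KeyInvalid for a bad key
    if owner != acct.account_name:
        raise PermissionError("key belongs to a different account")
    acct.api_key = new_key
    return acct


def basic_info(account_name):
    """Fetch basic info for the stored key.

    Returns ("ok", account_name) on success, or ("key_invalid", None) so the
    caller can prompt for a new key instead of surfacing a raw API error.
    """
    acct = DB[account_name]
    try:
        return ("ok", lookup_account(acct.api_key))
    except KeyInvalid:
        return ("key_invalid", None)


def revoke_key(api_key):
    """Simulate the user deleting the key on the game side."""
    CONSTRUCTED_KEY_TO_ACCOUNT.pop(api_key, None)


if __name__ == "__main__":
    register("alice@example.com", "<hash>", "KEY-ALICE-ORIGINAL")
    revoke_key("KEY-ALICE-ORIGINAL")
    print(basic_info("Alice.1234"))            # ('key_invalid', None)
    try:
        update_key("Alice.1234", "KEY-BOB")     # rejected: wrong account
    except PermissionError as e:
        print("rejected:", e)
    update_key("Alice.1234", "KEY-ALICE-NEW")
    print(basic_info("Alice.1234"))            # ('ok', 'Alice.1234')
```

The `basic_info` result tuple is what the settings page would branch on: a `key_invalid` status sends the user to the key-update form rather than showing an error, and `update_key` guarantees that whatever they paste there is only accepted when it resolves to their own account name.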

smiley.1438:

How would you know that the API key belongs to the user who is about to register with your site? I already pointed out that the API key system makes user authentication (e.g. like login with Google, Twitter, GitHub etc.) for 3rd-party websites pretty impossible.
https://forum-en.guildwars2.com/forum/community/api/HEADS-UP-OAuth2-being-replaced-next-week/5049146

Slyfer.6478:

You don’t. I could technically fetch the valid existing API keys of random users and use them at my whim on any third-party application (say someone has created an API key with all permissions; I use a script to randomly test a plethora of keys and save the successful ones, then continue to fetch all of their data – say specifically their transaction history). Then, if I have malicious intent, I could filter out a specific account name (albeit this will still only be possible if they have a valid key in existence).

However, even though I agree this is pretty full of holes for registration, you could still get away with it. For example, if a malicious user uses a valid user’s key to register, he can. If the valid user generates a new key and uses that key to register, it could override the available info; this is also true vice versa in case the malicious user comes across your key (make an FAQ or something on your app, because I think this problem might become common if anyone decides to run some public service tied to registration). That’s one way of fixing the hole, but it’s a pretty big gaping hole. I also think that currently guild applications and guild forums would be compromised; it would just need one individual with too much time and proxies on their hands to send out guild applications on behalf of valid users and cause headaches for both the guild and the valid users.

TL;DR
I pretty much reached the same conclusion after thinking about it.

I really don’t know what to use the keys for now; there’s sort of a glaring security issue which seems to render all permissions null, unless you’re okay with reading the permissions as ‘Are you sure you want all your transaction history to be available not just to the third-party application of your choice but also to X amount of mooks that happened to come across your key?’.