Andre Vauban
Quantum Cats Syndicate
32
|
Posted - 2012.09.10 13:16:00 -
[1] - Quote
I'm looking for some best practices around the optimal ways to register Eve players in your corporation/alliance/block into your forums/voice comms/etc. We've gotten some complaints about the registration system we used taking too long (due to API cache) and I'm trying to figure out how to make it better. I'm sure the larger groups have already run into problems. Any advice?
Here is some background information on our current system. We run a Drupal-based website that contains forums, wiki, fitting, etc. We currently authenticate a user by having them send an eve-mail with an external email address to a certain eve character. The system then checks that character's evemail every hour (due to the API cache). If it finds an evemail with an email address in it, it registers that user and sends them an email with a one-time login URL. This ensures that every account on the system is 100% guaranteed to belong to the human that has access to the Eve account that owns that character.
We then assign various roles to the account based on which corp/alliance they belong to. These roles are dependent on the character belonging to a certain corp/alliance. We also have a bunch of roles that are manually assigned that are dependent on a base role described previously. If the person leaves a permitted corp/alliance, their base role is removed which would then trigger any roles dependent on that role to also be removed. The result is we don't have to touch anything and people's roles will be added/removed within the API cache time when they join/leave corps/alliances.
The biggest complaint about the system is that it is too complicated to register and it takes too long (i.e. not instant) to register. I really don't see a way around this until we can send Eve-mail via the API. Using just an API key to register an account is flawed, as the API is intended to be given to third parties. Just because I have an API key for an account doesn't mean I own that account. Most alliance websites I looked at either accept this limitation, do something manually, or rely on some other two factor authentication such as an authorization key given when a person is accepted into corp, etc. Most of the services we are trying to run are for militia, which is a really loose affiliation. We cannot really do any of these two factor authentication schemes as we are dealing with 50+ independent corporations.
QCATS is recruiting https://forums.eveonline.com/default.aspx?g=posts&t=146180
|
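The role cascade described in the post above, as an added example that is not part of the original post or the poster's Drupal code: base roles come only from the corp/alliance the API reports, and manually granted roles are revoked once the role they depend on is gone. All corp, alliance and role names are constructed, and the chained dependency (a manual role depending on another manual role) generalizes slightly beyond what the post describes.

```python
# Constructed data: corp, alliance and role names are hypothetical.
BASE_ROLE_FOR = {
    ("alliance", "Example Militia"): "militia_member",
    ("corp", "Example Corp A"): "corp_a_member",
}
# Manually granted role -> the role it depends on.
DEPENDS_ON = {
    "fleet_commander": "militia_member",
    "intel_channel": "fleet_commander",   # chained: depends on another manual role
    "corp_a_director": "corp_a_member",
}


def base_roles(corp, alliance):
    """Base roles earned purely from the affiliation the API reports."""
    earned = set()
    for kind, name in (("corp", corp), ("alliance", alliance)):
        role = BASE_ROLE_FOR.get((kind, name))
        if role:
            earned.add(role)
    return earned


def reconcile(current_roles, corp, alliance):
    """Return (kept, removed) for one account after an affiliation refresh."""
    kept = base_roles(corp, alliance)
    manual = {r for r in current_roles if r in DEPENDS_ON}
    # Fixed point: a manual role survives only while its prerequisite does.
    changed = True
    while changed:
        changed = False
        for role in sorted(manual - kept):
            if DEPENDS_ON[role] in kept:
                kept.add(role)
                changed = True
    # Anything else (stale base roles, orphaned or unknown roles) is revoked.
    return kept, set(current_roles) - kept
```

Running `reconcile` on every affiliation refresh means revocation needs no manual step, and a role that appears in neither table is dropped rather than silently kept.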
Bath Sheeba
Another Success Story
57
|
Posted - 2012.09.10 18:15:00 -
[2] - Quote
I don't really see where you can get around that.
You can mitigate the time though.
You could have them send some small amount of ISK, say 0.10 ISK to the corp and then check the corp wallet journal, which is on a 15 minute cache versus the 1380 mins on the evemail header cache timer. That may be why it takes so goldarned long. :)
I mean they would have to send you some ISK, but at least it would not take 23 hours.
Something tells me the evelopedia entry may be a bit out of date.
and my search has borne this out: http://wiki.eve-id.net/APIv2_Char_MailMessages_XML
seems to indicate that every 30 mins you can get new message headers......hmmmm.
Steve Ronuken
Fuzzwork Enterprises
625
|
Posted - 2012.09.10 19:55:00 -
[3] - Quote
I'm waiting for CREST.
Because it should allow auth with oauth2. Should help.
FuzzWork Enterprises http://www.fuzzwork.co.uk/ Blueprint calculator, invention chance calculator, isk/m3 Ore chart and other 'useful' utilities.
Andre Vauban
Quantum Cats Syndicate
32
|
Posted - 2012.09.10 20:01:00 -
[4] - Quote
Steve Ronuken wrote: I'm waiting for CREST.
Because it should allow auth with oauth2. Should help.
Can you elaborate? I don't see how that will help unless they also expand the IGB in some way to support oauth2 for exactly this sort of thing. Right?
QCATS is recruiting https://forums.eveonline.com/default.aspx?g=posts&t=146180
|
Cyerus
Galactic Dominion Eternal Strife
51
|
Posted - 2012.09.10 20:03:00 -
[5] - Quote
I would have to say that even with your approach you can't guarantee a 100% safe environment. Regardless of how many boundaries you set, everything stands with human stupidity outside of your control. One not-so-nice-person inside one of those 50 corporations and all the information is leaked anyway.
I assume you use /eve/CharacterInfo.xml.aspx to check whether or not that character is still part of that corporation/alliance, which is an hour cached as well.
There is no other way of determining if the user is the account holder of that character. Still there's the possibility of account sharing, so you can never be 100% sure. But I'll grant you that that is less likely than somebody using somebody else's API key.
Andre Vauban
Quantum Cats Syndicate
32
|
Posted - 2012.09.10 20:11:00 -
[6] - Quote
Cyerus wrote: I would have to say that even with your approach you can't guarantee a 100% safe environment. Regardless of how many boundaries you set, everything stands with human stupidity outside of your control. One not-so-nice-person inside one of those 50 corporations and all the information is leaked anyway.
I assume you use /eve/CharacterInfo.xml.aspx to check whether or not that character is still part of that corporation/alliance, which is an hour cached as well.
There is no other way of determining if the user is the account holder of that character. Still there's the possibility of account sharing, so you can never be 100% sure. But I'll grant you that that is less likely than somebody using somebody else's API key.
Good points, but having them eve-mail (or send isk as suggested above) does guarantee that the person registering knows the eve client PW for that account. Whether or not the account has been hacked or is being shared is really CCP Sreegs' problem.
Yes, I am using eve/CharacterInfo to determine corp/alliance affiliation. It's not perfect, but it's the best that I know of. Are you implying there is something faster? If so, care to share your secret method? :)
QCATS is recruiting https://forums.eveonline.com/default.aspx?g=posts&t=146180
|
Steve Ronuken
Fuzzwork Enterprises
625
|
Posted - 2012.09.10 20:30:00 -
[7] - Quote
Andre Vauban wrote:
Steve Ronuken wrote: I'm waiting for CREST. Because it should allow auth with oauth2. Should help.
Can you elaborate? I don't see how that will help unless they also expand the IGB in some way to support oauth2 for exactly this sort of thing. Right?
CREST is the new API system they've been working on.
It depends on OAuth2 for authorizing access to resources.
Twitter/Facebook/et al. use OAuth to handle their federated ID system.
It should be possible, once CREST goes live, to use the OAuth2 system to have a sign in system that:
Person clicks a link on your site. This sends them to CCP's auth server, with a request for access to something relatively public (corp membership, alliance membership, that kind of thing).
They log in there (if they're not already logged in), and approve the access request.
They're then sent back to your site with a token.
You use that token to talk to CCP's servers to find out who they are (in the backend).
They're now authenticated with you, without any requirement for giving you a username or password.
No need for changes to the IGB. It's all pretty standard HTTP
FuzzWork Enterprises http://www.fuzzwork.co.uk/ Blueprint calculator, invention chance calculator, isk/m3 Ore chart and other 'useful' utilities.
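The sign-in flow outlined in the post above, as an added example that is not part of the original post and not CCP's API: it assumes the standard OAuth2 authorization-code grant, where the value returned in the redirect is a short-lived code that the site exchanges in the back end. The endpoint URLs, client id, scope name and the `exchange_code` callable are placeholders, since the thread names none of them.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholders: the thread gives no CREST endpoints, client id or scope names.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://forum.example.invalid/sso/callback"
SCOPE = "membership.read"  # hypothetical scope name


def begin_login(session):
    """Build the link the person clicks; bind a random state to their session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": SCOPE,
              "state": session["oauth_state"]}
    return AUTHORIZE_URL + "?" + urlencode(params)


def finish_login(session, callback_url, exchange_code):
    """Handle the redirect back, then ask the auth server who this is.

    exchange_code(code) stands for the back-end HTTPS calls (token request
    plus identity lookup); it is injected so the example runs offline.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: replays fail
    got = query.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected.encode(), got.encode()):
        raise PermissionError("state mismatch: callback not tied to this session")
    if "error" in query or "code" not in query:
        raise PermissionError("authorization was not granted")
    identity = exchange_code(query["code"][0])
    # Trust only what the auth server returned over the back channel,
    # never a character name supplied in the redirect itself.
    session["character"] = identity["character"]
    session["corporation"] = identity["corporation"]
    return session["character"]
```

The `state` check is what ties the returning redirect to the browser session that started the login, so a callback URL pasted in from someone else's login attempt is rejected.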