
Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.18 22:32:00 -
[1]
Edited by: Tonto Auri on 18/06/2007 22:39:09
In my mind, really wanted addition is:
1. Universe browser by system (or constellation) - orbit items (planets, moons, gates, NPC stations and player outposts) and jumplinks (or even downloadable starmap for oog usage - ingame map totally unusable. Dunno who may use it, I cannot separate 2 systems residing 20 jumps away from each other and displayed both at 1px distance in best view position. Do You devs have any experience using Autocad or 3Dmax? Looks like no).
2. Items database browser - each item by id, linked to main site's Items Database and providing up-to-date information to both players viewing database from EVE-o and corporations web services accumulating it for their own usage.
-- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.19 10:27:00 -
[2]
Yep, after a good night of sleep I have some clues about API.
Great thanks to Keiko Kobayashi for that blog link, it was highly appreciated by me and pointed me to the right idea.
Originally by: Keiko Kobayashi
Authentication
The EVE API does not use standard HTTP authentication. Instead, it passes the authentication information via POST parameters. It is however better to use the built-in HTTP authentication functionality, primarily because many HTTP applications and stacks have built-in support for it.
Totally agree with these words. HTTP/1.1 401 Unauthorized and 403 Forbidden are much more understandable and easily handled (and many applications have internal handlers requiring only small overhead to detect the exact type of error) than any custom error handling, which requires deep investigation of the returned result to detect at least the presence of an error.
Using native HTTP authorization methods, You may (and in some cases must) use HTTPS to secure Your connection. I'd recommend to use explicit SSL to access EVE API.
Let us swing to another theme before I return to authorization and security.
Quote:
Pretty URLs
Part of REST is good URL design. This is actually not really really important, but it's one of the things that is usually the first things that people notice.
Yep, they may be pretty... and nice. I agree with Grauw without any comments. His explanation has enough stability and allows expansion to any level, which I have to demonstrate in next part.
This part will be...
Access Control based on pretty URL's
As Mantalari Altis said,
Originally by: Mantalari Altis [if someone give me his ApiKey] I can even check to see what other characters they have on the same account and see corp membership of each character [...]
It's definitely a hole in security, but it also may be used as starting point to gain security too.
Example sends us back to pretty URL's. In /char/ root tree we have
Quote:
/char/<characterID>/charactersheet
/char/<characterID>/accountbalance
/char/<characterID>/walletjournal
/char/<characterID>/walletjournal/<accountKey>
/char/<characterID>/walletjournal/<accountKey>/<beforeRefID>
/char/<characterID>/wallettransactions
/char/<characterID>/wallettransactions/<accountKey>
/char/<characterID>/wallettransactions/<accountKey>/<beforeRefID>
But we exactly missed one feature.
/char/<characterID>
Basic character info, almost publicly available through EVE interface. Now, we have one subroot - /char/<characterID> and different subtrees - charactersheet, accountbalance, walletjournal, wallettransactions and we are ready to improve our security to new level.
At first, let's look at subtrees. We clearly see one way to improve scalability and reduce number of subtrees. Scheme may be:
/char/<characterID> <- special meaning
/char/<characterID>/charactersheet <- skills
/char/<characterID>/charactersheet/skillTraining <- skill currently in training
/char/<characterID>/wallet <- balance
/char/<characterID>/wallet/journal
/char/<characterID>/wallet/journal/<beforeRefID>
/char/<characterID>/wallet/transactions
/char/<characterID>/wallet/transactions/<beforeRefID>
(I remove accountKeyId as unusual for personal wallet)
After that, we may have one main apiKey for whole /char/<characterID>/* tree and 2 restricted subkeys - to access charactersheet and wallet.
After all, we have one additional thing mentioned above. Let's take a look at...
Securing IGB
How can we use all that stuff to check real IGB against falsifications? Let EVE client get special session apiKey each login and send it to trusted sites along with current information. Site can check validity by sending request to /char/<charId> using charId/apiKey and check if there is a real character or 401 Unauth... And of course get additional charinfo as well.
-- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.19 16:53:00 -
[3]
Small clarification...
Originally by: Tonto Auri
Access Control based on pretty URL's
...
At first, let's look at subtrees. We clearly see one way to improve scalability and reduce number of subtrees. Scheme may be:
/char/<characterID> <- special meaning
/char/<characterID>/charactersheet <- skills
/char/<characterID>/charactersheet/skillTraining <- skill currently in training
/char/<characterID>/wallet <- balance
/char/<characterID>/wallet/journal
/char/<characterID>/wallet/journal/<beforeRefID>
/char/<characterID>/wallet/transactions
/char/<characterID>/wallet/transactions/<beforeRefID>
(I remove accountKeyId as unusual for personal wallet)
After that, we may have one main apiKey for whole /char/<characterID>/* tree and 2 restricted subkeys - to access charactersheet and wallet.
I found "main apiKey" useless. It must be simple two keys: apiKey to access /char/<characterID>/charactersheet subtree and apiKey to access /char/<characterID>/wallet subtree
Also, first (name it General) apiKey may be used in all other interactions, such as viewing other characters info from the web (/char/<characterID>) or accessing public database.
We still have 3 apiKey's.
1. Session key paired with charId instead of accountId, generated for IGB: valid for accessing /char/<charId>, revoked at DT.
2. General key: valid for all top-level access: /map/<mapType>, /char/<charId>, /corp/<corpId>, /eve/*. Also valid for retrieving /char/<charIdOfMyOwnChar>/charactersheet subtree.
3. Wallet access key: valid for accessing /char/<charIdOfMyOwnChar>/wallet and /corp/<corpIdCharBelongTo>/wallet/<walletDivision>/
-- . |
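
The three-key scheme from post [3] and the 401/403 handling argued for in post [2], written out as a path-scope check. This is an added example, not part of the original posts and not CCP's code; `Key`, `KEYS`, `find_key`, `in_scope`, `authorize`, the `char:`/`user:` principal prefixes and all IDs and secrets are assumptions made for illustration.

```python
# Added example, not CCP's implementation. Key, KEYS and authorize() are
# hypothetical names; IDs and secrets below are constructed sample values.
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    secret: str
    kind: str              # "session", "general" or "wallet"
    char_id: str           # the key owner's own character
    corp_id: str = ""      # corporation that character belongs to
    revoked: bool = False  # session keys are revoked at downtime (DT)

# Credentials are a (principal, secret) pair: charId for session keys,
# userId for the other two, as post [3] proposes.
KEYS = {
    "char:90000001": [Key("sess-aaa", "session", "90000001")],
    "user:1234": [Key("gen-bbb", "general", "90000001", "555"),
                  Key("wal-ccc", "wallet", "90000001", "555")],
    "char:90000002": [Key("sess-old", "session", "90000002", revoked=True)],
}

def find_key(principal, secret):
    for key in KEYS.get(principal, []):
        # Constant-time comparison so timing does not leak key prefixes.
        if hmac.compare_digest(key.secret.encode(), secret.encode()):
            return None if key.revoked else key
    return None

def in_scope(key, parts):
    root, rest = parts[0], parts[1:]
    own_char = root == "char" and rest[:1] == [key.char_id]
    own_corp = root == "corp" and rest[:1] == [key.corp_id]
    if key.kind == "session":      # only /char/<charId> of the paired character
        return own_char and len(rest) == 1
    if key.kind == "general":      # top-level info plus own charactersheet subtree
        if root == "eve" or (root in ("map", "char", "corp") and len(rest) == 1):
            return True
        return own_char and rest[1:2] == ["charactersheet"]
    if key.kind == "wallet":       # own wallet subtree, own corp wallet divisions
        if own_char and rest[1:2] == ["wallet"]:
            return True
        return own_corp and rest[1:2] == ["wallet"] and len(rest) >= 3
    return False

def authorize(principal, secret, path):
    """Return 401 for bad credentials, 403 for out-of-scope paths, else 200."""
    key = find_key(principal, secret)
    if key is None:
        return 401
    parts = path.strip("/").split("/")
    if "" in parts or "." in parts or ".." in parts:
        return 403                 # reject empty or dot segments outright
    return 200 if in_scope(key, parts) else 403
```

A site checking an IGB visitor would call `authorize("char:<claimed id>", <session key>, "/char/<claimed id>")`; a forged character claim fails with 401 because the pair does not match any issued key.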

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.19 16:54:00 -
[4]
Originally by: Amida Ta Is there any specific reason why to not make this a web-service This is cool as hell already, but as web-service it would be even better 
/me is for web-service 
It IS a web-service. Open Your eyes, dear... -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.19 19:12:00 -
[5]
Originally by: Amida Ta Then where are the WSDL-Files? Moreover the output doesn't look very Web-Service like. And the input seems to be a normal HTTP post. No Web-Service style either (at least not using SOAP)...
Why You think that SOAP is only one way to operate with web-based services? :) I think that EVE devs have much cleaner look at web-services. No overhead, only real work. Yup, it MAY have no overhead, as explained in Grauw's blog. -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.19 19:16:00 -
[6]
Originally by: DevAmarr Null Hello everyone,
I am looking at this API, but didn't see how can one get characterID easily. As till now, you can get it manually checking the links under My Character section, but that's kind of not good. It would be easier if we would have some sort of XML/CSV that would give back all charactersID connected to userID and API key. Or am I just missing that information?
cu
If You pay a little attention reading patchnotes and this topic, You may see that there's a plan to make easy converter service "Char name" => "Char Id", "Corp Name" => "Corp ID" etc. -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.19 20:49:00 -
[7]
It only looks like we need it. But in reality it's just a security hole and should be avoided as possible. Imagine:
Scene 1. You giving out Your login and password so someone may do anything with Your account (in example - enumerating characters on it, but not only that)
Scene 2. You giving out Your userid and apiKey. Someone may... what? Close to nothing. He can't find Your login or understand Your password, can't easily find any characters existing on Your account (of course, he can enumerate through all characters, but that way takes an incredibly long amount of time).
With that Name->id converter, You not really need to know Your CharID. If we take EVEmon as example, You give 'em userId, apiKey and character name. They convert charname to charid using userid and apikey provided. 2 results at once. Checking apiKey validity and understanding charId. -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.19 21:38:00 -
[8]
You missed that it's not my account.
It's someone other's account, who gave me his apiKey and charname. -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.20 11:45:00 -
[9]
Originally by: 45thTiger 002 The main usability issue is directing users wanting to provide the data for a corp web site, or a site that generates sig blocks, is that a lot of players have no idea what the character id they wish to use actually is.
The way it's implemented now, you need to direct them to two / three places to do it for dumb users. 1st to the API Key page and then to a custom IGB site to get the active character id.
No.... nooo... Why can't You read whole topic? :( You do not need to get Your charId personally. What You only need - provide Your userId, apiKey and charName. Service can convert charname to charId itself.
Quote: And even then, to link them into a clan portal you'd need to re-auth them against user id on the portal site and the portal may or may not work in the IGB.
It already suggested before, but making portal working in IGB is an easy task, really easy.
Quote: It would be preferable if the API Key page at least provided a list of characters on the account and the associated character IDs for the user to cut and paste.
Agree, it will be useful, but not required.
Quote: Even simpler would be to expose the userid and apikey to the IGB when a user trusts a site. (Yeah yeah I know!)
Not as it done now! Read whole topic!
Quote: Regarding corp wallet access, I would suggest that the API Key site once again be upgraded to generate a corpid / apikey for users with director role. Accessing corp data through user is dangerous as mentioned earlier.
Nope if all done properly, because API does same role checks as EVE server.
Quote: Regarding re-requesting transaction history, to reduce load it would be best to allow a parameter that specified the max record to retrieve, otherwise each call will fetch 1000 rows, only a few of them may be applicable depending on activity.
Already suggested as afterRefId.
Quote: That being said, the API is an excellent step forward for EVE and the EVE Community. (Maybe one day it will accept data so corp management can be done on the portal and the changes fed back to Eve - HAHAHHA!
Sure it will never be implemented. -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.20 11:46:00 -
[10]
Originally by: Ovno ConSyquence does anyone know if this data will be availble through the myeve web interface as well or am i going to have to write some code just to get hold of my wallet exports in csv?
It will be available from MyEVE as part of account management functionality, IIRC. -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.20 11:51:00 -
[11]
Originally by: Crescend Hangar dump, with basic item stats for each item (especially BPCs) and numbers of each item would be very, very appreciated. As is, managing multiple major factory locations and keeping track of multiple R&D and supply chains is a gigantic hassle.
Better to implement it as optional "Export" context menu function for cargobays, hangars and cans inside client. -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.20 19:10:00 -
[12]
Originally by: CCP Garthagk After some discussion, we've decided to slightly change the way the API keys work. Notably, there will be two keys going forward: a low security one and a high security one.
Glad to see that something changed in a good way. What about other suggestions? RESTful model as one of them. Or IIS is too stupid to allow URL mapping like normal webservers does? -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.20 23:37:00 -
[13]
Edited by: Tonto Auri on 20/06/2007 23:39:19
Originally by: FlashFF I honestly dont see that the RESTful model is massively important. In fact, given the choice I'd personally go without it.
No one said that is important, and on IIS, I think, it cannot be fully implemented anyway. But at least moving authorisation to HTTP level (supported by all servers and most clients) and using HTTPS for API calls (supported by most servers and already exists on EVE-o) would be significant benefit to interaction.
One real change I'll be pleased to see - it's removal of /account/Characters.xml.aspx - characters on your account
I do NOT need to expose all my alts (even if they exists or not). -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.21 08:47:00 -
[14]
Originally by: Amida Ta HTTPS is probably not a good idea to use. With the supposed usage model (LOTS of atomic calls) it would put gigantic stress onto the server.
HTTPS is a generally good idea and I know servers working explicitly over SSL with lots of clients. -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.23 23:55:00 -
[15]
Perin Ashedge, I can try to help You if You show Your code. EVEmail me in game. -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.24 03:28:00 -
[16]
I see at least 3 major mistakes in Your code.
1. <?php
2. set_time_limit(0); even longer than any number You can provide.
3. You use GET method, not defined in API doc. -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.24 08:15:00 -
[17]
Edited by: Tonto Auri on 24/06/2007 08:15:44
Originally by: Neonemesis jeez u dont need <?php, <? will do it is exactly the same^^
Sure? Add
Quote: php_flag short_open_tag Off
to .htaccess and "feel the difference" (c)
Rule #0 of compatible coding: NEVER use functions marked as "obsolete" or "deprecated".
So...
allow_call_time_pass_reference Off
asp_tags Off
session.bug_compat_42 Off
short_open_tag Off
P.S. Using <? instead of classified tag causing XML validity check error too. -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.24 18:33:00 -
[18]
Originally by: Ashoka TG Why is it that I can access my wallet only once every so many minutes? Moreover, why isn't this limit documented anywhere.
It is documented(sic!) 1-hour cache time.
Quote: Secondly, is a market export coming? I don't mind CCP saying no, I just want an answer, we've all been waiting too long.
No and never. May be Your orders (accessible from wallet), but not for regional market. Go in game and press "export" button. -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.24 19:42:00 -
[19]
Originally by: TornSoul I only wish the 1 hour cache was per char, and not per account.
Pulling all wallets from 3 chars, you have to wait an hour between each...
Could we please have this changed to a per char basis.
Damn.. Why I ask to DAMN REMOVE the ability to list characters on account. As they introduce open-level of access to characters, it should be the same level as in game, without accidental nor implied disclosure of information You do not wish to disclose!
Add CharName<->CharId converter and REMOVE THAT DAMN CHARLIST!! -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.24 22:21:00 -
[20]
Originally by: Ray McCormack Tbh, it's not the i-win button for traders everyone thinks it will be. It will simply be another tool in this great dynamic that is the EVE market. It will give no advantage that it doesn't counter-measure in itself.
Don't roll Your eyes, You know that NPC trading now is enough close to exploit to not boost it to new level. -- . |

Tonto Auri
Center for Advanced Studies
|
Posted - 2007.06.25 00:31:00 -
[21]
Originally by: Jaabaa 2) The characters list.
The characters on an account "/account/Characters.xml.aspx" should only be accessible with the full key. It might even be a better idea to have a limited key per character, so that people can't guess at (and confirm) your alts on an account.
It is absolutely NOT needed. Small tool to convert char name to charID (or even accept charname instead of charID) will be enough.
/account/Characters.xml.aspx - IS A SECURITY VIOLATION AND MUST BE REMOVED -- . |

Tonto Auri
Vhero' Multipurpose Corp
|
Posted - 2007.07.11 12:44:00 -
[22]
Eight Ace, why not using cURL?
Code will be so much simpler and more understandable, even using cURL itself or PEAR wrapper.
Initialization (common part):
Quote:
<?php
// API credentials, sent as POST fields
$auth = array(
    'userID' => 'nnnnnn',
    'apiKey' => 'insertapikeyoverhere',
    'characterID' => 'nnnnnnn'
);
$api_url = 'http://api.eve-online.com/corp/MemberTracking.csv.aspx';
?>
Native cURL code:
Quote:
<?php
$ch = curl_init($api_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the body instead of printing it
curl_setopt($ch, CURLOPT_HEADER, false);
// Build the URL-encoded POST body by hand
$_req = '';
foreach ($auth as $key => $value) {
    $_req .= (strlen($_req) ? '&' : '') . urlencode($key) . '=' . urlencode($value);
}
curl_setopt($ch, CURLOPT_POSTFIELDS, $_req);
$rc = curl_exec($ch);
?>
Or using PEAR (You need PEAR and net_cURL package installed)
Quote:
<?php
require_once('Net/Curl.php');
$ch = new Net_Curl();
$ch->url = $api_url;
$ch->fields = $auth;
$rc = $ch->execute();
?>
After all, You can do
Quote:
<pre>
<?php
// Escape the response before echoing it into the page
print(htmlspecialchars($rc));
?>
</pre>
P.S. "Host: ..." header is a HTTP/1.1 notation. You do not need it if You are not using a proxy. -- . |

Tonto Auri
Vhero' Multipurpose Corp
|
Posted - 2007.07.11 20:41:00 -
[23]
Originally by: DeTox MinRohim Because CURL is not necessarily enabled on every hosts
But it is part of main PHP package (while PEAR and PECL are not) and typically available in most professional hosting plans (and surely available for Your own host).
BTW, when using PHP 5 version, native code can be simplified to
Quote:
<?php
$ch = curl_init($api_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($auth));
$rc = curl_exec($ch);
?>
-- . |

Tonto Auri
|
Posted - 2007.07.19 20:09:00 -
[24]
Originally by: Luf Yu'Wong
<?php file_get_contents($path); ?>
This should be faster if using PHP 5 as it uses streams.
php_flag allow_url_fopen Off
Let check Your construction this way.
Quote: And since we are getting an XML document then we have no issues in getting everything.
Please explain this statement. What do You mean by "no issues in getting everything"? -- Thanks CCP for cu<end of sig> |

Tonto Auri
|
Posted - 2007.07.28 16:48:00 -
[25]
Originally by: Jalf Could just be something like the following: <error code="101">Wallet exhausted: retry after <time>2007-07-26 22:34:07</time></error>
It already there. Any such thing should contain <cachedUntil>2007-06-18 23:42:00</cachedUntil> -- Thanks CCP for cu<end of sig> |

Tonto Auri
|
Posted - 2007.07.30 02:29:00 -
[26]
EVE API badly designed and have too many "issues" which ***** people heads each time they try to get it to real work. -- Thanks CCP for cu<end of sig> |

Tonto Auri
|
Posted - 2007.07.30 02:32:00 -
[27]
Eeerm.. does word "сraсk" mean something special why it filtered out? -- Thanks CCP for cu<end of sig> |

Tonto Auri
|
Posted - 2007.08.08 04:25:00 -
[28]
Originally by: Iachrites Archveult The thing to notice here is that the skillpoints count is correct. 633568 is right for level 4. Yet the API says the level is 3.
Seems to be some kind of error in the API at some level.
Is it a skill which is just finalized and You still not logged in to get skill completion message? There's one quirk used by EVE devs to provide such login alert to us... In that ugly way :((
Originally by: Iachrites Archveult
IA
There's a signature option in settings. No need to waste messages body. -- Thanks CCP for cu<end of sig> |

Tonto Auri
|
Posted - 2007.08.09 16:37:00 -
[29]
Edited by: Tonto Auri on 09/08/2007 16:37:37
Originally by: Lord Choronic I'm sorry. but I still have no clue on how to get a hold of the information :( I'm seriously a noob when it comes to Internet Explorer and that jazz, help would be appreciated
That means You do not need any help in case You do not need to know anything about EVE API. It just not required to play EVE as You doing it.
P.S. And, please, STOP YOUR OVERQUOTING!! -- Thanks CCP for cu<end of sig> |

Tonto Auri
|
Posted - 2007.10.01 03:30:00 -
[30]
Originally by: Vulcar Dumas Why is this not working, it outputs a blank page-
<?php
$data = array(
    'userID' => "xxx",
    'apiKey' => "xxxx"
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://api.eve-online.com/char/WalletJournal.xml.aspx");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
WalletJournal API call requires CharacterID parameter to be passed with API key information. Just add it to $data structure. -- Thanks CCP for cu<end of sig> |