Hexagon wrote:
anch159 wrote:
Mhhhh maybe the account Authbot (I think it was called) can have like a really large amount of worlds then it can make it visible true and visible false so only you can enter it.
Like once you enter the world it turns visible false then when you put in the code, it makes it visible true then it kicks you.
That's an interesting idea. Building upon this, if there was one special authbot room, with a bot running (24/7) that kicks everyone except the user who needs to authenticate (and of course authbot), that might work too. However, having a bot running all the time just to kick users is a bit wasteful.
The current implementation can support 500 users authenticating at the same time. I'd rather not introduce a limit to this.
I had another idea, that there would be a special authroom, where the bot would kick you with a number that you have to enter to login. In fact, this was my initial implementation. The problem with this method is that people might be able to see the kick messages of others by joining over and over multiple times. The 5 minute kick period is annoying as well.
Anyway, why are we looking into alternative methods? Is the current one broken?
No, but it could be made better!
Offline
No, but it could be made better!
That comment encapsulates my thoughts as well.
The current method works quite well (500 users authenticating at one time is plenty), there haven't been any reported security breaches, but there are always improvements to be made.
Maybe if you had to enter your EE username in the website first, then when you chat the code, it would have to be from the same username. This suggestion may be unnecessary, partly because I didn't look at the architecture/code of the application beforehand.
Offline
Maybe if you had to enter your EE username in the website first, then when you chat the code, it would have to be from the same username. This suggestion may be unnecessary, partly because I didn't look at the architecture/code of the application beforehand.
I don't know what the other half of the second sentence means, but I think inputting your username is a great idea!
Offline
How about it using /visible false when the first player joins the room, then /visible true when that player leaves?
Because the rooms are technically visible in the lobby (you can see them with a client that has no bad words filter), this could allow trolls to join the room before you and prevent the real person from logging in.
Maybe if you had to enter your EE username in the website first, then when you chat the code, it would have to be from the same username. This suggestion may be unnecessary, partly because I didn't look at the architecture/code of the application beforehand.
If this would add more security, I'd implement this. However, currently, there is no reason to do this and it makes the already-complicated auth even more complicated.
No one has yet pointed out a security flaw since the update, and I don't think we should make the process more obscure unless there is a reason to. (There was initially one small flaw mentioned by atilla which I was already aware of; this flaw has already been patched.)
I'm very open to suggestions that simplify the login process, that's where EEAuth might need a few improvements. Copy-pasting a string between two tabs isn't something straightforward.
I have never thought of programming for reputation and honor. What I have in my heart must come out. That is the reason why I code.
Offline
How about it using /visible false when the first player joins the room, then /visible true when that player leaves?
I just said that ._.
Offline
There may be a simpler method, but it may reduce the security of your application.
1. Log onto the website. Website says to go to a specific room (which is loaded in an iframe on your website, to avoid the switching tabs scenario) and type your username into the website. However, as you said, typing in your username may complicate things too much.
2. You join that room, and the bot says (in the room, something similar to): "If you would like to verify your account with EEAuth, type 849383 in the chat". If the user does not have chat, they may be able to use a series of quickchat commands.
3. If the user types that message in, then their account is verified. The iframe can then close/disappear.
However, the user is responsible for NOT typing in the code if they see that message, and do not recognize its origin.
Offline
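Added example (not part of the thread and not EEAuth's code): a sketch of the username-bound code check suggested in the posts above, where the website records the claimed username and the bot accepts the code only from a chat sender with that same name. The names `ChallengeStore`, `issue`, `on_chat` and the 5-minute lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed code lifetime, not a value from the thread


class ChallengeStore:
    """Pending login codes, keyed by the username claimed on the website."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}   # normalized username -> (code, expires_at)
        self._clock = clock  # injectable so expiry can be tested

    @staticmethod
    def _norm(username):
        # Compare names case-insensitively and ignore stray whitespace.
        return username.strip().lower()

    def issue(self, claimed_username):
        """Website side: create a 6-digit code bound to the claimed name."""
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + CODE_TTL_SECONDS
        # A new request replaces any older code for the same name.
        self._pending[self._norm(claimed_username)] = (code, expires_at)
        return code

    def on_chat(self, sender, message):
        """Bot side: called per chat line; True only if `sender` is verified."""
        key = self._norm(sender)
        entry = self._pending.get(key)
        if entry is None:
            return False  # nobody claimed this name on the website
        code, expires_at = entry
        if self._clock() >= expires_at:
            del self._pending[key]  # expired codes are discarded
            return False
        if not hmac.compare_digest(message.strip().encode(), code.encode()):
            return False
        del self._pending[key]  # single use: a replayed code fails
        return True
```

A code overheard in the room is useless to another player here, because the bot looks the code up by the chat sender's own name rather than by the code itself.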
Only the EE.com swf can be embedded, right? So it would be useless for FB/Kong users
Plus, that would be up to the person who utilizes this tool. Processor's only responsible for the actual authorization process, his test website doesn't really have anything to do with it
Last edited by BuzzerBee (Jan 11 2015 1:37:35 pm)
Offline
Only the EE.com swf can be embedded, right? So it would be useless for FB/Kong users
Oops, didn't think about that.
While Kongregate users comprise a small portion of the user base (and one can justify leaving them out in the cold so to speak), FB users are a problem. Possibly something with the OAuth API can be devised, but I'm not sure.
Offline