And to all the “API-Key-Hater” (for a lack of better wording), you really should look how EVE and CCP do it. It is an awesome system and they have ran with it for years and never had any big problems.
XML API
…well, nobody’s perfect (glad they also offer JSON). However, as already pointed out, it also uses OAuth – for some good reasons, i guess. Hey, they even offer “Login with EVE Online” buttons on the bottom of that page!
The sites that do want to steal you account info wont even care and just still link to their login page instead (you expect the user to know how the authentication process work?)
Anyway it seems you are set on the change so i better just get on with the annoying process of writing/recording tutorials
Fun fact: this was a point i made in the #gww IRC yesterday, transscript below:
[20:30] <Smiley_> the problem with the oauth redirect actually isn’t that a 3rd-party redirects to a login-page but that the owner of the login page has to make sure that the users can easily identify phishing attempts (ssl server certificate)
[20:31] <Smiley_> (by owner of the login page i mean anet)
[20:32] <Smiley_> so when you see a green “Arenanet, Inc.” on the left side of your address bar, you can be pretty sure, you’re not getting phished
[20:33] <relic> I would not rely on users paying attention to the certificate
[20:34] <Smiley_> thats what i meant with “you cannot mitigate PEBCAK” – there are still people who click links on spam emails
[20:34] <Smiley_> natural selection
[20:37] <relic> API keys means that never happens in the first place though
[20:38] <Smiley_> i could easily make up a site which looks exactly like the gw2 account management
[20:38] <Smiley_> in fact, it’s even worse this way
[20:39] <relic> what, so the application links to a faux official site to login to for an api key?
[20:40] <Smiley_> the same which would redirect to a faux official site to login for oauth2 authorization
[20:40] <Smiley_> now tell me whats worse?
[20:43] <relic> both seem equally bad to me
[20:43] <Smiley_> right
[20:43] <Smiley_> so now what’s the advantage of api keys over oauth2?
[20:46] <relic> the user is only vulnerable at the one point they go in to generate an api key right? rather than every app authorization?
[20:47] <Smiley_> ideally you’d have to create a different key for each application, so the risk is potentially the same
[20:49] <relic> sec, I should check the management page lol
[20:51] <relic> but you are doing it from the official website
[20:52] <relic> A faux website couldn’t replicate the keys you manage as well even if they got everything else right
[20:52] <Smiley_> you still have to get there first – how many users do have it open in a tab all the time and how many would just click the lazy link on the 3rd party site “go here to create an api key”
[20:52] <Smiley_> you don’t need to create the key
[20:53] <Smiley_> as a phisher you want the login data
[20:53] <Smiley_> the damage is done in the moment you click “log in” on a faux login site
[20:57] <relic> with oauth, if you are already logged in with a session key, you can authorize immediately
[20:57] <relic> having the person login to a fauz official website seems much harder to phish with
[20:59] <relic> I think that method would happen just as much whether you use oauth or api key :/
[21:00] <Smiley_> right, thats why verified ssl certificates matter
[21:02] <relic> how does that make a difference?
[21:02] <Smiley_> that green thing in the address bar jumps at you
[21:03] <Smiley_> see: https://github.com/
[21:03] <relic> no kitten, what is the difference in regards to oauth and api key methods?
[21:04] <Smiley_> oauth is user friendly, also the token exchange happens between the servers
[21:05] <Smiley_> you have to keep in mind that the api key is basically the access token in oauth2 which noone would see (except the database owner maybe)
Plus: API keys are useless for user authorization, which may be pretty handy for e.g. character websites
instead of registering an app and going through the OAuth2 code flow, users simply create and copy-paste an API key into your client.
I doubt that this would make anything better for the users. There are a lot of people out there who hardly know to start a pc and run their game – imagine these to create and use an API key. Despite of it’s flaws, OAuth2 is being used all over the web for way more sensitive applications and most users are used to it. I mean, we’re talking about an API account which reveals little sensitive data, not actual user account info (e.g. real names, address, billing info).
So the only thing you might mitigate is that a user gets their login data scammed (which also happens in so many different ways) at the cost of making the login flow less user friendly. You cannot mitigate PEBCAK.
so, if i understand this right… i would have to be using the app, and then log in to my account on guildwars2.com… and then grant permission. so if i never use any apps, then they’ll never gain access to any of my information.
You will know, however, if an app is requesting access to your credentials before you even allow it since you’ll get a page like this: http://i.imgur.com/E9XKVy3.png which actually sits on ANet’s servers.
After the login screen you’ll get a screen which will be similar like the following (similar as in: the wording will be clarified). Note the URL, the login and the authorization will always happen on Anet’s servers.
HANDY…. I see it is limited to API items (tested it against some old pvp skins). Since this is http, do you have a way to do a search for something that includes a space?
So where’s the problem then? (We’re talking about ~38k items and ~150MB DB size)
I’ve a very slow connection, so i can only estimate – there have been reports from like a couple seconds to a few minutes. However, it also depends on the amount of languages you pull from the DB.
We’ll work on making those strings a little more specific, if anyone has any examples of sites that do a really good job of describing OAuth scopes in consumer-friendly language I’d love a link. Most in my experience has been similarly-generic text.
but at the end of the callback method I now know that the browser I’m talking to is that person, and I could (kind of) use it authenticate users into my website without having to have my own user/pass system.
That’s basically what the “Login with Google/Facebook/Twitter” button on many websites does.
Great to hear that it’s a desktop API (sorry, I’m a web developer by trade so I am hardwired to think APIs are for remote locations, so I wanted to clarify).
Aw, now that is a shame. Maybe a new API for more “realtime tracking”? I would really like to get my hands on something like that; the possibilities are grand. Not only would I be able to do this thing with my keyboard, but I’m sure there could be some widgets made that do some very nice things, like enhanced alerts (for low hp or low stamina), or some neat conditional display based on race / profession.
Maybe if the map location were also put in this theoretical API, you could do a heatmap of the world too, to see where the players using this widget are, currently.
Of course, I’m not familiar with a codebase as complex as GW2 (probably) is, so I don’t really understand the level of effort something like this would take. Surely there isn’t a whole lot of data that people would want, though.
Actual search endpoints is definitely something I’ve been looking into. The way we pull content data right now is to basically load stuff from the dat file — which is designed for semi-random access and doesn’t really yield itself to indexing. So I’m trying to pull all the data into a more normalized format so we can load it into search indexes and index all the things (not just items/recipes, but also future endpoints like skills and maps and whatnot). Still a ways from being production ready though ;_;
Pretty please with sugar on top! Especially a search endpoint for the maps API (POIs and stuff) would be extremely helpful to create maps for the Wikis.
After some deep thoughts and a quick huddle over here we’re disabling /v2/floors, we’re not happy with how it looks and want to revisit it before anyone writes code to depend on it.
What can i say? Yay, go for it! Help us to create shiny maps, especially on the Wikis! Everyone wants them but the floors API isn’t handy at all.
I stand with the people who want the discovered MF recipes in the API. There’s actually no reason to disclose them, since these are (mostly) documented in the Wiki anyway.
If people from different time zones have access to the same schedule, they have to do some calculation to work out the time on the schedule to there time.
It is most likely the wrong place to ask. This subforum discusses the API for external uses. I think your question is more appropirate in the main GW2 discussion forum.
According to the colors API it doesn’t seem to have changed. The base color values are:
rgb(0, 0, 8) on cloth
rgb(15, 21, 24) on leather
rgb(1, 17, 23) on metal
Note that the color’s outcome also depends on the base color value of the armor piece to be dyed, so mileage may vary. Maybe they’ve changed the base color of that armor piece when the vault was introduced?
But on the other hand, it also looks “brighter” in the color list, maybe confused it with Midnight Blue dye?
)
