Web Apps

I wonder if there is some info available for the custom apps.

As far as I can see it exposes two variables: checksum and user (we also have password).

user is a base64 encoded serialized PHP array.

$user_data = unserialize(base64_decode($user));

checksum contains 40 hexadecimal characters. It looks like SHA1.

Anyone already found out how to verify the submitted "user" data?

$checksum = hash_hmac('sha1', $base64string, $appKey);

Thank you.

So it's impossible to rely on valid data, makes the checksum kind of pointless. I was hoping for some kind of external verification/authentication.

dont know about that... but let user register on you site as before and give them personalized app key for ingame purpose.

People are lazy. I wouldn't register at someone's website just for a small app, which keeps minimal personal data but still I wouldn't want someone to fake-login with my account and see this data.

There seems to be a misconception with the custom apps. The user should not be able to generate valid checksums.

One option is to use external authentication as before.

Another option could be to keep things as they are now for simple/small apps and at the same time add an "Advanced authentication" option. This option could work as follows:

1. User adds app and selects the "Advanced authentication (App needs to support this)".
2. Ryzom server tries to contact the app.

a)
3. Ryzom server submits an unique password (App URL + some unknown salt).
3. App saves this password.
4. Ryzom generates checksums based on this password.
5. App can verify data with that checksum while user can't generate valid checksums.

b)
3. Connection times out.
4. User receives an error message: App at http://xyz does not respond, please try again later.
5. App not added.

c)
3. App does respond but not the expected keyword. (ideally some header to save traffic/avoid downloading the body)
4. User receives error message: App at http://xyz does not seem to support the Advanced authentication.
5. App not added.