Hello modders and Uber team! I wanted to ask really quick if there was a way (preferably using REST) to authenticate users? This is because I want data submitted from my plugin to be from a valid user. I have seen that the user is assigned a session ticket on login. Is there a way to validate this session ticket using e.g. a POST request with the uber id and the session ticket? // nordbjerg
Have a look in the various UI files within PA\media\ui\alpha\, there are many times that POST calls are made which include the session ticket (e.g. joining a game in the server browser). Part of an ajax call from server_browser.js, for joining a game:
Code:
    $.ajax({
        type: "POST",
        url: "http://" + self.uberNetHost() + "/GameAcquisition/Matchmake",
        headers: { "X-Authorization": self.sessionTicket() },
        ...
Yes, I saw that. The question is what the matchmaking logs and whether or not I can use that temporarily to check if the ticket is valid, without doing anything else. I don't want to start matchmaking, I just want to validate the ticket =)
You can use it to see what it returns with a valid vs invalid session ticket though. If you want to avoid any side effects, you could try the login url instead of the matchmaking one, assuming that doesn't change the session ticket. Otherwise I suggest doing a search for "self.uberNetHost()" across the UI directory to see all the valid POST urls, and maybe there's a test one.
EDIT: maybe a GET would better serve you:
Code:
    $.ajax({
        type: "GET",
        url: "https://" + self.uberNetHost() + "/GameAcquisition/CurrentGames",
        headers: { "X-Authorization": self.sessionTicket() },
        contentType: "application/json",
You can just check to see if it returns anything or not, and since it's a GET, in theory it shouldn't be modifying anything.
EDIT2: Something like this:
Code:
    $.ajax({
        type: "GET",
        url: "https://" + self.uberNetHost() + "/GameAcquisition/CurrentGames",
        headers: { "X-Authorization": self.sessionTicket() },
        contentType: "application/json",
        success: function (data, textStatus) {
            // <Valid Ticket>
        },
        error: function (data, textStatus, errorThrown) {
            // <Possibly invalid ticket (may be a different error too)>
        },
        complete: function (data, textStatus) { }
    });
As long as the session ticket is used for many actions with the game, I doubt Uber will be happy if you send it to some external server. I'm sure it wasn't designed to work like that.
I am not going to store it. I just want to make sure that it isn't someone sending "fake" data. I will look at the GET requests when I come home, at work currently.
If a session ticket is somehow linked to an IP, "leaking" a session ticket shouldn't be a concern. That's a purely hypothetical "if", btw, I have no idea if that is true. If it's not, then there is the possibility of sharing session tickets being a problem. Given you have to use a mod though, it's not like someone can steal your session ticket without your input. Except back when you could see all current sessions (now fixed)...
I don't mean that you want to store or steal it, I mean it's bad when something designed for internal usage is used by an external server.
Just checked (I've got a dynamic IP), it's not bound to IP. If it were bound, that idea with the mod just wouldn't work, because nordbjerg wants to send the request with this ticket from his server, not from the client. Also check PM please, I have some questions for you.
I think Nordbjerg was asking for ways to validate the user from within the mod, using client-side code. e.g.
Code:
    If (IsValidUbernetLogin)
        <post game stats to aggregation server>
    Else
        <tell user to login>
For the alpha, they will have to be a valid login since that's the only way to play, and this will continue through beta until the server code is released (which may be on actual release, or just before). I'd say that prior to (server) release you can safely assume the user is already validated, because we have to be to play. By that time, there may be far more mod-friendly ways to check validation status for Ubernet inside the client, although I can't guarantee that of course.
You can't validate submission of data to an external server on the client. No, you can't do that as long as any user can grab the mod code and submit a fake request with somebody else's credentials. As far as I can see there is none currently.
Okay, right now I can only tell you this: just don't sessionticket. It's very sensitive information. How you can bypass it currently:
Make a special download page with a registration form.
Ask them to add their UberNet ID (forum userid) like mine: 1896020
Or just ask them to put a link to their forum profile.
Now ask them to add some random validation string in their forum profile.
Now grab the profile page and check the string.
Give the user a mod archive with a unique ECDSA public key inside, leave .
Now you can sign submissions with the public key in javascript with a lib like this: http://kjur.github.io/jsrsasign/
It's not so easy, but it's a good temporary solution before Uber makes some proper auth interface for mods. And it's also easy and safe for the user.
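The per-user key scheme from the last post, as an added sketch that is not code from the thread or from Uber. ECDSA signs with the private key and verifies with the public key, so this sketch assumes each user's mod archive carries that user's private key and the server stores the matching public key. It uses Node's built-in crypto module rather than jsrsasign, and all function names and IDs are hypothetical.

```javascript
// Added example, not from the thread. All names and IDs here are hypothetical.
const crypto = require("crypto");

// Server-side registry: UberNet ID -> public key (PEM). An entry is created
// only after the forum-profile string check for that ID has passed.
const registry = new Map();
const seenBodies = new Set(); // replay cache (in-memory for this sketch)

// Registration: one P-256 key pair per user. The private key is packed into
// that user's mod archive; the server keeps only the public key.
function registerUser(uberId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", {
    namedCurve: "prime256v1",
  });
  registry.set(uberId, publicKey.export({ type: "spki", format: "pem" }));
  return privateKey.export({ type: "pkcs8", format: "pem" });
}

// Mod side: sign the exact bytes that will be sent, with a timestamp inside.
function signSubmission(uberId, stats, privateKeyPem) {
  const body = JSON.stringify({ uberId, stats, ts: Date.now() });
  const sig = crypto.sign("sha256", Buffer.from(body), privateKeyPem);
  return { body, sig: sig.toString("base64") };
}

// Server side: the claimed ID only selects which key to verify against;
// nothing in the body is trusted until the signature checks out.
function verifySubmission({ body, sig }, maxAgeMs = 5 * 60 * 1000) {
  let claimed;
  try { claimed = JSON.parse(body); } catch { return { ok: false, reason: "bad-json" }; }
  const pem = registry.get(claimed?.uberId);
  if (!pem) return { ok: false, reason: "unknown-user" };
  let valid = false;
  try {
    valid = crypto.verify("sha256", Buffer.from(body), pem, Buffer.from(sig, "base64"));
  } catch { valid = false; }
  if (!valid) return { ok: false, reason: "bad-signature" };
  if (Math.abs(Date.now() - claimed.ts) > maxAgeMs) return { ok: false, reason: "stale" };
  // Key the replay cache on the signed body, not the signature bytes:
  // ECDSA signatures are malleable, the body is not.
  if (seenBodies.has(body)) return { ok: false, reason: "replay" };
  seenBodies.add(body);
  return { ok: true, uberId: claimed.uberId, stats: claimed.stats };
}
```

A key shipped inside a mod archive can be read by whoever holds the archive, so a valid signature shows that a submission came from the holder of that user's archive, not that the stats inside it are honest.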