Web services for authorisation in external applications

DeletedUser

Guest
First of all, if this is in the wrong section then I apologise - I have never submitted such a technical idea before... I considered putting it in the Community based projects forum but nothing there seemed to suggest Ideas... If anyone moves it then please PM me with where it was moved to.

Proposal:
To develop a web service, accessible to external applications, which ensures that the user who is registering on an external app is, indeed, who they say they are, and another one to check if a user is a leader of their alliance.

Reason
Currently external apps are able to do an awful lot - but everything is publicly accessible; there is no way for them to check that a player is who they say they are. I believe this would take us to a new level of external apps - secure apps! Apps where you are within an area which you know only your alliance can access...

Details:
The basic concept of the application
So basically I am thinking of writing an external app myself, which will be alliance-based. It is not meant to replace in-game forums, but is a tool to be used alongside them. To start with security will not be a problem - it will only be for my alliance. However in the long-term I would ideally like to open it up to all players / alliances. This is where the problem is.

The problem
The problem here is authorization. What is to stop a player in alliance A from registering under another player's username and being able to view the site as seen by alliance B?

The solution
Technically there is more than one solution, as listed below, and maybe more. One web service will be common to both solutions - this will check if the user is a leader of their alliance.
  1. There is another web service which accepts their username and password and returns whether or not they're the correct combination. The problem here is that external apps using this web service will be able to store the password and ultimately the owner of the app will have access to that player's account. One way around this is for Grepolis to change the user's password and email it to them - but this is not ideal. The next solution is an attempt to resolve this.
  2. In brief
    There is another web service which accepts just their username but this time sends a verification email to that player's email address (without ever revealing the email address to the external app).

    How it will work
    Now this is going to get rather complex but I am confident that, if this reached the devs, the devs would be able to understand it.

    The app also submits a redirect URL which contains a unique ID. We will call this unique ID "ID1". ID1 is stored against the username in the external app's database. The redirect URL is stored in Grepolis' database.

    Grepolis then generates a 2nd unique ID (ID2) which is attached to the end of the link in the verification email. This link will point to something like http://en13.grepolis.com/verify.php?ID={ID2}. On visiting this page, the ID in the query string is checked against ID2, which is stored in the database next to the redirect URL. If they match then the user will be redirected to the redirect URL specified by the external app, and the external app will then verify the ID in the URL they're taken to against ID1.

I believe that, if this were to be implemented, external apps would be capable of doing a whole lot more than they are currently limited to. Through solution #2 they would never, EVER have access to personal details such as the email address they're registered with, password, etc etc. Players would *only* be able to access the app if they have access to the email address stored in the Grepolis database for the username they entered.

Obviously this idea is still only at concept stage - but from what I know about web services, and the techniques I have talked about, this would achieve security within external apps.

Regards,

ClarkeyBoy1987
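The solution #2 exchange above, written out as an added Python sketch that is not part of the original post or of Grepolis itself: both `GrepolisVerifyService` and `ExternalApp` are hypothetical, the account table and URLs are constructed sample data, and an in-memory outbox stands in for the verification e-mail. ID2 is consumed on the first click and only the app's own ID1 travels in the redirect, so the app never sees ID2 or the e-mail address; the `verified` set is the 0/1 "has clicked" flag a stats service would consult.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

class GrepolisVerifyService:
    def __init__(self, accounts):
        self.accounts = accounts      # username -> e-mail (constructed sample data)
        self.pending = {}             # ID2 -> (username, redirect URL carrying ID1)
        self.verified = set()         # (username, app host) once the link is clicked
        self.outbox = []              # (recipient, link); stands in for the mailer
    def request_verification(self, username, redirect_url):
        """Step 1: the app submits the username and its ID1-bearing redirect URL."""
        if username not in self.accounts:
            return False
        id2 = secrets.token_urlsafe(32)                 # unguessable, single use
        self.pending[id2] = (username, redirect_url)
        link = "http://en13.grepolis.com/verify.php?" + urlencode({"ID": id2})
        self.outbox.append((self.accounts[username], link))   # e-mail never leaves here
        return True
    def visit_verify_link(self, id_param):
        """Step 2: the player clicks the mailed link; ID2 is checked and consumed."""
        entry = self.pending.pop(id_param, None)        # pop => a replayed ID2 fails
        if entry is None:
            return None
        username, redirect_url = entry
        self.verified.add((username, urlparse(redirect_url).netloc))
        return redirect_url                             # carries only the app's ID1
    def is_verified(self, username, app_host):
        return (username, app_host) in self.verified    # the 0/1 flag for other services

class ExternalApp:
    def __init__(self, service, base_url):
        self.service, self.base_url = service, base_url
        self.pending = {}             # ID1 -> username awaiting verification
        self.members = set()          # usernames allowed into the alliance area
    def start_registration(self, username):
        id1 = secrets.token_urlsafe(32)
        self.pending[id1] = username
        redirect = self.base_url + "?" + urlencode({"ID": id1})
        return self.service.request_verification(username, redirect)
    def handle_redirect(self, url):
        """Step 3: compare the ID in the landing URL with the stored ID1."""
        id1 = parse_qs(urlparse(url).query).get("ID", [""])[0]
        username = self.pending.pop(id1, None)          # unknown or reused ID1 fails
        if username is None:
            return False
        self.members.add(username)
        return True
```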
 

DeletedUser

Guest
Thread moved. This is not an applicable Grepolis game idea. Maybe Ac04 can tell you something about this.
 

DeletedUser5

Guest
I have previously requested this, on more than one occasion. Currently, it has not been taken into account. I will try and submit yet another request, as it is something I've wanted to see for a good while.
 

DeletedUser

Guest
Thanks ac04. I think this will make it possible to develop secure apps, such as mine. And the reason I have chosen web services for this idea is that they're language independent. I will be using VB.Net - I am sure other apps use PHP. Either one can connect to a web service and use it. How to do so I am not entirely sure yet as I have very little experience of web services; however I will be sure to check it out.
 

DeletedUser

Guest
Sending the "ID2" from your mail to a third-party webservice could be a huge leak of security since it would allow the owner of the webservice to collect these ID2 and log in and steal the accounts.
 

DeletedUser

Guest
I see your concern, Ptaah, but I have several points to make in reply to that:

Firstly they would not request your in-game password and therefore would be unable to login.

Secondly you say that app creators could take players' usernames and passwords - even if they did get access to passwords, you trust the actual InnoGames employees themselves not to steal your account when you don't even know any of them personally. Now I am not saying that employees cannot be trusted by any stretch of the imagination - I am just making the point that they have access to your password and could quite easily steal it if they wished - however they don't as they want to keep their jobs. App developers would want a good reputation and would want to keep it that way - if they abuse their position and get found out, that would ruin their reputation and it wouldn't take long before everyone left them. Their app would also appear in the forbidden apps list.

My third and final point is that statistics such as unit count would require a connection to an official web service - this web service could check that the user has clicked the verification link (this would be stored in the form of a 0 or 1 in the table relating ID1 with ID2) every time it is connected to, thus preventing access to the data for the app creators unless the player has clicked the link. Due to having this new verification table in the Grepolis database, Grepolis could therefore keep track of who is using which apps and could give players the ability to disable access for a specific app. This app would then have access to only the bog standard information like Grepostats. Any information which is collected would become stagnant very soon after this point for active players.

I hope this answers your concerns. Please either reply to this or PM me if you are at all confused by this idea.

Clarkey
 

DeletedUser20429

Guest
WOW looks like I am re-awakening an old thread but I would love to see this implemented! :)
 