Miss Teri
Bullet Diplomacy Art of War Alliance
|
Posted - 2011.05.26 18:47:00 -
[31]
More fine-tuned access: nice. But...
Why keep the key in two parts? (Before: userid+key, now: keyid+vcode)
In fact, why allow custom vcodes? That would only decrease security, as people will be bound to select bad (easy to remember, short) vcodes.
Why not make it a single, auto-generated string? Easy to copy and paste into programs (single copy/paste instead of two, like it is now).
|
darius mclever
|
Posted - 2011.05.26 19:08:00 -
[32]
awesomeness. =)
|
Aineko Macx
|
Posted - 2011.05.26 19:08:00 -
[33]
Cool, something I can approve of for a change. ________________________ CCP: Where fixing bugs is a luxury, not an obligation. |
|
CCP Stillman
|
Posted - 2011.05.26 19:29:00 -
[34]
Originally by: Marcel Devereux Edited by: Marcel Devereux on 26/05/2011 16:30:49 Can we please get a link for each key on the key management page that has the key info embedded as arguments in the URL (i.e. http://api.eve-online.com/key/?keyID=42&vCode=VERYSECRET)? I would like to register as a handler for that link and the user can choose to open the link with my application. This would allow for easy key entry into applications.
Is what you're asking for a button that will say "Copy API Key to clipboard", which people can click and then paste into the requesting application?
|
|
SencneS
Rebellion Against Big Irreversible Dinks
|
Posted - 2011.05.26 19:29:00 -
[35]
Originally by: Marcel Devereux Why limit it to directors and CEOs? If you have access to a corp wallet (or any corp data) in game you should be able to have a key that allows you to access this information out of game. CEOs and directors can use access controls in game to restrict access to this data. The API server should be honoring the access controls set in game.
I agree with this, it is an oversight on CCP's side. I can see issues with this, like you give your low members Jr. Accountant so they can view the wallet etc., they generate a non-expiration key and post it on every EVE-related forum.
So some security needs to be in place at the Director/CEO level to allow ANY corporate key generated by ANY member of the corp to be deleted/expired.
This way if the above does happen, the CEO/Directors can go out, login, look at the corp keys generated for the corp and expire/delete the one that was spammed across 50 different forums.
Amarr for Life |
Sable Blitzmann
Minmatar Massively Dynamic
|
Posted - 2011.05.26 19:31:00 -
[36]
Edited by: Sable Blitzmann on 26/05/2011 19:32:08
Originally by: CCP Stillman
Originally by: Marcel Devereux Edited by: Marcel Devereux on 26/05/2011 16:30:49 Can we please get a link for each key on the key management page that has the key info embedded as arguments in the URL (i.e. http://api.eve-online.com/key/?keyID=42&vCode=VERYSECRET)? I would like to register as a handler for that link and the user can choose to open the link with my application. This would allow for easy key entry into applications.
Is what you're asking for a button that will say "Copy API Key to clipboard", which people can click and then paste into the requesting application?
Can you please address the more pressing matters of corp API only accessible to CEOs? Directors need full access, and members need access to the APIs that they have roles for, just like it currently is.
The current way is nerfed to hell and back and will make managing APIs extremely difficult for those of us with CEO's away from game or otherwise not very interested in APIs.
Other than this major oversight, this seems to be a great improvement of the API system
|
|
CCP Stillman
|
Posted - 2011.05.26 19:32:00 -
[37]
Originally by: Everseeker Is it safe to assume that, if I create a request string for a user, asking for specific information, that the user will see an "english-readable" warning, telling them specifically what the Recruiter/whoever will be receiving if you comply (perhaps with a check-box based format, to allow partial compliance with the request....)
The way the dev blog mentions you can create a "predefined" key basically just fills out the things specified in the URL. The user will be able to see all the checkboxes before he submits it, and he will need to provide a bit of extra information.
We could add an extra warning if people are creating a pre-defined key, if people think this is a good idea
|
|
|
CCP Stillman
|
Posted - 2011.05.26 19:33:00 -
[38]
Originally by: SencneS It doesn't say it anywhere but if we create a non-expiring key can we delete the key? I haven't created one yet because I am uncertain I will be able to delete it.
You can edit and delete an API key at any time you like!
Originally by: SencneS
I also assume the old API keys will continue to work as expected?
Yes.
|
|
|
CCP Stillman
|
Posted - 2011.05.26 19:35:00 -
[39]
Originally by: Two step Only CEOs can create corporation keys? Why not directors as well?
We hear you, and all others who have commented on only CEOs being able to create corp keys. We'll investigate lowering that requirement to Director.
Originally by: Two step
What happens to a corporation key if the CEO leaves corp? Is it still valid?
No, that will invalidate it.
|
|
Sable Blitzmann
Minmatar Massively Dynamic
|
Posted - 2011.05.26 19:37:00 -
[40]
Originally by: CCP Stillman
Originally by: Two step Only CEOs can create corporation keys? Why not directors as well?
We hear you, and all others who have commented on only CEOs being able to create corp keys. We'll investigate lowering that requirement to Director.
Thank you. But how about members with roles, such as corp wallet and whatnot? Or does the new underlying system not allow for something like this?
|
|
|
CCP Stillman
|
Posted - 2011.05.26 19:41:00 -
[41]
Originally by: mkint
1) I like how customizable it is, but the added complexity means it's gonna be a pain in the ass for rookies to set it up for evemon/eft. A link like the 'all' 'none' links for 'basic' 'full' would be pretty awesome (especially if it automatically filled in the 'name' field as well.)
We still want to investigate implementing pre-defined templates from our end. We've provided application developers with a way of sending a user to the API page with a predefined key. But we want to provide at least some of the most "common" things people want to do, as templates you can pick on the create key page.
Originally by: mkint
2) it would be pretty awesome to have a button next to the verification code field labeled 'generate' to automatically create a new key similar to the classic API page.
3) I'm still fuzzy on how any programs will associate any particular API key with any particular account. I assume it still uses a user ID? That is no longer shown on the page. If it's not still associated to a user ID, then I'm fuzzy on what happens if there ends up being keys with duplicate names/verification codes (unless neither of those are supposed to be meaningful to the user, which I'd have to say right now would be extremely bad.)
also bonus points for not having the new API key being attached to spacebook. Holy jeebus, thank you for not having it be attached to spacebook. That gawdawful piece of crap website needs to be rebuilt from the ground up before I trust it to do anything important, and it still upsets me that it's linked to my account at all.
edit: after re-reading the original blog, the keyID concept is a little more clear. It's kinda weird that you could have a 2 digit keyID, but whatever. I assume you just need the keyID and the verification code, and I still maintain that it would probably be a smart idea to have an auto generate button for that 20 character password that the nag box keeps popping up for.
Also, for usability, the first time I logged in, I was taken directly to a create page without any of the explanations you see on the management page. For usability it would probably be a good idea to already have a 'basic' and 'full' key automatically generated when first signing in and being taken to the management screen instead of the creation screen.
The UserID had to go in order to allow for partial access to an account, i.e. only giving access to a single character, as the userID could otherwise give away who you really are. So the userID is implicit in the keyID, but only the API can find out what the userID is.
And as said earlier, we'll investigate an "Auto generate" button for the verification code for a strong verification code.
|
|
|
CCP Stillman
|
Posted - 2011.05.26 19:42:00 -
[42]
Originally by: James Arget
One of my members also asked how the Corp keys are going to work in regards to granularity. Could we make keys that restrict access to only member applications, or only to POS information?
That's the idea, yes. Creating a corporation key works exactly like creating a character key. You can select and de-select every single page you want, giving you granularity down to the specific API page you want to expose on a key.
|
|
|
CCP Stillman
|
Posted - 2011.05.26 19:47:00 -
[43]
Originally by: Vessper Nice work on the API changes, looking forward to using it! Some quick questions at this point:
1. What is going to happen with the account related APIs, namely the Characters.xml.aspx and AccountStatus.xml.aspx?
They'll be possible to select and de-select as all other calls on both bound and un-bound character keys. So we're not special casing those.
Originally by: Vessper
2. Am I correct in assuming that CharacterInfo under Public Info is the same as what is available with the current Limited API and under Private Info is what is available with the Full API?
Spot on sir!
Originally by: Vessper
3. Are these changes something you are aiming to release in conjunction with Incarna 1.0 in June, or more likely scheduled for some later patch? Just trying to gauge if I need to start panicking
No, we will definitely not be releasing this with Incarna 1.0. It will be later than that.
|
|
|
CCP Stillman
|
Posted - 2011.05.26 19:50:00 -
[44]
Originally by: Miss Teri More fine-tuned access: nice. But...
Why keep the key in two parts? (Before: userid+key, now: keyid+vcode)
In fact, why allow custom vcodes? That would only decrease security, as people will be bound to select bad (easy to remember, short) vcodes.
Why not make it a single, auto-generated string? Easy to copy and paste into programs (single copy/paste instead of two, like it is now).
In order to not be easy to bruteforce, we're keeping it to two variables needed to access any API key. As for custom vCodes, we'll implement an auto-generate button. But for those who want a custom vcode, we will allow that.
It is possible to create an insecure vcode, yes. But we will respond to bruteforce attacks on the API servers. And it's just nice to have it be generated by the user, should they decide to.
If you create an "insecure" vCode, you also get a pop-up when you create it, informing you that you might want to consider a more secure vCode.
|
|
|
CCP Stillman
|
Posted - 2011.05.26 19:54:00 -
[45]
Originally by: Sable Blitzmann Edited by: Sable Blitzmann on 26/05/2011 19:32:08
Originally by: CCP Stillman
Originally by: Marcel Devereux Edited by: Marcel Devereux on 26/05/2011 16:30:49 Can we please get a link for each key on the key management page that has the key info embedded as arguments in the URL (i.e. http://api.eve-online.com/key/?keyID=42&vCode=VERYSECRET)? I would like to register as a handler for that link and the user can choose to open the link with my application. This would allow for easy key entry into applications.
Is what you're asking for a button that will say "Copy API Key to clipboard", which people can click and then paste into the requesting application?
Can you please address the more pressing matters of corp API only accessible to CEOs? Directors need full access, and members need access to the APIs that they have roles for, just like it currently is.
The current way is nerfed to hell and back and will make managing APIs extremely difficult for those of us with CEO's away from game or otherwise not very interested in APIs.
Other than this major oversight, this seems to be a great improvement of the API system
I was just going down the list of all posts and trying to respond to them.
I've already discussed with Elerhino for allowing directors to create keys, and he seemed onboard with that. I'll discuss going all the way down to people with roles, to allow to create keys with a limited subset of access with Elerhino tomorrow. Till then, I don't want to promise anything, as I can imagine it's a fairly complex thing.
|
|
TheLostPenguin
|
Posted - 2011.05.26 19:55:00 -
[46]
Looks very nice, so long as app developers make sure they can handle any and all oddball selections of calls being returned by a key, without throwing an error because you didn't include some group/call they assumed everyone would this should work great
One small thing I'm wondering right away is how many separate keys can we have active/ready made at any given time? There's bound to be a limit but is it 10, 20, 50 or some huge number that nobody in their right mind will ever trouble?
|
Herschel Yamamoto
Agent-Orange Nabaal Syndicate
|
Posted - 2011.05.26 20:16:00 -
[47]
Originally by: Marcel Devereux Why limit it to directors and CEOs? If you have access to a corp wallet (or any corp data) in game you should be able to have a key that allows you to access this information out of game. CEOs and directors can use access controls in game to restrict access to this data. The API server should be honoring the access controls set in game.
I know you said you'll look into it, but I'll second this post. This is what it really ought to do, and it'd be awesome if you could pull it off.
|
Mr LaForge
|
Posted - 2011.05.26 20:54:00 -
[48]
Will the current limited API key setup still be around for things like Evemon and EFT? |
TornSoul
BIG Gentlemen's Agreement
|
Posted - 2011.05.26 21:19:00 -
[49]
Christmas - Already? (well.. it's not deployed yet but.. )
1: +1 for director keys
2: Let the vCode *default* to a 64 char random mash of chars/numbers - If people then *really* want to change it, they can.
3: I think (hope!) the following is the case, but please confirm : - "oldschool" userid/apikey calls to the API will still be possible? (aka I won't have to update all my existing code with new paramnames)
BIG Lottery |
Squizz Caphinator
Woopatang Primary.
|
Posted - 2011.05.26 21:58:00 -
[50]
Originally by: CCP Stillman
Originally by: Marcel Devereux Edited by: Marcel Devereux on 26/05/2011 16:30:49 Can we please get a link for each key on the key management page that has the key info embedded as arguments in the URL (i.e. http://api.eve-online.com/key/?keyID=42&vCode=VERYSECRET)? I would like to register as a handler for that link and the user can choose to open the link with my application. This would allow for easy key entry into applications.
Is what you're asking for a button that will say "Copy API Key to clipboard", which people can click and then paste into the requesting application?
Yes please. After generating a key my first thought was "OK, how do I share this?" -- EveChatter |
|
ivar R'dhak
Minmatar
|
Posted - 2011.05.27 05:32:00 -
[51]
Am I the only one who confused API with UI and thus got indecently excited about the blog?
That'll teach me to read DevBlogs in the mornin. ______________ Mal-'Appears we got here just in a nick of time. What does that make us?' Zoe-`Big damn heroes, sir.` Mal-'Aint we just.' |
Avraham Avinu
Children of Noah
|
Posted - 2011.05.27 06:15:00 -
[52]
Edited by: Avraham Avinu on 27/05/2011 06:16:25
When I Update a vCode, I get an "Authentication failure" using the updated vCode, yet my old vCode still works. It only started to work a couple minutes later. I suspect a server-side cache issue. This will confuse people and lead to the dark side.
HTTPS does not work, yet you use it as an example in your dev blog. This will hinder your testers who are eager to help.
http://apitest.eveonline.com/eve/CharacterID.xml.aspx?names=Avraham%20Avinu works fine and so does http://apitest.eveonline.com/account/APIKeyInfo.xml.aspx?keyID=123&vCode=secretpassword but when I try to access the actual key http://apitest.eveonline.com/char/CharacterSheet.xml.aspx?keyID=123&vCode=secretpassword , I get an error: "Illegal page request! Please verify the access granted by the key you are using!"
Json is popular
|
Vaerah Vahrokha
Minmatar Vahrokh Consulting
|
Posted - 2011.05.27 07:13:00 -
[53]
Edited by: Vaerah Vahrokha on 27/05/2011 07:13:42 I found a bug that could be related with lack of re-entrance. Steps to reproduce on IE 9:
Access Mask starts at 0 (of course)
Check "CharacterInfo" (others do that as well) Uncheck it: it reverts to 0 (duh!).
Now check / uncheck it fast, even double click it several times.
Soon, the process will not revert the number to 0 but will start cycling and showing 3-4 different numbers, even negative ones. From now on, that attribute is borked till you happen to be lucky and guess click it so it gets a 0 again.
--------------------------------------------------------------------------
Could I make a statement about design as well?
I have seen using a bitmap of attributes since when I used VAX.
And since I used VAX, it was a short sighted solution that later on required to be switched into a proper Name => Value associative array later on, with monetary and time costs.
I am posting it here as reference. In 2015 when CCP will have to rework the attributes since it's happening since 30+ years, someone will find this post and link it.
Auditing | Research | 3rd Party | Collateral Holding | EvE RL Charity |
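An added example, not code from the thread or from CCP, of how a bitmask access mask like the one discussed above can be derived and checked on the server side. The page names come from this thread; the bit values and function names are assumptions made up for the illustration, and the delta-replay function shows only one possible way a mask can drift, since the thread does not establish the cause of the reported bug.

```python
# Hypothetical page-to-bit assignments, constructed for this example only;
# the real bit values are not given in the thread.
PAGE_BITS = {
    "AccountStatus": 1 << 0,
    "CharacterInfo": 1 << 1,
    "CharacterSheet": 1 << 2,
    "AssetList": 1 << 3,
}
ALL_BITS = 0
for _bit in PAGE_BITS.values():
    ALL_BITS |= _bit


def mask_from_pages(pages):
    """Build the mask from the full set of selected names (idempotent)."""
    mask = 0
    for name in set(pages):
        if name not in PAGE_BITS:
            raise ValueError(f"unknown page: {name}")
        mask |= PAGE_BITS[name]
    return mask


def pages_from_mask(mask):
    """Decode a mask into names, rejecting negative values and unknown bits."""
    if not isinstance(mask, int) or mask < 0 or mask & ~ALL_BITS:
        raise ValueError(f"invalid access mask: {mask!r}")
    return sorted(n for n, b in PAGE_BITS.items() if mask & b)


def authorize(mask, page):
    """Default-deny check for one page request against a key's mask."""
    bit = PAGE_BITS.get(page)
    if bit is None:
        return False
    try:
        pages_from_mask(mask)  # validate before testing the bit
    except ValueError:
        return False
    return bool(mask & bit)


def replay_deltas(events):
    """Fragile variant: add on 'check', subtract on 'uncheck'.

    A duplicated or reordered event leaves the total out of step with the
    checkbox state, and the total can go negative.
    """
    total = 0
    for action, page in events:
        total += PAGE_BITS[page] if action == "check" else -PAGE_BITS[page]
    return total
```

A negative mask is worth rejecting explicitly: in two's complement `-2 & 2` is non-zero, so a bare `mask & bit` test would treat a drifted value as granting access.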
Tonto Auri
Vhero' Multipurpose Corp
|
Posted - 2011.05.27 07:54:00 -
[54]
Originally by: CCP Stillman In order to not be easy to bruteforce, we're keeping it to two variables needed to access any API key.
Go ahead, bruteforce sha1 hash... >.> I want to see someone trying that. However, there's more to this issue than bruteforce. Keeping key in two parts has its pros, it's right for manual overview (relatively short, human-readable key ID) and there's a number of other cases, but. But question is - why keep it in two variables? We on EVEMon forums have persistent issues with people, who can't see the "userID" line in API key block, and trying to insert their account name into it. Please, for all that holy, make it single string. :/ auth=<keyId>:<vCode> will work just good. For all purposes - from visual inspection to copypaste, and it's not like it is impossible task of splitting request variable into two before continuing with script. As for custom vCodes, there's really no need for it. Make it sha1 or any other appropriate hash function of what-you-deem-good salt, and be done with it. -- Thanks CCP for cu |
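An added example, not code from the thread or from CCP, covering the vCode points raised in posts [44], [49] and [54]: auto-generating a 64-character code, flagging weak custom codes, estimating the guessing space of a keyID/vCode pair, and accepting the single-string `<keyId>:<vCode>` form. The 20-character threshold, the other weakness rules, the in-memory `store` and all function names are assumptions for the illustration.

```python
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # "chars/numbers", 62 symbols
MIN_LENGTH = 20  # assumed threshold, from the "20 character" nag mentioned in the thread


def generate_vcode(length=64):
    """Auto-generate a verification code from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def vcode_warnings(vcode):
    """Reasons to show a 'consider a more secure vCode' pop-up (assumed rules)."""
    warnings = []
    if len(vcode) < MIN_LENGTH:
        warnings.append("shorter than %d characters" % MIN_LENGTH)
    if len(set(vcode)) < 8:
        warnings.append("fewer than 8 distinct characters")
    if vcode.isdigit():
        warnings.append("digits only")
    return warnings


def guess_space_bits(key_ids_in_use, vcode_length, alphabet_size=len(ALPHABET)):
    """log2 of the (keyID, vCode) pairs a blind guesser must cover,
    assuming random vCodes and a known range of sequential keyIDs."""
    return math.log2(key_ids_in_use) + vcode_length * math.log2(alphabet_size)


def parse_auth(value):
    """Split the single-string form <keyId>:<vCode> into its two parts."""
    key_id, sep, vcode = value.partition(":")
    if not sep or not (key_id.isascii() and key_id.isdigit()) or not vcode:
        raise ValueError("expected <keyId>:<vCode>")
    return int(key_id), vcode


def verify(store, key_id, vcode):
    """Constant-time comparison; unknown keyIDs take the same code path."""
    expected = store.get(key_id, "")
    ok = hmac.compare_digest(expected.encode(), vcode.encode())
    return ok and key_id in store
```

With these assumptions a short numeric keyID adds only a few bits to the guessing space; almost all of the resistance comes from the length and randomness of the vCode.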
Golden Gnu
Gallente The Golden Gnu Corp
|
Posted - 2011.05.27 09:10:00 -
[55]
I can not access: https://supporttest.eveonline.com (http as well) It redirects me to https://supporttest.eveonline.com/Pages/KB/
Also, awesome change... _________________ Download is the meaning of life, upload is the meaning of intelligent life EVE.NiKR.NET - home of jEveAssets |
Hel O'Ween
Men On A Mission EVE Trade Consortium
|
Posted - 2011.05.27 10:39:00 -
[56]
Originally by: CCP Stillman
I've already discussed with Elerhino for allowing directors to create keys, and he seemed onboard with that. I'll discuss going all the way down to people with roles, to allow to create keys with a limited subset of access with Elerhino tomorrow. Till then, I don't want to promise anything, as I can imagine it's a fairly complex thing.
+1 for at least allow directors to create API keys.
The optimal solution, of course, would be to mimic a character's corp roles. There are so many "grunt jobs" (POS fueler, logistic) which could make good use of "their" corporation key.
Question 1): This might be obvious, but better have it spelled out in written than all of us assuming something which's not true: personal and corporation keys are completely separated in the new system?
Example: assuming I'm a CEO or director, my full API key granted me complete access to both personal and corp API data. With the new system I would need to create two keys (personal and corporation) to achieve the same thing? I assume that's the case, but I rather have that confirmed.
Question 2): Will there be a replacement for the AccountStatus API?
Suggestions:
1) Move the AssetLists on the "Create key" page away from "Personal information" either to "Account and market" or "Science and industrie". I think I know where you're coming from with those categories (assets are considered to be a personal/sensitive thing), but in reality the assets API is mostly used in relation with trading or production.
2) Change the dropdown "Type" to checkboxes [] Character [] Corporation, making it possible to easily create two keys (char + corp) for the same purpose. Perhaps even just create one key with appropriate flags. -- EVEWalletAware - an offline wallet manager |
Kidzukurenai Datael
Imperial Collective Celestial Shadows
|
Posted - 2011.05.27 10:47:00 -
[57]
CCP Stillman is now officially my new favourite Dev. Look at all those replies!! (...and no, that was not sarcasm.)
|
|
CCP Spitfire
C C P C C P Alliance
|
Posted - 2011.05.27 13:43:00 -
[58]
Originally by: Golden Gnu I can not access: https://supporttest.eveonline.com (http as well) It redirects me to https://supporttest.eveonline.com/Pages/KB/
Also, awesome change...
There should be a drop-down menu on the left ("My API Keys").
Spitfire Community Representative CCP Hf, EVE Online |
|
Marcel Devereux
Aideron Robotics
|
Posted - 2011.05.27 14:05:00 -
[59]
Originally by: CCP Stillman
Originally by: Marcel Devereux Edited by: Marcel Devereux on 26/05/2011 16:30:49 Can we please get a link for each key on the key management page that has the key info embedded as arguments in the URL (i.e. http://api.eve-online.com/key/?keyID=42&vCode=VERYSECRET)? I would like to register as a handler for that link and the user can choose to open the link with my application. This would allow for easy key entry into applications.
Is what you're asking for a button that will say "Copy API Key to clipboard", which people can click and then paste into the requesting application?
Only if it can work across all browsers and does not require flash to do it (i.e. bit.ly's copy url to clipboard requires flash). What reservations do you have about providing the link?
|
Taureau
Innovia Innovia Alliance
|
Posted - 2011.05.27 18:13:00 -
[60]
Apologies if I'm incorrect about this, but if I try this URL with various parameters it fails: http://apitest.eveonline.com/API/APIKeyInfo.xml.aspx?keyID=1&vCode=VERYVERYSECRET
I have not yet been able to access the above page, but if you're going to completely hide other characters, for the sake of recruiting can you put an integer attribute on the APIKeyInfo.xml.aspx OR Characters.xml.aspx page which will show a 1, 2 or 3 depending how many characters they have on the account for that key? No names, just 1 2 or 3, that way you know if they are hiding characters.
|