
An authorization module for a site using the Wargaming.net Public API

Since the WG Public API was released in beta, the most common question has been “how do I implement authorization on my site?”.
That's only natural: people are lazy.
To make life easier for other participants in the Wargaming Developer Partner Program, I want to share my experience of building an authorization module for a site.

There are two options.
1. Use OpenID.
Wargaming has already described the logic of the authorization process, and there are plenty of articles about OpenID on Habr.
2. Use the API methods to build an authorization module.
I will not describe plug-ins for every popular CMS; I will describe only the general scheme and give an example of the code.

Theory


For user authentication, the WG API currently has three methods:
auth/login - authenticates the user and returns an access_token.
auth/prolongate - extends the lifetime of an access_token without user intervention.
auth/logout - invalidates an access_token.

The access_token is used to obtain private information about a player's account: the vehicles in the hangar, the account_ids of the player's friends, and so on.
To obtain an access_token, as mentioned above, the auth/login method is used; it sends the authorization status to the address given in the redirect_uri parameter.

One of the WG developers said:
The decision was made to expand the capabilities of the auth/login method, and a separation will be introduced (on successfully entered information):
1) the user will be redirected to one URL;
2) the authorization information will be sent to a second one (by POST or GET).


Let's return to the theory.

Work algorithm


Generate link to redirect user

First of all, you need to call the auth/login method with a request to generate the URL to which the user will then be redirected.
To do this, send a request to
api.worldoftanks.ru/wot/auth/login/?application_id=<application_id>&redirect_uri=<redirect_uri>&nofollow=1
where <application_id> is the application_id of your application, which you register in the developer's office;
<redirect_uri> is the URL of the handler script;
nofollow=1 makes the method return the URL in the response body instead of performing the redirect itself.

Our auth.php will do two things at once: generate the link and redirect the user to it, or perform the authorization when the user comes back after the redirect.

Redirect user to WG site

In the example, the script itself redirects the user after generating the link.
By changing a couple of lines of code you can do this with JavaScript, so that “Loading...” (or a loader.gif) is shown after the user clicks the “Sign in” button; it always looks nice.
While the user admires the caption (or the picture), the JS sends a request to the script, the script sends a request to the API, the API answers the script, the script returns the link, and finally the JS redirects the user to it.
Sending the request to the API directly from JS is not possible, since the WG DPP rules forbid disclosing the application_id.

User return

After the player logs in on the WG site and allows our site to view his detailed statistics, he will be redirected to
<redirect_uri>?status=ok&access_token=<access_token>&nickname=<nickname>&account_id=<account_id>&expires_at=<expires_at>
if there were no errors...
So our script receives the data:
status, access_token, nickname, account_id, expires_at
But this data cannot be trusted yet!

Validation of data received after returning user

If we plan to do authorization, we must be sure that the data received is genuine and was sent from the WG site, not typed in by hand.
It is precisely because of this that the method is going to be reworked: at the moment we cannot know for certain whether the player arrived with these parameters from the Wargaming site or typed them into the address bar.
$_SERVER['HTTP_REFERER'] gives no real guarantee.
To verify the data we use the auth/prolongate method.
This is one option. Instead of prolongation, we can also request account/info with the received token: if we can get private data, everything is fine.
Either way, we can check whether the access_token is valid and to whom (which account_id) it belongs.
If everything is in order, we write the necessary data to the database and set the user's cookie; we do everything that would be done in standard login/password authorization.
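The following script is an added example that is not the article's code. It covers both steps described above: the link-generation call that a “Loading...” JS button can fetch (so the application_id never leaves the server), and server-side verification of the parameters the player brings back on redirect_uri, using the account/info option instead of auth/prolongate. It assumes the response shape the article describes ({"status":"ok","data":{...}}), that account/info accepts a `fields` parameter and returns the account keyed by account_id with a `private` block only when the access_token is valid for it, and uses placeholder values for APPLICATION_ID and REDIRECT_URI.

```php
<?php
// Added example, not the article's code. Assumes the WG API response shape the article
// describes ({"status":"ok","data":{...}}) and that account/info returns the account keyed
// by account_id with a "private" block only when the access_token is valid for it.
// APPLICATION_ID and REDIRECT_URI are placeholders.
const WG_API_BASE    = 'https://api.worldoftanks.ru/wot/';
const APPLICATION_ID = 'YOUR_APPLICATION_ID';      // placeholder; never sent to the browser
const REDIRECT_URI   = 'https://example.com/auth.php';

// POST to one API method; null on transport or JSON failure (no @-silencing).
function wg_post(string $method, array $params): ?array
{
    $params['application_id'] = APPLICATION_ID;
    $context = stream_context_create(['http' => [
        'method'        => 'POST',
        'header'        => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content'       => http_build_query($params),
        'timeout'       => 10,
        'ignore_errors' => true,                   // still read the body on HTTP 4xx/5xx
    ]]);
    $body = file_get_contents(WG_API_BASE . $method . '/', false, $context);
    $data = $body === false ? null : json_decode($body, true);
    return is_array($data) ? $data : null;
}

// Step 1: obtain the URL to send the player to. nofollow=1 puts it in the body instead
// of redirecting, so the page's JS can fetch it from us while application_id stays here.
function wg_login_location(callable $post = 'wg_post'): ?string
{
    $data = $post('auth/login', ['nofollow' => 1, 'expires_at' => 300,
                                 'redirect_uri' => REDIRECT_URI]);
    if (($data['status'] ?? '') !== 'ok' || empty($data['data']['location'])) {
        return null;
    }
    return $data['data']['location'];
}

// Step 2: the query string on redirect_uri is untrusted input. Validate its shape, then
// prove the token against the API and take the identity from the API response only.
function wg_verify_return(array $query, callable $post = 'wg_post'): array
{
    foreach (['status', 'access_token', 'account_id', 'expires_at'] as $key) {
        if (!isset($query[$key]) || $query[$key] === '') {
            throw new RuntimeException("missing parameter: $key");
        }
    }
    if ($query['status'] !== 'ok') {
        $code = isset($query['code']) && ctype_digit((string) $query['code']) ? (int) $query['code'] : 500;
        throw new RuntimeException("authorization failed, code $code");
    }
    if (!ctype_digit((string) $query['expires_at']) || (int) $query['expires_at'] < time()) {
        throw new RuntimeException('access_token already expired');
    }
    if (!ctype_digit((string) $query['account_id'])) {
        throw new RuntimeException('malformed account_id');
    }
    $accountId = (int) $query['account_id'];

    // The article's second option: fetch private data with the token instead of prolonging.
    $data = $post('account/info', [
        'account_id'   => $accountId,
        'access_token' => $query['access_token'],
        'fields'       => 'nickname,private',      // assumption: "private" is the token-gated group
    ]);
    $account = $data['data'][$accountId] ?? null;
    if (($data['status'] ?? '') !== 'ok' || !is_array($account) || empty($account['private'])) {
        throw new RuntimeException('access_token is not valid for this account');
    }
    return ['account_id' => $accountId, 'nickname' => (string) ($account['nickname'] ?? '')];
}

// Request handling for auth.php (skipped when the file is loaded from the CLI).
if (PHP_SAPI !== 'cli') {
    if (($_GET['action'] ?? '') === 'link') {       // called by the "Loading..." JS
        header('Content-Type: application/json');
        $url = wg_login_location();
        echo json_encode($url === null ? ['error' => 'no login URL'] : ['location' => $url]);
        exit;
    }
    if (isset($_GET['status'])) {                   // the player came back from WG
        try {
            $user = wg_verify_return($_GET);
            session_start();
            session_regenerate_id(true);            // new session id after login
            $_SESSION['account_id'] = $user['account_id'];
            $_SESSION['nickname']   = $user['nickname'];
            header('Location: /');
        } catch (RuntimeException $e) {
            http_response_code(403);
            echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
        }
        exit;
    }
}
```

The `$post` parameter is injectable so the verification logic can be exercised with a canned response and no network; the session is bound to the account_id that the API confirmed, never to the account_id or nickname from the query string.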

Practice


```php
<?php
define('URL', 'http://example.com/WGDPPAuth.php');   // redirect_uri: this script's own address
define('APPLICATION_ID', 'demo');                    // application_id issued in the developer's office
// Message strings below are English placeholders; the original Russian strings did not survive extraction.

if (empty($_GET['status'])) {
    // First visit: ask auth/login for the redirect URL (nofollow=1 returns it in the body)
    $context = stream_context_create(array('http' => array(
        'method'  => 'POST',
        'header'  => 'Content-type: application/x-www-form-urlencoded',
        'content' => http_build_query(array(
            'nofollow'       => 1,
            'expires_at'     => 300,
            'redirect_uri'   => URL,
            'application_id' => APPLICATION_ID
        ))
    )));
    $data = json_decode(@file_get_contents('https://api.worldoftanks.ru/wot/auth/login/', false, $context), true);
    if (isset($data['status']) && $data['status'] == 'ok') {
        header('Location: ' . $data['data']['location']);
        exit();
    } else {
        exit('Could not get the authorization link.');
    }
} elseif (isset($_GET['status']) && isset($_GET['access_token']) && isset($_GET['nickname']) && isset($_GET['account_id']) && isset($_GET['expires_at'])) {
    // The user has returned with the parameters that auth/login appends to redirect_uri
    if ($_GET['status'] != "ok") {
        $error_code = 500;
        if (isset($_GET['code']) && preg_match('/^[0-9]+$/u', $_GET['code'])) {
            $error_code = $_GET['code'];
        }
        exit("Authorization error. Code: $error_code");
    } elseif ($_GET['expires_at'] < time()) {
        exit("Authorization error. The access_token has expired.");
    } else {
        // Verify the token server-side by prolonging it: a forged token will not prolong
        $context = stream_context_create(array('http' => array(
            'method'  => 'POST',
            'header'  => 'Content-type: application/x-www-form-urlencoded',
            'content' => http_build_query(array(
                'expires_at'     => 14 * 24 * 60 * 60,
                'access_token'   => $_GET['access_token'],
                'application_id' => APPLICATION_ID
            ))
        )));
        $data = json_decode(@file_get_contents('https://api.worldoftanks.ru/wot/auth/prolongate/', false, $context), true);
        if (isset($data['status']) && $data['status'] == "ok") {
            // Use the values returned by the API, not the ones from the query string
            $access_token = $data['data']['access_token'];
            $expires_at   = $data['data']['expires_at'];
            $account_id   = $data['data']['account_id'];
            // Here: store the data in the database, set the user's cookie, and so on.
            exit('Authorized account id <b>' . htmlspecialchars($account_id) . '</b><br />'
               . 'access_token <b>' . htmlspecialchars($access_token) . '</b>, valid until <b>'
               . date("dmY H:i:s", $expires_at) . '</b>');
        } else {
            exit('access_token is not valid');
        }
    }
} else {
    $error_code = 500;
    if (isset($_GET['code']) && preg_match('/^[0-9]+$/u', $_GET['code'])) {
        $error_code = $_GET['code'];
    }
    exit("Authorization error. Code: $error_code");
}
?>
```

Demo

Source: https://habr.com/ru/post/233957/
