New Dev Blog: Customizable API keys goes live for testing
 
This thread is older than 90 days and has been locked due to inactivity.


 

Miss Teri
Art of War Alliance
Posted - 2011.05.26 18:47:00 - [31]
 

More fine-tuned access: nice. But...

Why keep the key in two parts? (Before: userid+key, now: keyid+vcode)

In fact, why allow custom vcodes? That would only decrease security, as people will be bound to select bad (easy to remember, short) vcodes.

Why not make it a single, auto-generated string? Easy to copy and paste into programs (single copy/paste instead of two, like it is now).

darius mclever
Posted - 2011.05.26 19:08:00 - [32]
 

awesomeness. =)

Aineko Macx
Posted - 2011.05.26 19:08:00 - [33]
 

Cool, something I can approve of for a change.

CCP Stillman

Posted - 2011.05.26 19:29:00 - [34]
 

Originally by: Marcel Devereux
Edited by: Marcel Devereux on 26/05/2011 16:30:49
Can we please get a link for each key on the key management page that has the key info embedded as arguments in the URL (i.e. http://api.eve-online.com/key/?keyID=42&vCode=VERYSECRET)? I would like to register as a handler for that link and the user can choose to open the link with my application. This would allow for easy key entry into applications.

Is what you're asking for a button that will say "Copy API Key to clipboard", which people can click and then paste into the requesting application? Smile

SencneS
Rebellion Against Big Irreversible Dinks
Posted - 2011.05.26 19:29:00 - [35]
 

Originally by: Marcel Devereux
Why limit it to directors and CEO's? If you have access to a corp wallet (or any corp data) in game you should be able to have a key that allows you to access this information out of game. CEO's and directors can use access controls in game to restrict access to this data. The API server should be honoring the access controls set in game.


I agree with this, it is an oversight on CCP's side. I can see issues with this, like you give your low members Jr. Accountant so they can view the wallet etc, they generate a non-expiration key and post it on every EVE related forum.

So some security needs to be in place at the Director/CEO level to allow ANY corporate key generated by ANY member of the corp to be deleted/expired.

This way if the above does happen, the CEO/Directors can go out, login, look at the corp keys generated for the corp and expire/delete the one that was spammed across 50 different forums.

Sable Blitzmann
Minmatar
Massively Dynamic
Posted - 2011.05.26 19:31:00 - [36]
 

Edited by: Sable Blitzmann on 26/05/2011 19:32:08
Originally by: CCP Stillman
Originally by: Marcel Devereux
Edited by: Marcel Devereux on 26/05/2011 16:30:49
Can we please get a link for each key on the key management page that has the key info embedded as arguments in the URL (i.e. http://api.eve-online.com/key/?keyID=42&vCode=VERYSECRET)? I would like to register as a handler for that link and the user can choose to open the link with my application. This would allow for easy key entry into applications.

Is what you're asking for a button that will say "Copy API Key to clipboard", which people can click and then paste into the requesting application? Smile


Can you please address the more pressing matters of corp API only accessible to CEOs? Directors need full access, and members need access to the APIs that they have roles for, just like it currently is.

The current way is nerfed to hell and back and will make managing APIs extremely difficult for those of us with CEO's away from game or otherwise not very interested in APIs.

Other than this major oversight, this seems to be a great improvement of the API system

CCP Stillman

Posted - 2011.05.26 19:32:00 - [37]
 

Originally by: Everseeker
Is it safe to assume that, if I create a request string for a user, asking for specific information, that the user will see an "english-readable" warning, telling them specifically what the Recruiter/whoever will be receiving if you comply
(perhaps with a check-box based format, to allow partial compliance with the request....)


The way the dev blog mentions you can create a "predefined" key basically just fills out the things specified in the URL. The user will be able to see all the checkboxes before he submits it, and he will need to provide a bit of extra information.

We could add an extra warning if people are creating a pre-defined key, if people think this is a good idea Smile

CCP Stillman

Posted - 2011.05.26 19:33:00 - [38]
 

Originally by: SencneS
It doesn't say it anywhere but if we create a non-expiring key can we delete the key? I haven't created one yet because I am uncertain I will be able to delete it.

You can edit and delete an API key at any time you like!

Originally by: SencneS

I also assume the old API keys will continue to work as expected?


Yes. Smile

CCP Stillman

Posted - 2011.05.26 19:35:00 - [39]
 

Originally by: Two step
Only CEOs can create corporation keys? Why not directors as well?


We hear you, and all others who have commented on only CEOs being able to create corp keys. We'll investigate lowering that requirement to Director.
Originally by: Two step

What happens to a corporation key if the CEO leaves corp? Is it still valid?

No, that will invalidate it.

Sable Blitzmann
Minmatar
Massively Dynamic
Posted - 2011.05.26 19:37:00 - [40]
 

Originally by: CCP Stillman
Originally by: Two step
Only CEOs can create corporation keys? Why not directors as well?


We hear you, and all others who have commented on only CEOs being able to create corp keys. We'll investigate lowering that requirement to Director.


Thank you. But how about members with roles, such as corp wallet and whatnot? Or does the new underlying system not allow for something like this?

CCP Stillman

Posted - 2011.05.26 19:41:00 - [41]
 

Originally by: mkint

1) I like how customizable it is, but the added complexity means it's gonna be a pain in the ass for rookies to set it up for evemon/eft. A link like the 'all' 'none' links for 'basic' 'full' would be pretty awesome (especially if it automatically filled in the 'name' field as well.)


We still want to investigate implementing pre-defined templates from our end. We've provided application developers with a way of sending a user to the API page with a predefined key. But we want to provide at least some of the most "common" things people want to do, as templates you can pick on the create key page.
Originally by: mkint

2) it would be pretty awesome to have a button next to the verification code field labeled 'generate' to automatically create a new key similar to the classic API page.

3) I'm still fuzzy on how any programs will associate any particular API key with any particular account. I assume it still uses a user ID? That is no longer shown on the page. If it's not still associated to a user ID, then I'm fuzzy on what happens if there ends up being keys with duplicate names/verification codes (unless neither of those are supposed to be meaningful to the user, which I'd have to say right now would be extremely bad.)

also bonus points for not having the new API key being attached to spacebook. Holy jeebus, thank you for not having it be attached to spacebook. That gawdawful piece of crap website needs to be rebuilt from the ground up before I trust it to do anything important, and it still upsets me that it's linked to my account at all.

edit: after re-reading the original blog, the keyID concept is a little more clear. It's kinda weird that you could have a 2 digit keyID, but whatever. I assume you just need the keyID and the verification code, and I still maintain that it would probably be a smart idea to have an auto generate button for that 20 character password that the nag box keeps popping up for.

Also, for usability, the first time I logged in, I was taken directly to a create page without any of the explanations you see on the management page. For usability it would probably be a good idea to already have a 'basic' and 'full' key automatically generated when first signing in and being taken to the management screen instead of the creation screen.

The UserID had to go in order to allow for partial access to an account, i.e only giving access to a single character, as the userID could otherwise give away who you really are. So the userID is implicit in the keyID, but only the API can find out what the userID is.

And as said earlier, we'll investigate an "Auto generate" button for the verification code for a strong verification code Smile

CCP Stillman

Posted - 2011.05.26 19:42:00 - [42]
 

Originally by: James Arget

One of my members also asked how the Corp keys are going to work in regards to granularity. Could we make keys that restrict access to only member applications, or only to POS information?

That's the idea, yes. Creating a corporation key works exactly like creating a character key. You can select and de-select every single page you want, giving you granularity down to the specific API page you want to expose on a key.

CCP Stillman

Posted - 2011.05.26 19:47:00 - [43]
 

Originally by: Vessper
Nice work on the API changes, looking forward to using it! Some quick questions at this point:

1. What is going to happen with the account related APIs, namely the Characters.xml.aspx and AccountStatus.xml.aspx?


They'll be possible to select and de-select as all other calls on both bound and un-bound character keys. So we're not special casing those.

Originally by: Vessper

2. Am I correct in assuming that CharacterInfo under Public Info is the same as what is available with the current Limited API and under Private Info is what is available with the Full API?


Spot on sir! Smile

Originally by: Vessper

3. Are these changes something you are aiming to release in conjunction with Incarna 1.0 in June, or more likely scheduled for some later patch? Just trying to gauge if I need to start panicking Razz


No, we will definitely not be releasing this with Incarna 1.0. It will be later than that.

CCP Stillman

Posted - 2011.05.26 19:50:00 - [44]
 

Originally by: Miss Teri
More fine-tuned access: nice. But...

Why keep the key in two parts? (Before: userid+key, now: keyid+vcode)

In fact, why allow custom vcodes? That would only decrease security, as people will be bound to select bad (easy to remember, short) vcodes.

Why not make it a single, auto-generated string? Easy to copy and paste into programs (single copy/paste instead of two, like it is now).



In order to not be easy to bruteforce, we're keeping it to two variables needed to access any API key. As for custom vCodes, we'll implement an auto-generate button. But for those who want a custom vcode, we will allow that.

It is possible to create an insecure vcode, yes. But we will respond to bruteforce attacks on the API servers. And it's just nice to have it be generated by the user, should they decide to.

If you create an "insecure" vCode, you also get a pop-up when you create it, informing you that you might want to consider a more secure vCode.

CCP Stillman

Posted - 2011.05.26 19:54:00 - [45]
 

Originally by: Sable Blitzmann
Edited by: Sable Blitzmann on 26/05/2011 19:32:08
Originally by: CCP Stillman
Originally by: Marcel Devereux
Edited by: Marcel Devereux on 26/05/2011 16:30:49
Can we please get a link for each key on the key management page that has the key info embedded as arguments in the URL (i.e. http://api.eve-online.com/key/?keyID=42&vCode=VERYSECRET)? I would like to register as a handler for that link and the user can choose to open the link with my application. This would allow for easy key entry into applications.

Is what you're asking for a button that will say "Copy API Key to clipboard", which people can click and then paste into the requesting application? Smile


Can you please address the more pressing matters of corp API only accessible to CEOs? Directors need full access, and members need access to the APIs that they have roles for, just like it currently is.

The current way is nerfed to hell and back and will make managing APIs extremely difficult for those of us with CEO's away from game or otherwise not very interested in APIs.

Other than this major oversight, this seems to be a great improvement of the API system

I was just going down the list of all posts and trying to respond to them.

I've already discussed with Elerhino for allowing directors to create keys, and he seemed onboard with that. I'll discuss going all the way down to people with roles, to allow to create keys with a limited subset of access with Elerhino tomorrow. Till then, I don't want to promise anything, as I can imagine it's a fairly complex thing.

TheLostPenguin
Posted - 2011.05.26 19:55:00 - [46]
 

Looks very nice, so long as app developers make sure they can handle any and all oddball selections of calls being returned by a key, without throwing an error because you didn't include some group/call they assumed everyone would, this should work great Very Happy

One small thing I'm wondering right away is how many separate keys can we have active/ready made at any given time? There's bound to be a limit but is it 10, 20, 50 or some huge number that nobody in their right mind will ever trouble?

Herschel Yamamoto
Agent-Orange
Nabaal Syndicate
Posted - 2011.05.26 20:16:00 - [47]
 

Originally by: Marcel Devereux
Why limit it to directors and CEO's? If you have access to a corp wallet (or any corp data) in game you should be able to have a key that allows you to access this information out of game. CEO's and directors can use access controls in game to restrict access to this data. The API server should be honoring the access controls set in game.


I know you said you'll look into it, but I'll second this post. This is what it really ought to do, and it'd be awesome if you could pull it off.

Mr LaForge
Posted - 2011.05.26 20:54:00 - [48]
 

Will the current limited API key setup still be around for things like Evemon and EFT?

TornSoul
BIG
Gentlemen's Agreement
Posted - 2011.05.26 21:19:00 - [49]
 

Christmas - Already? (well.. it's not deployed yet but.. ) RazzRazzRazz

1: +1 for director keys

2: Let the vCode *default* to a 64 char random mash of chars/numbers - If people then *really* want to change it, they can.

3: I think (hope!) the following is the case, but please confirm :
- "oldschool" userid/apikey calls to the API will still be possible? (aka I won't have to update all my existing code with new paramnames)




Squizz Caphinator
Woopatang
Posted - 2011.05.26 21:58:00 - [50]
 

Originally by: CCP Stillman
Originally by: Marcel Devereux
Edited by: Marcel Devereux on 26/05/2011 16:30:49
Can we please get a link for each key on the key management page that has the key info embedded as arguments in the URL (i.e. http://api.eve-online.com/key/?keyID=42&vCode=VERYSECRET)? I would like to register as a handler for that link and the user can choose to open the link with my application. This would allow for easy key entry into applications.

Is what you're asking for a button that will say "Copy API Key to clipboard", which people can click and then paste into the requesting application? Smile


Yes please. After generating a key my first thought was "OK, how do I share this?"

ivar R'dhak
Minmatar
Posted - 2011.05.27 05:32:00 - [51]
 

Am I the only one who confused API with UI and thus got indecently excited about the blog? Embarassed

That'll teach me to read DevBlogs in the mornin. Razz

Avraham Avinu
Children of Noah
Posted - 2011.05.27 06:15:00 - [52]
 

Edited by: Avraham Avinu on 27/05/2011 06:29:25
Edited by: Avraham Avinu on 27/05/2011 06:16:25


  1. When I Update a vCode, I get an "Authentication failure" using the updated vCode, yet my old vCode still works. It only started to work a couple minutes later. I suspect a server-side cache issue. This will confuse people and lead to the dark side.


  2. HTTPS does not work, yet you use it as an example in your dev blog. This will hinder your testers who are eager to help.


  3. Json is popular


Vaerah Vahrokha
Minmatar
Vahrokh Consulting
Posted - 2011.05.27 07:13:00 - [53]
 

Edited by: Vaerah Vahrokha on 27/05/2011 07:18:22
I found a bug that could be related with lack of re-entrance. Steps to reproduce on IE 9:

Access Mask starts at 0 (of course)

Check "CharacterInfo" (others do that as well)
Uncheck it: it reverts to 0 (duh!).

Now check / uncheck it fast, even double click it several times.

Soon, the process will not revert the number to 0 but will start cycling and showing 3-4 different numbers, even negative ones. From now on, that attribute is borked till you happen to be lucky and guess click it so it gets a 0 again.

Edit: before you tell me why I used IE9 and not a proper browser: I also tested it on latest Firefox and the bug does NOT happen here.

--------------------------------------------------------------------------

Could I make a statement about design as well?

I have seen using a bitmap of attributes since when I used VAX.

And since I used VAX, it was a short sighted solution that later on required to be switched into a proper Name => Value associative array, with monetary and time costs.

I am posting it here as reference. In 2015 when CCP will have to rework the attributes since it's happening since 30+ years, someone will find this post and link it.

Tonto Auri
Vhero' Multipurpose Corp
Posted - 2011.05.27 07:54:00 - [54]
 

Originally by: CCP Stillman
In order to not be easy to bruteforce, we're keeping it to two variables needed to access any API key.

Go ahead, bruteforce sha1 hash... >.> I want to see someone trying that.
However, there's more to this issue than bruteforce.
Keeping key in two parts has its pros, it's right for manual overview (relatively short, human-readable key ID) and there's a number of other cases, but.
But question is - why keep it in two variables?
We on EVEMon forums have persistent issues with people, who can't see the "userID" line in API key block, and trying to insert their account name into it. Please, for all that holy, make it single string. :/
auth=<keyId>:<vCode> will work just good. For all purposes - from visual inspection to copypaste, and it's not like it is impossible task of splitting request variable into two before continuing with script.
As for custom vCodes, there's really no need for it. Make it sha1 or any other appropriate hash function of what-you-deem-good salt, and be done with it.
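
Added example, not part of the original thread and not CCP's code: a Python sketch of the ideas raised in this thread, namely an auto-generated 64-character vCode, the "consider a more secure vCode" warning, and the single `<keyId>:<vCode>` string. The 100-bit threshold, the distinct-character rule, the function names and the hashed key store are assumptions made for the illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, safe in a URL query
DEFAULT_LEN = 64   # default length proposed in the thread
MIN_LEN = 20       # length the thread says the warning box asks for
MIN_BITS = 100     # assumed threshold for this example

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate_vcode(length=DEFAULT_LEN):
    """Return a verification code drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def search_space_bits(vcode):
    """Upper bound on guessing cost: length * log2(size of the classes used)."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in vcode))
    return len(vcode) * math.log2(pool) if pool else 0.0


def weak_reasons(vcode):
    """Reasons to show a 'weak vCode' warning; empty list if none apply."""
    reasons = []
    if len(vcode) < MIN_LEN:
        reasons.append("shorter than %d characters" % MIN_LEN)
    if search_space_bits(vcode) < MIN_BITS:
        reasons.append("search space below %d bits" % MIN_BITS)
    if len(set(vcode)) < 8:
        reasons.append("fewer than 8 distinct characters")
    return reasons


def split_auth(value):
    """Split a combined '<keyID>:<vCode>' string into (int keyID, vCode)."""
    key_id, sep, vcode = value.partition(":")
    if not sep or not vcode or not (key_id.isascii() and key_id.isdigit()):
        raise ValueError("expected <numeric keyID>:<vCode>")
    return int(key_id), vcode


def vcode_digest(vcode):
    """Digest stored server-side so the vCode itself is not kept."""
    return hashlib.sha256(vcode.encode("utf-8")).digest()


# Compared against when the keyID is unknown, so both paths do the same work.
DUMMY = vcode_digest(generate_vcode())


def verify(store, auth):
    """Check '<keyID>:<vCode>' against {keyID: digest} with a constant-time compare."""
    try:
        key_id, vcode = split_auth(auth)
    except ValueError:
        return False
    expected = store.get(key_id)
    ok = hmac.compare_digest(expected or DUMMY, vcode_digest(vcode))
    return ok and expected is not None
```

A generated code passes `weak_reasons` with an empty list, while the `VERYSECRET` placeholder quoted earlier in the thread trips all three checks.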

Golden Gnu
Gallente
The Golden Gnu Corp
Posted - 2011.05.27 09:10:00 - [55]
 

I can not access: https://supporttest.eveonline.com (http as well)
It redirects me to https://supporttest.eveonline.com/Pages/KB/

Also, awesome change...

Hel O'Ween
Men On A Mission
EVE Trade Consortium
Posted - 2011.05.27 10:39:00 - [56]
 

Originally by: CCP Stillman

I've already discussed with Elerhino for allowing directors to create keys, and he seemed onboard with that. I'll discuss going all the way down to people with roles, to allow to create keys with a limited subset of access with Elerhino tomorrow. Till then, I don't want to promise anything, as I can imagine it's a fairly complex thing.


+1 for at least allow directors to create API keys.

The optimal solution, of course, would be to mimic a character's corp roles. There are so many "grunt jobs" (POS fueler, logistic) which could make good use of "their" corporation key.

Question 1):
This might be obvious, but better have it spelled out in written than all of us assuming something which's not true: personal and corporation keys are completely separated in the new system?

Example: assuming I'm a CEO or director, my full API key granted me complete access to both personal and corp API data. With the new system I would need to create two keys (personal and corporation) to achieve the same thing? I assume that's the case, but I rather have that confirmed.

Question 2):
Will there be a replacement for the AccountStatus API?

Suggestions:

1) Move the AssetLists on the "Create key" page away from "Personal information" either to "Account and market" or "Science and industry". I think I know where you're coming from with those categories (assets are considered to be a personal/sensitive thing), but in reality the assets API is mostly used in relation with trading or production.

2) Change the dropdown "Type" to checkboxes [] Character [] Corporation, making it possible to easily create two keys (char + corp) for the same purpose. Perhaps even just create one key with appropriate flags.

Kidzukurenai Datael
Imperial Collective
Celestial Shadows
Posted - 2011.05.27 10:47:00 - [57]
 

CCP Stillman is now officially my new favourite Dev. Look at all those replies!! Shocked
(...and no, that was not sarcasm.)

CCP Spitfire


C C P
C C P Alliance
Posted - 2011.05.27 13:43:00 - [58]
 

Originally by: Golden Gnu
I can not access: https://supporttest.eveonline.com (http as well)
It redirects me to https://supporttest.eveonline.com/Pages/KB/

Also, awesome change...


There should be a drop-down menu on the left ("My API Keys").


Marcel Devereux
Aideron Robotics
Posted - 2011.05.27 14:05:00 - [59]
 

Originally by: CCP Stillman
Originally by: Marcel Devereux
Edited by: Marcel Devereux on 26/05/2011 16:30:49
Can we please get a link for each key on the key management page that has the key info embedded as arguments in the URL (i.e. http://api.eve-online.com/key/?keyID=42&vCode=VERYSECRET)? I would like to register as a handler for that link and the user can choose to open the link with my application. This would allow for easy key entry into applications.

Is what you're asking for a button that will say "Copy API Key to clipboard", which people can click and then paste into the requesting application? Smile


Only if it can work across all browsers and does not require flash to do it (i.e bit.ly's copy url to clipboard requires flash). What reservations do you have about providing the link?

Taureau
Gallente
Innovia
Innovia Alliance
Posted - 2011.05.27 18:13:00 - [60]
 

Edited by: Taureau on 27/05/2011 18:36:19
Apologies if I'm incorrect about this, but if I try this URL with various parameters it fails: http://apitest.eveonline.com/API/APIKeyInfo.xml.aspx?keyID=1&vCode=VERYVERYSECRET

Can you give another access mask value for if the key is set to show "ALL" characters?

