Sythe API -- for third party apps/developers

To any developers,

We've put together an API which will let sythe.org users authenticate themselves in third party apps without entering their password.

The system works via tokens which are one use automatically generated passwords.

A user get a token from Quick Links like so:







Then the user copy pastes their token into the third party app which you (developer) have made. You then check that they are who they say they are with the script at http://www.sythe.org/checktoken.php?token=token_here

When a token is run with the script above it is 'used up'. These are one use passwords. The user can generate a new one by repeating steps above.

Output of the check token script is json, like so:

Code:

{"userid":"1","username":"Sythe","usergroupid":"6","joindate":"1114082940","posts":"3819","usertitle":"Director","icq":"","aim":"","yahoo":"","msn":"","skype":"","simple_username":"Sythe"}

Simple_username field is username with annoying characters stripped (for example if you want a simple version of their username for a chat name or something.) Other fields are self explanatory. Joindate is unixtimestamp, you can look up how to convert those.

We will be adding more info (such as donation amount/status) later.

Let me know what you think!

Cheers,
Richard

 

The tokens are not for logging in to sythe.org.

 

Its easy enough for the app developer to remember who you are once you're authenticated. They just leave a cookie or file (depending on the type of app) and that's that.

If the tokens weren't one-use then it'd be a massive security flaw.

Lets say I write an IRC daemon where you can 'prove' you are X on sythe.org by submitting your token. If the token doesn't get used up, then I could record all the tokens the users submit, then go use them on other third party apps.

 

This is a good idea. If you want to throw something suitable together I'll put it up. I assume you don't want it to look ugly since you'd be embedding it in your app.

 

Thanks

If you (developer) could grab a token for any user without that user's consent then it would defeat the purpose. The token is supposed to be a one use password that proves the user is who they say they are to a third party app.

And if you mean why not have the token jump from the iframe into the app by itself -- you can't. Violates XSS browser rules.

As to just having a button in an iframe that says "Authorize", that's oAuth type stuff. We might put that in later. Tokens are easier to implement for the moment for many apps.

For most apps you should only need the user to put in a token once (i.e. on signup) then keep your own records and user accounts.

 

No. Similar idea but different implementation.

 

Cookies do not work this way.

Almost every website on the internet uses cookies including this one (hence not having to login every 3 seconds). And they do ok.

That is true. So some level of trust should exist between the user and app developer. Tokens expire automatically after 30 minutes.

 

Grave: http://sythe.org/gettoken.php

 

Here's an example for anyone nosy or curious:

http://servicepanelpro.com/panel/

Note: Your login attempts will fail since you don't have an account. But it illustrates the concept.

 

That's actually more complicated than you would think because a lot of browser's handle the clipboard differently. I did already make it so when you click the token it highlights automatically...