These are chat archives for arenanet/api-cdi

18th
Apr 2016
Robert Logiewa
@Ruhrpottpatriot
Apr 18 2016 10:55 UTC
I want to make a suggestion regarding the two factor authentication, where’s the best place to put it?
@queicherius literally not a clue; my understanding was that commerce went through and purged all listings for untradeable items
Pat Cavit
@tivac
Apr 18 2016 17:09 UTC
@Ruhrpottpatriot forums, presumably
@Ruhrpottpatriot 2FA for the API or the game?
I'm assuming the game -- probably the general forums.
(or reddit)
David Reeß
@queicherius
Apr 18 2016 19:15 UTC
@lye there are still so many in there tho D: 4x reward chests (which people told me they cant be listed), 10x guild decorations I can see when I just look for "flag", pvp salvage kits?, ...
maybe they just removed all the listings that are just below vendor price
I'll have to ask them
@queicherius while I've got you here, RE: the malformed API key. Did they happen to give you a screenshot? I kind of find it hard to believe it's not just some wacky copy-paste issue or a browser extension gone berserk or something
like the API keys are two guids concatenated and I can't think of any reason why it would truncate the last 4 characters
David Reeß
@queicherius
Apr 18 2016 19:19 UTC
I asked him for one before I posted here, but he didn't want to take one ("would be uncomfortable for me")
even if it's cropped to just show the box? :/
David Reeß
@queicherius
Apr 18 2016 19:19 UTC
First time I heard of that case too, tho. Might just be a random issue.
I dunno, see if you can get the browser version and ideally a list of extensions/plugins
David Reeß
@queicherius
Apr 18 2016 19:20 UTC
I'll ask nicely again.
I have a feeling it's a rogue extension/plugin
or maybe a CSS issue and the key is getting truncated (and they're manually copying or something)
David Reeß
@queicherius
Apr 18 2016 19:26 UTC
Alright, wrote him another mail. Also asked him to try in incognito mode (so without extensions). Maybe that'll help.
Eearslya Sleiarion
@Eearslya
Apr 18 2016 21:23 UTC
{"error":"endpoint broken"}
My favorite
I hope to one day see it
I've got it on my local stack for /v2/guild/:id/stash
because I can't figure out how to give my guild the post-HoT upgrade for a stash
Eearslya Sleiarion
@Eearslya
Apr 18 2016 21:24 UTC
You should make it return an HTTP 418
that sounds hard to debug
also I bet IIS will complain that it doesn't have enough hot water
Eearslya Sleiarion
@Eearslya
Apr 18 2016 21:25 UTC
Aw, c'mon, how is "I am a teapot" hard to debug? It's extremely informative.
okay team I have bad news
the local websocket client thing is basically dead with this: https://bugs.chromium.org/p/chromium/issues/detail?id=418482
the client won't have a cert so it can't use a secure websocket, which means you'd have to connect to a local websocket from a non-HTTPS page
which is incredibly stupid in so many ways I don't even know where to begin
it doesn't really preclude the implementation, it just makes the usage thereof significantly more involved than I care to support (e.g., you can't just connect to a running client from a webpage -- you still have to download a native application)
windwarrior
@windwarrior
Apr 18 2016 22:09 UTC
If there is truly a need to have a web page communicate with a locally installed application, our recommendation is the native messaging API.
good every browser implemented that
-.-"
yeah but here's the catch
the native messaging API requires a hardcoded whitelist of 2nd-level domains
so you can't do "*" or "*.com"
so each bloody application would need its own extension for each browser
it's so stupid
windwarrior
@windwarrior
Apr 18 2016 22:17 UTC
*.gw2apps.com?
the only real solutions are (1) require all sites served over HTTPS to talk use HTTP, or (2) proxy websocket traffic through an SSL ANet server or (3) use a CF-style SSL challenge oracle to provide SSL in-client
David Reeß
@queicherius
Apr 18 2016 22:18 UTC
This is pretty dumb. I love when bugreports get answered with "lol sucks for you, do it in this shitty way".
right that'd be (2) or (3) which extends the development time by at least a month
I really don't get why localhost is unprivileged; CORS (which WS supports) should fix that perfectly fine
why do I care about mixed-content when it's not going across a network
that's literally the only time you care about mixed-content, when parts may be sent over a network unencrypted
I'm really upset.
sorry.
windwarrior
@windwarrior
Apr 18 2016 22:20 UTC
well, constructively, you can maybe present the chromium developers with your reasoning
Pat Cavit
@tivac
Apr 18 2016 22:20 UTC
based on past experience that's unlikely to change anything
it's not chromium, it's the standards body
in that issue they're basically saying "the standard requires this"
and even if I had a magic wand to get the standards changed
that would still push the timeline back years
windwarrior
@windwarrior
Apr 18 2016 22:21 UTC
right
I'm gonna try running the CF-style SSL challenge oracle by some server people at some point; I have a feeling they'll say "that's insane let's avoid that" because it's kind of insane
windwarrior
@windwarrior
Apr 18 2016 22:22 UTC
what's CF-style? I haven't heard about it yet
basically how cloudflare handles SSL if you don't want to give them your key
you provide a challenge oracle which their servers use to start SSL connections with your key
it's basically the same thing as giving them the key, but you can revoke it a lot easier than with CRLs and OCSP stapling
because both of those are an absolute cluster
because TLS is an absolute cluster
(revocation with a challenge oracle is as simple as just turning off the challenge oracle)
windwarrior
@windwarrior
Apr 18 2016 22:24 UTC
awesome, was looking for that
IMO it's kind of stupid; it's just to get around stupid bureaucratic issues w.r.t key handling
anyway if anyone's got a better idea let me know
because this is still something I'd love to see happen despite the internet-only nearsightedness of the standards committee
darthmaim
@darthmaim
Apr 18 2016 22:30 UTC
add local.api.guildwars2.com -> 127.0.0.1 to /etc/hosts and have a valid cert for it :fire:
it would have to be on a subdomain
not on a subdomain, on a completely different domain
like *.lyesgw2api.com
there's too much fishy business you can get into with CORS and a valid cert for a subdomain
because the web is a goddamn tinderbox
and we should burn it to the ground
https://www.youtube.com/watch?v=hUOzEthA_yU
(to remove the not-quite-NSFW thumbnail)
David Reeß
@queicherius
Apr 18 2016 22:32 UTC
thanks for that link, TIL
Archer is a really good show.
David Reeß
@queicherius
Apr 18 2016 22:34 UTC
I want a "sadface" smiley reaction on github. Not a "confused" one. :<
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:35 UTC
I don't suppose a long-polling webserver embedded in the GW2 client would be much better
@queicherius we could repurpose :laughing: to mean crying but it would be non-obvious.
@Eearslya AFAIK it doesn't fix the mixed-content issue
reading the spec it seems a webpage can request a "don't care" policy so this may be a non-issue
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:37 UTC
You can't make a local HTTPS webserver in the client?
where would we put the cert?
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:37 UTC
...Right. Derp.
darthmaim
@darthmaim
Apr 18 2016 22:37 UTC
afaik http://localhost/ is considered secure for most stuff (i know serviceworkers work for non https localhost)
if a local https server would work, a local wss server would work too
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:37 UTC
I mean..hmm
I tested with chrome, it definitely does not work
there's an open chrome issue marked wontfix
darthmaim
@darthmaim
Apr 18 2016 22:37 UTC
:/
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:38 UTC
Is it really so important that the cert stays private for this purpose, though?
We're not -really- transmitting sensitive data, just satisfying a spec
Technically no, but I'm gonna need some serious buy-in to distribute a cert
also our websocket implementation does not currently support TLS
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:39 UTC
What do you mean?
like, there has to be a chain of responsibility to manage the cert/DNS entries for the cert and a bunch of other hassles
since the cert will need to be renewed periodically and such
darthmaim
@darthmaim
Apr 18 2016 22:40 UTC
but you would still need a valid cert to make the browser happy, and no ca will give you one for localhost?
no CA will give you one for the "localhost" domain, no
but you can set up "lyesexcellentadventure.com" which has an A record that points to "127.0.0.1" and get a cert for that.
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:40 UTC
Would it be possible to have ANet's DNS server resolve an entry to--yeah
windwarrior
@windwarrior
Apr 18 2016 22:40 UTC
diginotar would :fire:
yeah it's definitely do-able but it's a huge amount of hassle compared to a non-TLS WS server
also it completely shuns the whole "you shouldn't distribute keys" bit which might get us in trouble with the CA
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:42 UTC
Really? Why do they care?
because it's something you really shouldn't do
realistically they probably won't
darthmaim
@darthmaim
Apr 18 2016 22:43 UTC
self signed certs really should be valid for localhost...
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:43 UTC
You really shouldn't need certs for localhost..
agreed
if you're connecting to localhost
it's not going across a network -_-
windwarrior
@windwarrior
Apr 18 2016 22:44 UTC
who would MitM then lol
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:44 UTC
Now, this is going out on a limb here, but can Javascript open and read files live?
no, not without a plugin
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:45 UTC
Curses.
PRETTY MUCH
windwarrior
@windwarrior
Apr 18 2016 22:45 UTC
well dnd'ed files
the spec allows user-agents to allow pages to opt-out of blocking mixed-content resources
but it highly recommends user-agents to not implement it
David Reeß
@queicherius
Apr 18 2016 22:45 UTC
:fire: :fire: :fire: :fire: :fire: THE INTERNET WORKS EXACTLY AS INTENDED :fire: :fire: :fire: :fire: :fire: :fire:
so I'm pretty sure chrome/firefox don't support it
@queicherius :fire: :fire: EVERYTHING WORKS FINE IF IT'S ALL IN THE CLOUD :fire: :fire:
problem es solved
so all we need to do is cloud-host the clients rather than having them run on your machine
windwarrior
@windwarrior
Apr 18 2016 22:46 UTC
that was a thing
onlive?
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:46 UTC
I have played GW2 through 2 layers of RDP and let me tell you
no
darthmaim
@darthmaim
Apr 18 2016 22:47 UTC
:D
David Reeß
@queicherius
Apr 18 2016 22:47 UTC
Well, clouds = water. Water + Fire = More clouds?
anyway I'm gonna check later tonight whether Content-Security-Policy can actually be disabled
if that can be disabled to turn off strict content blocking then this is a non-issue
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:47 UTC
I-Can-Do-What-I-Want: true
darthmaim
@darthmaim
Apr 18 2016 22:48 UTC
--disable-web-security
yes that works too, technically
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:48 UTC
Is that actually a flag chrome has?
darthmaim
@darthmaim
Apr 18 2016 22:48 UTC
yes
yes
windwarrior
@windwarrior
Apr 18 2016 22:48 UTC
yes
I use it locally
it pops up a "HEY YOU'VE GOT THAT FLAG STILL" every time I start chrome
"CLICK HERE TO TURN IT OFF"
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:49 UTC
speaking of chrome, mine is yelling at me to update
actually that might be the one to allow locally-packed extensions
windwarrior
@windwarrior
Apr 18 2016 22:49 UTC
I use it sometimes when building apps or something
uhh js apps
literally we should burn down all things computing and start over
and this time try to make at least some good decisions
windwarrior
@windwarrior
Apr 18 2016 22:49 UTC
I think because otherwise chrome doesn't want to load assets from your filesystem from javascript or something
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:50 UTC
I'm writing a MUD server for no particular reason; I could cannibalize it and make the new world's webserver
darthmaim
@darthmaim
Apr 18 2016 22:50 UTC
--unsafely-treat-insecure-origin-as-secure=http://lyereallywantssecureunsecureapis.com should work too
windwarrior
@windwarrior
Apr 18 2016 22:50 UTC
which is sensible, but well, impractical
@Eearslya we need to also burn down x86/x64
literally go back to hand-wrapping wires
because this house of cards is unsustainable
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:50 UTC
I'll get the punchcards
windwarrior
@windwarrior
Apr 18 2016 22:51 UTC
what technology can stay?
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:51 UTC
the transistor
the P/N junction is probably fine yeah
but pretty much all software (and all software implemented in silicon)
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:52 UTC
NEW WORLD ORDER :fire:
okay team we're putting off further API updates until I can re-invent the last 50 years of computational development using only modern methods
Eearslya Sleiarion
@Eearslya
Apr 18 2016 22:53 UTC
rm -rf /
and once I'm done with that we'll have better methods and should probably throw out what I create with a replacement written from scratch using the new methods
David Reeß
@queicherius
Apr 18 2016 22:53 UTC
I read "... using only modems" at first
darthmaim
@darthmaim
Apr 18 2016 23:06 UTC
What happens when I connect from a service worker (or any web worker) to an unsecured websocket and postMessage proxy it back to the page?
if the service worker's context is set to block mixed content (which is a setting inherited from the parent context and AFAIK locked to "on" with content served over a secure connection) then any websocket connections to an unsecured URI will be denied.
The converse is true if the service worker's context is not set to block mixed content.
David Reeß
@queicherius
Apr 18 2016 23:33 UTC
That moment when all servers suddenly forget how to DNS :fire: