Integrating BZLeague with the spawn groups list

Post by Longhair » Mon Oct 13, 2008 5:44 pm

I'm working on some PHP code for the upcoming Pillbox League pick-up tournament. What I'd like to be able to do is make it so that I get a bzmail in the Pillbox website whenever a player signs up for the tournament, but is not on the PBLEAGUE.PLAYERS list so that I can add them and they can spawn on the match servers.

Is there a MySQL user for this forum that has read-only permissions that external websites could use, or is there an even better way to do this that I'm unaware of? (like, how does the actual bzflag client do this in a secure way?)

Post by blast » Mon Oct 13, 2008 6:15 pm

Link them to the weblogin.php page, and give it a URL to return to on your site. You can then check the token you get, and ask the list server if they are in that group. That's how the BZFlag client/server do it (well, not with weblogin, but with the same overall process).

Example:
URL you want to return to, where %USERNAME% gets replaced with their callsign, and %TOKEN% with their token by our script:

Code:

http://yourwebsite.com/checklogin.php?username=%USERNAME%&token=%TOKEN%

You have to URL encode that URL, so you would end up linking your users to:

Code:

http://my.bzflag.org/weblogin.php?url=http%3A%2F%2Fyourwebsite.com%2Fchecklogin.php%3Fusername%3D%25USERNAME%25%26token%3D%25TOKEN%25

You can then use the returned values and, for example, our checktoken.php file to see if that was a valid login, and if they are in the group you are wondering about.

Post by Longhair » Tue Oct 14, 2008 3:34 am

Well, that's something anyway. The thing I'm confused about is what to do with this token once I get it back to me.

I tried setting up a test server with the -dddd switch on. It looks like the server sends a string that includes what groups the server wants to check against. In my case, it was EVERYONE, VERIFIED and PBLEAGUE.PLAYERS. In return, it looks like the server gets a line:

Code:

Got line: "MSG: checktoken callsign=longhair, ip=72.70.136.118, token=1543465772  group=EVERYONE group=PBLEAGUE.PLAYERS group=VERIFIED"

How do I test this token for group membership, since using the method as you outlined, I only get a token back as part of the $_GET array, no matter what I feed the weblogin.php page. Is there some other web based interface that takes a token?

Honestly, I don't really need to have the user authenticate in this case. All I'd need to do is something like (guessing table names here)

Code:

SELECT users.id
FROM users, users_groups, groups
WHERE users.callsign = :callsign
  AND users.id = users_groups.userid
  AND users_groups.groupid = groups.id
  AND groups.groupname = 'PBLEAGUE.PLAYERS'

If I get a row, I'd know that there would be no need to send a bzmail about it, since they'd already be in the PBLEAGUE.PLAYERS group. It would save users from a confusing experience where they have to leave the Pillbox League website, log in at my.bzflag.org/weblogin.php, and then end up back at the Pillbox League site.

If the weblogin.php script is all we have for the moment, that's fine, and I'll make do another way. If there IS a better way, though, I'd like to use it :)

Post by JeffM » Tue Oct 14, 2008 3:40 am

Take a look at checktoken.php in the misc dir of the source code. It lets you verify the token and query for group membership. It is the side of weblogin that you run on your site. It is very important that you not run your own copy of weblogin, but redirect them to ours. Your website should NEVER ask for or get the user's password.

This is not what we have 'for now'. This is what we will always use. For security and privacy reasons we do not allow third party access to our users list or database.

The weblogin system should be able to do everything you need; other sites are using it for group membership checks just fine.
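The weblogin round trip described in this thread, as an added PHP example that is not part of any post and is not BZFlag project code: it builds the link from blast's post and treats the returned username and token as untrusted until a token check succeeds. The `$verify` callable is a hypothetical stand-in for the check that checktoken.php performs, and the decimal-token test is an assumption based on the logged sample above.

```php
<?php
// Added example, not BZFlag project code. $verify is a hypothetical stand-in
// for the token check that checktoken.php performs.
const WEBLOGIN = 'http://my.bzflag.org/weblogin.php';

// weblogin.php substitutes %USERNAME% and %TOKEN% in the return URL, so the
// whole return URL is URL-encoded and passed as the single "url" value.
function weblogin_link(string $returnUrl): string
{
    return WEBLOGIN . '?url=' . urlencode($returnUrl);
}

// Handle the redirect back to checklogin.php. Both query parameters are
// attacker-controlled until the token has been verified server-side; the
// site never sees a password. Returns the confirmed groups, or null when
// the login must be rejected.
function handle_return(array $get, array $wantGroups, callable $verify): ?array
{
    $callsign = $get['username'] ?? '';
    $token    = $get['token'] ?? '';
    if (!is_string($callsign) || !is_string($token)) {
        return null;                 // e.g. ?token[]=x sends an array
    }
    // Assumption: tokens are decimal integers, as in the logged sample.
    if ($callsign === '' || !ctype_digit($token)) {
        return null;
    }
    // $verify returns the groups confirmed for this callsign/token pair,
    // or false when the pair is not a valid login.
    $groups = $verify($callsign, $token, $wantGroups);
    if ($groups === false) {
        return null;
    }
    // Keep only the groups that were asked about.
    return array_values(array_intersect($wantGroups, $groups));
}

// Constructed sample run with a stub verifier (no network access).
$stub = function (string $c, string $t, array $g) {
    return ($c === 'longhair' && $t === '1543465772') ? ['VERIFIED'] : false;
};
echo weblogin_link('http://yourwebsite.com/checklogin.php?username=%USERNAME%&token=%TOKEN%'), "\n";
$ok = handle_return(['username' => 'longhair', 'token' => '1543465772'],
                    ['PBLEAGUE.PLAYERS', 'VERIFIED'], $stub);
echo in_array('PBLEAGUE.PLAYERS', $ok ?? [], true) ? "already listed\n" : "send bzmail\n";
var_dump(handle_return(['username' => 'longhair', 'token' => 'forged'], ['VERIFIED'], $stub));
```

A `username` value that arrives without a token that verifies proves nothing about who is at the keyboard, so the bzmail decision is made only from the group list returned after verification.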
