Ryzom API/AppZone

From EncyclopAtys

Revision as of 10:43, 23 July 2020 by Dorothée

User authentication for apps registered in AppZone

Usage

URL values
user -- base64-encoded, PHP-serialized array
checksum -- SHA-1 hash_hmac computed with the app secret key from AppZone

Because the user value is a PHP-serialized array, the checksum must be validated before the user value can be safely used.
A valid checksum also gives a strong guarantee that the user is who they claim to be.

Example of how the response is created:

$userArray = [
  'timestamp' => "0.9696200 1503915319",
  'app_url' => 'http://...',
  'id' => "1",
  'char_name' => 'player',
  'race' => 'tryker',
  'cult' => 'neutral',
  'civ' => 'neutral',
  'organization' => 'marauder',
  'guild_id' => '105906000',
  'guild_icon' => '17',
  'guild_name' => 'guild',
  'grade' => 'Leader',
  'lang' => 'en'
];

$user = base64_encode(serialize($userArray));
$checksum = hash_hmac('sha1', $user, $appKey);

timestamp contains the microseconds and seconds at which the response was created. It should be checked to prevent the same response from being replayed multiple times.
app_url must be checked to prevent the same AppZone response from being used in other apps.
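
The checks described above, in the order they have to happen, as an added example (not code from ryzomapi_lite.php or the Ryzom project). The function name appzone_verify, its error strings, the 5-second clock-skew allowance and the sample key and URL are assumptions made for illustration.

```php
<?php
// Added example. appzone_verify() is a hypothetical helper, not the library's code.
// Returns the user array on success or an error string on failure.
function appzone_verify(string $user, string $checksum, string $appKey,
                        string $appUrl, int $maxAge)
{
    // 1. Authenticate the raw base64 string first, using a constant-time compare.
    if (!hash_equals(hash_hmac('sha1', $user, $appKey), $checksum)) {
        return 'checksum mismatch';
    }
    // 2. Only now decode. allowed_classes=false keeps unserialize() from
    //    instantiating objects, as defence in depth if the key ever leaks.
    $raw  = base64_decode($user, true);
    $data = $raw === false ? false : @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || !isset($data['timestamp'], $data['app_url'])) {
        return 'malformed user value';
    }
    // 3. timestamp is "<microseconds> <seconds>"; reject stale or future-dated
    //    responses (5 s of clock skew tolerated, an assumed value).
    $parts = explode(' ', (string) $data['timestamp']);
    if (count($parts) !== 2 || !is_numeric($parts[0]) || !is_numeric($parts[1])) {
        return 'bad timestamp';
    }
    $age = microtime(true) - ((float) $parts[1] + (float) $parts[0]);
    if ($age < -5 || $age > $maxAge) {
        return 'response expired';
    }
    // 4. Bind the response to this app so one issued for another app is refused.
    if ($data['app_url'] !== $appUrl) {
        return 'app_url mismatch';
    }
    return $data;
}

// Constructed sample input, built the same way as the response example above.
$appKey = 'secret-key';
$appUrl = 'http://app.url/';
$make = function (array $a) { return base64_encode(serialize($a)); };
$sign = function (string $u) use ($appKey) { return hash_hmac('sha1', $u, $appKey); };
$good     = $make(['timestamp' => microtime(), 'app_url' => $appUrl, 'char_name' => 'player']);
$tampered = $make(['timestamp' => microtime(), 'app_url' => $appUrl, 'char_name' => 'admin']);
$old      = $make(['timestamp' => '0.9696200 1503915319', 'app_url' => $appUrl]);

var_dump(appzone_verify($good, $sign($good), $appKey, $appUrl, 30));     // genuine response
var_dump(appzone_verify($tampered, $sign($good), $appKey, $appUrl, 30)); // altered payload, original checksum
var_dump(appzone_verify($old, $sign($old), $appKey, $appUrl, 30));       // correctly signed but stale
var_dump(appzone_verify($good, $sign($good), $appKey, 'http://other.app/', 30)); // presented to another app
```

The age check only narrows the replay window: within $maxAge seconds the same response still verifies, so an app that needs single use has to remember the timestamps it has already accepted.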

PHP interface

ryzom_app_authenticate(&$user)

This function verifies the AppZone user and checksum URL parameters. It uses $_GET['user'] and $_GET['checksum'] directly.
The function returns boolean true if successful. The $user variable will contain the info from AppZone, or an error message if there was an error.

$_SESSION['app.user'] is set for future requests. A PHP session is required.

Constants that should be defined:
RYAPI_AUTH_KEY -- secret key in AppZone
  if empty, then user info is not verified (not recommended)
RYAPI_APP_URL -- app url in AppZone
  if empty, then automatic best guess url is tried
  if false, then app url is not verified
RYAPI_APP_MAXAGE -- max age in seconds for AppZone url to be valid
  if 0, then timestamp is not verified

<?php
  require_once "ryzomapi_lite.php";

  define('RYAPI_AUTH_KEY', 'secret-key');
  define('RYAPI_APP_URL', 'http://app.url/');
  define('RYAPI_APP_MAXAGE', 30);

  session_start();

  $user = false;
  if (ryzom_app_authenticate($user)) {
    $charName = htmlspecialchars($user['char_name']);
    echo "Hello {$charName}!";
  } else {
    $error = htmlspecialchars($user);
    echo "Authentication failure ({$error}).";
  }