Re: New Patch 1.6.1 for our MMORPG Ryzom
Posted: Sun Oct 18, 2009 12:34 pm
iceaxe68 wrote: I haven't had a chance to check out the new features yet (dirty rotten RL too busy this week) but if it's true that you need only the api key to access these features, and from the grand old insecure internet at that, I am concerned.[...]
kiakaha wrote: It seems that they have addressed it. There is now a login with your pw instead of the Full API key.
Sending my account password instead of an API key isn't exactly what I'd call addressing security concerns.
It seems this is just a frontpage for various web applications (mail and notes for the time being), but this isn't what a public API is for -- with this approach you could just as well develop all your "web" apps in-house and have no need for giving out insecure API keys.
Granted, that way a third party is unlikely to get access to my in-game mail, but neither am I, unless I log in via this front page, which in turn makes it unusable through other web apps.
So what you've given us is a way to check in-game mails through a web interface. Nice, but then why do I have to log into yet another site, if and when I'm already logged into the ryzom.com site, and the forum? Would be nice if this could be somehow centralised, through one secure login process, not spread over dozens of separate logins, one less secure than the next.
On the other hand, this hasn't given much "power to the players" - we still can't access our in-game notes and mail from any other app, web or standalone. While it's nice that I can now read my mail from my l33t iPhone, it doesn't offer any actual value to the third party developers out there.
A possible solution might be to have separate keys for separate applications, where an app first offers me its ID that I can enter into my profile page which in turn generates a key for that app only. In a perfect world I would even be able to select individually for each app what character information it may see, or whether it may send mail to me, or read it.
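
The per-application key scheme proposed in the last paragraph of the post above, sketched as an added example that is not part of the original post and not Ryzom's API. The scope names, the app IDs and the `AppKeyStore` class are hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical scope names, modelled on the permissions the post lists.
SCOPES = {"character:read", "mail:read", "mail:send"}


def _digest(key):
    return hashlib.sha256(key.encode()).digest()


class AppKeyStore:
    """Per-account application keys; only a hash of each key is stored."""
    def __init__(self):
        self._grants = {}  # app_id -> (key digest, granted scopes)

    def issue(self, app_id, scopes):
        """Called when the user enters an app's ID on the profile page."""
        scopes = frozenset(scopes)
        if not scopes <= SCOPES:
            raise ValueError(f"unknown scopes: {sorted(scopes - SCOPES)}")
        key = secrets.token_urlsafe(32)  # shown to the user once
        self._grants[app_id] = (_digest(key), scopes)
        return key

    def revoke(self, app_id):
        """Cut off one app without touching the password or other apps."""
        self._grants.pop(app_id, None)

    def authorize(self, app_id, key, scope):
        """True only if the key was issued to this app and covers the scope."""
        digest, scopes = self._grants.get(app_id, (b"", frozenset()))
        # Constant-time comparison of the stored and presented key digests.
        return hmac.compare_digest(digest, _digest(key)) and scope in scopes


def demo():
    store = AppKeyStore()
    mail_key = store.issue("mail-viewer", {"mail:read"})  # constructed app IDs
    store.issue("guild-stats", {"character:read"})
    checks = [
        store.authorize("mail-viewer", mail_key, "mail:read"),       # granted
        store.authorize("mail-viewer", mail_key, "mail:send"),       # not in scope
        store.authorize("guild-stats", mail_key, "character:read"),  # other app's key
    ]
    store.revoke("mail-viewer")
    checks.append(store.authorize("mail-viewer", mail_key, "mail:read"))  # revoked
    return checks
```

A key leaked by one app is useless for any other app or scope, and revoking it leaves the account password and the remaining apps untouched.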