
Thread: Dota 2 Match History WebAPI

  1. #401
    Basic Member
    Join Date
    Dec 2011
    Posts
    83
    Quote Originally Posted by walkingcarpet View Post
    What? I think you are confused on some basic concepts. The user would never see the API key, it would not be able to be abused or extracted. Every user should not get their own API key.
    I you missed the first post about this and the earlier replies on it;
    Quote Originally Posted by d07.RiV View Post
    What if I wanted to add a match browser to a non-web-based tool? Not like I could include my key there, and even if I did, it's surely bound to a domain name..
    He's talking about an application which everyone can download/install/use/whatever, so the API calls are going to be made through the user's own internet connection. They are all responsible for their own amount of API calls.

  2. #402
    Quote Originally Posted by Arie View Post
    I you missed the first post about this and the earlier replies on it;


    He's talking about an application which everyone can download/install/use/whatever, so the API calls are going to be made through the user's own internet connection. They are all responsible for their own amount of API calls.
    Yes, I understand. This is not a concern though, because the user is identifiable through an IP address, and if the user is hammering the API by refreshing something in the application (as pointless as that would be) then Valve could restrict the offending IP.

    The API key itself is to identify the application. Users should not each have their own API key.

  3. #403
    Basic Member
    Join Date
    Dec 2011
    Posts
    83
    Well I still think it is the API key that matters; IP addresses can change, or one person could easily have multiple addresses at his disposal. However they can remove or block access to an API key, which can only be created through a steam account. The whole point of an API key is to make calls identifiable - doesn't make sense to get IP addresses in that story. Also an API key shouldn't be bound to a type of application. For all we know he will be putting his code on github for anyone to use. Even if it's a compiled program you can still filter the key out of the application or get it by capturing your internet traffic. By the logic of API keys being blocked instead of IP addresses, simply ruining the key would ruin the application for everyone who uses it. Any way I look at it, the API key should never be shared or public, and that is probably not even allowed.

  4. #404
    Basic Member d07.RiV's Avatar
    Join Date
    Sep 2012
    Location
    The Clock Tower
    Posts
    1,160
    Yes, I understand. This is not a concern though, because the user is identifiable through an IP address, and if the user is hammering the API by refreshing something in the application (as pointless as that would be) then Valve could restrict the offending IP.

    The API key itself is to identify the application. Users should not each have their own API key.
    My application is on google code, so the source is publicly available. Even if I hide the api key in resource files, or conceal it in any other way, it's not hard to extract it by debugging or capturing packets.

    It makes sense to use the same api key for the application, for tracking purposes etc, but since it's bound to my steam ID, I don't think it's a good idea at all, since users will have access to it. Also, a web application could use caching to limit the amount of api requests, while it's not possible for a client application.

  5. #405
    Quote Originally Posted by d07.RiV View Post
    My application is on google code, so the source is publicly available.
    This is very simple.

    Remove your key from your source... anyone compiling something can add their own key.

    However if your users download a pre-compiled binary then generate one key for your application.

    edit: My statement to embed your key in a downloadable binary is incorrect. A binary can still be debugged/decompiled to discover your key.
    Last edited by walkingcarpet; 09-15-2012 at 11:22 AM. Reason: correction

  6. #406
    Quote Originally Posted by walkingcarpet View Post
    This is very simple.

    Remove your key from your source... anyone compiling something can add their own key.

    However if your users download a pre-compiled binary then generate one key for your application.
    That would not solve his problem, as the api key could still be extracted from the binary.

    You have 2 options:
    a) have your own querying server with the api key there
    advantages:
    -No one knows your key;
    disadvantages:
    -Queries would still be on your key, and at risk of getting your key penalized. You could mitigate by caching, throttling, and maybe query ahead on low usage times;
    -Your server down = your application down;
    b) ask the user for his own api key
    advantages:
    -Your key is for your usage only;
    disadvantages:
    -Users would be required to have a steam account and an api key;
    -Users would be required to trust your application with their key;
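
Option (a) from the post above (a querying server that holds the key, with caching and throttling), sketched as an added example that is not from the thread. The upstream URL, the parameter allowlist and the class name are assumptions, and the HTTP call is injected so the block runs offline.

```python
import time
from urllib.parse import urlencode

UPSTREAM = "https://api.example.invalid/GetMatchHistory"  # placeholder, not the real endpoint
ALLOWED_PARAMS = {"account_id", "start_at_match_id", "matches_requested"}  # assumed allowlist

class MatchProxy:
    """Holds the API key server-side; clients only ever receive response bodies."""
    def __init__(self, api_key, fetch, ttl=60.0, per_client=5, window=10.0, clock=time.monotonic):
        self._key, self._fetch, self._clock = api_key, fetch, clock
        self._ttl, self._limit, self._window = ttl, per_client, window
        self._cache = {}  # canonical query string -> (expires_at, body)
        self._hits = {}   # client id -> timestamps of recent accepted requests

    def _throttled(self, client, now):
        recent = [t for t in self._hits.get(client, []) if now - t < self._window]
        allowed = len(recent) < self._limit
        if allowed:
            recent.append(now)
        self._hits[client] = recent
        return not allowed

    def handle(self, client, params):
        """Return (status, body). The key is added here and never echoed back."""
        now = self._clock()
        if self._throttled(client, now):
            return 429, "slow down"
        # Drop anything not allowlisted, including a client-supplied "key".
        clean = {k: str(v) for k, v in params.items() if k in ALLOWED_PARAMS}
        cache_key = urlencode(sorted(clean.items()))
        hit = self._cache.get(cache_key)
        if hit and hit[0] > now:
            return 200, hit[1]  # cache hit: no upstream call charged to our key
        url = UPSTREAM + "?" + urlencode(sorted({**clean, "key": self._key}.items()))
        body = self._fetch(url)
        self._cache[cache_key] = (now + self._ttl, body)
        return 200, body

def demo():
    # Constructed scenario: one client sends the same query six times in a row.
    calls, now = [], [0.0]
    def fake_fetch(url):  # stand-in for the real HTTP request
        calls.append(url)
        return '{"matches": []}'
    proxy = MatchProxy("SECRET-KEY", fake_fetch, clock=lambda: now[0])
    results = [proxy.handle("10.0.0.1", {"account_id": 1, "key": "evil"}) for _ in range(6)]
    return calls, results
```

Six identical requests cost one upstream call on the key; the sixth is rejected by the per-client window before it reaches the cache.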

  7. #407
    Basic Member
    Join Date
    Dec 2011
    Posts
    83
    It's amazing how walkingcarpet continues to keep saying the same thing instead of going into arguments.. I feel like I'm being trolled. Clearly you can't put your own API key in a downloadable application. API keys are user based, not application based. And no, not some end-user of some stats website, but the API user who is responsible for making the API calls.

  8. #408
    After doing some research it does appear that it is not currently possible to securely store a confidential API key inside of a downloaded binary. I will edit my posts to address my erroneous statements.

    My initial statements were assuming that his downloaded application would connect to his remote server which performed the calls, and my subsequent posts were based on incorrect assumptions around hardcoded data in a binary.
    Last edited by walkingcarpet; 09-15-2012 at 11:25 AM.

  9. #409
    Basic Member
    Join Date
    Dec 2011
    Posts
    83
    Alright man no hard feelings

    But to get back to the api, I wonder when it gets back up. A while back I've been able to fetch one match and made my parser, but would like to gather some more data now.

  10. #410
    Basic Member d07.RiV's Avatar
    Join Date
    Sep 2012
    Location
    The Clock Tower
    Posts
    1,160
    After doing some research it does appear that it is not currently possible to securely store a confidential API key inside of a downloaded binary. I will edit my posts to address my erroneous statements.

    My initial statements were assuming that his downloaded application would connect to his remote server which performed the calls, and my subsequent posts were based on incorrect assumptions around hardcoded data in a binary.
    Well, I don't have the resources to pull up a server for this. Not to mention it is quite weird to use a server just for duplicating api calls (even if it does caching and whatnot). That's what valve's servers are for.
