#1 Posted by takua108 (1578 posts) -

So I thought of this kind of cool idea for a Giant Bomb metagame-ish thing tonight, almost entirely out of nowhere. In order for it to work, though, I'd have to have some sort of user authentication system that would allow Giant Bomb users to log in using their Giant Bomb account. 
This is obviously not a feature of the Giant Bomb API, so I pondered how I could go about doing something like this. Then, I remembered the changes Garry Newman made to garrysmod.org awhile ago; basically, in order to download from it, you had to prove that you were a legitimate Garry's Mod owner. To do this, the website asks you to put a small bit of text (basically an MD5 hash) into your Steam profile. Once this is done, garrysmod.org can look at the profile, see the text (to confirm that the person trying to make the garrysmod.org account is, in fact, the owner of that Steam account), and then use Steam APIs or something to see that the user owns Garry's Mod. The user can then go back and delete that text; it was just a one-time-use thing. It's quite ingenious, in my opinion.
So I got to thinking... what if I did the same thing? How does this scenario sound: 
I, takua108 (on Giant Bomb) could register an account with the username "takua108" on this website (let's just call it gbthing [which is what I'm actually calling it until I get a better name]). During the registration process, to confirm that it's really "takua108" from Giant Bomb, it asks me to put a short bit of text into my Giant Bomb "About Me" page. This bit of text is just an MD5 hash that is generated based on the attempted username and the current time. It is committed to gbthing's database with an expiration timestamp (now + a few minutes). I edit my "About Me" page and paste the code in, hit "Save," then tab back over to gbthing's registration page and hit the "Next" button. gbthing looks at the (publicly-viewable) "About Me" page for the user in question, sees the text, and now knows that this must really be that user. The user then goes on to fill out the rest of the registration page, including passwords and so forth, and that all gets stored on gbthing's servers. (The user would be warned that they should probably use a different password than their Giant Bomb password; even though I'm obviously going to store the passwords as hashes, they should have no reason to believe that.) 
I just wrote some code to do this, and it works. I'm just asking here if it's OK to do this sort of thing. I'm following the rules of the Giant Bomb API, and I'm not trying to phish or create an impostor website or anything stupid like that; I just want to try and make a cool little metagame based around data that would be pulled from the API, but using your Giant Bomb identity. 
So, bottom line: is this OK?

#2 Posted by ThatFrood (3460 posts) -

wow hey, that is pretty cool. I obviously don't know if it's allowed or not, but that's a neat trick!

#3 Edited by takua108 (1578 posts) -

Here's a quick sample of another use for something like this (again, I'll take it down if it's something I shouldn't be doing): 
Go to http://rezich.com/gbxp/?takua108 (insert your username where mine is) to see your quest XP. 
Source is here if you're curious.

#4 Posted by ThatFrood (3460 posts) -


#5 Posted by LordAndrew (14588 posts) -
TUSC does the same sort of thing too. I should think it's fine for one-time verification of a user's identity. However, I'd recommend setting a user agent string that properly identifies your program. If they think what you're doing is inappropriate, they can block that user agent from accessing the site.
#6 Posted by takua108 (1578 posts) -
@LordAndrew: Any idea how I should form the user agent string? I was going to do this earlier, but I couldn't figure out anything about how to make a "proper" user agent.
#7 Edited by LordAndrew (14588 posts) -
@takua108: I don't know if there are any standards for user agent string well-formedness or anything. Wikimedia gives User-Agent: MyCoolTool (+http://example.com/MyCoolToolPage/) as an example. So the tool's name and a link to the site should be acceptable, I think.
#8 Edited by takua108 (1578 posts) -
@LordAndrew: Alright, thanks for the info. Looking around on the Internet for awhile, user agents appear to be a bigger mess than I'd ever known.
I have what I hope is a fully-functioning demo for registering users at http://rezich.com/ugbauth/, if anyone wants to give it a go. I haven't made logging into your account or anything yet, but the registration process should work relatively well. 
EDIT: Fixed a bug, but It's still not helping with the "having to wait like five minutes for the website to acknowledge that you did, in fact, put the snippet in your profile." I think it might be my host's fault?
#9 Posted by mosdl (3387 posts) -

Just make sure you respect robots.txt

#10 Posted by takua108 (1578 posts) -