So I thought of this kind of cool idea for a Giant Bomb metagame-ish thing tonight, almost entirely out of nowhere. In order for it to work, though, I'd have to have some sort of user authentication system that would allow Giant Bomb users to log in using their Giant Bomb account.
This is obviously not a feature of the Giant Bomb API, so I pondered how I could go about doing something like this. Then, I remembered the changes Garry Newman made to garrysmod.org a while ago; basically, in order to download from it, you had to prove that you were a legitimate Garry's Mod owner. To do this, the website asks you to put a small bit of text (basically an MD5 hash) into your Steam profile. Once this is done, garrysmod.org can look at the profile, see the text (to confirm that the person trying to make the garrysmod.org account is, in fact, the owner of that Steam account), and then use Steam APIs or something to see that the user owns Garry's Mod. The user can then go back and delete that text; it was just a one-time-use thing. It's quite ingenious, in my opinion.
So I got to thinking... what if I did the same thing? How does this scenario sound:
I, takua108 (on Giant Bomb) could register an account with the username "takua108" on this website (let's just call it gbthing [which is what I'm actually calling it until I get a better name]). During the registration process, to confirm that it's really "takua108" from Giant Bomb, it asks me to put a short bit of text into my Giant Bomb "About Me" page. This bit of text is just an MD5 hash that is generated based on the attempted username and the current time. It is committed to gbthing's database with an expiration timestamp (now + a few minutes). I edit my "About Me" page and paste the code in, hit "Save," then tab back over to gbthing's registration page and hit the "Next" button. gbthing looks at the (publicly-viewable) "About Me" page for the user in question, sees the text, and now knows that this must really be that user. The user then goes on to fill out the rest of the registration page, including passwords and so forth, and that all gets stored on gbthing's servers. (The user would be warned that they should probably use a different password than their Giant Bomb password; even though I'm obviously going to store the passwords as hashes, they should have no reason to believe that.)
I just wrote some code to do this, and it works. I'm just asking here if it's OK to do this sort of thing. I'm following the rules of the Giant Bomb API, and I'm not trying to phish or create an impostor website or anything stupid like that; I just want to try and make a cool little metagame based around data that would be pulled from the API, but using your Giant Bomb identity.
So, bottom line: is this OK?
Accessing Giant Bomb without the API: is it OK?
Here's a quick sample of another use for something like this (again, I'll take it down if it's something I shouldn't be doing):
Go to http://rezich.com/gbxp/?takua108 (insert your username where mine is) to see your quest XP.
Source is here if you're curious.
I have what I hope is a fully-functioning demo for registering users at http://rezich.com/ugbauth/, if anyone wants to give it a go. I haven't made logging into your account or anything yet, but the registration process should work relatively well.
EDIT: Fixed a bug, but it's still not helping with the "having to wait like five minutes for the website to acknowledge that you did, in fact, put the snippet in your profile." I think it might be my host's fault?
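The profile-snippet check described in the first post, sketched as an added example (this is not the poster's code). The class name, the `gbthing-` token prefix and the 300-second lifetime are assumptions, and the token comes from a CSPRNG rather than an MD5 of the username and time, since that input can be guessed by anyone who knows the username and roughly when the registration started.

```python
import hmac
import re
import secrets
import time

CHALLENGE_TTL = 300  # seconds; the post only says "now + a few minutes" (assumed value)
TOKEN_RE = re.compile(r"gbthing-[0-9a-f]{32}")  # hypothetical token format


class ProfileChallengeStore:
    """In-memory stand-in for the site's challenge table (hypothetical)."""

    def __init__(self, clock=time.time):
        self._pending = {}  # lowercased username -> (token, expires_at)
        self._clock = clock

    def issue(self, username):
        # Random token: nothing about it can be derived from the username
        # or the request time, unlike MD5(username + timestamp).
        token = "gbthing-" + secrets.token_hex(16)
        self._pending[username.lower()] = (token, self._clock() + CHALLENGE_TTL)
        return token

    def verify(self, username, profile_text):
        """Return True at most once per issued token."""
        # profile_text must be fetched by the server from the profile URL it
        # builds for `username`; never from a URL or body the client supplies.
        key = username.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False
        token, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[key]  # expired: the user must request a new token
            return False
        # Pull token-shaped strings out of the page (works on raw HTML too).
        found = any(hmac.compare_digest(candidate, token)
                    for candidate in TOKEN_RE.findall(profile_text))
        if found:
            del self._pending[key]  # one-time use, so a stale snippet cannot be replayed
        return found
```

The lifetime has to be longer than any delay before a profile edit becomes visible to the server, such as the roughly five-minute wait mentioned in the edit above.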