Discussion and help relating to PlayerIO's QuickConnect feature, including Facebook Connect and Kongregate Connect.

simpleRegister - Duplicate Email and Special Authentication

Postby AK712 » June 24th, 2018, 4:37 pm

I've seen in some of the previous user questions that PlayerIO.quickConnect.simpleRegister will return an error if the username entered already exists; however, does it also check to see if the email already exists? I certainly don't want a single email to register multiple users.

I'd also like to know if there's a way to input another form of authentication besides just the username and password; I could put something in the extraData object when they register, but the Authenticate function after registering only asks for username/email and password without an option to input anything that could be searched for in extraData. I would send a message to the server with the extra authentication, but from the code I've seen it looks like you can't pass server messages (GotMessage) until a user is actually logged in.

Thanks,
AK712
AK712
 
Posts: 32
Joined: May 2nd, 2012, 12:43 am

Re: simpleRegister - Duplicate Email and Special Authenticat

Postby Emalton » June 29th, 2018, 8:03 pm

I think what you're looking for is Basic Authentication.
Emalton
 
Posts: 69
Joined: June 28th, 2013, 3:49 am

Re: simpleRegister - Duplicate Email and Special Authenticat

Postby Henrik » July 3rd, 2018, 11:31 pm

Hey AK712,

Yes, Simple Users requires that both the username and email are unique.

There's a bunch of different Authentication schemes available, but SimpleUsers is only username/password.

If you want to construct your own authentication scheme, you would have to use Basic Authentication, but to use that securely you would have to have a server somewhere that handles authentication, and can calculate the secure auth needed.

You can of course use Basic Authentication without the secure hash, but that means anyone can authenticate as anyone else. Calculating the secure hash clientside also means that anyone can authenticate as anyone else.
Henrik
.IO
 
Posts: 1822
Joined: January 4th, 2010, 1:53 pm

Re: simpleRegister - Duplicate Email and Special Authenticat

Postby Emalton » July 5th, 2018, 3:26 pm

As Henrik mentioned, it would be best not to calculate this on the client side. As an alternative to his method, you can create a new connection in the PlayerIO admin panel, join a room, calculate the hash server-side, send the ConnectUserId and hash to the client, and then disconnect the user. Then, re-authenticate with the ConnectUserId and hash that you were sent.
Emalton
 
Posts: 69
Joined: June 28th, 2013, 3:49 am

Re: simpleRegister - Duplicate Email and Special Authenticat

Postby AK712 » July 9th, 2018, 2:47 am

I'm a bit confused. How will the server pass the user's username and password from the server without the client? Or maybe I just can't find where the Basic Authentication documentation for AS3 is listed. This is what I thought would happen:

Client: Get username, password, and 2nd authentication
Server: Encrypt, then check username, password, and 2nd authentication with encrypted username, password, and 2nd authentication on server
Server: If everything is equal, pass back successful connect; otherwise, pass back incorrect username/password error
Client: Receive one of the above

Am I supposed to first connect the user to the server with no authentication, and then when they're inside the server, have them log in?

Thanks,
AK712
AK712
 
Posts: 32
Joined: May 2nd, 2012, 12:43 am

Re: simpleRegister - Duplicate Email and Special Authenticat

Postby Henrik » July 10th, 2018, 11:26 am

What's this second authentication in your example? How is it validated? How is it generated? Is it something the user knows, or where does it come from?
Henrik
.IO
 
Posts: 1822
Joined: January 4th, 2010, 1:53 pm

Re: simpleRegister - Duplicate Email and Special Authenticat

Postby AK712 » July 11th, 2018, 2:07 am

It's user-generated - it's an answer to a security question.

Thanks,
AK712
AK712
 
Posts: 32
Joined: May 2nd, 2012, 12:43 am

Re: simpleRegister - Duplicate Email and Special Authenticat

Postby Henrik » July 11th, 2018, 12:52 pm

Ok, so you need a place that is not the client where you can validate that the answer to the security question is correct, and generate something that you can use to securely authenticate the user with PlayerIO.

Basically, you need a service that takes username + password + security question answer, validates all of it, and returns connectuserid + auth, which you can then feed into PlayerIO. You can't do it through our Simple Users service, because it can only validate username + password, there's no support for arbitrary security schemes.

An alternative would be to use username + password to authenticate with PlayerIO Simple Users, connect to a Multiplayer service room, send the security question answer to the room, validate it there, and if it's the wrong answer, disconnect the user and tell the client to show an error message to the user.
Henrik
.IO
 
Posts: 1822
Joined: January 4th, 2010, 1:53 pm
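
The service Henrik describes above (username + password + security answer in, connectuserid + auth out), sketched as an added example that is not part of the original thread or PlayerIO's own code. The token layout (`timestamp:HMAC-SHA256 hex`), the five-minute lifetime, and all names and sample values are assumptions for illustration; the real auth format comes from the Basic Authentication documentation.

```python
import hashlib, hmac, os, time

SHARED_SECRET = b"constructed-demo-secret"  # lives only on the server, never in the client
MAX_AGE = 300                               # seconds a token stays valid (assumed policy)

def _kdf(value: str, salt: bytes) -> bytes:
    # Slow salted hash for anything stored at rest (password, security answer)
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)

def make_user(password: str, answer: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw": _kdf(password, salt),
            "answer": _kdf(answer.strip().lower(), salt)}

USERS = {"bob": make_user("NaN", "Fish")}   # constructed sample record

def sign(user_id: str, ts: int) -> str:
    # Binding the user id into the MAC stops a token being replayed for another user
    mac = hmac.new(SHARED_SECRET, f"{ts}:{user_id}".encode(), hashlib.sha256)
    return f"{ts}:{mac.hexdigest()}"

def issue_auth(username, password, answer, now=None):
    """Validate all inputs server-side; return (connectuserid, auth) or None."""
    user = USERS.get(username)
    if user is None:
        return None
    ok_pw = hmac.compare_digest(user["pw"], _kdf(password, user["salt"]))
    ok_ans = hmac.compare_digest(user["answer"],
                                 _kdf(answer.strip().lower(), user["salt"]))
    if not (ok_pw and ok_ans):
        return None
    return username, sign(username, int(now if now is not None else time.time()))

def verify_auth(user_id, auth, now=None):
    """The check made by whoever holds the same secret before trusting user_id."""
    try:
        ts_text, _ = auth.split(":", 1)
        ts = int(ts_text)
    except ValueError:
        return False                        # malformed token
    now = int(now if now is not None else time.time())
    fresh = 0 <= now - ts <= MAX_AGE
    return fresh and hmac.compare_digest(sign(user_id, ts).encode(), auth.encode())
```

If `sign` and `SHARED_SECRET` were shipped inside the game client instead, any player could mint a valid token for any user id, which is the failure mode described earlier in the thread.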

Re: simpleRegister - Duplicate Email and Special Authenticat

Postby AK712 » July 11th, 2018, 9:25 pm

So far, this is what I've gathered from the documentation:
First, my client has the user register, with the following code:
Code:
PlayerIO.quickConnect.simpleRegister(
    stage,
    "icanbuildit-okvwisrgookgvjkk3xrfbw",
    usernamebox.text, // Username
    passwordbox.text, // Password
    emailbox.text, // Email
    "", // CaptchaKey
    "", // CaptchaValue
    { phrase: phrasebox.text }, // Extra data
    null, // Partner
    null, // PlayerInsight
    goodReg,
    badReg
);

The username, password, email, and extra data are then sent to an empty BigDB object (or is it an empty PlayerObject?) that can be loaded based on the username using the following code, with userInput2 being the password and userInput3 being the passphrase:
Code:
PlayerIO.BigDB.Load("users", "ExampleUser", delegate(DatabaseObject result) {
    // hash() stands for a hashing helper that is not shown here
    result.Set("password", hash(userInput2));
    result.Set("phrase", hash(userInput3));
    result.Save(); // Set() only changes the in-memory object; Save() persists it
}, delegate(PlayerIOError error) {

});

Then, when they log in the next time, I do the following on the client:
Code:
PlayerIO.authenticate(
    stage,
    "icanbuildit-okvwisrgookgvjkk3xrfbw",
    "public",
    { userId: usernamebox.text, password: passwordbox.text, phrase: phrasebox.text },
    null, // PlayerInsight segments
    goodLogin,
    badLogin
);

And then do the following on the server, having userInput1 as the username, userInput2 as the password, and userInput3 as the passphrase:
Code:
PlayerIO.BigDB.Load("users", userInput1, delegate(DatabaseObject result) {
    // result is null when no object exists for this key
    if (result != null
        && result.GetString("password") == hash(userInput2)
        && result.GetString("phrase") == hash(userInput3)) {
        // Successful login
    }
}, delegate(PlayerIOError error) {

});

So, if this is what happens, then I'm left with three questions:
1) How do I get the client-side input (usernamebox.text) to the server (userInput1)? Do I create a Room Type "Login" and have the messages sent through there?
2) Does PlayerIO.quickConnect.simpleRegister create a PlayerIO.BigDB object right when the user registers?
3) Is all of the information from quickConnect.simpleRegister automatically added to the BigDB object that's created, or do I have to add it myself, and if so, how?
Thanks,
AK712
AK712
 
Posts: 32
Joined: May 2nd, 2012, 12:43 am

Re: simpleRegister - Duplicate Email and Special Authenticat

Postby Henrik » July 14th, 2018, 1:19 pm

Hey,

No, that's not how it works unfortunately. There's no connection between BigDB and Simple Users. The extra data goes into the QuickConnect database and can only really be accessed through the Control Panel. We had an idea when Simple Users was created that the data should go to BigDB in the future, but it didn't work out.

So when you register a Simple User, you can only really input username, email, and password. And when you authenticate a Simple User, you can only use username or email + password.


But if you're thinking about storing some sort of security question with the user on registration, does that mean the user would need to enter the answer to that question every single time they wanted to log in? The same answer every time?
Henrik
.IO
 
Posts: 1822
Joined: January 4th, 2010, 1:53 pm

Re: simpleRegister - Duplicate Email and Special Authenticat

Postby AK712 » July 16th, 2018, 2:14 am

Yes, the user will enter the same answer every login.

If I used Basic Authentication instead of Simple User, would that have the data sent to BigDB? Or what authentication should I use so that the extra data would be sent to a new BigDB object, and how would I register the user in the AS3 side? I haven't found any other register calls in the AS3 library so far.

Thanks,
Nathan
AK712
 
Posts: 32
Joined: May 2nd, 2012, 12:43 am

Re: simpleRegister - Duplicate Email and Special Authenticat

Postby Henrik » July 16th, 2018, 10:08 am

If it's the same answer every time, you haven't added any security, you've just added a lot of work for yourself.

You can't store data in BigDB, or check data, during authentication with PlayerIO. You would have to first authenticate, and then either store something in the player's PlayerObject, or check that what the user entered matches what's stored. But it's trivially bypassed by a determined hacker, and it doesn't really add any security.
Henrik
.IO
 
Posts: 1822
Joined: January 4th, 2010, 1:53 pm

Re: simpleRegister - Duplicate Email and Special Authenticat

Postby AK712 » July 17th, 2018, 1:03 am

Now I'm even more confused. If data isn't stored in BigDB when a user authenticates, where does the user's data (username/email, password, extra authentication data) go to? What place in the PlayerIO server handles the authentication request?

Basically, if I authenticate with username "Bob", password "NaN", and extra data "Fish", where does "Bob", "NaN", and "Fish" go to in the server? Or does the server automatically make sure the username and password match an existing user, and then logs them in, without me having to do anything?

Thanks,
AK712
AK712
 
Posts: 32
Joined: May 2nd, 2012, 12:43 am

Re: simpleRegister - Duplicate Email and Special Authenticat

Postby Henrik » July 18th, 2018, 3:07 pm

Authentication is handled by whatever authentication provider you've set up for your connection.

For example, if you're using Facebook, then the data PlayerIO receives during authentication is sent over to Facebook for verification, and if everything is fine, the client library returns an authenticated client object.

If you use Basic authentication, we perform no check, or just a simple hash check if you've configured it, and return an authenticated client object.

If you use Simple Users, then PlayerIO stores a user database for you containing username, email, and password. And when you authenticate against it, we check that the username and password match before returning an authenticated client object.

BigDB is not involved in any Authentication, access to BigDB comes after the user has authenticated.
Henrik
.IO
 
Posts: 1822
Joined: January 4th, 2010, 1:53 pm

Re: simpleRegister - Duplicate Email and Special Authenticat

Postby AK712 » July 18th, 2018, 11:04 pm

Okay, now I understand.

If I'm using Simple Authentication, PlayerIO will handle the username, email, and password for both registration and authentication; for registration, it'll also make sure that the username and email are not already used.

Basic Authentication, on the other hand, requires that the game developer has their own server and own way of authentication, and PlayerIO doesn't really do anything with it.

I'm certainly not able to run and maintain my own servers, so it looks like Simple Users is the way I'll go.

Thanks,
AK712
AK712
 
Posts: 32
Joined: May 2nd, 2012, 12:43 am

