Improve testclient-key retrieval

Chrome makes it much harder to grab keys now. I've set up a way to make it easy (since we're going to be doing it once a week). Chrome did make it hard on purpose, so I'm a little paranoid, but I think probably these warnings will be enough. If we develop a phishing problem I'll revisit this.
2026-03-21 17:50:29 -05:00 · 2025-04-12 23:14:49 +00:00 · 2025-04-12 23:14:49 +00:00 · 9040d41fb3
commit 9040d41fb3
parent bfae3543e4
3 changed files with 117 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -62,12 +62,13 @@ contents:
    const POKEMON_SHOWDOWN_TESTCLIENT_KEY = 'sid';

 Replace `sid` with the contents of your actual PS `sid` cookie. You can quickly
-access this on Chrome through the URL bar:
+grab it from:

-![image](https://user-images.githubusercontent.com/551184/53414680-def43480-3994-11e9-89d0-c06098c23fa0.png)
-![image](https://user-images.githubusercontent.com/551184/53414760-119e2d00-3995-11e9-80f8-ecd17467310a.png)
+> https://play.pokemonshowdown.com/testclient-key.php

-(This is the only supported method of logging in on the beta Preact client.)
+Make sure to put it in `config/` and not `play.pokemonshowdown.com/config/`.
+
+(This is the only supported method of logging in on the beta Preact testclient.)

  [5]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

--- a/play.pokemonshowdown.com/src/client-connection.ts
+++ b/play.pokemonshowdown.com/src/client-connection.ts
@ -62,6 +62,11 @@ PS.connection = new PSConnection();

 export const PSLoginServer = new class {
 	rawQuery(act: string, data: PostData): Promise<string | null> {
+		// commenting out because for some reason this is working in Chrome????
+		// if (location.protocol === 'file:') {
+		// 	alert("Sorry, login server queries don't work in the testclient. To log in, see README.md to set up testclient-key.js");
+		// 	return Promise.resolve(null);
+		// }
 		data.act = act;
 		let url = '/~~' + PS.server.id + '/action.php';
 		if (location.pathname.endsWith('.html')) {
--- a/play.pokemonshowdown.com/testclient-key.php
+++ b/play.pokemonshowdown.com/testclient-key.php
@ -0,0 +1,107 @@
+<?php
+
+header('Cache-Control: no-store, no-cache, must-revalidate');
+header('Pragma: no-cache');
+header('Expires: 0');
+header('X-Frame-Options: DENY');
+header('X-XSS-Protection: 1; mode=block');
+header('X-Content-Type-Options: nosniff');
+
+?>
+<!DOCTYPE html>
+<meta charset="UTF-8" />
+<meta name="viewport" content="width=device-width" />
+
+<style>
+  html, body {
+    margin: 0;
+    padding: 0;
+  }
+  html, body, button {
+    font-family: Verdana,Helvetica,sans-serif;
+    font-size: 12pt;
+  }
+
+  html {
+    background: #f0f0f0;
+    color: #333333;
+  }
+  body {
+    padding: 20px;
+    max-width: 900px;
+    margin: 0 auto;
+  }
+  strong {
+    color: red;
+  }
+  textarea {
+    min-height: 100px;
+    field-sizing: content;
+    padding: 20px;
+    width: 100%;
+    box-sizing: border-box;
+  }
+  @media (prefers-color-scheme: dark) {
+    html {
+      background: #000;
+      color: #ddd;
+      color-scheme: dark;
+    }
+    a {
+      color:rgb(99, 174, 209);
+    }
+    a:visited {
+      color:rgb(177, 123, 195);
+    }
+  }
+</style>
+
+<p>IF SOMEONE ASKS FOR THIS KEY, THEY ARE TRYING TO <strong>STEAL YOUR ACCOUNT</strong>. THEY ARE <strong>PHISHING</strong>.</p>
+<p>Admins do not need this key to update your account. Do not give it to anyone who asks. You should ONLY use this to set up the testclient.</p>
+
+<hr />
+
+<button id="showbutton" onclick="showCookie()">I swear I'm ONLY using this to set up the testclient</button>
+
+<!-- probably this is excessive -->
+<!-- Run this in the dev console: <code>showCookie()</code> -->
+
+<script>
+  function getSid() {
+    if (self !== top) {
+      throw new Error("no way");
+    }
+    const entry = document.cookie.split('; ').map(part => part.split('=')).find(([k]) => k === 'sid');
+    if (!entry) {
+      throw new Error("No cookie found. Please log in to PS and try again.");
+    }
+    return decodeURIComponent(entry[1]);
+  }
+  function showCookie() {
+    try {
+      const cookie = getSid();
+      document.getElementById('instructions').style.display='block';
+      document.getElementById('showbutton').style.display='none';
+      document.querySelector('textarea').textContent = `const POKEMON_SHOWDOWN_TESTCLIENT_KEY = '${cookie}';`;
+      return "Okay, look back at the page"
+    } catch (err) {
+      alert(err.message);
+      return;
+    }
+  }
+</script>
+
+<div id="instructions" style="display:none">
+  <p>Place this in <code>config/testclient-key.js</code>:</p>
+  <textarea readonly></textarea>
+</div>
+
+<!--
+
+So yeah, there's an interesting question of whether I should provide this
+convenience feature at all. There's a reason browsers have made it harder and
+harder to access your cookies, after all. But browsers do still make it
+possible, and this page has some big red warnings, so I think this is good
+enough.
+
+-->