The website API now reports userid '0' as an unregistered user.
Apparently PHP treats the string '0' as falsy. In the interests of
not overhauling literally all our APIs, I've decided to only change
the code in the website API. The rest doesn't need to be changed
because number-only userids haven't been allowed for a very long
time.
Fixes https://github.com/smogon/pokemon-showdown/pull/7704
The automatic server detection just loops through all registered
servers and tries each of them to find the correct one. This process
will hang if any registered server isn't responding to DNS queries,
which at the number we currently have, makes all servers not sending
serverid fail.
We now hard-require the Config.serverid setting, to prevent this
problem.
To support running Smogtours on HTTPS, we now support non-443 ports.
We also now set SameSite=None headers for the SID cookie, so it's once
again possible to stay logged in on servers other than Main.
This is mostly useful for the testclient, which otherwise can't interact
with the login server without huge hacks like the iframe copy/paste.
Requiring an external sid resolves any security issues; sid being the
only cookie we use for security-sensitive things, and also being our
CSRF token.
In theory, this is also useful for clients that don't support cookies,
although I'm unsure how they'd get their hands on an sid in the first
place. I guess just run login actions?
This doesn't support setting accounts up for Google login: that still
has to be manually done via the database by setting the email field to
`username@gmail.com@`, where the second `@` denotes that it's using
Gmail login.
If the email field does end in `@`, `getassertion` will note this by
sending `;;@gmail`, to convey that the server is expecting a Google
login token rather than a password.
Upon receiving `;;@gmail`, the client will replace the password box will
with a Google login button, and then send the resulting Google login
token to the server in the `password` field. The server will validate
the "password" using the Google server libraries, and otherwise handle
the login as normal.
Note that Google login requires various features that a paranoid person
might disable; most notably 3rd-party cookies.
FixesZarel/Pokemon-Showdown#3394
Prepared statements are much better than manually constructing queries,
but PHP's MySQLi prepared statement syntax sucks.
So does PDO's, but we're abstracting it out so we can make it not suck,
and give it the syntax it should always have had. Which is what this
does.
Yay, finally.
For too long, ntbb-session and ntbb-database have been maintained
outside of this repo, but no longer! All these files are now part of the
repository, making it significantly more self-contained.
If I had to say why it took this long, I think it was mostly inertia. It
was easier leaving them where they were than having to audit them for
private keys in the wrong places, etc.
I'm starting to think of PS more as sim first, website secondary than
the other way around, now. Especially now that we don't have a forum,
the website itself isn't really important... Maybe one day I'll get rid
of the landing page and make the sim itself the first thing you see when
you hit pokemonshowdown.com... but today is not that day!
The repo is still not "batteries-included" since I am not going to teach
anyone how to set up PHP and MySQL or even get the config files working.
But for anyone who wanted their own client, well, it gets a lot easier
to do now.
