Our new API replacement for action.php is in
https://github.com/smogon/pokemon-showdown-loginserver
I haven't completely deleted the old-replays folder because there
are some things we haven't replaced that I don't know what to do
with... I guess that'll come in a future commit.
The website API now reports userid '0' as an unregistered user.
Apparently PHP treats the string '0' as falsy. In the interests of
not overhauling literally all our APIs, I've decided to only change
the code in the website API. The rest doesn't need to be changed
because number-only userids haven't been allowed for a very long
time.
Fixes https://github.com/smogon/pokemon-showdown/pull/7704
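The pitfall behind this change, shown as an added PHP example (not the login server's code): PHP's loose boolean conversion treats the string `'0'` as false, so `empty()` or a bare truthiness test mistakes a userid of `'0'` for "no user". The function names are illustrative.

```php
<?php
// Added example, not the login server's code. Demonstrates why a
// "is this user registered?" check must not rely on PHP truthiness.

// Buggy: both empty() and a bare truthiness test reject the string '0',
// because (bool)'0' is false in PHP.
function isRegisteredLoose(string $userid): bool {
    return !empty($userid);
}

// Correct: only the empty string means "not logged in"; compare explicitly
// instead of letting PHP juggle the type.
function isRegisteredStrict(string $userid): bool {
    return $userid !== '';
}

// Runs both checks over the edge cases. '0' is the only non-empty string
// PHP converts to false; '00' and '0.0' convert to true, which is exactly
// why this bug is easy to miss in testing.
function compareChecks(): array {
    $results = [];
    foreach (['', '0', '00', 'zarel'] as $userid) {
        $results[$userid] = [
            'loose'  => isRegisteredLoose($userid),
            'strict' => isRegisteredStrict($userid),
        ];
    }
    return $results;
}
```

Any API that maps "falsy userid" to "unregistered" (or to "guest" with reduced permissions) has the same hazard, which is why the commit limits the fix to the one API where numeric userids can still appear.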
The automatic server detection just loops through all registered
servers and tries each of them to find the correct one. This process
will hang if any registered server isn't responding to DNS queries,
which, at the number we currently have, makes all servers not sending
serverid fail.
We now hard-require the Config.serverid setting, to prevent this
problem.
To support running Smogtours on HTTPS, we now support non-443 ports.
We also now set SameSite=None headers for the SID cookie, so it's once
again possible to stay logged in on servers other than Main.
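How the SID cookie has to be set for `SameSite=None` to work, as an added example in PHP (not the login server's code). Browsers ignore a `SameSite=None` cookie unless it also carries `Secure`, so the cookie is only ever sent over HTTPS; the cookie name matches the page, while the domain, lifetime and `HttpOnly` choice are assumptions for illustration (`setcookie` with an options array needs PHP 7.3 or later).

```php
<?php
// Added example, not the login server's code. Sets the session cookie so
// that client pages served from other servers' origins can still send it.
function setSidCookie(string $sid, int $lifetimeSeconds = 2 * 365 * 24 * 3600): bool {
    return setcookie('sid', $sid, [
        'expires'  => time() + $lifetimeSeconds,
        'path'     => '/',
        'domain'   => '.example.com',   // placeholder; the real cookie domain
        // SameSite=None is rejected by browsers without Secure, so the
        // cookie travels only over HTTPS (the reason non-443 HTTPS ports
        // matter for servers like Smogtours).
        'secure'   => true,
        // Assumption: the cookie is not needed by page scripts.
        'httponly' => true,
        // Lax (the browser default) would drop the cookie on cross-site
        // requests, logging users out everywhere except Main.
        'samesite' => 'None',
    ]);
}

// Clears the cookie with the same attributes; a mismatch in path or
// domain would leave the old cookie in place.
function clearSidCookie(): bool {
    return setcookie('sid', '', [
        'expires'  => time() - 3600,
        'path'     => '/',
        'domain'   => '.example.com',   // placeholder, must match setSidCookie
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'None',
    ]);
}
```

Switching to `SameSite=None` gives up the cross-site request filtering that `Lax` provided, so the server-side CSRF check has to carry the load on its own; it is not a substitute for one.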
- `$prefix` needs to be initialized
- `$_REQUEST['prefix']` was misspelled as `$_REQUEST['format']`
- prefix argument in `getTop` not correctly marked as optional
- fix missing `FROM`, `AS alias`, and extraneous `)` in query
- `LIMIT` apparently can't be parameterized in MySQL?
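The list above says `LIMIT` could not be parameterized. As an added PHP example (not the repository's `getTop`), here is how such a query can still be built without interpolating user input: with PDO, an integer bound as `PDO::PARAM_INT` is accepted in `LIMIT` under both native and emulated prepares (binding it as a string makes emulated prepares quote it, which MySQL rejects in that position). The table and column names are placeholders; the function signature mirrors the `getTop` described above, with `$prefix` initialized and optional.

```php
<?php
// Added example, not the ladder code from the repository.
// Table/column names (ladder, userid, elo, formatid) are placeholders.
function getTop(PDO $db, string $format, ?string $prefix = null, int $limit = 500): array {
    // Clamp the caller's number so a client cannot request the whole table.
    $limit = max(1, min($limit, 500));

    $sql = 'SELECT userid, elo FROM ladder WHERE formatid = :format';
    $params = [':format' => $format];

    if ($prefix !== null && $prefix !== '') {
        // Prefix match via LIKE; escape the wildcard characters in the
        // user's input so '%' or '_' in a prefix cannot widen the match.
        $sql .= ' AND userid LIKE :prefix';
        $params[':prefix'] = addcslashes($prefix, '%_\\') . '%';
    }
    $sql .= ' ORDER BY elo DESC LIMIT :limit';

    $stmt = $db->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, PDO::PARAM_STR);
    }
    // Bound as an integer: emitted unquoted under emulated prepares and
    // sent as a native integer parameter otherwise.
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

If the driver in use really cannot bind the value, the fallback is to cast to `int` and clamp before concatenating, never to concatenate the raw request parameter.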
This required a new architecture for serving replays from inside the
client repository, because that seems like a better call than
introducing yet another PS repository.
(Experience gives me the impression that separating repositories wasn't
a good idea, and we should be working to make PS more mono-repo-like,
rather than less.)
License for replay code is tentatively AGPLv3, although feel free to ask
for a more permissive license if you have plans to use it in an
open-source project that requires it.
This is mostly useful for the testclient, which otherwise can't interact
with the login server without huge hacks like the iframe copy/paste.
Requiring an external sid resolves any security issues; sid being the
only cookie we use for security-sensitive things, and also being our
CSRF token.
In theory, this is also useful for clients that don't support cookies,
although I'm unsure how they'd get their hands on an sid in the first
place. I guess just run login actions?
POSTing JSON data is now supported, since apparently Axios does that by
default: #1160
In addition, error messages should be more informative, for anyone else
trying to write a third-party client.
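Reading parameters from either body encoding, as an added PHP example (not the login server's code): form posts arrive in `$_POST`, while a JSON post (what Axios sends by default) has to be read from `php://input` and decoded, with a specific error for bad input rather than a silently empty request. The function name and the error type are illustrative.

```php
<?php
// Added example, not the login server's code. Returns request parameters
// as a flat string-keyed array whichever way the client encoded them.
function readRequestParams(): array {
    $contentType = $_SERVER['CONTENT_TYPE'] ?? '';
    // Accept "application/json" with or without a charset parameter.
    if (stripos($contentType, 'application/json') !== 0) {
        return $_POST;
    }

    $raw = file_get_contents('php://input');
    // A small depth bounds the parser; flat parameters never need nesting.
    $decoded = json_decode($raw, true, 8);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new InvalidArgumentException(
            'Request body is not valid JSON: ' . json_last_error_msg()
        );
    }
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('JSON request body must be an object of parameters');
    }

    // $_POST values are always strings; normalise the JSON the same way so
    // downstream code sees one shape, and reject nested objects/arrays.
    $params = [];
    foreach ($decoded as $key => $value) {
        if ($value !== null && !is_scalar($value)) {
            throw new InvalidArgumentException("Parameter '$key' must be a string, number or boolean");
        }
        $params[(string)$key] = $value === null ? '' : (string)$value;
    }
    return $params;
}
```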
This doesn't support setting accounts up for Google login: that still
has to be manually done via the database by setting the email field to
`username@gmail.com@`, where the second `@` denotes that it's using
Gmail login.
If the email field does end in `@`, `getassertion` will note this by
sending `;;@gmail`, to convey that the server is expecting a Google
login token rather than a password.
Upon receiving `;;@gmail`, the client will replace the password box
with a Google login button, and then send the resulting Google login
token to the server in the `password` field. The server will validate
the "password" using the Google server libraries, and otherwise handle
the login as normal.
Note that Google login requires various features that a paranoid person
might disable; most notably 3rd-party cookies.
Fixes Zarel/Pokemon-Showdown#3394
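The server side of the flow described above, as an added PHP example (not the login server's code). The page does not name "the Google server libraries", so this assumes the google/apiclient package (`Google\Client::verifyIdToken`, which checks the token's signature, expiry and audience); the client ID is a placeholder and the function names are illustrative. The trailing-`@` convention and the `;;@gmail` marker are taken from the text.

```php
<?php
// Added example, not the login server's code. Assumes google/apiclient
// (Google\Client) as the library that validates Google ID tokens.
require 'vendor/autoload.php';

const GOOGLE_CLIENT_ID = 'PLACEHOLDER.apps.googleusercontent.com'; // placeholder

// An account is set up for Google login when its stored email ends in a
// second '@', e.g. 'username@gmail.com@'.
function usesGoogleLogin(string $storedEmail): bool {
    return substr($storedEmail, -1) === '@';
}

// What getassertion appends so the client swaps the password box for a
// Google login button; null means "expect a password".
function assertionHint(string $storedEmail): ?string {
    return usesGoogleLogin($storedEmail) ? ';;@gmail' : null;
}

// Validates the Google ID token the client sent in the `password` field.
// Succeeds only if Google vouches for the token, it was issued for this
// client ID, and its verified email is the address on the account.
function verifyGoogleLogin(string $storedEmail, string $idToken): bool {
    if (!usesGoogleLogin($storedEmail)) {
        return false;
    }
    $expectedEmail = substr($storedEmail, 0, -1); // drop the marker '@'

    $client = new Google\Client(['client_id' => GOOGLE_CLIENT_ID]);
    $payload = $client->verifyIdToken($idToken); // false if invalid or expired
    if (!$payload) {
        return false;
    }
    // Defence in depth: a token minted for another site's client ID must
    // not log anyone in here, even if the library's audience check changes.
    if (($payload['aud'] ?? null) !== GOOGLE_CLIENT_ID) {
        return false;
    }
    // Only trust an address Google has actually verified, and require it
    // to match the account exactly (case-insensitively).
    if (empty($payload['email_verified'])) {
        return false;
    }
    return strcasecmp($payload['email'] ?? '', $expectedEmail) === 0;
}
```

Once `verifyGoogleLogin` returns true the request proceeds like any password login (session creation, SID cookie, and so on); a false result is reported exactly like a wrong password so the response does not reveal which login method an account uses.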