how are we gonna handle authentication? #10

Open
EngineerRunner opened this issue Jul 25, 2023 · 65 comments
Labels
help wanted (Extra attention is needed), question (Further information is requested)

Comments

@EngineerRunner
Collaborator

if we want to add uploading, leaving comments, changing profile picture, we need to be able to log somebody into scratch's api. but how will that integration work? we'd have to:

  • assume it is always running locally and have the user input their username and password
  • go along with the massive security holes (and ban from scratch) by having it hosted publicly and asking for scratch logins
  • use a browser extension that the website communicates with to do the actions?
  • or just not have any of that functionality at all.
@EngineerRunner added the help wanted and question labels Jul 26, 2023
@redstone-dev
Collaborator

I think that Scratch Auth is the obvious choice. The user_data array is for testing, we could use SQLite or MySQL when we get Snazzle into production.

@EngineerRunner
Collaborator Author

but, even with ScratchAuth, we can't do social actions on behalf of the user like posting on the forums. that's what I meant.

@redstone-dev
Collaborator

Oh, yeah, that's a problem. Hm...

@Darth-Ness
Collaborator

For now, since servers are all locally hosted, it should be fine if someone put in their password and username like normal. That will become a problem once there's public servers though.

@NotFenixio
Contributor

NotFenixio commented Aug 4, 2023

What about summoning a Scratch login pop-up, and when the user logs in, extracting the sessionId cookie?

@redstone-dev
Collaborator

That sounds a little shady. I don't want to do that.

@NotFenixio
Contributor

That sounds a little shady. I don't want to do that.

Yeah, I don't know what I was thinking.

@redstone-dev
Collaborator

not feasible

@redstone-dev closed this as not planned Aug 8, 2023
@dynamixbot
Member

REOPEN DESCRIPTION (ISSUE IMPORTANT)

We can have the user enter their password and then authorise it by randomly generating a 256-bit random hash which they type into their profile's comments. Else, they can type it into a cloud project which gets accessed by Snazzle to verify and let through the user. The user's password can then be stored to allow future login.

@dynamixbot reopened this Apr 2, 2024
@NotFenixio
Contributor

How does that give the user the "WeWontStealYourPassword™" feeling?

@dynamixbot
Member

How does that give the user the "WeWontStealYourPassword™" feeling?

Uhhhh maybe not enter your scratch password?

@ghost

This comment was marked as outdated.

@EngineerRunner
Collaborator Author

REOPEN DESCRIPTION (ISSUE IMPORTANT)

We can have the user enter their password and then authorise it by randomly generating a 256-bit random hash which they type into their profile's comments. Else, they can type it into a cloud project which gets accessed by Snazzle to verify and let through the user. The user's password can then be stored to allow future login.

why would we need to verify it..? i'm assuming you haven't read this issue, since it is about being able to authenticate with the APIs. you'd need to enter your password for that, which is why a public instance is an inherently flawed idea if we want social actions (without the possible extension i mentioned, but that would get us a swift ban from being mentionable on scratch).

@dynamixbot
Member

REOPEN DESCRIPTION (ISSUE IMPORTANT)
We can have the user enter their password and then authorise it by randomly generating a 256-bit random hash which they type into their profile's comments. Else, they can type it into a cloud project which gets accessed by Snazzle to verify and let through the user. The user's password can then be stored to allow future login.

why would we need to verify it..? i'm assuming you haven't read this issue, since it is about being able to authenticate with the APIs. you'd need to enter your password for that, which is why a public instance is an inherently flawed idea if we want social actions (without the possible extension i mentioned, but that would get us a swift ban from being mentionable on scratch).

the api doesn't have anything to check passwords, BUT we could make it so that once you enter the password, it will log you out currently, log you in again on scratch if the password is correct and also log you in on snazzle? or you could just, ya know, make an auth of our own with some auth method

@dynamixbot
Member

IDEA:

We check the IP Address of a computer and match that to the IP of a Scratch Account

@NotFenixio
Contributor

the api doesn't have anything to check passwords, BUT we could make it so that once you enter the password, it will log you out currently, log you in again on scratch if the password is correct and also log you in on snazzle? or you could just, ya know, make an auth of our own with some auth method

Uhm, there's no way of logging out with the API on specific locations, and the idea of this is to be able to perform social actions from Snazzle, and that forcefully requires you to enter your password.

IDEA:

We check the IP Address of a computer and match that to the IP of a Scratch Account

There's no way of doing that since Scratch doesn't store IPs. Also, this could be risky since IPs are not unique identifiers.

@dynamixbot
Member

dynamixbot commented Apr 2, 2024

@NotFenixio new ideas

IDEA 2:

We send an email to their email address to verify the login. (Permanent login until logout)

IDEA 3:

We send a code to their email and let that IP be logged-in for 6 months.

@NotFenixio
Contributor

@NotFenixio new ideas

How do we get the user's email address? Also I think you keep misunderstanding. Yes, there are many ways of verifying the user's identity, like Scratch Auth/OAuth, the ways you said, and others, but what we need is a way to log in to the user's account in order to perform social actions like commenting, posting, sharing projects, etc. That isn't possible without getting the password.

@dynamixbot
Member

@NotFenixio new ideas

How do we get the user's email address? Also I think you keep misunderstanding. Yes, there are many ways of verifying the user's identity, like Scratch Auth/OAuth, the ways you said, and others, but what we need is a way to log in to the user's account in order to perform social actions like commenting, posting, sharing projects, etc. That isn't possible without getting the password.

OHH I was misunderstanding. I mean are Scratch social actions session-based? So we could get the session ID and then use the ID to perform social actions. Or, a proxy by using the password to login and then something??? I'm all out of ideas.

I'm posting a thread in the AT's for this (using API to perform social actions)

@NotFenixio
Contributor

OHH I was misunderstanding. I mean are Scratch social actions session-based? So we could get the session ID and then use the ID to perform social actions. Or, a proxy by using the password to login and then something??? I'm all out of ideas.

Yep lol

@dynamixbot
Member

Also, if anyone asks why I reopened this, well, authentication is an important thing alright.

@dynamixbot
Member

UPDATE: AHypnoman on scratch has given some Node.js code to perform social actions.

First, what Scratch T&C's say about these bots:

  • These proxy bots cannot be purely controlled by AI or can't be modified into bots to perform social actions for malicious use.
  • These proxy bots should not cause disturbance to normal Scratch users and spam to slow down servers or cause damage to servers.
  • These proxy bots are not allowed to like, love, follow, comment or post without authorization from user
  • And of course, any vulgar, discriminatory or sexual content cannot be posted by the bot and the bot can't be AI/sentient so moderation++

The code by AHypnoman on scratch is available on https://scratch.mit.edu/discuss/topic/751964/?page=1#post-7899193 and below

The best way to do this is with someone else's library (like mine - shameless plug). If you don't want to use someone else's you'll need to do this.
You'll need to get a CSRF token, session ID token and server X-token.
You can get your CSRF and session ID tokens by looking at your Scratch cookies (find the scratchcsrftoken and scratchsessionsid cookies) (Note that the quotes in scratchsessionsid are important and not to be ignored).
To get your X-token you'll need to query the Scratch /session API using code similar to this:

//in JS, Node (18+ has a global fetch)
//csrfToken and sessionId come from the scratchcsrftoken and scratchsessionsid cookies.
//No X-token header is sent here: the token is what this call returns.
async function getXToken(csrfToken, sessionId) {
  const res = await fetch("https://scratch.mit.edu/session/", {
    "credentials": "include",
    "headers": {
      "X-Requested-With": "XMLHttpRequest",
      "Cookie": "scratchcsrftoken=" + csrfToken + ";scratchsessionsid=" + sessionId + ";"
    },
    "method": "POST",
    "mode": "cors"
  });
  const response = await res.json();
  const xToken = response.user.token;
  //This is your token! ^^
  return xToken;
}

Now you can query/post to almost all endpoints of the Scratch API using this code (you may need to change the “method”, “body”, and the URL argument):

//in JS, Node
//xToken comes from the /session/ call above; projectId and username are yours to fill in.
//Change "method" (and add a "body") and the URL to hit other endpoints.
fetch("https://api.scratch.mit.edu/proxy/projects/" + projectId + "/loves/user/" + username, {
  "credentials": "include",
  "headers": {
    "X-Requested-With": "XMLHttpRequest",
    "X-Token": xToken,
    "X-csrftoken": csrfToken,
    "Cookie": "scratchcsrftoken=" + csrfToken + ";scratchsessionsid=" + sessionId + ";"
  },
  "method": "GET",
  "mode": "cors"
})
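The session-to-X-token exchange quoted above, as an added example (not AHypnoman's or Snazzle's code, and not part of the original thread), written the way a server that holds other people's session cookies should handle it: a cookie parser that keeps the quotes around the scratchsessionsid value, the Cookie header built in the same form as the snippet, a null result instead of a crash when the session response carries no token (the session is gone or was never valid), and a redaction helper so the session id never reaches a log line. Assumed: Node 18+ for the global fetch; the response shape `{ user: { token } }` is taken from the snippet above; `fetchImpl` is injectable so the exchange can be exercised offline with a stub.

```javascript
// Added example wrapping the /session/ exchange quoted above. Not AHypnoman's
// or Snazzle's code. Assumes Node 18+ (global fetch) and the response shape
// { user: { token } } shown in the snippet.
const SESSION_URL = "https://scratch.mit.edu/session/";

// Parse a raw Cookie header into name -> value, keeping each value verbatim
// (the quotes around scratchsessionsid are part of the value and must survive).
function parseCookieHeader(cookieHeader) {
  const cookies = {};
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name) cookies[name] = value;
  }
  return cookies;
}

// Build the Cookie header in exactly the form the quoted snippet uses.
function buildCookieHeader(csrfToken, sessionId) {
  return `scratchcsrftoken=${csrfToken};scratchsessionsid=${sessionId};`;
}

// Headers for the /session/ call. No X-token here: the token is what the call returns.
function sessionRequestHeaders(csrfToken, sessionId) {
  return {
    "X-Requested-With": "XMLHttpRequest",
    "Cookie": buildCookieHeader(csrfToken, sessionId),
  };
}

// Pull the X-token out of a /session/ response. A response without a usable
// token means the session is not logged in, which is reported as null rather
// than thrown, so callers can send the user back to log in again.
function extractXToken(sessionResponse) {
  const token = sessionResponse && sessionResponse.user && sessionResponse.user.token;
  return typeof token === "string" && token.length > 0 ? token : null;
}

// Show only the last four characters of a secret when it has to appear in a message.
function redact(secret) {
  const s = String(secret);
  return s.length <= 4 ? "****" : "*".repeat(s.length - 4) + s.slice(-4);
}

// Perform the exchange. fetchImpl defaults to the global fetch; a stub can be
// passed in for offline testing.
async function fetchXToken(csrfToken, sessionId, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(SESSION_URL, {
    method: "POST",
    headers: sessionRequestHeaders(csrfToken, sessionId),
  });
  if (!res.ok) {
    // The redacted id is all that should ever be written about this failure.
    throw new Error(`session request failed: HTTP ${res.status} (session ${redact(sessionId)})`);
  }
  return extractXToken(await res.json());
}
```

Usage: `const { scratchcsrftoken, scratchsessionsid } = parseCookieHeader(rawCookie); const xToken = await fetchXToken(scratchcsrftoken, scratchsessionsid);`. Whatever stores `scratchsessionsid` on the server side is holding a credential equivalent to the user's login, which is the point the rest of this thread keeps coming back to.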

@dynamixbot
Member

Also, can we invite @ahypnoman to join authentication of this?

@NotFenixio
Contributor

Oh sure, I'll invite him

@NotFenixio
Contributor

or them, I don't know

@dynamixbot
Member

Oh sure, I'll invite him

Great!

or them, I don't know

It's a he.

@EngineerRunner changed the title from "scratchattach integration for social actions" to "how are we gonna handle authentication?" Apr 28, 2024
@EngineerRunner
Collaborator Author

i've renamed this back since the original question in OP still hasn't been answered. so we can use the scratch APIs, do we:

  • assume that Snazzle is always running on a user's local system, so they enter their password in the server code.
  • go along with the massive security holes (and inevitable ban from scratch) by having a public instance where users enter their passwords, to be sent to the snazzle server
  • do all the API interactions client-side
  • create some kind of browser extension that has access to snazzle and scratch and uses your stored sessionid to carry out requests (since its an extension, this would get us banned from scratch too)
  • or not have any other functionality and have it be a viewer akin to Ocular

@EngineerRunner added the question label and removed the dependencies label Apr 28, 2024
@redstone-dev
Collaborator

  • create some kind of browser extension that has access to snazzle and scratch and uses your stored sessionid to carry out requests (since its an extension, this would get us banned from scratch too)

I had a neat idea for this. Maybe it could be integrated with Scratch Addons, so if you use Scratch Addons, it could use your session ID from that to log you in? I wonder if mentioning Scratch Addons in Snazzle would get us banned from Scratch, however. (Not in the Scratch forum post, I mean in Snazzle itself.)

@dynamixbot
Member

  • create some kind of browser extension that has access to snazzle and scratch and uses your stored sessionid to carry out requests (since its an extension, this would get us banned from scratch too)

I had a neat idea for this. Maybe it could be integrated with Scratch Addons, so if you use Scratch Addons, it could use your session ID from that to log you in? I wonder if mentioning Scratch Addons in Snazzle would get us banned from Scratch, however. (Not in the Scratch forum post, I mean in Snazzle itself.)

nahh, we let them login with their password and get banned from scratch

@dynamixbot
Member

Idea! (inspired by @EngineerRunner )

Create a browser extension which is available on the Chrome Web Store called Snazzle Log-In, which accesses a session-id from Scratch continuously. This session-id is then sent to Snazzle's webapp or whatever platform app at this point and gets a log in, WITHOUT HAVING TO TYPE IN ANYTHING!!

@EngineerRunner
Collaborator Author

Idea! (inspired by @EngineerRunner )

Create a browser extension which is available on the Chrome Web Store called Snazzle Log-In, which accesses a session-id from Scratch continuously. This session-id is then sent to Snazzle's webapp or whatever platform app at this point and gets a log in, WITHOUT HAVING TO TYPE IN ANYTHING!!

would get us instantly banned from being mentioned on scratch

@dynamixbot
Member

Idea! (inspired by @EngineerRunner )
Create a browser extension which is available on the Chrome Web Store called Snazzle Log-In, which accesses a session-id from Scratch continuously. This session-id is then sent to Snazzle's webapp or whatever platform app at this point and gets a log in, WITHOUT HAVING TO TYPE IN ANYTHING!!

would get us instantly banned from being mentioned on scratch

rip. We could try and make a login-password type thing and get Scratch's Stamp of Safety™ on it.

@davidtheplatform
Contributor

Idea! (inspired by @EngineerRunner )
Create a browser extension which is available on the Chrome Web Store called Snazzle Log-In, which accesses a session-id from Scratch continuously. This session-id is then sent to Snazzle's webapp or whatever platform app at this point and gets a log in, WITHOUT HAVING TO TYPE IN ANYTHING!!

would get us instantly banned from being mentioned on scratch

rip. We could try and make a login-password type thing and get Scratch's Stamp of Safety™ on it.

that will never happen for multiple reasons

@dynamixbot
Member

Idea! (inspired by @EngineerRunner )
Create a browser extension which is available on the Chrome Web Store called Snazzle Log-In, which accesses a session-id from Scratch continuously. This session-id is then sent to Snazzle's webapp or whatever platform app at this point and gets a log in, WITHOUT HAVING TO TYPE IN ANYTHING!!

would get us instantly banned from being mentioned on scratch

rip. We could try and make a login-password type thing and get Scratch's Stamp of Safety™ on it.

that will never happen for multiple reasons

We could always try? There is a chance if ST's mood is good and other stuff?

@davidtheplatform
Contributor

davidtheplatform commented Jul 22, 2024

Idea! (inspired by @EngineerRunner )
Create a browser extension which is available on the Chrome Web Store called Snazzle Log-In, which accesses a session-id from Scratch continuously. This session-id is then sent to Snazzle's webapp or whatever platform app at this point and gets a log in, WITHOUT HAVING TO TYPE IN ANYTHING!!

would get us instantly banned from being mentioned on scratch

rip. We could try and make a login-password type thing and get Scratch's Stamp of Safety™ on it.

that will never happen for multiple reasons

We could always try? There is a chance if ST's mood is good and other stuff?

  • the st doesn’t like bots doing social actions, this would make it much easier for that to happen. They also don’t like interaction with the servers that isn’t from an official client.
  • Letting people advertise a service that asks for your scratch password would lead to impersonation and other scams to get people’s passwords
  • They can’t trust anyone else with the passwords
  • Given the outright ban on extensions/userscripts and refusal to make exceptions they probably won’t make exceptions for any other rules

@dynamixbot
Member

Idea! (inspired by @EngineerRunner )
Create a browser extension which is available on the Chrome Web Store called Snazzle Log-In, which accesses a session-id from Scratch continuously. This session-id is then sent to Snazzle's webapp or whatever platform app at this point and gets a log in, WITHOUT HAVING TO TYPE IN ANYTHING!!

would get us instantly banned from being mentioned on scratch

rip. We could try and make a login-password type thing and get Scratch's Stamp of Safety™ on it.

that will never happen for multiple reasons

We could always try? There is a chance if ST's mood is good and other stuff?

  • the st doesn’t like bots doing social actions, this would make it much easier for that to happen. They also don’t like interaction with the servers that isn’t from an official client.
  • Letting people advertise a service that asks for your scratch password would lead to impersonation and other scams to get people’s passwords
  • They can’t trust anyone else with the passwords
  • Given the outright ban on extensions/userscripts and refusal to make exceptions they probably won’t make exceptions for any other rules

  1. okay, that is an issue for us
  2. i mean like, we aren't storing the passwords ourselves. we're just getting session-ids so that we can log a user in, and this would be sso.
  3. again, not storing nobody's passwords
  4. okay, second issue for us again.

@davidtheplatform
Contributor

Asking for the session token isn’t as bad as a password but it still has most of the same problems

@redstone-dev
Collaborator

Asking for the session token isn’t as bad as a password but it still has most of the same problems

We could, as mentioned, somehow integrate this with Scratch Addons, that's already banned from Scratch, and we could just not mention how we implemented login when posting about it on the Scratch website :P

@Elip100

Elip100 commented Jul 31, 2024

The only way to add commenting, favoriting projects, and similar actions is to have the user's password or session id. It is possible to grab a session id with a browser extension, but we would probably want our own browser extension (I can create one if needed). Once we have the session id or password, the best way to interact with the Scratch website is probably through scratchattach. If we just want to get the username of a user (this will not allow for commenting and similar actions), the best option would be Scratch Auth. It is simple and secure.

@dynamixbot
Member

The only way to add commenting, favoriting projects, and similar actions is to have the user's password or session id. It is possible to grab a session id with a browser extension, but we would probably want our own browser extension (I can create one if needed). Once we have the session id or password, the best way to interact with the Scratch website is probably through scratchattach. If we just want to get the username of a user (this will not allow for commenting and similar actions), the best option would be Scratch Auth. It is simple and secure.

We are wanting all Scratch features, so scratchattach would be the way. Since Snazzle is already primarily written in Python, it would be easy to integrate scratchattach. The Dazzle dependencies library could add scratchattach features, and the main Snazzle code could be modified to include all of those features.

@Elip100

Elip100 commented Aug 1, 2024

The only way to add commenting, favoriting projects, and similar actions is to have the user's password or session id. It is possible to grab a session id with a browser extension, but we would probably want our own browser extension (I can create one if needed). Once we have the session id or password, the best way to interact with the Scratch website is probably through scratchattach. If we just want to get the username of a user (this will not allow for commenting and similar actions), the best option would be Scratch Auth. It is simple and secure.

We are wanting all Scratch features, so scratchattach would be the way. Since Snazzle is already primarily written in Python, it would be easy to integrate scratchattach. The Dazzle dependencies library could add scratchattach features, and the main Snazzle code could be modified to include all of those features.

Then now the question is: Do we ask the user for their username and password, or do we use a browser extension?

@redstone-dev
Collaborator

We are wanting all Scratch features, so scratchattach would be the way.

We don't need it. It's just a bunch of API calls anyway, and we could integrate it into Dazzle. Plus, scratchattach relies on ScratchDB for some things.

@dynamixbot
Member

The only way to add commenting, favoriting projects, and similar actions is to have the user's password or session id. It is possible to grab a session id with a browser extension, but we would probably want our own browser extension (I can create one if needed). Once we have the session id or password, the best way to interact with the Scratch website is probably through scratchattach. If we just want to get the username of a user (this will not allow for commenting and similar actions), the best option would be Scratch Auth. It is simple and secure.

We are wanting all Scratch features, so scratchattach would be the way. Since Snazzle is already primarily written in Python, it would be easy to integrate scratchattach. The Dazzle dependencies library could add scratchattach features, and the main Snazzle code could be modified to include all of those features.

Then now the question is: Do we ask the user for their username and password, or do we use a browser extension?

Browser extension just seems like an additional problem for us, so username and password would be the way to go. However, if we could manage to integrate Scratch Addons with Snazzle, it would let us login without getting banned from Scratch in theory.

@dynamixbot
Member

We are wanting all Scratch features, so scratchattach would be the way.

We don't need it. It's just a bunch of API calls anyway, and we could integrate it into Dazzle. Plus, scratchattach relies on ScratchDB for some things.

Once we get Voyager out eventually, we could ask TimMcCool to migrate from ScratchDB to Voyager. It would be beneficial for everybody to use Voyager.

@redstone-dev
Collaborator

redstone-dev commented Aug 1, 2024

Once we get Voyager out eventually, we could ask TimMcCool to migrate from ScratchDB to Voyager. It would be beneficial for everybody to use Voyager.

I'd prefer not to depend on scratchattach because we already have Dazzle. Also the last commit on Voyager was 2 months ago, so we need to accelerate its development or it will never be available for us (or others) to use.

I think we should all focus on Voyager for the time being until it can really compete with ScratchDB in terms of features.

@Elip100

Elip100 commented Aug 2, 2024

We are wanting all Scratch features, so scratchattach would be the way.

We don't need it. It's just a bunch of API calls anyway, and we could integrate it into Dazzle. Plus, scratchattach relies on ScratchDB for some things.

I disagree. Scratchattach would be very useful for interaction with the scratch website. It handles all authentication and POST requests needed (why try to reinvent the wheel?). It also only uses ScratchDB for forums and leaderboards as far as I know, so it wouldn't break anything that isn't already broken. Also, we can pick and choose when and when not to use it; we could still use Voyager for the forums.

@NotFenixio
Contributor

[image: help-plz-9cf417de2b]
help plz everything on my side is on fire

@NotFenixio
Contributor

i feel like this whole thread was just more focused on what to use and not how to authenticate

@dynamixbot
Member

[image: help-plz-9cf417de2b] help plz everything on my side is on fire

oh lord what is it

@NotFenixio
Contributor

NotFenixio commented Aug 2, 2024

oh lord what is it

the only cat meme with help plz i could find lmao

@dynamixbot
Member

oh lord what is it

the only cat meme with help plz i could fix lmao

i meant what help you needed with voyager?

@redstone-dev
Collaborator

I disagree. Scratchattach would be very useful...

I dunno, just something about using a library like that irks me, but I have realized that it could be better.

@NotFenixio
Contributor

i meant what help you needed with voyager?

Oh, sorry. Well, if anyone could add category linking it'd be of great help. Somehow my Git installation broke and I can't be bothered reinstalling it right now. This should be pretty straightforward:

  • Outside the main function, create another function that traverses the entire CATEGORIES object and creates some objects into SurrealDB.
  • In the _index_categories function, add a relate() after creating the Topic to relate the recently created topic with its category. You'll probably need to use a query to get the Surreal ID.
  • Test it and commit!

8 participants