Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Steam Integration: FAQ/Q&A
#1
So as some of you may know, we are working on a way to integrate Steam with our forums. Naturally this will cause some concern, questions, and all that fun stuff. I'll take any questions/comments/suggestions here in this thread and keep this first post updated with all relevant information.

Comments in red are from Talmera. All user questions will be posted at the end of this post, with a link to the original question post.

Comments in green pertain to the script which we now use.

Q: What is Steam integration?
A: Steam integration is essentially eliminating the need to remember a separate password for the forums. All you would need to do to log into the forums is login using your Steam account.

Q: ZOMG - is that secure?! My Steam account is valuable!
A: The first half of the image below explains really nicely how this process works. All auth processes are very closely protected by Steam and forcing a user to enter in their login/pass anywhere that isn't on Steam's website is a violation of their terms of use.
[Image: OpenIDvs.Pseudo-AuthenticationusingOAuth.svg]

Q: So what is sent back then, if not my login/password?
A: The only data returned after you have logged in on Steam's website is your SteamID. No other data is sent back, no login information, no passwords, nothing. This will then be compared against the values stored in our database.


Q: What? How do/will you know what my username is then?
A: Steam has what is known as an "XML Stream". Anybody can "tap" into this stream and find information, but only from stuff that is made public. We are basically using the same principle that makes SteamRep work. All we need to "tap" into the XML Stream is a reference. That reference, in this scenario, would be your SteamID.

Q: Wait - does that mean all somebody needs to log into my forum account is my SteamID?
A: That would be interesting if it were that simple, but no. I won't go into detail as to what our forums actually compares to check if you are who you say you are. How to avoid people falsely logging in as you: Don't leave yourself logged in on Steam on your browser and make sure your password is secure. I can give tips on account security, but not here Tongue
A: Passwords to log into your main account without Steam are randomly generated. this is no longer an issue.

Q: What data related to our Steam accounts is actually stored on the forums?
A: Your SteamID, your nickname, and probably your profile pic.
A: Ideally after the first login you would be able to change your profile picture to something you think suits the forums better.

Q: What is the point of all of this? I like how things are done now.
A: Ideally - making all members login/register using Steam would greatly reduce the number of spambots, problematic users, and the need for proxy controls. I mean - if Steam says you are who you are, it probably isn't lying unless somebody hacked you. It would make things a lot easier. Not only that - it would save you from having to remember an additional password. Other data that is public (Avatar, Nickname, etc.) can also be accessed with relative ease and stored into the forums saving you sometime. In addition to that - we all play Garry's mod, which means we all have to have Steam. So it is a win win situation.
A: I would be able to loosen up on the security so much, not only would it make things easier on new members with less restrictions most importantly I can disable/remove the proxy blocker altogether as making a steam account is a long and annoying process and i can stress less in general, it really is a win/win scenario.

Q: So when this is finished, will it be mandatory?
A: Ideally yes, unless otherwise said.
A: This is something I mulled over for a while and I came to the conclusion that yes it would be mandatory as it is highly unlikely that someone who plays Gmod does not have a steam account, and in future endeavors if we ever branch out into say Minecraft again I doubt many people would not have steam anyway.

Q: What about existing users? How will those forum accounts be handled?
A: Currently existing forum accounts will have the option to link to a Steam account. Where/how this will be executed is still a bit early to say. I'm thinking a button in your profile or something. There will probably be a grace period to allow as many users to link their accounts as possible. After this period, manual linking can probably still be achieved.
A: depending on how Tauvi adds the steam column to the database manual syncing should be relatively easy if you miss the period.
A: Right now, you need to PM me/Tal your Steam ID. See the announcement for more details.

Q: When will this be finished?
A: Given there isn't a forum mod that does this in an easy and trustworthy manner, it gets to be hand coded. Whoopee. I don't have an estimated time of finish, though I am shooting for before August.
A: Honestly I had no expectations, Tauvi is doing this because he loves the community and the challenge he can take as long as he wants XD

Q: Wait so you are hand coding this? ZOMG YOU'RE GOING TO STEA--
A: Yeaaaah no. See second point. I'm just coding the modification to make the process work with our forums. Work as in - replace the login fields with a single "Login with Steam" button, as well as some of the auth processes that used to take place on our forums.
A: Yea, we will be able to explain that it's an authentic steam login once it's running on the test site.
A: I didn't actually code the script we are using. I merely integrated it into our forums. Regardless, it has been quality checked and is up to standards.

Q: What features are expected?
A: Pretty basic. Replacement of the current login options with a single button. Option to link profile to Steam (probably in your forum profile). Replacement of current registration options with a single "Login with Steam" button.

Q: Can I suggest a feature?
A: I dunno.. there isn't that much that can be added besides the base functionality of the mod.

Q: So can I see the source code to make sure you aren't stealing information?
A: It is open source, so I don't see an issue.
A: For information on what valve gives us here is there developer link
A: This code is no longer open source. It is the property of another coder so unfortunately we cannot now.

Q: Can I see the database to make sure you aren't lying?
A: No. Most I can spare you are screenshots from my system forum host.
A: No. allowing people the ability to see the database is a serious privacy risk at most we can explain the process like above.

Q: What protocol will the Steam login going to be using? SHA-1 salted or SSL or etc?
A: SHA-1 and SSL are slightly different things.
SHA-1 is a cryptographic hash, and I can go on endlessly why SHA-1 is insecure, but I'll spare you that. If I were to use any hash functions, I would probably use SHA-2(512/384) or Whirlpool (my personal favorite given nobody has heard of it). I mean cracking 512 bit algorithms is quite fun right? Also, if we're talking about storing the Steam data hashed, I don't really think it is necessary. I mean take a look at SteamRep. A hacker would have to go through all of those IDs and even then - nobody knows exactly how I'm storing the SteamIDs into our database.
SSL is a method for secure transfer of information. I was thinking HTTPS protocol should be sufficient, but I haven't gotten that far yet in the coding process.
A: Irrelevant Info
[Image: XmM2GJ6.png]
Reply
#2
I'm going to go through and add a few things in red just so people can know some of my information too.



There we go I hope that helps give a clearer perspective on what is going to happen if anyone has further questions feel free to post them here and or message Tauvi/Myself.
http://www.youtube.com/watch?v=WibmcsEGLKo<br />A wake up call<br /><br />Always forgive your enemies - nothing annoys them so much. - Oscar Wilde
Reply
#3
What protocol will the Steam login going to be using? SHA-1 salted or SSL or etc?
[right]<br />Nekomimi <3<br />[Image: c083cd6cd930bd8f2aea09125354b272]<br />[quote='Tenryuu' pid='' dateline='1405037305']Shymapler asked if she was the one at fault since Taurvi acted ready to accept her and why she was so wet
Reply
#4
(06-20-2013, 10:01 AM)s0llux-captor link Wrote:What protocol will the Steam login going to be using? SHA-1 salted or SSL or etc?

SHA-1 and SSL are slightly different things.
SHA-1 is a cryptographic hash, and I can go on endlessly why SHA-1 is insecure, but I'll spare you that. If I were to use any hash functions, I would probably use SHA-2(512/384) or Whirlpool (my personal favorite given nobody has heard of it). I mean cracking 512 bit algorithms is quite fun right? Also, if we're talking about storing the Steam data hashed, I don't really think it is necessary. I mean take a look at SteamRep. A hacker would have to go through all of those IDs and even then - nobody knows exactly how I'm storing the SteamIDs into our database.
SSL is a method for secure transfer of information. I was thinking HTTPS protocol should be sufficient, but I haven't gotten that far yet in the coding process.
[Image: XmM2GJ6.png]
Reply
#5
I really appreciate that you guys dumbed it down for me with the pictures so that my level of understanding could comprehend the transition. Smile
Check out my channel!!<br />http://www.youtube.com/channel/UCKJ2sn0ngKfBDMg5wsYYrcA
Reply
#6
(06-20-2013, 05:33 PM)Commander_Milander link Wrote:I really appreciate that you guys dumbed it down for me with the pictures so that my level of understanding could comprehend the transition. Smile

Thank Wikipedia actually. That image was genius, whoever made it.
[Image: XmM2GJ6.png]
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)