Do not share POESESSID values with other people

Please allow the trade site to index SSF stash tabs, so we don't need to log in with apps like acquisition. Searching our own stash tabs in-game is far weaker than searching with such tools.
https://www.pathofexile.com/developer/docs/authorization:
"We do not support the implicit grant or the PKCE (proof key for code exchange) extension. This means that any distributed application (one that runs on a user's machine) will need to be backed by a secure server in order to keep your application credentials secret."

So for a standalone tool, we need to host a site for the OAuth?

For example, Exilence has https://next.exilence.app.

Would it be okay to host the secure server on the user's machine? :O
Running heists fully zoomed in... because
While I fully agree with the general idea, I do have a few complaints. POESESSID is an ugly hack for us developers too because we have no better way.

But this argument here is invalid to a great extent:

Those tools are downloaded as .EXE files. Thus they have access to your poesessid already anyways if you are running them on the same PC as your browser. You are already trusting the developers to not betray you now nor later (auto-updates).

On the general issue:

As a developer myself, I am missing a lot of functionality in the API still. Trading is a main concern. Not for writing a bot of course, you could make restrictions that make life really hard for botmakers. But I have a tool like PoB where I generate search request URLs automatically. Would be nice to be able to parse the results myself instead of opening a browser with 10 tabs as it is now.

Also, what about "Better PoE trading", a chrome App with direct access to the browser. Does this need to be rewritten too in your idea? Or shall I write such an App to gateway the data I want to my "real" App? Bit of a pain as I have never written a chrome app, but I could do that on a weekend I guess.

A suggestion: Why don't you give us official access to the frontend API via OAuth too? That would solve most problems already. And remove the no reverse-engineering clause while you are at it, maybe change it to a "can change any time and you do so at your own risk" or so.

The low support resources on your side for the API are less of a problem I think. After all we are used to having no support when abusing the web frontend and being on our own anyways. ;-)
Juxx2013 wrote:
"Those tools are downloaded as .EXE files. Thus they have access to your poesessid already anyways if you are running them on the same PC as your browser. You are already trusting the developers to not betray you now nor later (auto-updates)."


Can you point me to code to get the POESESSID from an .exe outside the browser? If I had that I wouldn't have to require my users to configure it.

The PKCE (proof key for code exchange) extension for OAuth would be to support local apps. I would like to understand the reasoning why GGG is choosing not to support it.
Running heists fully zoomed in... because
CelticHound wrote:
"Can you point me to code to get the POESESSID from an .exe outside the browser? If I had that I wouldn't have to require my users to configure it."

Cookies used to be stored in a cookies.txt file in clear text, but unfortunately this is not done anymore today. Instead they are stored in binary formats and different for each browser.

But there are a few ways to remote control a browser, I'll describe the one I am most familiar with and that works for all of them with one API only:

I have worked professionally with a tool called "Selenium"[1] that is commonly used in software QA. You can start the browser with it, navigate to pathofexile.com and then directly read the cookie from the browser. This is quite a bit overhead just for extracting a cookie. But actually not more than starting a browser and asking the user to log in via OAuth either.

If you are looking into this, know that there are two modes of operation. You do not need the java server program to use it. Check out "Selenium Webdriver", this is probably what you want. There are bindings for most common programming languages too. The Java API is the most stable one though.

If you dig a bit deeper into it, you'll find that you could also connect directly to the webdrivers of each browser and work without the Selenium overhead.


Another idea would be to reverse-engineer the cookie file format. I read for firefox it is just a SQLite database. All common languages have libraries for SQLite. There is some more information on a site[2] I grabbed from a quick google search but there are probably better ways on stackoverflow.


And a third one is to write a browser extension, as I referenced in my above post. "Better PoE Trading"[3], "Looty", all those work directly on the website by adding functionality to chrome/firefox. They can access the cookie too. Bit more overhead to ask the user to install the addon and restart their browser again, so choose wisely. GreaseMonkey is a more basic one, but again, needs to be installed before use while Selenium/Webdriver work out of the box.

HTH
Juxx


[edit] One more I just stumbled upon. You probably know the tool displayed here[4]. I don't know how exactly they included the browser on the left side, but I am pretty sure you can control that one and read data from it too.


[1] https://www.selenium.dev/documentation/webdriver/
[2] https://www.digitalcitizen.life/cookies-location-windows-10/
[3] https://chrome.google.com/webstore/detail/better-pathofexile-tradin/fhlinfpmdlijegjlpgedcmglkakaghnk "Awakened PoE Trade"
Last edited by Juxx2013 on Dec 25, 2022, 2:49:05 AM
The problem can be easily solved by having the SID changed on every operation, not static as it is now.
🌞 Designer of SimpleFilter see My Item Filters 🌞
