ID:2208473
 
Applies to:Website
Status: Open

So, apparently, if you go to

https://secure.byond.com/login.cgi?url=http://yoursite.com/


after login it redirects the browser to the site with a querystring of byondcert=[whatever]. From what I can tell, this byondcert is based off of the domain name in the url= and the ckey or something. Is it possible to get a web API that looks something like this?

https://secure.byond.com/byondcert.cgi?byondcert=[whatever]&domain=[whatever]


And it would return in querystring form the ckey or if there's an error it would return an error.
byondcert is literally just sent to the hub as two strings, byondcert and byondexpire, except they're sent over the connection servers have with the hub (for dmcgi).
Moving it to an HTTP/S request would remove the need for fully implementing OAUTH and not require emulating the network protocol.
+1 on request
Make this happen lummox.
I would argue that implementing an api for your own crypto stuff is probably a bad idea instead of using a well known and supported standard that has libraries in many programming languages.
What does this have to do with crypto?
Weren't you the one talking about how bad byondcert was in irc?

From the way everyone seems to talk about it, it doesn't exactly seem like the best thing to use as an auth point.
In response to Optimumtact
Optimumtact wrote:
Weren't you the one talking about how bad byondcert was in irc?

From the way everyone seems to talk about it, it doesn't exactly seem like the best thing to use as an auth point.

Byondcert isn't (inherently) bad. It's basically a watered down OAUTH: The website redirects to the byond login page, the byond login page on success redirects to the webpage with the byondcert/byondexpire, which the website then asks the hub if the byondcert is valid and the hub returns data like name/gender/etc.
Bump. Some simple way to validate a byondcert and associate it with a ckey would allow third party services to authenticate and identify byond users.
In response to Airjoe
Airjoe wrote:
Bump. Some simple way to validate a byondcert and associate it with a ckey would allow third party services to authenticate and identify byond users.

A simple but ineffective way to produce this is by PHP.

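<?php
// Read the submitted key and password (empty strings before the form is sent).
$_key = $_GET['key'] ?? '';
$_pass = $_GET['pass'] ?? '';

// Request BYOND's login page with the credentials in the URL; each value is URL-encoded.
$__haystack = file_get_contents('https://secure.byond.com/login.cgi?login=1;key=' . urlencode($_key) . ';password=' . urlencode($_pass) . ';');
$__needle = 'Logins are not allowed from this location.';
// strpos() returns 0 for a match at offset 0, so compare against false explicitly.
if ($__haystack !== false && strpos($__haystack, $__needle) !== false)
{
    die('Login Successful. Welcome: ' . htmlspecialchars($_key));
} else {
    echo $_key !== '' ? 'Login Unsuccessful' : '';
}
?>

<form method="GET">
<b>BYOND Key</b>: <input type="text" name="key" id="key" value="<?php echo htmlspecialchars($_key); ?>">
<b>Password</b>: <input type="password" name="pass" id="pass">
<input type="submit" value="Login">
</form>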


How This Works:

BYOND passes data via the GET parameters rather than POST, thus making text in the URL readable.

We submit the data from our end, check BYOND's response.
FYI: BYOND will not complete the connection.

Now we EXPLOIT some data.

IF THE CREDENTIALS ARE A MATCH BYOND will not let us login and will say "Logins are not allowed from this location"

OTHERWISE BYOND will say the typical "LOGIN UNSUCCESSFUL, Invalid key/password."

All in all, +1 for this feature.

I've been waiting for this feature for quite some time.

Edit: For anybody reading.. if you don't already know the obvious.. this is completely insecure and is 100% not advisable to use, for both the developer and the user. So let's hope we get a true WEB API.
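
The redirect flow requested at the top of this thread, sketched from the third-party site's side so that the site never handles the user's password. This is an added example, not part of any post and not BYOND's code: byondcert.cgi is the endpoint being requested here and does not exist, and the `ckey=` / `error=` reply fields, the length limit, the function names and the stand-in hub are assumptions.

```php
<?php
// Added example. byondcert.cgi is the endpoint *requested* in this thread;
// it does not exist, and the ckey=/error= reply fields are assumed.
const LOGIN_URL  = 'https://secure.byond.com/login.cgi';
const VERIFY_URL = 'https://secure.byond.com/byondcert.cgi'; // hypothetical

// Step 1: send the browser to BYOND's login page; the password is typed there.
function loginRedirectUrl(string $returnUrl): string
{
    return LOGIN_URL . '?' . http_build_query(['url' => $returnUrl]);
}

// Step 2: on return, validate the cert server-side. $fetch is injectable so
// the flow can be exercised offline; it takes a URL and returns the body.
function verifyByondcert(array $query, string $domain, callable $fetch): ?string
{
    $cert = $query['byondcert'] ?? '';
    // Reject missing, array-valued or oversized values (256 is an assumed limit).
    if (!is_string($cert) || $cert === '' || strlen($cert) > 256) {
        return null;
    }
    $body = $fetch(VERIFY_URL . '?' . http_build_query([
        'byondcert' => $cert,
        'domain'    => $domain, // the domain the cert was requested for
    ]));
    if (!is_string($body)) {
        return null; // network failure: fail closed
    }
    parse_str(trim($body), $reply);
    $ckey = $reply['ckey'] ?? null;
    if (isset($reply['error']) || !is_string($ckey) || $ckey === '') {
        return null;
    }
    return $ckey;
}

// Constructed stand-in for the hub: knows one cert issued for one domain.
$fakeHub = function (string $url): string {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    $ok = ($q['byondcert'] ?? '') === 'abc123' && ($q['domain'] ?? '') === 'yoursite.com';
    return $ok ? 'ckey=exampleckey' : 'error=invalid';
};

echo loginRedirectUrl('http://yoursite.com/'), "\n";
var_dump(verifyByondcert(['byondcert' => 'abc123'], 'yoursite.com', $fakeHub));  // valid cert
var_dump(verifyByondcert(['byondcert' => 'abc123'], 'othersite.com', $fakeHub)); // wrong domain
var_dump(verifyByondcert(['byondcert' => ['x']], 'yoursite.com', $fakeHub));     // malformed input
```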