Zeus904 Posted January 8, 2020

Greetings all! I would love to see the option to opt in to me utilizing my own Steam web API key on backpack.tf for my inventory load requests. Now I know there are tons of security concerns with this, hence the opt-in part. I'd imagine this would mitigate the recent implementation of maximum calls per account relatively well. There are some obvious things to be discussed regarding this, so I'd love some feedback here and to have some meaningful conversations!

Off topic: How does one apply to be a dev for backpack.tf? Keyword: APPLY. I see a ton of suggestions and have yet to see one be implemented. And yes, I would instantly apply to be a dev for this community, as it's my current career and I've loved all 8 years of doing it! (And no, I wouldn't want to be paid; coding is fun as all hell imo and I'd love to start fixing up and improving what's here :D)

Adolf Storms Posted January 8, 2020

What other type of credential would be used for verification in your scenario?

Zeus904 (Author) Posted January 8, 2020

2 hours ago, Adolf Storms said:
> What other type of credential would be used for verification in your scenario?

Assuming you mean API key verification. You would need to be signed in to use one. After that much I'd say if someone had another person's Steam API key, the least of their worries is their query limit on backpack. (Also it doesn't seem abusive in nature, as it's simply used for inventory GET requests.)

Thanks for the relevant response btw! I was hoping for stuff like this.

mb_ Posted January 8, 2020

For just viewing of backpack content this would be an ideal solution (distribute fetch commands to users). I think things get a lot more complicated once we include listings (since the client could tamper with the response payload sent to bp).

Adolf Storms Posted January 8, 2020

9 hours ago, Zeus904 said:
> Assuming you mean API key verification. You would need to be signed in to use one. After that much I'd say if someone had another person's Steam API key, the least of their worries is their query limit on backpack. (Also it doesn't seem abusive in nature, as it's simply used for inventory GET requests.) Thanks for the relevant response btw! I was hoping for stuff like this.

has become 'old hat' and didn't even take into account the fact we're already signed in via Steam credentials lol. After so many years doing the same thing it doesn't even register in my brain XD

Vortegan Posted January 8, 2020

Does backpack.tf load it through the Steam web API or the TF2 web API? Or am I just confused?

Zeus904 (Author) Posted January 8, 2020

8 hours ago, mb_ said:
> For just viewing of backpack content this would be an ideal solution (distribute fetch commands to users). I think things get a lot more complicated once we include listings (since the client could tamper with the response payload sent to bp).

The Steam API key is for fetching your bp ONLY. Listings are a backpack.tf feature which is completely unrelated to Steam. Also, the API key simply allows auth (and in this case your call limit) and nothing else. You wouldn't be able to do anything more than drop your key in the settings, as you can't run code off of just the API key (you'd need to be able to run code on backpack.tf consistently and have whatever exploit you want stored on their end for it to be something of the nature you mentioned, which again an API key does not open the gates for).

Tl;dr: An API key doesn't let you run code on backpack. It simply lets you use your own account and its limits for loading your inventory, so this won't be an issue. Remember, the call goes from backpack.tf to Steam and the response from Steam to backpack; the only thing your key does is say that it's you making the call.

Zeus904 (Author) Posted January 8, 2020

1 hour ago, Vortegan said:
> Does backpack.tf load it through the Steam web API or the TF2 web API? Or am I just confused?

Both APIs use the same key. View the auth documentation for reference: https://steamcommunity.com/dev

Vortegan Posted January 8, 2020

4 hours ago, Zeus904 said:
> Both APIs use the same key. View the auth documentation for reference: https://steamcommunity.com/dev

I'm aware of that, but I was asking which one does backpack.tf use?

Wsdea Posted January 9, 2020

We or backpack.tf don't need a key to load a given inventory. Or am I missing something?

Vortegan Posted January 9, 2020

13 hours ago, Wsdea said:
> We or backpack.tf don't need a key to load a given inventory. Or am I missing something?

Any inventory loaded through Steam's Web API or TF2's Web API needs to have an API key attached to the request to ensure that the server doesn't get overloaded. You can get yours from here provided you've spent $5 on the Steam store.

Zeus904 (Author) Posted January 9, 2020

20 hours ago, Vortegan said:
> I'm aware of that, but I was asking which one does backpack.tf use?

The key I'm referring to is the one you can get from here: https://steamcommunity.com/dev/apikey (Looks like you found it, replying so others can see.)

4 hours ago, Vortegan said:
> Any inventory loaded through Steam's Web API or TF2's Web API needs to have an API key attached to the request to ensure that the server doesn't get overloaded. You can get yours from here provided you've spent $5 on the Steam store.

Beat me to it, this is it ^^^^

Vortegan Posted January 10, 2020

This is a great idea, but I couldn't imagine the outrage if API keys got leaked etc., and I'm sure bptf don't want the headache of storing it. So maybe what if it's sort of like a per-session use? The API key doesn't go to their servers; it sits on the client and destroys itself after the website session has ended. Or maybe it can be stored as a cookie with like next-level encryption.

Wsdea Posted January 10, 2020

On 1/9/2020 at 2:34 PM, Vortegan said:
> Any inventory loaded through Steam's Web API or TF2's Web API needs to have an API key attached to the request to ensure that the server doesn't get overloaded. You can get yours from here provided you've spent $5 on the Steam store.

That's not true... anyone can do a GET request at this URL! https://steamcommunity.com/profiles/[STEAMID]/inventory/json/440/2

Vortegan Posted January 10, 2020

22 minutes ago, Wsdea said:
> That's not true... anyone can do a GET request at this URL! https://steamcommunity.com/profiles/[STEAMID]/inventory/json/440/2

That's not true... that link is not the web API, it is just the inventory in a JSON format. The API call GetPlayerItems returns IEconItem Objects, which is the correct web API.

Zeus904 (Author) Posted January 24, 2020

Bumping... Apologies all for the mini-necro here, I just wanna keep this thread somewhat active until we can hear some opinions from the staff/devs.

D.Alex Posted January 24, 2020

It looks like the site developer already announced that he will be taking a different approach (in #announcements channel on BP Discord):

> There are two projects planned for this year [...] I want to change our approach and make the fallback inventory the default source, and some important processing with the old data source will be moved to the background

Apparently this was suggested by manic (BP Discord link).

Archived
This topic is now archived and is closed to further replies.