
Api limit fix (potential)


Zeus904


Greetings all!

 

I would love to see the option to opt-in to me utilizing my own Steam Web API key on backpack.tf for my inventory load requests. Now I know there are tons of security concerns with this, hence the opt-in part. I'd imagine this would mitigate the recent implementation of maximum calls per account relatively well.

 

There are some obvious things to be discussed regarding this, so I'd love some feedback here and to have some meaningful conversations!

 

Off topic: How does one apply to be a dev for backpack.tf? Keyword: APPLY. I see a ton of suggestions and have yet to see one be implemented. And yes, I would instantly apply to be a dev for this community, as it's my current career and I've loved all 8 years of doing it! (And no, I wouldn't want to be paid; coding is fun as all hell imo and I'd love to start fixing up and improving what's here :D)


2 hours ago, Adolf Storms said:

what other type of credential would be used for verification in your scenario?

 

Assuming you mean API key verification. You would need to be signed in to use one. After that much, I'd say if someone had another person's Steam API key, the least of their worries is their query limit on backpack. (Also, it doesn't seem abusive in nature, as it's simply used for inventory GET requests.) Thanks for the relevant response btw! I was hoping for stuff like this :D


For just viewing of backpack content this would be an ideal solution (distribute fetch commands to users). I think things get a lot more complicated once we include listings (since the client could tamper with the response payload sent to bp).


9 hours ago, Zeus904 said:
 

Assuming you mean API key verification. You would need to be signed in to use one. After that much, I'd say if someone had another person's Steam API key, the least of their worries is their query limit on backpack. (Also, it doesn't seem abusive in nature, as it's simply used for inventory GET requests.) Thanks for the relevant response btw! I was hoping for stuff like this :D

 

has become 'old hat' and didn't even take into account the fact we're already signed in via steam credentials lol after so many years doing the same thing it doesn't even register in my brain XD


8 hours ago, mb_ said:

For just viewing of backpack content this would be an ideal solution (distribute fetch commands to users). I think things get a lot more complicated once we include listings (since the client could tamper with the response payload sent to bp).

The Steam API key is for fetching your bp ONLY. Listings are a backpack.tf feature which is completely unrelated to Steam. Also, the API key simply allows auth (and in this case your call limit) and nothing else. You wouldn't be able to do anything more than drop your key in the settings, as you can't run code off of just the API key (you'd need to be able to run code on backpack.tf consistently and have whatever exploit you want stored on their end for it to be something of the nature you mentioned, which again an API key does not open the gates for).

 

Tl;dr: An API key doesn't let you run code on backpack. It simply lets you use your own account and its limits for loading your inventory, so this won't be an issue. Remember, the call goes from backpack.tf to Steam and the response from Steam to backpack; the only thing your key does is say that it's you making the call.


13 hours ago, Wsdea said:

We or backpack.tf don’t need a key to load a given inventory. Or am I missing something?

Any inventory loaded through Steam's Web API or TF2's Web API needs to have an API key attached to the request to ensure that the server doesn't get overloaded.

 

You can get yours from here provided you've spent $5 on the steam store.  

 


20 hours ago, Vortegan said:

I'm aware of that but I was asking which one does backpack.tf use?

The key I'm referring to is the one you can get from here https://steamcommunity.com/dev/apikey  (Looks like you found it, replying so others can see)

 

4 hours ago, Vortegan said:

Any inventory loaded through Steam's Web API or TF2's Web API needs to have an API key attached to the request to ensure that the server doesn't get overloaded.

 

You can get yours from here provided you've spent $5 on the steam store.  

 

 

Beat me to it, this is it ^^^^


This is a great idea, but I couldn't imagine the outrage if API keys got leaked etc., and I'm sure bptf don't want the headache of storing it. So maybe what if it's sort of like a per-session use? The API key doesn't go to their servers; it sits on the client and destroys itself after the website session has ended. Or maybe it can be stored as a cookie with like next-level encryption.

 


On 1/9/2020 at 2:34 PM, Vortegan said:

Any inventory loaded through Steam's Web API or TF2's Web API needs to have an API key attached to the request to ensure that the server doesn't get overloaded.

 

You can get yours from here provided you've spent $5 on the steam store.  

 

That's not true... anyone can do a GET request at this URL! https://steamcommunity.com/profiles/[STEAMID]/inventory/json/440/2


  • 2 weeks later...

Bumping...

Apologies all for the mini-necro here, I just wanna keep this thread somewhat active until we can hear some opinions from the staff/devs.


It looks like the site developer already announced that he will be taking a different approach (in #announcements channel on BP Discord)

Quote

There are two projects planned for this year

[...]

I want to change our approach and make the fallback inventory the default source, and some important processing with the old data source will be moved to the background

Apparently this was suggested by manic (BP Discord link)


Archived

This topic is now archived and is closed to further replies.
