Zeus904

Api limit fix (potential)


Zeus904

Greetings all!

 

I would love to see the option to opt-in to me utilizing my own steam web api key on backpack.tf for my inventory load requests. Now I know there are tons of security concerns with this hence the opt-in part. I'd imagine this would mitigate the recent implementation of maximum calls per account relatively well.

There are some obvious things to be discussed regarding this so I'd love some feedback here and to have some meaningful conversations!

Off topic: How does one apply to be a dev, for backpack.tf keyword: APPLY I see a ton of suggestions and have yet to see one be implemented. And yes I would instantly apply to be a dev for this community as it's my current career and I've loved all 8 years of doing it! (And no I wouldn't want to be paid, coding is fun as all hell imo and I'd love to start fixing up and improving what's here :D)

Adolf Storms

what other type of credential would be used for verification in your scenario?

Zeus904
2 hours ago, Adolf Storms said:

what other type of credential would be used for verification in your scenario?

 

Assuming you mean api key verification. You would need to be signed in to use one after that much I'd say if someone had another person's steam api key the least of their worries is their query limit on backpack. (Also it doesn't seem abusive in nature as it's simply used for inventory get requests) Thanks for the relevant response btw! I was hoping for stuff like this :D

mb_

For just viewing of backpack content this would be an ideal solution (distribute fetch commands to users), I think things get a lot more complicated once we include listings (since client could tamper with response payload sent to bp).

Adolf Storms
9 hours ago, Zeus904 said:
 

Assuming you mean api key verification. You would need to be signed in to use one after that much I'd say if someone had another person's steam api key the least of their worries is their query limit on backpack. (Also it doesn't seem abusive in nature as it's simply used for inventory get requests) Thanks for the relevant response btw! I was hoping for stuff like this :D

 

has become 'old hat' and didn't even take into account the fact we're already signed in via steam credentials lol after so many years doing the same thing it doesn't even register in my brain XD

Vortegan

Does backpack.tf load it through the steam web API or the TF2 web API? Or am I just confused?

Zeus904
8 hours ago, mb_ said:

For just viewing of backpack content this would be an ideal solution (distribute fetch commands to users), I think things get a lot more complicated once we include listings (since client could tamper with response payload sent to bp).

The steam api key is for fetching your bp ONLY. Listings are a backpack.tf feature which is completely unrelated to steam. Also the api key simply allows auth (and in this case your call limit) and nothing else, you wouldn't be able to do anything more than drop your key in the settings as you can't run code off of just the api key (you'd need to be able to run code on backpack.tf consistently and have whatever exploit you want stored on their end for it to be something of the nature you mentioned. Which again an api key does not open the gates for)

Tl;dr An api key doesn't let you run code on backpack. It simply lets you use your own account and its limits for loading your inventory so this won't be an issue. Remember the call goes from backpack.tf to steam and the response from steam to backpack, the only thing your key does is say that it's you making the call.

Zeus904
1 hour ago, Vortegan said:

Does backpack.tf load it through the steam web API or the TF2 web API? Or am I just confused?

Both APIs use the same key, view the auth documentation for reference: https://steamcommunity.com/dev

Wsdea

We or backpack.tf don't need a key to load a given inventory. Or am I missing something?

Vortegan
13 hours ago, Wsdea said:

We or backpack.tf don't need a key to load a given inventory. Or am I missing something?

Any inventory loaded through Steam's Web API or TF2's Web API needs to have an API key attached to the request to ensure that the server doesn't get overloaded.

 

You can get yours from here provided you've spent $5 on the steam store.  

 

Zeus904
20 hours ago, Vortegan said:

I'm aware of that but I was asking which one does backpack.tf use?

The key I'm referring to is the one you can get from here https://steamcommunity.com/dev/apikey  (Looks like you found it, replying so others can see)

 

4 hours ago, Vortegan said:

Any inventory loaded through Steam's Web API or TF2's Web API needs to have an API key attached to the request to ensure that the server doesn't get overloaded.

 

You can get yours from here provided you've spent $5 on the steam store.  

 

 

Beat me to it this is it ^^^^

Vortegan

This is a great idea, but I couldn't imagine the outrage if API keys got leaked etc and I'm sure bptf don't want the headache of storing it. So maybe what if it's sort of like a per session use? The API key doesn't go to their servers, it sits on the client and destroys itself after the website session has ended. Or maybe it can be stored as a cookie with like next level encryption.

 

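Added example, not part of the thread and not backpack.tf code: one way the encrypted-cookie variant suggested in the post above could work in Node.js, with the server sealing the key under a per-session AES-256-GCM key and storing nothing at rest. `SERVER_SECRET`, the function names, the cookie name and the cookie layout are assumptions made for this example.

```javascript
const crypto = require("node:crypto");

// Assumption: a 32-byte secret from the server's secret store (random here so the example runs).
const SERVER_SECRET = crypto.randomBytes(32);

// Per-session AES-256 key: a cookie sealed for one session cannot be opened in another.
function sessionKey(sessionId) {
  const okm = crypto.hkdfSync("sha256", SERVER_SECRET, Buffer.alloc(0), `apikey-cookie:${sessionId}`, 32);
  return Buffer.from(okm);
}

// Returns the cookie value "expires.iv.ciphertext.tag"; the expiry is authenticated as AAD.
function sealApiKey(apiKey, sessionId, ttlSeconds = 3600, now = Date.now()) {
  // Steam Web API keys are 32 hex characters; reject anything else before sealing.
  if (!/^[0-9a-f]{32}$/i.test(apiKey)) throw new Error("expected a 32-character hex key");
  const expires = String(Math.floor(now / 1000) + ttlSeconds);
  const iv = crypto.randomBytes(12); // fresh nonce for every seal
  const cipher = crypto.createCipheriv("aes-256-gcm", sessionKey(sessionId), iv);
  cipher.setAAD(Buffer.from(expires));
  const ct = Buffer.concat([cipher.update(apiKey, "utf8"), cipher.final()]);
  return [expires, ...[iv, ct, cipher.getAuthTag()].map((b) => b.toString("base64url"))].join(".");
}

// Returns the key, or null if the cookie is expired, tampered with, or from another session.
function openApiKey(cookie, sessionId, now = Date.now()) {
  const parts = String(cookie).split(".");
  if (parts.length !== 4) return null;
  const [expires, iv, ct, tag] = parts;
  if (!/^\d+$/.test(expires) || Number(expires) * 1000 <= now) return null;
  try {
    const key = sessionKey(sessionId);
    const d = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "base64url"), { authTagLength: 16 });
    d.setAAD(Buffer.from(expires));
    d.setAuthTag(Buffer.from(tag, "base64url"));
    return Buffer.concat([d.update(Buffer.from(ct, "base64url")), d.final()]).toString("utf8");
  } catch {
    return null; // authentication failed or a field was malformed
  }
}

// Constructed sample values, not a real key or session id.
const demoCookie = sealApiKey("0123456789ABCDEF0123456789ABCDEF", "session-1");
console.log("Set-Cookie: steam_key=" + demoCookie + "; HttpOnly; Secure; SameSite=Strict; Max-Age=3600");
console.log("same session:", openApiKey(demoCookie, "session-1"));
console.log("other session:", openApiKey(demoCookie, "session-2"));
```

The key still passes through server memory on each request; what this removes is storage at rest, and `HttpOnly` keeps page scripts from reading the cookie.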
Wsdea
On 1/9/2020 at 2:34 PM, Vortegan said:

Any inventory loaded through Steam's Web API or TF2's Web API needs to have an API key attached to the request to ensure that the server doesn't get overloaded.

 

You can get yours from here provided you've spent $5 on the steam store.  

 

That's not true... anyone can do a GET request at this url! https://steamcommunity.com/profiles/[STEAMID]/inventory/json/440/2
