Online connection (Authentication)

Daniel López Guimaraes edited this page Aug 4, 2023 · 4 revisions

Pou authenticates the client with a session cookie named unn_session. This cookie does not expire on the server, and the client can make any request with it until the user logs out.

Some endpoints are available without an account. Once the client has logged in or registered, it can make requests to all API endpoints, including those that were not available before.

Since the requests are made over plain HTTP with no transport security, the account password sent by the client when registering or logging in is hashed with MD5 before it is sent.

Register

The registration process goes as follows:

```mermaid
sequenceDiagram
    participant Client (user)
    participant Game server
    Client (user) ->> Game server: Email address
    Game server ->> Client (user): Captcha
    Client (user) -->> Game server: Captcha answer
    Game server ->> Client (user): Session cookie, default nickname
    opt If fields are set
        Client (user) -->> Game server: Change password, nickname
    end
    Note over Game server,Client (user): Game services
```
  1. The server checks if the email address is registered.
  2. If it isn't, it replies with a captcha as a base64-encoded PNG image. The 11th character has to be removed for decoding to work.
  3. If the answer provided by the client is valid, the server provides a unn_session session cookie and generates a random nickname. The default password is the empty string "" (without the quote marks).
  4. The client saves the current state of the game to the server.
  5. The user will be prompted to set a password and nickname. If the user changes those fields, the client will modify the password and nickname of the account, in that order.
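As an added example (not code from this wiki or from the game's client), the helper below applies the rule from step 2: the server's base64 string carries one extra character at position 11, which has to be dropped before the PNG decodes. The sample captcha is constructed locally from a PNG signature; no real server data is used.

```python
import base64
import binascii

# First 8 bytes of every PNG file; used to sanity-check the decoded image.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def decode_captcha(raw: str, strip_extra: bool = True) -> bytes:
    """Decode the captcha string as described in step 2 of the register flow.

    With strip_extra=True the 11th character (index 10) is removed first.
    With strip_extra=False the string is decoded as-is, which shows why
    the removal is needed: the stray character breaks strict base64 decoding.
    """
    if len(raw) <= 10:
        raise ValueError("captcha payload too short to hold the extra 11th character")
    cleaned = raw[:10] + raw[11:] if strip_extra else raw
    try:
        png = base64.b64decode(cleaned, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"captcha is not valid base64: {exc}") from exc
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("decoded captcha does not start with the PNG signature")
    return png


def make_sample_captcha(png: bytes, filler: str = "!") -> str:
    """Constructed test helper (assumption, not real server output): base64-encode
    a PNG and insert one filler character at index 10 to mimic the server's format."""
    encoded = base64.b64encode(png).decode("ascii")
    return encoded[:10] + filler + encoded[10:]


if __name__ == "__main__":
    # Constructed sample: PNG signature followed by a dummy IHDR chunk header.
    sample_png = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + bytes(17)
    raw = make_sample_captcha(sample_png)
    print(decode_captcha(raw) == sample_png)  # True once the 11th character is dropped
```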

Login

The login process is the following:

```mermaid
sequenceDiagram
    participant Client (user)
    participant Game server
    Client (user) ->> Game server: Email address
    Game server -->> Client (user): Not registered
    Client (user) ->> Game server: Password
    Game server -->> Client (user): Session cookie, account info, save state
    Note over Game server,Client (user): Game services
```
  1. The server checks if the email address is registered.
  2. If it is, the server tells the client so with the message {"registered": true}.
  3. If the password provided by the client is correct, the server sends a unn_session cookie, some account information and the current save state stored on it.

PouHash

Some methods use a custom MD5 function to validate the data being sent to the server. It is applied to methods such as saving the current state, deleting an account, or editing the data of a game session.

The function prepends a fixed prefix to the data before hashing: MD5("p@v_" + data)

```python
import hashlib


def pou_hash(data: str) -> str:
    # Prepend the fixed "p@v_" prefix, then return the hex MD5 digest of the result.
    payload = "p@v_" + data
    return hashlib.md5(payload.encode("utf-8")).hexdigest()
```