Online multiplayer game login server for secure user authentication. Written in Python using Flask.
https://craft.michaelfogleman.com/
- The user visits the web front-end of the login server to register for a new account.
- After registering and logging in, the user can manage “identity tokens.”
- The user creates an identity token which is copied and pasted into the game client.
- The game client saves the username and identity token to use for future logins.
- An identity token looks like:
717e3c1a034247ef91e6b78dd8088b77 - The user can revoke any identity token at any time. The identity tokens are more secure than regular passwords and the user doesn’t need to reuse or make up a new password.
- Game Client contacts Login Server over secure HTTPS.
- Game Client sends stored username and identity token to Login Server.
- Login Server checks for matching identity token in database (they are salted and hashed just like passwords).
- If the identity token is valid, the Login Server creates a new, short-lived access token. This is sent back to the Game Client.
- The Game Client sends the access token to the Game Server (this connection is plain text because we don’t need / want encrypted communication for game play). Access tokens can only be used once and expire in one minute.
- The Game Server sends the access token to the Login Server to verify the client's request to authenticate.
- If the access token is valid, unexpired and unused, the Login Server confirms a successful login and sends user information to the Game Server, such as a distinct user ID.
- The Game Server can then use the user information as needed. The user is now logged in.
- The Game Client is written in C. It uses libcurl to easily perform HTTPS POSTs to the Login Server. It uses plain sockets for communication with the Game Server.
- The Game Server is written in Python. It uses the requests module to communicate with the Login Server.
- The Login Server is written in Python and uses the Flask web framework.