Recently we had a crypto spam wave on the forum. That one seems to have been part of a larger campaign, as the exact content can be found all over the internet and started appearing on the same day. The most likely cause is one of the bigger breaches combined with password reuse, e.g.
https://haveibeenpwned.com/. Anyway, to stop the spam I wanted 2FA for forum logins as well; however, that would pretty much remove any incentive to ever visit the website, as it's just a hassle.
So instead I used the "opportunity" to entirely redesign the way we handle logins, as by now we have accumulated quite a few properties that staff have to sign into individually. Also, with the launcher it's quite annoying to switch login credentials around when switching from a player account to a staff account or vice versa.
The goals were quite simple:
- Single sign-on across all web properties
- Email must be involved, so that an account cannot be compromised through unrelated breaches of other sites
- Logins should be a rare event and become a complete non-issue
- The launcher should be part of the single sign-on process and not require a separate login
- Staff should be able to just play with either account without having to log out and in again
A popular mechanism for single sign-on is OAuth, either used directly or, more commonly, via OpenID Connect.
I looked into a couple of off-the-shelf solutions, like Keycloak, but in the end opted to implement it from scratch. The result is largely based on
OAuth 2.1, with features we don't need left out, while also folding some OIDC features into it.
As for email being involved in every actual login, I opted to remove the password entirely and instead send a one-time password by email. Technically this is no longer 2FA; however, the basic assumption is that if your email has been compromised, you have bigger problems. A "forgot password" function effectively reduces security to "just" needing access to the email account anyway.
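The server-side half of an email one-time-password login, as an added example (not the forum's own code): the code is generated with a CSPRNG, only a salted hash of it is stored, it is bound to one address, expires, is single-use, and allows a bounded number of guesses. The digit count, lifetime and attempt limit are constructed values for this example; the post does not state them.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy values for this example (not stated in the post).
OTP_DIGITS = 8
OTP_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5


class EmailOtpStore:
    """Server-side state for one-time passwords delivered by email.

    Only a salted SHA-256 of each code is kept, so a leaked table does not
    expose live codes. Each code is bound to one email address, expires,
    is consumed on first successful use and tolerates a bounded number of
    wrong guesses before it is discarded.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        # email -> (salt, code_hash, expires_at, failed_attempts)
        self._pending = {}

    @staticmethod
    def _hash(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, email: str) -> str:
        """Generate a fresh code for `email` and return it for delivery.

        The caller sends the returned string by email; it is never stored
        in the clear. Issuing again replaces any earlier pending code.
        """
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[email] = (
            salt, self._hash(salt, code), self._clock() + OTP_TTL_SECONDS, 0)
        return code

    def verify(self, email: str, code: str) -> bool:
        """Consume the pending code for `email`; True at most once."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        salt, code_hash, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            # Expired or locked out: drop it so the user must request anew.
            self._pending.pop(email, None)
            return False
        # Constant-time compare so timing does not leak matching prefixes.
        if hmac.compare_digest(self._hash(salt, code), code_hash):
            self._pending.pop(email, None)  # single use
            return True
        self._pending[email] = (salt, code_hash, expires_at, attempts + 1)
        return False
```

The injectable `clock` exists only to make expiry testable; in production the default `time.time` is used and the pending table would live in the database or session store rather than in memory.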
Rare logins are achieved by giving the single sign-on cookie a 7-day lifetime that is extended whenever a new authorization is required, which is the case every time you log into the game. That means that unless you clear your cookies (or we have to change the encryption key) you should only see the actual login once.
You might see a "login" button on this website a couple of times (that happens when the refresh token becomes invalid because the auth server restarted); however, clicking it then performs the single sign-on check and does not require you to go through the actual login process again.
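The sliding-lifetime behaviour described above, as an added example rather than the forum's own implementation: a single sign-on cookie carrying a subject and an expiry, authenticated under a server-side key, re-minted with a fresh 7-day lifetime on every authorization. The post speaks of an encryption key; this example uses an HMAC-SHA256 tag for integrity only (the contents are not secret here), which is enough to show the two properties that matter: a cookie outlives its original 7 days only if it keeps being used, and rotating the key invalidates every outstanding cookie at once. The key bytes and subject names are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

SSO_LIFETIME_SECONDS = 7 * 24 * 3600  # the post's 7-day cookie lifetime
TAG_LEN = hashlib.sha256().digest_size


class SsoCookie:
    """Mint and validate a single-sign-on cookie with a sliding expiry.

    Cookie = urlsafe_base64( JSON{sub, exp} || HMAC-SHA256(key, JSON) ).
    Tampering with the body, or changing the server key, makes `parse`
    return None, so every session must go through the real login again.
    """

    def __init__(self, key: bytes, clock=time.time):
        self._key = key
        self._clock = clock

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def mint(self, subject: str) -> str:
        """Issue a cookie valid for a full lifetime starting now."""
        claims = {"sub": subject,
                  "exp": int(self._clock()) + SSO_LIFETIME_SECONDS}
        body = json.dumps(claims, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(body + self._tag(body)).decode()

    def parse(self, cookie: str):
        """Return the subject if the cookie is authentic and unexpired."""
        try:
            raw = base64.urlsafe_b64decode(cookie)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        if len(tag) != TAG_LEN or not hmac.compare_digest(self._tag(body), tag):
            return None
        try:
            claims = json.loads(body)
        except ValueError:
            return None
        if not isinstance(claims, dict) or claims.get("exp", 0) <= self._clock():
            return None
        return claims.get("sub")

    def authorize(self, cookie: str):
        """Serve an authorization request (e.g. a game login via the launcher).

        On success returns (subject, refreshed_cookie); the refreshed cookie
        starts a new 7-day window, which is what makes logins a rare event.
        """
        subject = self.parse(cookie)
        if subject is None:
            return None
        return subject, self.mint(subject)
```

Each refresh re-mints rather than edits the cookie, so the expiry can never be pushed out by the client; only an authorization the server actually approved extends the window.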
The launcher has seen quite extensive changes to support single sign-on. Specifically, it now registers a custom URL protocol on first launch, which allows you to launch into the game from a button on this website. And the solution for staff being able to log into both their staff and player account without actually switching accounts is literally just a second button there.
At the same time, the launcher implementation has moved from C++ using wxWidgets to Zig with direct Win32 API calls. That led to a reduction from 5 MB to 350 KB, as a single executable with zero dependencies.