-
Notifications
You must be signed in to change notification settings - Fork 408
CREST (deprecated)
NOTE: CREST support has been dropped by CCP, this article is deprecated.
With EVE Online: Parallax, CCP finally implemented writable CREST support, and the first endpoint to utilize this feature is the fitting resource. Third-party applications can now communicate directly with EVE Online via the CREST fitting resource, allowing users to browse their saved fittings, upload new ones, and delete old ones, all from within the third-party application.
pyfa supports these new CREST features. There are two different modes of action that can be selected in the preferences: implicit (default), or user-defined.
Under implicit mode, you can use the CREST menu to log into a character via EVE's Single Sign-On service. Doing so will open a local web server on port 6461, allowing CCP to communicate the access token back to pyfa. Once pyfa has this token, it will be able to access CREST services for that character. The access token has a time limit that is set by CCP (currently 20 minutes), after which time the token will expire and the character information will be forgotten on pyfa's end.
While the token is active, you will be able to browse your saved fittings on the EVE server and upload new ones. Modifying existing fittings is not currently supported by CREST.
Under user-defined mode, the user can supply their own client details to use. To do so, you must register a new application at https://developers.eveonline.com and agree to the developer license. When registering the application, the callback must be http://localhost:6461.
Under this mode, pyfa uses the OAuth2 Authorization grant rather than the Implicit grant. The benefit to this is that you will also get a refresh token, allowing pyfa to automatically refresh the character when the access token expires. This also allows pyfa to store the character and refresh token in the database. When utilizing CREST functions, you will be able to choose which character you wish to use. The end result is a smoother flow, a sort of "login and forget", and may be easier for people working with multiple accounts as you do not have to continuously log in and out of the characters.
Q: Why can't pyfa just utilize refresh tokens by default
A: In order to receive a refresh token, and thus save the character to be used at any time, pyfa must supply it's own secret key to EVE's SSO service. Being a distributed open-source software, we cannot guarantee the secrecy of this key no matter what precautions we take. While keeping our key secret is much less a concern for pyfa (being a single-user application), there was still possibility of user's uploading their database to a public location. Knowing pyfa's client details and refresh tokens of a user, a malicious user can access and modify your saved fittings. This was not a chance we wanted to take. There is a possibility of allowing the user to encrypt their refresh tokens and thus allowing pyfa to use Authorization grant; this option is still being considered. The entire discussion on this topic can be found here: https://github.com/DarkFenX/Pyfa/issues/383
Q: My firewall / organization blocks the port pyfa uses. What can I do?
A: Right now? Nothing. As this time, CREST support is new and in it's infancy. There are plans in place to have the SSO service redirect to a public webpage that will either communicate with pyfa or displays needed info to be copy and pasted into pyfa to get it to work. Unfortunately, these ideas are not yet ready.