Sharing code is a good thing...
This feature would allow users to upload the code online, and share it faster.鹿
https://gist.github.com/{gist_user}/{gist_id}/raw/{file_name}http://hastebin.com/raw/{key}鹿 _I would recommend to prompt the user to confirm their action, just in case._
We can't implement any such feature that requires the user to log in, because there is no way to hide the password from any server admin running malicious lua code.
I believe hastebin does not require you to log in.
can't implement any such feature that requires the user to log in
What the ** are you talking about?
GitHub Gist, Pastebin and hastebin... all allow public/anonymous uploads - no login/account is required.
What password?! Well there is API key.
I only meant that I am pretty sure that hastebin allows anonymous pastes, and that I wasn't sure about the others.
EDIT: I was only pointing out the fact; I wasn't saying that we coulnd't use either of these. I also wanted to point out the fact that we can only do this with sites that allow anonymous pastes, due to the fact that we can't guarantee password security.
I'm pretty sure both pastebin and github just require api keys to which on github I know you can restrict, not sure about pastebin.
How about OAuth2? It's almost seamless, it uses their login pages and limits the permissions of the token to exactly what is needed. So when a malicious admin intercepts the OAuth2 token, they still can't do anything with it except whatever permissions have been granted. The tokens can also be revoked easily, whereas passwords can't.
Now, your question is, how do we know this is the real GitHub site? Easy, instead of having users use some suspicious looking browser frame, just launch a Steam browser window (or ask users to copy a link to their browser of choice), which will initiate the OAuth2 authentication process. Once the process is complete, the redirect page will contain just the OAuth2 key to be copied into a text box back inside GMod. The key will then be stored clientside and will be used for a particular service.
Ok and then how do you get the oauth key out of the browser and into the lua code so that we can upload the code using it?
EDIT: nevermind you mentioned a text box. But that's not automatic though
EDIT: Gmod does have javascript integration, so I guess that could work, but that can be intercepted by admin abusers.
Moreover, there are "private" options for Gist and Pastebin.
GitHub calls it secret Gist. Pastebin calls it unlisted paste.
I am not sure about hastebin.
You simply never share the link if you want it "private". See, no user accounts required, etc.
The manual parts are required to keep a level of discretion/control by the end user. ShareX does something similar, where you have to copy-paste the OAuth key to the appropriate textbox for whatever integration.
However, I'd like to make something clear: I don't totally support this, again because it makes the Wiremod editor excessively complicated (you'd need a server for the redir URL, stay in sync with API changes, make sure admins aren't extorting users of their login details, and so on). A simple anonymous "Upload to Pastebin" plus a couple of other well-established services is fine, but not all this, please.
A simple anonymous "Upload to Pastebin" plus a couple of other well-established services is fine
Yes. This. No need for user accounts/logins, passwords, etc... I have never mentioned to do the whole thing with user accounts, and so on.
Ok, let's just do public and private/anonymous (secret/unlisted) sharing, that does not require user accounts/passwords.. It is a simple HTTP (POST) request.
So... Focus on it. API key.
If wire would have come with builtin API key, chances are, Pastebin will block it due too many requests or something... Well, I think it takes just five players to keep spamming (POSTing) HTTP requests repeatedly (with same API key) for it to be blocked by Pastebin after a couple of minutes. I am not sure about Gist; never tried it..
There could also be a daily/weekly/monthly limit or something.
It is all on the client-side, nothing is networked to the server-side. So, the question is, how do you save API key on the client, without server being able to see it? Because, it would be very annoying to have to enter API key every single time. I have an idea, here it is:
When the user clicks Upload to Gist/Pastebin/hastebin button, it would check if there is a file key.txt, if this is the first time the user clicked it, it will return false. So, the user is prompted to enter API key, and their secret phrase (API key will have to be encrypted with user's secret phrase). Next time the user clicks Upload to Gist/Pastebin/hastebin button, key.txt file will exist, so the function should return true, and this time it should only ask a user to enter their secret phrase.
This way, only "infected"/bad servers may reach to client's file system, and even if they do, key.txt file will always be encrypted, so if they doesn't know the secret phrase - they can't unlock it, so its basically useless to them. However, they could try brute-force technique, but nothing can stop "bad" hackers over time....
To confirm the upload, you would enter your secret phrase (every time you want to upload it online). And to cancel it, you would simply close the window/frame, whatever or click the cancel button..
So, what do you think of this approach? Like?
If it requires an API key inputted manually then forget it. Shooting through hoops for every individual user to get some super-encrypted API key to use some service anonymously is unnecessary work.
Gmod does have javascript integration, so I guess that could work, but that can be intercepted by admin abusers.
Correction: Anything can be intercepted _only_ if wire has been infected/modified (or if server is compromised, etc.), such as a client sending such information to the server and then to admin abuser...
Let's not worry about that, because that's again the story about players' trust the server they are playing on...
So, without API key. Okay. @oldmud0 has already explained it a bit. Now I will try to round it.
When the user clicks Upload code to Gist/Pastebin/hastebin button, it would copy the code to clipboard (see SetClipboardText function), open Steam web browser in overlay, and automatically navigate to the wanted service (see gui.OpenURL function). But, there is a problem with that, Steam overlay can be enabled/disabled by the user via Steam settings. So, instead of using Steam overlay, create a new window/frame with DHTML on it, and use JavaScript integration to automate it as much as possible. This way, a user can be presented with full website interface, allowing them to set any options offered by services such as Gist/Pastebin/hastebin. Minimizing the number of clicks a user must do, right now I think it can be minimized down to only 2 clicks (possibly 1!).
If all it takes is one click, then a user should be prompted to confirm their action, however if it takes two (or more) clicks, then I think there is no need to prompt a user.
What are your thoughts about this approach?
If the text editor had a useful integration point for third-party addons (eg. calling a hook and passing in the menu bar as an action), this could easily be achieved by a third-party addon. It would feel like serious feature creep for Wiremod to be responsible for dealing with API keys or manipulating third-party websites via Javascript injection.
If the text editor had a useful integration point for third-party addons
It sounds like Editor was not designed and constructed with extensibility in mind.
So, new issue?
It would feel like serious feature creep for Wiremod to be responsible...
Yeah, I agree..
Most helpful comment
If the text editor had a useful integration point for third-party addons (eg. calling a hook and passing in the menu bar as an action), this could easily be achieved by a third-party addon. It would feel like serious feature creep for Wiremod to be responsible for dealing with API keys or manipulating third-party websites via Javascript injection.