
dobydigital

6 Posts, 2 Topics, 2 Followers
A member registered 229 days ago

Recent community posts

You're pretty lucky -- I've posted three different posts, and also commented on an ongoing GitHub issue and have yet to hear back.

Thanks for the clarification. I feel like the Itch support is pretty lacking to be honest. It almost feels like this place is dead, or dying. At least they allow me to deliver patches and have a platform for distributing my game.

(Edited 2 times)

Hello, I'm trying to distribute the game to some folks by giving them the download key. They can get to the download page, download directly, and add it to their collection. To be clear, this is a one-off generated key (not one from bulk keys). This key also has the claim-ability unchecked.

However, when they open up the Itch application to grab the game, it gives them an error "While searching for a download: invalid game":

http://i.imgur.com/nqKPqwX.png

They are fully able to see the game in their collection, however.

I'm relying on Itch to provide game patches, so I really need these users to have access to the game via the Itch app. Is there a step that I'm missing? I just want to be able to distribute the game using a single key, instead of having to generate keys in bulk and then hand them out one-by-one.

Thanks in advance for any clarification on the process of using the "Refinery" workflow.

The only way someone is gonna get that API key is if the player launching the game figures out what the key is, by looking in the environment, and gives it to someone else.

That's why I mentioned you can get fancy and prevent replay attacks by verifying the API key against a service that YOU own. You can prevent it from being used again by storing it in a database somewhere or something. Get creative.

(Edited 2 times)
Can't anybody pass any user that has bought the game?

Nope.

The Itch application passes an environment variable to your application that contains a session API key. It's unique to the user and dare I say impossible to forge. You then take that api key, and pass it as an authorization header to the https://itch.io/api/1/jwt/me endpoint. If you get a user JSON object back, then the key is valid and you can trust that they are who they say they are.

If you get an object back that contains anything else, like an error, then it's not valid.

I finally got this set up tonight. Here is a sample of what might be returned upon verifying a key against the API:

POST /api/1/jwt/me HTTP/1.1
Host: itch.io
Authorization: The ITCHIO_API_KEY environment variable sent to your game

{
  "user": {
    "gamer": false,
    "id": 509014,
    "url": "https://dobydigital.itch.io",
    "username": "dobydigital",
    "developer": true,
    "press_user": false
  }
}

Here's what it might look like if you send an invalid token through:

{
  "errors": [
    "invalid base64"
  ]
}

{
  "errors": [
    "header not HS256"
  ]
}

Basically anything with error in it is invalid, so don't authenticate the user.
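A fail-closed version of the check described in the post above, written for the game server side. This is an added example, not code from the post or from itch.io; the function names and the injectable `post` transport are assumptions made so the logic can be run offline, and the two sample bodies are constructed from the responses quoted above.

```python
import json
import urllib.request

ME_URL = "https://itch.io/api/1/jwt/me"  # endpoint named in the post

# Constructed samples, copied from the responses quoted in the post.
SAMPLE_OK = b'{"user": {"id": 509014, "username": "dobydigital", "developer": true}}'
SAMPLE_ERR = b'{"errors": ["invalid base64"]}'

def http_post(url, headers):
    """Default transport: POST with an empty body, return the raw response bytes."""
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()

def parse_me_response(body):
    """Return the user dict only when the body proves a valid key, else None."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return None                      # not JSON at all: reject
    if not isinstance(doc, dict) or "errors" in doc:
        return None                      # any "errors" key means invalid
    user = doc.get("user")
    if not isinstance(user, dict):
        return None
    uid, name = user.get("id"), user.get("username")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(uid, bool) or not isinstance(uid, int):
        return None
    if not isinstance(name, str) or not name:
        return None
    return user

def verify_key(api_key, post=http_post):
    """Verify a key a client handed to the server; never raises, None means reject."""
    # The key arrives from an untrusted client: refuse control characters so it
    # cannot smuggle extra header lines into the outgoing request.
    if not api_key or any(ord(c) < 0x20 or ord(c) == 0x7F for c in api_key):
        return None
    try:
        body = post(ME_URL, {"Authorization": api_key})
    except OSError:                      # network failure or HTTP error status
        return None
    return parse_me_response(body)
```
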

(Edited 4 times)

Well I haven't got my application set up yet, but from reading the documentation it seems as though:

1. Use https://itch.io/api/1/jwt/me to get information about the player (I'm assuming you're already doing this)

2. Then call the API described here to verify the user is legit (if your game requires a user to have purchased the game, or obtained a key from you some other way)

3. You should now be confident in your game client that your user is valid (and owns the copy of the game if you decided to do #2). You should be able to pass the same ITCHIO_API_KEY environment variable to the server, and have the server also perform #1 & #2 again so it can also trust the player is legit. The key is valid until ITCHIO_API_KEY_EXPIRES_AT environment variable so you should be able to auth using that key until it expires. I don't yet know how long that timeframe is though.

I haven't set my game up to use the app manifest yet, since I've only just started using Itch. I'm still reading documentation about different API functionality and just wanted to give you an idea of how it all seems to flow in my mind.


If you want to get really really fancy once you've got the basics:

There are also some other cool ways you can use to make sure that the API key you've been given doesn't go to waste if the expiration they give you is a short timeframe and you don't want your user to have to re-launch your game. You can also create your own verification backend that verifies, and translates Itch API keys into session keys that YOU control. You can then use those session keys to authenticate with your server, and the server verifies your internal session keys. You can even get crafty and set them up to rotate around so the key can only be used once and refreshes for every request in order to prevent replay attacks.
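One way to build the rotating, single-use session keys described in the post above (and the replay protection mentioned in the earlier post about storing keys in a database). This is an added example, not code from the post or from itch.io; the `SessionStore` class, its in-memory dict, the one-hour default lifetime and the choice to revoke a session when a stale token is replayed are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

class SessionStore:
    """Holds, per session, the hash of the one token that is currently valid."""

    def __init__(self, ttl=3600, now=time.time):
        self.ttl, self.now, self.sessions = ttl, now, {}

    def _issue(self, sid, user_id, expires):
        token = secrets.token_urlsafe(32)
        # Store only a hash, so a leaked session table does not leak usable tokens.
        digest = hashlib.sha256(token.encode()).digest()
        self.sessions[sid] = (digest, user_id, expires)
        return f"{sid}.{token}"

    def open(self, itch_user_id):
        """Call only after the itch key has been verified server-side."""
        return self._issue(secrets.token_hex(8), itch_user_id, self.now() + self.ttl)

    def use(self, presented):
        """Return (user_id, next_token), or None. Every token works exactly once."""
        sid, _, token = presented.partition(".")
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        digest, user_id, expires = entry
        if self.now() >= expires:
            del self.sessions[sid]
            return None
        offered = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, offered):
            # An old or guessed token for a live session is treated as a replay:
            # drop the session so a captured token chain is useless.
            del self.sessions[sid]
            return None
        # Rotation keeps the original absolute expiry; it never extends the session.
        return user_id, self._issue(sid, user_id, expires)
```

A client that loses a response also loses its next token and has to re-authenticate with its itch key; that is the cost of strict one-time use.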

I don't see any movement on this on GitHub, is it not going to happen? I too have the need to offer patching, or update notifications to users who are not using the Itch.io application.

(Edited 1 time)

Is it something that's already built into my Itch.io experience? I keep seeing references to things like "limited playtesting", "distributing keys", and things like that. However, I already see options like this in the game management screen: "Restricted — Only authorized people can view the page", and also the "Distribute" where you can manage your keys. Is Refinery some umbrella term that encompasses all of these features, or is there more to it that I'm missing?

It seems as though these features didn't exist at one time and are now just built into the system (eg new users take them for granted). I see Refinery as a new user and think there's more to what I'm currently seeing in my console -- like a separate game management process.

Thanks for the information.