Potential Security/Identity Issue - /me giving old user after changing user

A topic by Drunken Angel Entertainment created Jun 13, 2021 Views: 273

In my game (still in development), I use the "https://itch.io/api/1/jwt/me" call together with the ITCHIO_API_KEY environment setting to figure out who is playing the game. 

All seemed to work well, until I decided to register a new account for testing purposes and use it on the same machine. 

So I did this:

  • Created account A on the website
  • Downloaded and installed the Itch app
  • Logged into the Itch app with account A
  • Started my game from the Itch app, https://itch.io/api/1/jwt/me gave me account A, as expected
  • Created account B on the website
  • Logged out of account A in the Itch app
  • Logged into the Itch app with account B
  • Started my game from the Itch app, https://itch.io/api/1/jwt/me gave me ... account A! Even though I am logged in with account B from the app.
  • Whut?

Is this intended behavior? Can't see how it could be. This feels like a security/identity problem. Or am I doing something wrong? 

Please advise.
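An added diagnostic example, not part of the original post and not itch.io's code: it records a fingerprint of `ITCHIO_API_KEY` and the account returned by `/me` at each launch, so the two launches in the steps above show whether the game received the same key again or a new key that still resolves to the earlier account. Assumptions: the key is sent in the `Authorization` header, the reply carries the account under `user.id`, and the function names and state file name are hypothetical.

```python
import hashlib
import json
import os
import urllib.request

ME_URL = "https://itch.io/api/1/jwt/me"  # endpoint named in the post

def key_fingerprint(api_key):
    """Short SHA-256 fingerprint, so the key itself never reaches a log."""
    return hashlib.sha256(api_key.encode()).hexdigest()[:12]

def fetch_user_id(api_key, opener=urllib.request.urlopen):
    # Assumptions: the key travels in the Authorization header and the
    # JSON reply carries the account under user.id.
    req = urllib.request.Request(ME_URL, headers={"Authorization": api_key})
    with opener(req, timeout=10) as resp:
        return json.load(resp)["user"]["id"]

def classify_after_switch(prev, cur):
    """Compare the launch before an account switch with the one after it."""
    if prev is None:
        return "first-launch"
    same_key = prev["key_fp"] == cur["key_fp"]
    same_user = prev["user_id"] == cur["user_id"]
    if same_key:
        # Launcher handed the game the previous session's key again.
        return "stale-key" if same_user else "key-reused-across-users"
    # Key changed: identity should have changed with it.
    return "new-key-old-user" if same_user else "ok"

def check_launch(state_path, api_key, user_id):
    """Persist this launch's record and classify it against the last one."""
    cur = {"key_fp": key_fingerprint(api_key), "user_id": user_id}
    prev = None
    if os.path.exists(state_path):
        with open(state_path) as f:
            prev = json.load(f)
    with open(state_path, "w") as f:
        json.dump(cur, f)
    return classify_after_switch(prev, cur)

if __name__ == "__main__":
    key = os.environ["ITCHIO_API_KEY"]  # set by the Itch app at launch
    print(check_launch("itch_identity_check.json", key, fetch_user_id(key)))
```

Run it once from the app as account A, switch to account B, and run it again; the second result is only meaningful when an account switch happened between the two launches.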