Topic: Add-Ons Server

I've started writing a server for add-ons which is by and large (not entirely) functional already.
Widelands Code is at Noordfrees:addons-webserver (implementation)
Server code (written in Java) is at branch webserver (implementation)

The server can be run locally by simply typing

git checkout webserver
javac *.java
java Server

Widelands, with this branch, currently connects to a server running on 127.0.0.1 port 7399 (unless specified otherwise with --addon_server_ip and/or --addon_server_port).

This server supports not only downloading add-ons and metadata (several times faster than in master, though I don't know how much of this increase comes from the transfer protocol and how much from the fact that I run the server on the same machine) but also writing comments, voting on add-ons, and uploading own add-ons to the server. For the latter three activities, it is of course necessary to authenticate to the server. For testing I've defined a few dummy usernames and passwords accepted by the server, but the aim is of course to have the server use the online gaming credentials, like the metaserver.

So I now have a few questions:

• How can the server check whether a given username is the name of a user registered on the website, and whether a given password hash is identical to that user's gaming password hash?

• In the current implementation, Widelands creates the sha1 of the password and sends this hash to the server (like I believe the network gaming code does). Is this secure? Which additional security steps must or should be taken? (I'm not familiar at all with this networking security stuff…)

• Does the machine on which the official server will run in the end (I assume it's the same one on which the website and the metaserver live, right?) have the ability to push newly submitted add-ons and the updated metadata back to GitHub periodically (essentially, to use git with bunnybot's login), so that older Widelands versions will also benefit from it?

Top

Quote