DevBlog 1: User Authentication

Phillipp, published in Ultimate SGC, Oct 27, 2017

This is part of a series of devblogs for my alternative Stargate Command web client. Read the introduction here.

The very first thing I did after I got the idea to create an alternative web client for Stargate Command was to figure out how I can authenticate as an existing user. Basically, the whole project depended on whether this is possible.

Since it’s not intended that third party applications authenticate a user, there is no proper API I could use. The best way to go in this case is to figure out how the normal web login works and do the exact same steps programmatically.

Debugging the Web Login Using Chrome Developer Tools

I simply used the Chrome Developer Tools to record all HTTP requests during the login so I can see exactly what’s being sent back and forth. It’s important to check “Preserve log”, otherwise we will lose all recorded requests when the page reloads. I also deleted all existing cookies so we start from a clean slate.

The screenshot below shows the first request to the homepage. You can see we are getting three cookies: _TopFan-BCK_session, guest_user_id and session_id.

We are now ready to fill in our login credentials and hit the submit button. The login POST request is made via AJAX from the web client. That will be handy for our implementation, since a successful login returns a 200 OK response instead of a redirect.

In the screenshot below you can see that we are sending our login credentials, along with a CSRF token, as form data to the login endpoint. The response contains a new _TopFan-BCK_session cookie and we are logged in. At this point, the JavaScript web client simply reloads the page.

After the page is reloaded, the returned HTML contains our user info, as seen below. The HTML is badly formatted, so the screenshot just contains the URL to the user profile, but we are definitely logged in at this point.

We also got a new _TopFan-BCK_session cookie again. In fact, every request to their servers will return a new _TopFan-BCK_session cookie. This is important for our implementation later on.

Login Procedure Step by Step

From what we found out, we can say the login works as follows:

  1. Request any site on stargatecommand.co and grab the cookies & CSRF token.
  2. Post the login credentials along with the CSRF token and cookies to the login endpoint.
  3. Correct credentials will return a 200 OK status and a new _TopFan-BCK_session cookie.
  4. Merge the new _TopFan-BCK_session cookie with the existing guest_user_id and session_id cookies to have an updated cookie set for future requests.

The currently implemented login function looks like this. It exactly covers the steps above.

The Complete Workflow

The login function works, but we’re not done yet. The user session has to be persisted on our own client. The goal is to not store sessions in any database, so the easiest and also simplest solution is to store our three cookies the same way the Stargate Command platform stores them: in the user’s browser.

This is the complete login workflow:

  1. User submits the login form on our client with their credentials.
  2. Our client calls the login function and obtains the cookies from Stargate Command.
  3. If the login was successful, our client sends the cookies to the user so they can be stored in the browser.

And whenever the user does something in our client that requires interaction with Stargate Command, it goes as follows:

  1. The user visits a profile page. The request to our client contains the stored cookies.
  2. Our client uses those cookies to request the profile information on behalf of the user.
  3. Stargate Command processes the request as if it were a normal request by the user and returns the profile and another _TopFan-BCK_session cookie.
  4. The profile data and the new cookie set get returned to the user of our client.
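The four login steps above and the per-request cookie refresh from the workflow lists, as an added example. This is not the author's login function (which is not reproduced on the page); it runs offline against a constructed stand-in for stargatecommand.co that mimics the observed behaviour: three cookies on the first visit, a CSRF token in the page, and a new _TopFan-BCK_session cookie on every response. The csrf-token meta tag, the authenticity_token form field, the /login path and the credentials are assumptions, not values taken from the real site.

```python
"""Added example, not the project's own code: login-by-cookie flow against a
constructed stand-in for stargatecommand.co. Cookie names come from the post;
the CSRF tag/field names, the /login path and the credentials are assumed."""
import re
from http.cookies import SimpleCookie

SESSION_COOKIE = "_TopFan-BCK_session"           # rotated on every response (from the post)
STABLE_COOKIES = ("guest_user_id", "session_id")  # issued once, kept across requests
CSRF_FIELD = "authenticity_token"                 # assumption: name of the CSRF form field


def parse_set_cookies(set_cookie_headers):
    """Collect name -> value from every Set-Cookie header of one response."""
    jar = {}
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar[name] = morsel.value
    return jar


def extract_csrf_token(html):
    """Assumption: the token is exposed as <meta name="csrf-token" content="...">."""
    match = re.search(r'name="csrf-token"\s+content="([^"]+)"', html)
    if not match:
        raise ValueError("no CSRF token found in page")
    return match.group(1)


def merge_cookies(current, fresh):
    """Step 4: take the rotated session cookie, keep the stable ones."""
    merged = dict(current)
    merged.update(fresh)
    return merged


def login(transport, username, password):
    """Steps 1-4. transport(method, path, cookies, data) -> (status, set_cookie_headers, body)."""
    _, headers, body = transport("GET", "/", {}, None)            # 1: any page
    cookies = parse_set_cookies(headers)
    token = extract_csrf_token(body)
    status, headers, _ = transport("POST", "/login", cookies, {     # 2: credentials + CSRF token
        "username": username, "password": password, CSRF_FIELD: token})
    if status != 200:                                               # 3: only 200 means success
        return None
    return merge_cookies(cookies, parse_set_cookies(headers))       # 4: updated cookie set


def proxied_request(transport, path, user_cookies):
    """Per-request workflow: act with the user's cookies, hand back body and refreshed jar."""
    _, headers, body = transport("GET", path, user_cookies, None)
    return body, merge_cookies(user_cookies, parse_set_cookies(headers))


class FakeStargateCommand:
    """Constructed stand-in reproducing the behaviour observed in the devtools log."""
    VALID = {"sam": "carter-pw"}  # constructed credentials

    def __init__(self):
        self.counter = 0
        self.user_of = {}  # session cookie value -> logged-in username or None
        self.csrf_of = {}  # session cookie value -> CSRF token issued with it

    def __call__(self, method, path, cookies, data):
        current = cookies.get(SESSION_COOKIE)
        user = self.user_of.get(current)
        if method == "POST" and path == "/login":
            expected = self.csrf_of.get(current)
            ok = (expected is not None and data.get(CSRF_FIELD) == expected
                  and self.VALID.get(data.get("username")) == data.get("password"))
            if not ok:
                return 422, [], "invalid credentials or CSRF token"
            user = data["username"]
        self.counter += 1                      # every response rotates the session cookie
        fresh, token = f"sess{self.counter}", f"tok{self.counter}"
        self.user_of[fresh], self.csrf_of[fresh] = user, token
        headers = [f"{SESSION_COOKIE}={fresh}; path=/; HttpOnly"]
        if "guest_user_id" not in cookies:     # the two stable cookies only on first visit
            headers += ["guest_user_id=guest42; path=/", "session_id=sid42; path=/"]
        body = f'<meta name="csrf-token" content="{token}">'
        if user:
            body += f'<a href="/users/{user}">profile</a>'
        return 200, headers, body


if __name__ == "__main__":
    site = FakeStargateCommand()
    jar = login(site, "sam", "carter-pw")
    print("after login:", jar)
    page, jar = proxied_request(site, "/profile", jar)
    print("profile page:", page)
    print("refreshed jar:", jar)
```

The merged jar holds values only; the attributes the upstream server sent (path, HttpOnly) are dropped by design, because the client re-issues the cookies on its own domain. When it does so it should set them HttpOnly and Secure itself, so page scripts in the client cannot read the session and it never travels over plain HTTP.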

Is It Secure?

It’s as secure as the normal usage of the Stargate Command platform from a crypto standpoint. While all the cookies are stored on the user’s device, they still pass through my own client. I will run the open-sourced, public version without any modifications. If you don’t trust me or simply want to host it yourself, you are free and encouraged to do so.

Little Demo

This is a small demo of the described process. It also fetches the information of the logged-in user from Stargate Command. We’ll explore that in a later article.

This article is part of a DevBlog where I show my findings and explain the technical implementations of my alternative Stargate Command web client. If you like what I do, leave some claps and follow the publication to stay up to date :)
