From The Mana World

This article is currently only a proposal

The features or design guidelines described in this article are only a proposal made by one or more people. They have not been evaluated or accepted by the core development team yet. Feel free to add your personal opinion about them or make counter-proposals.

People who approve this proposal People who oppose this proposal



Synopsis

This proposal documents a method for external applications to perform tmwserv-related operations and data calls.

After a lengthy review of the web interface code located at the old svn repository, I've come to the conclusion that, while indeed a meritorious task with lots of potential, I am unhappy with the current implementation, as it has several severe limitations. One major limitation is connecting directly to the database located on tmwserv.

  • Uncovered SQL injections in the web interface could render the entire database completely vulnerable to malicious exploitation.
  • The web server will either have to be hosted local to tmwserv or connect directly via an open port to the database server (unlikely in the event of using SQLite).
  • The web interface will need to support multiple types of databases (MySQL, PostgreSQL, SQLite).
  • Web-interface-specific data will eventually clog the tmwserv database, unless it uses a separate database.


Advantages and disadvantages to using XML-RPC

Advantages Disadvantages
  • The ability to keep the web interface on a separate platform.
  • Data being passed via XML-RPC is left in the hands of the core developers, who work mostly on the actual database itself.
  • An additional layer of transparency: significant changes to the database should not affect the web interface or external application as long as the RPC calls are consistent.
  • It will be possible for instantaneous operations to be performed by an external client (for example, a global announce).
  • ACLs and logging on the XML-RPC server will increase security (and, even better, firewall rules).
  • XML-RPC calls can be disabled individually in the event of a security issue or abuse.
  • Will allow seamless integration with many current as well as new features (Blue112's Auction bay) via procedure calls.
  • RFC

Proposed RPC Methods

Each method is listed with its description, input parameters and output parameters.

account.authenticate: Provides a mechanism to authenticate a user. Returns true if successful.
  • Input: Username (string), Password (string)
  • Output: Boolean

account.character.list: Provides a list of characters associated with an account.
  • Input: Username (string)
  • Output: array (Char1(string), Char2(string), Char3(string) ...)

account.character.owner: Returns the username of the account owning the character.
  • Input: Character (string)
  • Output: Username (string)

account.character.stats: Returns an array of stats for the specified character.
  • Input: Character (string)
  • Output: array (str(string), agi(string), dex(string) ...)

account.character.level: Returns the character's level.
  • Input: Character (string)
  • Output: Level (int)

account.character.gc: Returns the character's gold coins.
  • Input: Character (string)
  • Output: GC (int)

account.character.gender: Returns the character's gender.
  • Input: Character (string)
  • Output: boolean

account.character.skilllevel: Returns the character's basic skill level.
  • Input: Character (string)
  • Output: skilllevel (int)

server.statistics.online: Returns the number of players online.
  • Input: null
  • Output: online (int)

server.statistics.maxonline: Returns the maximum number of players that were online.
  • Input: null
  • Output: maxonline (int)

Other uses

Account creation can be performed either on the website or via the client, with data being passed via XML-RPC. One particularly useful area is the email confirmation link. For example, if the player registers an account via the client, the server generates a confirmation hash, stores it in the database and sends an email with a URL, containing the confirmation hash, that points to the website. The website then takes the hash and passes it via XML-RPC. The server then validates the hash; if it is correct, the server activates the account and returns true, otherwise it returns false.

account.activate: Activates the account based on the confirmation hash. Returns true if successful.
  • Input: Confirmation Hash (string)
  • Output: Boolean
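
The confirmation flow described above, as an added example in Python (not tmwserv code and not part of the original proposal): the server side issues the hash and exposes only account.activate, and the website side calls it over XML-RPC marshalling without touching the database. The table layout, the names register and website_call, and the choice to store only a SHA-256 digest of the emailed value are assumptions made for this sketch.

```python
import hashlib
import secrets
import sqlite3
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

# Constructed in-memory schema (assumption): the real tmwserv tables are not on the page.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE accounts ("
           "username TEXT PRIMARY KEY, active INTEGER, confirm_digest TEXT)")

def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def register(username):
    """Game-server side: create an inactive account, return the value to e-mail."""
    token = secrets.token_urlsafe(32)  # unguessable and safe to embed in a URL
    # Only the digest is stored, so a database leak does not yield usable links.
    db.execute("INSERT INTO accounts VALUES (?, 0, ?)", (username, _digest(token)))
    return token

def account_activate(confirmation_hash):
    """account.activate: True if the hash matches a pending account, else False."""
    if not isinstance(confirmation_hash, str) or not confirmation_hash:
        return False
    # Parameterized statement; clearing the digest makes each link single-use.
    cur = db.execute(
        "UPDATE accounts SET active = 1, confirm_digest = NULL "
        "WHERE active = 0 AND confirm_digest = ?", (_digest(confirmation_hash),))
    return cur.rowcount == 1

# Only registered methods are callable; leaving one out is how a call is disabled.
dispatcher = SimpleXMLRPCDispatcher()
dispatcher.register_function(account_activate, "account.activate")

def website_call(method, *params):
    """Website side: marshal the XML-RPC request and decode the reply (no socket)."""
    request = xmlrpc.client.dumps(params, methodname=method)
    reply = dispatcher._marshaled_dispatch(request.encode("utf-8"))
    (result,), _ = xmlrpc.client.loads(reply)  # raises Fault for unknown methods
    return result

if __name__ == "__main__":
    emailed = register("constructed_player")  # constructed sample account
    print(website_call("account.activate", "' OR '1'='1"))  # False
    print(website_call("account.activate", emailed))        # True
    print(website_call("account.activate", emailed))        # False (already used)
```
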

Implementation

I will leave these details to the developers.
