Get Steam ID of player

[Jaede 5]

Does anyone know if it is possible to find a player in the database by their Steam ID, or if not perhaps a way to get the Steam ID of a specific player?

[Audrel 2,223]

Why would you need this info? If a player is causing you problems on your server, their IP should be in the database in their character info. Just IP ban them. If it's not a case where you want them off your server, just ask them. It's more polite than slinking in the shadows snooping out information.

[Jaede 5]

I'm looking to implement a Steam oAuth login for our server's website, that is connected to their in-game character.

[Nappy 1,369]

It would also be useful to be able to ban based on steamid as well. IP and char name bans are easy to get around. If someone causes problems on your server then being able to ban by steamid would be very useful I suspect.

[Audrel 2,223]

4 hours ago, Jaede said:

I'm looking to implement a Steam oAuth login for our server's website, that is connected to their in-game character.

 

Ah, there is an API. I dunno anything about. https://steamcommunity.com/dev and here http://steamcommunity.com/dev/apikey

 

This is how they do it on EVE Online I believe. They use keys instead of your ID. Search for SteamID API. There's more documentation than that but it's all really Greek to me since I don't code anything (even websites ).

 

Edited December 18, 2015 by Audrel

[Jaede 5]

Yeah, that is the Steam API which I can use to let a user log in with their Steam account. That's the easy part, I've done it before and it's not much work to implement.

 

However, what I want to know is, once I have the Steam ID of a logged-in Steam user, is it possible to get the player account(s) from the Wurm Unlimited database that belong to that particular user?

Edited December 19, 2015 by Jaede

[Sklo:D 2,210]

You can do that via the password hash.

[Jaede 5]

31 minutes ago, Sklo:D said:

You can do that via the password hash.

 

How is the password hash related to the Steam profile though? As far as I can tell from some tests on my dev server, it's not the Steam ID or any hash of it.

[bigsteve 378]

Its a combination of steamID and character name i believe...

[Jaede 5]

1 hour ago, bigsteve said:

Its a combination of steamID and character name i believe...

 

I tried some combinations but no luck.

 

Is there anyone who knows a bit better how it works (what hashing algorithm, salt, etc), or who could check out the code to figure it out? I don't have the Java skills to do this myself, I wouldn't even know where to start nor do I have the time to learn a whole new environment just for this unfortunately.

[Ahava 3]

First the username gets hashed with SHA-1 then encoded with Base-64.

 

In case of my Username the String would be like this:
Ahava = Hash with SHA-1 + base64 = MjExMTU0OTVjODcxZjJjYWNkYTMwZDgzYmJlZjlhNTg3ZjBhMWJjNg==

 

The Users Steam ID is set infront of the Base-64 String like this: 76561198009798814MjExMTU0OTVjODcxZjJjYWNkYTMwZDgzYmJlZjlhNTg3ZjBhMWJjNg==

 

Both are then hashed again while the bytes from the string are used as salt. They get hashed with the PBKDF2WithHmacSHA1 algorithm, 1000 iterations and 192 length.

 

I tried to recreate it in php but sadly php doesn't support PBKDF2WithHmacSHA1. Now I'm trying to make a mod which puts the SteamID directly in the database.

[Jaede 5]

Thanks for the reply @Ahava! I'm working in Node.js, which has a pretty good crypto module built-in that I'm using.

 

I got the first half of your instructions, my code now gives me the steamID + base64String thingy correctly, but then it goes wrong. I use crypto.pbkdf2 which according to the documentation  "applies HMAC digest function SHA1" which sounds a lot like your "PBKDF2WithHmacSHA1" (I don't know much about all these various algorithms though so I may be wrong). But I'm still a bit confused about the rest, like what data exactly do I need to use for the salt? Also, a length of 192 as you say gives me a very long string while the password string in my database is only 48 chars long. Could you perhaps give some more details on the steps to get to that password?

 

If it helps, this is what I've got now: https://gist.github.com/woubuc/cfb19cc6902bb2f91985

[Ricowan 199]

The whole idea behind hashes is that they cannot be reversed.  You cannot start with a hash and end up with the strings used to create them.

 

You *can* use the same hash functions to compare an existing hash with the hash you create from that function.  This is how password hashing works.  You don't decode a hash and compare it to the password, you hash the password and then compare it to the stored hash.

 

 

Edited December 22, 2015 by Ricowan

[Ahava 3]

As far as I know you can't really recreate the hashing function from java because it works on a bytecode level. As a workaround I've made a small java program which gets called via the php exec() function to generate the correct hashes. Maybe node.js has a similar function.

[Jaede 5]

9 hours ago, Ricowan said:

You cannot start with a hash and end up with the strings used to create them.

That's not what we're trying to do. We were talking about how to recreate the hashing process of WU, in order to end up with a password hash that matches the one in the database.

 

 

7 hours ago, Ahava said:

As far as I know you can't really recreate the hashing function from java because it works on a bytecode level. As a workaround I've made a small java program which gets called via the php exec() function to generate the correct hashes. Maybe node.js has a similar function.

I think Node should be able to recreate the algorithm using Buffers instead of strings, but I don't have enough experience with those (and no experience whatsoever with Java) so I probably won't be able to properly implement it.

 

Node has an exec function as well, could you maybe share your Java program, so I can implement it in my app? It would help me immensely.  

And if you don't mind, sharing the code on Github or something would also be very interesting so I could look it over some time and see if I can implement it with Node directly. I don't know Java development and I don't have a Java development environment set up but I should be able to understand Java code.

[Dzhalagash 7]

On 12/18/2015 at 3:28 PM, Audrel said:

Why would you need this info? If a player is causing you problems on your server, their IP should be in the database in their character info. Just IP ban them. If it's not a case where you want them off your server, just ask them. It's more polite than slinking in the shadows snooping out information.

Ban the IP?
What year is this? 
You can't ban a player by banning his IP. Most of IPv4 are dynamic.

[Audrel 2,223]

40 minutes ago, Dzhalagash said:

Ban the IP?
What year is this? 
You can't ban a player by banning his IP. Most of IPv4 are dynamic.

 

You have better advice for a Wurm server run from someone's PC? A server that has no console to speak of and a server that doesn't provide any access to player data - unless you dig into the database where you get an IP? Even the client using the GM commands offers only an IP ban or character name ban. It doesn't matter what year it is or if the IP is dynamic or not. That's the info the game server, database, and client give you. That's what you have to work with. 

Edited December 23, 2015 by Audrel

[Ahava 3]

7 hours ago, Jaede said:

And if you don't mind, sharing the code on Github or something would also be very interesting so I could look it over some time and see if I can implement it with Node directly. I don't know Java development and I don't have a Java development environment set up but I should be able to understand Java code.

I'm not sure if I'm allowed to share it. I'm using some of Wurm's decompiled code with it so it's not totally my own work. But if you want to, you can add me on steam and maybe I can help you a bit. My steam profile is: http://steamcommunity.com/profiles/76561198009798814/

[Ricowan 199]

11 hours ago, Jaede said:

That's not what we're trying to do. We were talking about how to recreate the hashing process of WU, in order to end up with a password hash that matches the one in the database.

Oh!  I completely misunderstood the original post.  You already have all of your player's SteamIDs and you're trying to match them up with the in-game characters.  Sorry about that.

 

[Jaede 5]

4 hours ago, Ahava said:

I'm not sure if I'm allowed to share it. I'm using some of Wurm's decompiled code with it so it's not totally my own work. But if you want to, you can add me on steam and maybe I can help you a bit. My steam profile is: http://steamcommunity.com/profiles/76561198009798814/

I added you on Steam

[ago 470]

19 hours ago, Audrel said:

You have better advice for a Wurm server run from someone's PC? A server that has no console to speak of and a server that doesn't provide any access to player data - unless you dig into the database where you get an IP? Even the client using the GM commands offers only an IP ban or character name ban. It doesn't matter what year it is or if the IP is dynamic or not. That's the info the game server, database, and client give you. That's what you have to work with. 

Banning a player by name is much better than banning the player by IP.

With dynamic IPs most of the offenders get a new IP after resetting the router and are back in business. And those behind a NAT (mobile connections are very often using private addresses and connect though a NAT proxy) will get a whole subnet blocked.

 

Getting the steamid from a connected player should not be too difficult and adding a ban by steamid feature neither. This way you could actually ban individual players with precision. They can still get a new steamid but they'd have to spend the money for the game again.

[Parsiuk 38]

Bit late to the party: so if I understand all that correctly, in Wurm Unlimited database we have only hash based off the SteamID, and we can't retrieve original SteamID. Where we can open a "feature request" with Devs to have that added to database? Or is there a mod which does that? Even displaying SteamID in logs would be good enough for me.

 

Reason behind it is that I want to give rewards based on votes on third party website. That website offers API so I can check which steam ID voted on my server. Player name is not good enough, I need to know steam name or steamID. Is there a mod which could help here?

 

I was considering setting up a website where player can login using Steam OAuth and associate player name with their steam account, but that's another complication which I want to avoid. Giving rewards based on player name is not an option: with Steam launcher you can create huge number of alts. Rewards by IP make even less sense.

[Nappy 1,369]

There is a way to obtain steamid.

 

Desolation is using a whitelist option for people to play on the server (you can experience this on first login because you pick kingdom and gender then get disconnected automatically, when you reconnect to the server you are automatically whitelisted to be allow on the server).

 

This means that in addition to the usual:

 

1) Ban by playername - not much of a threat on fast skillgain servers were people can build new accounts quickly

2) Ban by IP - use a VPN client to get around it easily

 

We can also:

 

1) Blacklist - prevent someone from being allowed to play at all

2) Whitelist - allow only people who have been approved to play

3) Run a variable system where we trust people on first connection - allowing them to be automatically whitelisted - however we can also prevent a second, third etc char and of course we can always go to option 2 if required for server stability

[Eject 407]

On 8.11.2016 at 3:59 PM, Nappy said:

There is a way to obtain steamid.

 

Can you link me to the mod`^^

 

Eject

[Army 1,102]

13 minutes ago, Eject said:

Can you link me to the mod`^^

The specific mod Nappy mentioned there isn't public, and won't be shared for now since it's still part of the Desolation Anti Cheat system.

It's not really hard to obtain the ID, so maybe another public mod contains this feature already. Otherwise it should be easy to do this yourself too.