Yepoleb: Crap, they changed the way authentication works and it only allows registered URLs now. As we have no way to register our own clients, this makes everything a lot more complicated. I'll try to figure something out as soon as possible.
Seems like it. I tried the projects I have that use authentication and they have the same result.

You know, there was a serious security problem with the way it had been working. You could have a website which used auth.gog.com to allow users to log in and they would think it was similar to logging into a site through Steam. In fact, GOG's auth page is completely different. If you log into a site through Steam all you're doing is proving that you are the owner of that Steam account. With auth.gog.com you are actually authorising a token that gives the site near-complete control of your GOG profile - but very few people would expect that behaviour so it would be perfect for scamming. (although to my knowledge nobody has tried this so far).

This risk has been bothering me for a while and I actually decided just a moment ago to come to this very thread to warn about signing into strangers' sites through auth.gog.com and suggest that GOG limit authentication to certain registered domains. It's quite a coincidence to come here just a few hours after jamieadkins95 discovered that they had already done this.

It's a good thing, really, but it also sucks because now we lack 2 important services: a way for our custom tools to access our accounts, and a way for users to verify their accounts to 3rd party sites without handing over the keys in the process.

Well, I guess it's time to go back to trying to reverse-engineer Galaxy to see how it's done there.
Yepoleb: Crap, they changed the way authentication works and it only allows registered URLs now.
It's not the only thing they changed in order to ramp up security.

I'm having trouble with calling the products APIs, as it seems they've added a throttling filter that automatically bans your IP if you reach a certain risk criteria (I'm using this fancy placeholder as I haven't been able to figure out if it's based only on the number of requests per time limit or other factors as well, when it triggers, how long the ban lasts etc).

I'm still trying to figure out the best way to circumvent it without having to wait half a year to map the entire id range.
Barefoot_Monkey: Seems like it. I tried the projects I have that use authentication and they have the same result.

You know, there was a serious security problem with the way it had been working. You could have a website which used auth.gog.com to allow users to log in and they would think it was similar to logging into a site through Steam. In fact, GOG's auth page is completely different. If you log into a site through Steam all you're doing is proving that you are the owner of that Steam account. With auth.gog.com you are actually authorising a token that gives the site near-complete control of your GOG profile - but very few people would expect that behaviour so it would be perfect for scamming. (although to my knowledge nobody has tried this so far).

This risk has been bothering me for a while and I actually decided just a moment ago to come to this very thread to warn about signing into strangers' sites through auth.gog.com and suggest that GOG limit authentication to certain registered domains. It's quite a coincidence to come here just a few hours after jamieadkins95 discovered that they had already done this.

It's a good thing, really, but it also sucks because now we lack 2 important services: a way for our custom tools to access our accounts, and a way for users to verify their accounts to 3rd party sites without handing over the keys in the process.
I know, the previous implementation was insecure and violated the OAuth2 standard. I'm glad they fixed it, but it sucks that there's no secure alternative.

Barefoot_Monkey: Well, I guess it's time to go back to trying to reverse-engineer Galaxy to see how it's done there.
There's no need to, I've been there already. The Galaxy client redirects to a gog.com URL, which is trusted by the login site. Native code has to get the token from the internal browser.

WinterSnowfall: It's not the only thing they changed in order to ramp up security.

I'm having trouble with calling the products APIs, as it seems they've added a throttling filter that automatically bans your IP if you reach a certain risk criteria (I'm using this fancy placeholder as I haven't been able to figure out if it's based only on the number of requests per time limit or other factors as well, when it triggers, how long the ban lasts etc).

I'm still trying to figure out the best way to circumvent it without having to wait half a year to map the entire id range.
I'm requesting each product individually and haven't noticed a problem. The download time is not that bad if you cache them for a day. Maybe I or someone else can create daily dumps and upload them somewhere.
I figured out a workaround until we find something better. The on_login_success page does not automatically redirect, so you can have the user manually copy the login code. Open https://auth.gog.com/auth?client_id=46899977096215655&redirect_uri=https%3A%2F%2Fembed.gog.com%2Fon_login_success%3Forigin%3Dclient&response_type=code&layout=client2 and after the redirect there should be a &code= parameter in the url. This is the code to use for a token request. I have an ugly but functioning implementation at https://github.com/Yepoleb/pygogapi/blob/master/gogapi.py#L508
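
Added example, not part of the original posts and not GOG's or pygogapi's code: a sketch of the registered-redirect check discussed above as an authorization server would apply it, plus extraction of the code from the URL the user copies in the manual workaround. The registry contents and the function names are assumptions for illustration; only the client id and URLs come from the post.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: illustrative registry. The client id and redirect URI are the
# ones quoted in the post; how GOG actually stores registrations is unknown.
REGISTERED_REDIRECTS = {
    "46899977096215655": {"https://embed.gog.com/on_login_success?origin=client"},
}

def check_auth_request(auth_url):
    """Server side: accept only a redirect_uri registered for the client."""
    query = parse_qs(urlsplit(auth_url).query)
    redirects = query.get("redirect_uri", [])
    if len(redirects) != 1:
        return False, "redirect_uri missing or repeated"
    if query.get("response_type") != ["code"]:
        return False, "unsupported response_type"
    allowed = REGISTERED_REDIRECTS.get(query.get("client_id", [""])[0])
    if allowed is None:
        return False, "unknown client_id"
    # Exact string comparison: no prefix, host-only or wildcard matching,
    # so a look-alike host or a third-party site is rejected.
    if redirects[0] not in allowed:
        return False, "redirect_uri not registered for this client"
    return True, "ok"

def extract_code(pasted_url):
    """Client side: pull the login code out of the URL the user copies
    from the browser after the redirect to on_login_success."""
    parts = urlsplit(pasted_url)
    if parts.scheme != "https" or parts.hostname != "embed.gog.com":
        raise ValueError("not the expected on_login_success page")
    codes = parse_qs(parts.query).get("code", [])
    if len(codes) != 1:
        raise ValueError("no single code parameter in URL")
    return codes[0]

# The URL from the post, plus two constructed variants with redirect targets
# that are not registered (hosts under .example are placeholders).
GOOD = ("https://auth.gog.com/auth?client_id=46899977096215655"
        "&redirect_uri=https%3A%2F%2Fembed.gog.com%2Fon_login_success%3Forigin%3Dclient"
        "&response_type=code&layout=client2")
THIRD_PARTY = GOOD.replace("embed.gog.com", "tools.example")
LOOKALIKE = GOOD.replace("embed.gog.com", "embed.gog.com.example")
```
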
Yepoleb: I'm requesting each product individually and haven't noticed a problem. The download time is not that bad if you cache them for a day. Maybe I or someone else can create daily dumps and upload them somewhere.
I'm not doing what you think I'm doing :).

My goal is to query each product id in batches of 50, up from 0 to (probably) 2.5 billion, to see which of them are mapped to a product, which are not and how the mappings are distributed across the entire used id range. More info here.

The amount of traffic I'm producing by querying the APIs most likely exceeds average usage. This wasn't a problem until a few days ago when I noticed all the queries I was submitting returned HTTP 400, whereas if I tried them from another location everything was still working as expected.

The new reality is that the GOGBear throttles us all!
Post edited February 11, 2017 by WinterSnowfall
WinterSnowfall: The new reality is that the GOGBear throttles us all!
We need to stop him! He can't go around oppressing innocent developers all over the world. Grab your digital pitchforks and start going into the streets! Follow the lead of our savior WinterSnowfall!

To be fair, I don't think throttling after so many requests is unreasonable. You're probably causing more load than all the other users together.

Edit: Actually, let's not go into the streets. Leaving the house is not something a programmer should do, as he becomes very vulnerable against social interaction. We can protest from our rooms.
Post edited February 11, 2017 by Yepoleb
Yepoleb: You're probably causing more load than all the other users together.
No, not really, not unless there are only a few people using Galaxy concurrently. I've actually limited the number of queries I'm firing out per second to about 30 (each on a batch of 50 ids), just so I don't generate too much load. I'm also reusing the same HTTP connections, not to put too much pressure on the back-end servers and load balancers (assuming there are any).

Now if GOG's servers can't handle 30 requests per second on top of the regular traffic they're getting, maybe they need to think about an upgrade instead of bringing out the throttling GOGBear :).
Post edited February 11, 2017 by WinterSnowfall
Here's some urls that might be of interest to you

https://content-system.gog.com/open_link?generation=1&path={path_here}
example: https://content-system.gog.com/open_link?generation=1&path=redists/DOSBox072/52837940

https://content-system.gog.com/dependencies/repository?generation=2
https://content-system.gog.com/products/{product_id_here}/secure_link?generation=2&path=/&_version=2
https://content-system.gog.com/products/{product_id_here}/secure_link?generation=2&path=/

https://cdn.gog.com/content-system/v2/dependencies/meta/{hash_here}
https://cdn.gog.com/content-system/v2/store/{product_id_here}?{token_here}
https://cdn-api.gog.com/content-system/v2/store/{product_id_here}/?_token={token_here}

If anyone wants to easily figure out more Galaxy API urls then you can use mitmproxy to see the requests and responses

Install mitmproxy
Run mitmproxy (mitmweb -b 127.0.0.1)
On first run mitmproxy will create certificate files to %USERPROFILE%\.mitmproxy
Replace "C:\ProgramData\GOG.com\Galaxy\redists\rootCA.pem" with "%USERPROFILE%\.mitmproxy\mitmproxy-ca-cert.pem" (make a backup copy of the root certificate bundle before replacing it)
Make all traffic to go through mitmproxy (I used Proxifier to do this)
Run Galaxy and look for interesting requests/responses on http://localhost:8081/
Absolutely amazing! Thanks. Have been thinking about researching this for a long, long time... especially since gog galaxy is *still* very incomplete (almost zero progress since v1.0) & a big fat memory hog.

Has anyone any better ideas about how to query for installed gog games & associated information ?

The best way i came up with was querying the Registry : 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\'

That gets me :
- id (the one used in https://embed.gog.com/user/data/games)
- iconPath
- name
- path
- startmenu folder name (parsing that gets relevant executables (play, setup, manual, ...))
- version
- size
- installDate

However it does yield false positives like a game itself plus its deluxe edition upgrade, which might be reconciled by merging items with the same install path... but i guess now i could query api.gog.com & lookup the game_type! thx :-)

(although there is obviously zero interest in it, i am currently expanding my Gog-&SteamShortcutManagementScripts & contemplating a custom game launcher)
Post edited February 18, 2017 by bernstein82
bernstein82: Has anyone any better ideas about how to query for installed gog games & associated information ?

The best way i came up with was querying the Registry : 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\'
There should be a subkey for each (manually installed?) game in "HKLM\SOFTWARE\GOG.com\Games\". Can't verify that though atm, as I'm just looking at the innosetup script and don't have time to boot up Windows. Are you just interested in the manually installed games or all?
Yepoleb: There should be a subkey for each (manually installed?) game in "HKLM\SOFTWARE\GOG.com\Games\".
I can confirm that they exist for games installed by galaxy as well. thx!
Yepoleb: Are you just interested in the manually installed games or all?
Since i've switched all my gog games from manual installation to galaxy managed, primarily those installed by the client, but ideally both... (reinstalling hundreds of games manually after a windows reinstall is a no-go. galaxy makes it painless)

atm i'm just trying to better manage the mess gog makes in my startmenu (creating almost 400 folders in my root startmenu folder... *jeez*), i am however contemplating to build a minimal cross-store game launcher (a more flexible way of what i currently do with powershell & fences) and a tiny background autoupdate/download service
Post edited February 20, 2017 by bernstein82
I didn't know about this thread. Good to see some work was already done for it. GOG failed to keep their promise of releasing official Galaxy API documentation, so what's left is only reverse engineering.
shmerl: [...] GOG failed to keep their promise [...]
Do you have a link to this 'promise' you keep speaking of? Just curious.
shmerl: [...] GOG failed to keep their promise [...]
HunchBluntley: Do you have a link to this 'promise' you keep speaking of? Just curious.
I have to dig it up. Look for one of the community Q&A videos. The old GOG post video was down the last time I looked it up, but I think it might be still available on Twitch.

UPDATE: This is the one: https://www.twitch.tv/videos/45398732?t=49m48s
Post edited June 07, 2017 by shmerl
shmerl: UPDATE: This is the one: https://www.twitch.tv/videos/45398732?t=49m48s
Well, what he actually said is that they would *LIKE* to get the APIs documented someday™. Probably just as much as I'd like to be able to play all the games I bought someday (which is probably not going to happen unless I get some extra lives).