Sharing api.

MinekPo1

MinekPo1

Modder
Registered
#1
#1
Hello yall. I spent the past two days figuring out how the sharing api works, so thought I'd share it.

Note that my knowledge is mostly educated guesswork based on the de-compiled game code.

1. Authentication

The game takes a platform_id also referred to as a platform_token by the code to request a sharing_id and login_token pair from the server. The platform_id seems to be a 128b spooky hash (Wikipedia) of a random lowercase 16B alfa-numeric string. The login_token seems to be considered public. The code also uses a specific user agent: s&1FS&xdkf2r5k9p2zU!PDYXW$bqae, however I have not checked if the server requires it. The login_token is attached in the Login-token header in each authorized request.

2. API Routes

The API routes used in the code are:

  • POST: /api/users/create
    Not authenticated. Takes one parameter, platform_id.
    Returns a json object with two keys user_id (sharing_id) and login_token
  • GET: /api/users/rockets/<user_id>?page=<page_num>
    Authenticated.
    Returns a json object containing a list of rocket items (see below) under rockets and the number of pages under pages
    204 indicates no rockets being posted by the user (or empty page?)
  • GET: /api/rockets/get/<sort_mode>?page=<page_num>&category=<category>
    Authenticated. Note that category is a integer.
    Same as /api/users/rockets
  • GET: /api/rockets/<rocket_id>
    Authenticated.
    Returns a json object representing a rocket. It has the folowing fields:
    • name: string
    • description: string
    • category: list of ints
    • data a base64 encoded compressed (gzip) json blueprint
    • version string
    • views int
    • downloads int
    • rocket_id string
    • owner_id string
    • public bool
    • uploaded_utc date at which the rocket was uploaded, as a int
    • vote_status int
    • votes two long list of ints
  • GET /api/rockets/search?query=<query>&page=<page>
    Authenticated.
    query seems to be an arbitrary string, page is a int
    Return value the same as /api/user/rockets
  • POST /api/rockets/upload
    Authenticated.
    Parameters:
    • name string
    • desc string
    • category list of ints
    • rocket_data a base64 encoded compresed (gzip) json blueprint
    • public bool
    • version string
  • POST /api/rockets/linked-upload
    Authenticated.
    Parameters:
    • rocket_data a base64 encoded compresed (gzip) json blueprint
    • version string
    • preview_url string. The game passes in a empty string
  • POST /api/rockets/edit
    Authenticated.
    Parameters:
    • rocket_id string
    • desc string
    • category list of ints
    • public bool
  • POST /api/rockets/delete
    Authenticated.
    Parameters:
    • rocket_id string
  • POST /api/rockets/vote
    Authenticated.
    Parameters:
    • rocket_id string
    • vote int.
  • GET /api/users/mod-check
    Authenticated.
    Returns a json object with the key is_admin storing a bool with the result of the query.

I would like to thank N2O4 for setting me on the right path, as I originally was trying to sniff packets, which, in hindsight is so dumb, but whatever.

If you would like to play around with these api routes, I made a mod providing console commands to send them using the same functions the game uses: download, source
 
nim

nim

Modder
Man on the Moon
Registered
#3
#3
Wow! I was looking through this a few months ago, I could not figure it out. Thanks.
 
Altaïr

Altaïr

Space Stig, Master of gravity
Staff member
Head Moderator
Team Kolibri
Modder
TEAM HAWK
Atlas
Deja Vu
Under Pressure
Forum Legend
#4
#4
Wow, nice work, I don't know how I missed this. I gave you the modder role, you now have full control over your thread (if you want to update it and so on).
 
pixelgaming579

pixelgaming579

Modder
Registered
#7
#7
FYI: A majority of these API routes are for an (as of now) unreleased version of the sharing system that afaik doesn't work, so only 2 of these routes actually do something right now: POST /api/rockets/linked-upload for upload and GET /api/rocket/{rocket_id} for download (seems like you forgot to add that second one).
 
T

tpglitch

Registered
#14
#14
MinekPo1 said:
Hello yall. I spent the past two days figuring out how the sharing api works, so thought I'd share it.

Note that my knowledge is mostly educated guesswork based on the de-compiled game code.

1. Authentication

The game takes a platform_id also referred to as a platform_token by the code to request a sharing_id and login_token pair from the server. The platform_id seems to be a 128b spooky hash (Wikipedia) of a random lowercase 16B alfa-numeric string. The login_token seems to be considered public. The code also uses a specific user agent: s&1FS&xdkf2r5k9p2zU!PDYXW$bqae, however I have not checked if the server requires it. The login_token is attached in the Login-token header in each authorized request.

2. API Routes

The API routes used in the code are:

  • POST: /api/users/create
    Not authenticated. Takes one parameter, platform_id.
    Returns a json object with two keys user_id (sharing_id) and login_token
  • GET: /api/users/rockets/<user_id>?page=<page_num>
    Authenticated.
    Returns a json object containing a list of rocket items (see below) under rockets and the number of pages under pages
    204 indicates no rockets being posted by the user (or empty page?)
  • GET: /api/rockets/get/<sort_mode>?page=<page_num>&category=<category>
    Authenticated. Note that category is a integer.
    Same as /api/users/rockets
  • GET: /api/rockets/<rocket_id>
    Authenticated.
    Returns a json object representing a rocket. It has the folowing fields:
    • name: string
    • description: string
    • category: list of ints
    • data a base64 encoded compressed (gzip) json blueprint
    • version string
    • views int
    • downloads int
    • rocket_id string
    • owner_id string
    • public bool
    • uploaded_utc date at which the rocket was uploaded, as a int
    • vote_status int
    • votes two long list of ints
  • GET /api/rockets/search?query=<query>&page=<page>
    Authenticated.
    query seems to be an arbitrary string, page is a int
    Return value the same as /api/user/rockets
  • POST /api/rockets/upload
    Authenticated.
    Parameters:
    • name string
    • desc string
    • category list of ints
    • rocket_data a base64 encoded compresed (gzip) json blueprint
    • public bool
    • version string
  • POST /api/rockets/linked-upload
    Authenticated.
    Parameters:
    • rocket_data a base64 encoded compresed (gzip) json blueprint
    • version string
    • preview_url string. The game passes in a empty string
  • POST /api/rockets/edit
    Authenticated.
    Parameters:
    • rocket_id string
    • desc string
    • category list of ints
    • public bool
  • POST /api/rockets/delete
    Authenticated.
    Parameters:
    • rocket_id string
  • POST /api/rockets/vote
    Authenticated.
    Parameters:
    • rocket_id string
    • vote int.
  • GET /api/users/mod-check
    Authenticated.
    Returns a json object with the key is_admin storing a bool with the result of the query.

I would like to thank N2O4 for setting me on the right path, as I originally was trying to sniff packets, which, in hindsight is so dumb, but whatever.

If you would like to play around with these api routes, I made a mod providing console commands to send them using the same functions the game uses: download, source
Click to expand...
How can i manually do authentication so I can get data from a bp in Postman? (e.g. https://sharing.spaceflightsimulator.app/api/rockets/9_ZaN__-Ee6-okV2_UUAwg)
 
You must log in or register to reply here.