Hello, I am a computer science student and I am making a website for my school to be able to have a leaderboard based on each student. The problem is that via the HTB API we are not able to check if the account really belongs to a given student. Is there another solution, for example that the student can authenticate and have a callback of their user name or ID?
Sorry in advance if certain sentences are poorly formulated, I am French.
So what you are trying to do is confirm classmates' account ownership via the HTB API to confirm the legitimate owner of the account? I can advise you straight away that this is not allowed and you will not be able to do this; the HTB API was not designed for this and they do not allow you to query this (non-staff).
This would be an issue which affects CIA - Confidentiality, Integrity & Availability.
An easier way (may be long-winded, however): each student that wishes to be added to the leaderboard can provide their HTB # and you secure that in an encrypted file with associated data. The user will only have an HTB # if they have an account with HTB.
Also why do you need to verify that they are who they say they are? Are people pretending to own accounts they do not?
Exactly, I'm trying to confirm classmates' account ownership to confirm the legitimate owner of the account.
This is exactly what I thought, so it is not possible to do this via the HTB API and I completely understand that (CIA).
I think the HTB # is public information, so anyone can provide another #.
I think I will ask the user to enter a word or phrase which I will then hash and then ask them to put in the description only during authentication to be sure that they are the owner of the account. Then retrieve the hash in the description to see if it corresponds to the word/phrase he entered previously.
Please let me know what you think about this possibility.
I do this because I think it is always possible that a student with bad intentions will try to be posted with someone else’s account.
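The description-based ownership check proposed in the last post, as an added example that is not part of the thread. It goes beyond the post by having the site issue an expiring HMAC token bound to the student and the HTB ID, instead of hashing a phrase the user chooses; `student_id`, `htb_id`, the `lb-verify` marker and the way the profile description text is obtained are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-site secret; a real deployment loads it from persistent config
# so tokens stay valid across restarts.
SERVER_KEY = secrets.token_bytes(32)
TTL_SECONDS = 15 * 60   # window the student has to edit their profile
PREFIX = "lb-verify"    # hypothetical marker so the token is easy to find


def _tag(student_id, htb_id, issued, nonce):
    # Bind the token to this student, this HTB ID and this issue time.
    msg = f"{student_id}|{htb_id}|{issued}|{nonce}".encode()
    # Truncated to 128 bits to keep the profile text short.
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def issue_challenge(student_id, htb_id, now=None):
    """Return the token the student pastes into their HTB profile description."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return f"{PREFIX}:{issued}:{nonce}:{_tag(student_id, htb_id, issued, nonce)}"


def verify_description(description, student_id, htb_id, now=None):
    """True if the description text holds a fresh token issued for this pair.

    `description` is the public profile text of `htb_id`, fetched by the caller.
    """
    now = int(time.time() if now is None else now)
    for word in description.split():
        parts = word.split(":")
        if len(parts) != 4 or parts[0] != PREFIX:
            continue
        _, issued, nonce, tag = parts
        if not (issued.isascii() and issued.isdigit()):
            continue
        if not 0 <= now - int(issued) <= TTL_SECONDS:
            continue  # expired, or timestamp from the future
        expected = _tag(student_id, htb_id, int(issued), nonce)
        # Constant-time comparison on bytes (safe for non-ASCII input).
        if hmac.compare_digest(expected.encode(), tag.encode()):
            return True
    return False
```

Because the token is keyed and bound to both identifiers, copying a token from someone else's public description does not verify for a different student or a different HTB ID, and the token can be removed from the profile once the check has passed.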