As I said, implementing a whole bunch of features and overhauling the framework, so the features offered are clicking together and have a robust concept and ecosystem around them.
Since this is not gonna happen any time soon, as a web game developer, just ask the user for their name for that leaderboard. And if your game is bigger, you would have your own servers that would help with logging in users and no need for an underlying framework that Itch would provide.
I know you said that, I am sorry if my English is not good enough, I am not a native speaker.
My question is: Why do you think the only way to enable this feature is "implementing a whole bunch of features and overhauling the framework, so the features offered are clicking together and have a robust concept and ecosystem around them", instead of one of the solutions suggested by @leafo? Or even adding an Oauth authentication.
Currently, usernames could be acquired by brute-force, or one could also scrape the website searching for public usernames.
Please, help me to understand technically why this is a "security nightmare"?
adding an Oauth authentication
Itch.io has Oauth authentication, it’s just not formatted like other services like google, discord, etc.
Instead of saying something like “login with itch” this is the page:
IE not something I’d ask end users to login with.
Better OAuth would be super nice for web games, but we just need to make sure It’s not super harsh for end users while still telling them what OAuth allows devs to do.
Something designed to only access username/display name & a UID doesn’t need such a harsh screen.
Something like a “connect to itch/login with itch” screen would be great.
Currently, usernames could be acquired by brute-force
Not really. Even if you would manage to scrape all usernames by looking which profiles exist or not, you would not have a connection to which games those users played.
It is not the existence of profiles that is a privacy issue. It is the connection of who plays what (and when). That is information that falls under privacy rules and you need to explicitly allow these things to be shown public. Users need to have control over such things.
So even if developers would use the oauth verification thingy to fetch the usernames from users playing with the Itch app, those devs still would have no right to display those usernames as the content of their games. Be it as a leaderboard or anything else.
English is not my native language either. But if you read closely, leafo did not offer a solution. He talked about a hypothetical future in which such a feature would be implemented. And if they implent such a thing, it would be by "require the user to opt into sharing their information with the game". That opt in would not even be per developer, it would be per game.
That this feature still is not implemented after 5 years tells me, that it is not easy to do and maybe they realized the same as me: this feature alone is not interesting enough to implement it standalone. It would need more features to accompany it.
--
As for the security nightmare, that would be, if the information would be given to the web game just like that. No opt in. Just publich a web game and you can scrape users. Then anyone, even a scammer, could do with those information (who played what and when) whatever he likes. For example trying to see if that account also has a discord by the same name and with the information gained (game preference) to display advertisement, social scam attempts and so on. "I saw you played tank shooter 5000, here try my tank shooter 5500, do not worry that it is a password protected file. I selected you as an exclusive beta tester because you seemed to like my game.".
Just because you do not immediatly see a way to exploit something does not mean, no one can. And scammers try very hard and every day to abuse Itch's services.
