A new major version (and complete rewrite)

[gerwaric]

Since the original release of Acquisition in 2014, there have been significant changes to both Path of Exile such as the OAuth, rate limiting, and the new API, as well as changes to the software Acquisition uses, such as c++17, Qt 6, and Qt Quick 2 with QML.

Now that I've been maintaing acquisition for a while, I think I have a basic handle on most of the codebase, and I think it's time to update acquisition's design based on everything that's changed in the last ten years. Wish me luck.

This new major version:

• It will support nested stash tabs, which means it will support searching unique stash tabs as well as map stash tabs.
• It will be fully based on OAuth, with POESESSID used only for forum shop thread management.
• I'm hoping to reintroduce support for pseudo mods
• I'm hoping to add support for other mods like crucible, that acquisition doesn't know about now
• I'm hoping acquisition will be able to support Path of Exile 2, although I do not have early access.
• I'm hoping to publish a pre-release alpha by the end of the year.

It you're worried about what this means for acquisition:

• Acquisition will stay open-source freeware. This is just a hobby for me. I'm not even a real software developer.
• I'll try to keep addressing bugs in the current version, at least until this new release is close to feature complete.

Should this next version be 1.0 or 2.0?

I don't know, but I think a rewrite is a good time to graduate from the 0.x series.

[came-here-to-learn]

Hello, sounds great!

Question: do you think it is worth to allow POESSID access as well? Probably makes your life harder for some thing.
But isnt that safer? Also allowing for faster updates?

[gerwaric]

That's a good question. I've thought about it a lot. Using the session cookie approach with POESESSID to authentication does have a couple of downsides:

• Authentication Security: Copying a browser's session id into another app is a vulnerability from a security perspective. It exposes the user to session hijacking, which is a well-known problem. My day job relates to cybersecurity, so even though it will be invconvenient, I hope--and expect--that GGG will lock down this method of API access completely at some point.
• Design Complexity: The official developer API can only be accessed via OAuth. There are a couple legacy website endpoints that GGG has allowed third-party programs like acquisition and POB to use, but these endpoints do slightly different things and return slightly different data structures. Being able to handle both complicates acquisition's design, since the two approaches do not translate directly 1:1.
• Maintainability: The legacy website endpoints acquisition uses are undocumented and subject to change without notice; this just happened with the account changes GGG is preparing for Path of Exile 2, and I was scrambling over the weekend to figure out what was happening.

However, the POESESSID approach is still needed to manage forum shop threads, because there is no API for those. Fortunately, that part of the code is completely separate from the part that downloads characters and stash tabs.

The biggest downside to OAuth that I can see is that until I or someone else decides to setup an intermediate authentication server, the OAuth tokens may need to be refreshed quite often compared to POESESSID, which can remain valid for a while. This is because Acquisition is currently a public OAuth client (intended for freeware projects like Acquisition), which GGG has placed some additional security restricitons on.

Some other open source PoE tools have akready moved to using a confidential client with an intermediate authentication server. This is an even more secure approach to OAuth. At some point I may try talking to them because I don't have any experience with servers like this.
I'm also not sure how much it would cost to run that server, and how much work it would take to keep it running.

For all those reasons, I'm inclined to move to OAuth using a public client for inventory management, and keep POESESSID around for forum shop management.

[aiolos01]

I have to admit I still only use POESESSID. There is no advantage (from my point of view) in using OATH. You have to re-authorize acquisition all the time. POESESSID works for a very long time before needing to update it.

I have OATH in Thunderbird. I've set it up once and it just works from then on. I've only had to re-authorize it once on one of my emails. I believe it uses two kinds of tokens with the second kind being used to get a new authorization token when it expires. Or so I've read, I haven't really looked into it.

Npt sure if this is possible with acquisition or if you have the inclination to setup such an elaborate system. You're already doing a lot of work on this. Just offering my point of view.

[gerwaric]

@aiolos01 I've just finished some testing that makes me think you can go indefinitely without re-authenticating--as long as you open up acquisition at least once a week. I'm not 100% certain, but pretty hopeful about it right now.

If that turns out to be the case, then it may also be possible to install a background user task that runs periodically to keep your OAuth token active even when you are not running acquisition.

[gerwaric]

@aiolos01 yes, reauthenticating a bunch is a pain. Acquisition does get a refresh token that should be good for a week according to GGG's docs, but I haven't done anything with it yet. I'll spend some time on this to see what's possible with a public OAuth client.

In the meantime, I'm not going to stop supporting the current version and POESESSID authentication until GGG does something to make it unusable, or we have OAuth working in a way that isn't too annoying.