Updates to my API project chessinsights.xyz, oAuth python script

Hey everyone, just thought I'd give an update to my project chessinsights.xyz if you didn't see my last post it's a website that uses the API to export and visualize all of a players chess.com data.

What I've added:

• Added an "explore" page for full text search and advanced filtering
• Added an "Top openings" chart with interactive links to chess.com wiki pages
• Added a "Result By Opponent Rating" chart
• Added the ability to upload profiles saved via json
• Refactored everything into VueJS and Nuxt

Everything runs on client side javascript but because of the recent API changes I'm not sure how long it will work. I've been working on setting up an oAuth based access and made this python script for anyone having trouble getting a token response.

https://gist.github.com/NotJoeMartinez/7809273edf3edb10093357235d52213b

The project is open source and available on github:
https://github.com/NotJoeMartinez/chess-insights

Some updated images of the site:

i tried it and it's very good! It's basically chess.com insight but free. Just wondering, does the games drawn by has the 50 moves rule? because i dont see it

That's still a work in progress, but it will log the number to the console if you open your dev tools lol.

Very good since i dont have diamond membership . Just one question why do you need a chess.com auth system? is chess.com forcing it for api access or are you just setting it up for yor site.

Also the zoom in and out for "Elo over time" with the scroll wheel is really appreciated!

Screenshots look cool, I'll give this a try!

For the Oauth code, why didn't you consider using a higher library like one of these https://oauth.net/code/python/

cool

I'm not well versed on the OAuth token system but when I looked into it a month or two ago, it seems that you will probably need that if making parallel requests.

I'm guesssing the OP is doing that when pulling down all the data required for their app.?

If everything is on the client side then wouldn't you need to send the OAuth token to the client side as well, so they can run the request?

I am not sure what OAuth token chess.com generates, but if there is no expiration and regeneration for every client or session, and you send it to the client side then that would mean anyone can extract it and use it for any request until it is revoked or expires.

Am I missing something here?

My current understanding of the system is that it allows you to generate OAuth consent URLs for your application, which will prompt the user for resource access. If they agree, it will redirect them back to a specified endpoint on your application with an access token in the URL, which you can use to bypass rate limiting.

The decrypted token looks like this:
```json
{
"id_token": "<id_token>",
"token_type": "Bearer",
"expires_in": 86400,
"access_token": "<access_token>",
"refresh_token": "<refresh_token>"
}
```

So yes, the client will have access to the token, but it is only their token.

This process still exposes the applications client ID, which would allow someone to generate their own OAuth consent URLs, but their requests would be limited to whatever account they authorized.

• OAuth documentation

I'm not making parallel requests. But if they plan to enforce the user-agent rule stated in their API update post I won't be able to adapt the client side requests due to `user-agent` being a forbidden header name on browsers. I've yet to get a 403 while testing and a bunch of other projects that make client side requests are still working. So maybe the browser user-agents/refer headers are sufficient?