Cannot make calls to steam api site from my own site (Security Issue)

Question

I'm trying to create a web application that utilizes steam web apis, and overall I'm basically very confused as to how start this application.This question basically outlines my problem, and I don't know how exactly to create endpoints and solve this problem.

Currently I have Apache Tomcat for my web server, and I'm writing all the html/css/javascript code in Notepad++. I don't want to use jQuery, because I don't know if I need to. Now all I want to do is just grab data from steam's apis.

For example, using this api:

http://api.steampowered.com/ISteamUser/GetFriendList/v0001/?key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&steamid=76561197960435530&relationship=friend

I just want to grab a user's friend list. The problem is, as in the question I linked above, I can't make calls to steam apis from my own site, and I don't know how to create an endpoint on my server and fix this problem.

Any help is greatly appreciated. I'm new to all of this, and it'd definitely confusing as hell.

Answer 1

As far as I'm aware for Steam's public APIs they shouldn't need a proxy as the above answer suggests, to do AJAX requests (which is what I assume you are doing), since they surely must implement CORS. Besides this is merely a browser restriction and shouldn't affect anything server side.

The restriction Dustin is trying to explain how to get around is to do with making an AJAX request to a site on a domain different to the one you are requesting that doesn't allow CORS (Cross Origin Resource Sharing). Hence a website would send the data to a proxy server set up to make the request on its behalf and return the data.

Can you elaborate what sort of errors you are getting when trying to make a request?

I'm assuming you are using the APIs found here, https://developer.valvesoftware.com/wiki/Steam_Web_API#GetPlayerSummaries_.28v0001.29

In which case I have to ask, if you see where all the Xs are, these are place holders in that URI. Instead of the Xs you should have a Steam Web API key which you can sign up for from here:

https://steamcommunity.com/dev/apikey

I'm not sure the domain name is that important when signing up since I've repurposed keys before.

Note that Valve's public APIs are quite limited and a number of the libraries floating around on the web don't use them, but instead have either reverse engineered Valve's Oauth login code for their main site to use privately, undocumented web APIs, or they have reverse engineered the desktop client itself somehow.

Answer 2

You can proxy the requests from your server to the steam site using mod_proxy. First need to enable rewrite and mod proxy in Apache

a2enmod rewrite
a2enmod proxy
apache2ctl reload

Let's assume your site is www.example.com and the web root is /var/www on your server. Create a directory /var/www/steamapi. In this directory create a file named .htaccess with the following

RewriteEngine On
RewriteRule ^(.*)$ http://api.steampowered.com/$1 [P]

The [P] tells Apache to proxy the request. Now instead of making request to api.steampower.com use absolute url below in your XHR/AJAX url parameter

/steamapi/ISteamUser/GetFriendList/v0001/?key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&steamid=76561197960435530&relationship=friend

Apache will rewrite the request to the URI below and proxy the results back to you. Your browser won't complain because you are making a request to the same domain.

http://api.steampowered.com/ISteamUser/GetFriendList/v0001/?key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&steamid=76561197960435530&relationship=friend