Seems like it. I tried the projects I have that use authentication and they have the same result.

You know, there was a serious security problem with the way it had been working. You could have a website which used auth.gog.com to allow users to log in and they would think it was similar to logging into a site through Steam. In fact, GOG's auth page is completely different. If you log into a site through Steam all you're doing is proving that you are the owner of that Steam account. With auth.gog.com you are actually authorising a token that gives the site near-complete control of your GOG profile - but very few people would expect that behaviour so it would be perfect for scamming. (although to my knowledge nobody has tried this so far).

This risk has been bothering me for a while and I actually decided just a moment ago to come to this very thread to warn about signing into strangers' sites through auth.gog.com and suggest that GOG limit authentication to certain registered domains. It's quite a coincidence to come here just a few hours after jamieadkins95 discovered that that had already done this.

It's a good thing, really, but it also sucks because now we lack 2 important services: a way for our custom tools to access our accounts, and a way for users to verify their accounts to 3rd party sites without handing over the keys in the process.

Well, I guess it's time to go back to trying to reverse-engineer Galaxy to see how it's done there.

It's not the only thing they changed in order to ramp up security.

I'm having trouble with calling the products APIs, as it seems they've added a throttling filter that automatically bans your IP if you reach a certain risk criteria (I'm using this fancy placeholder as I haven't been able to figure out if it's based only on the number of requests per time limit or other factors as well, when it triggers, how long the ban lasts etc).

I'm still trying to figure out the best way to circumvent it without having to wait half a year to map the entire id range.

I know, the previous implementation was insecure and violated the OAuth2 standard. I'm glad they fixed it, but suck that there's no secure alternative.

There's no need to, I've been there already. The Galaxy client redirects to a gog.com URL, which is trusted by the login site. Native code has to get the token from the internal browser.

I'm requesting each product individually and haven't noticed a problem. The download time is not that bad if you cache them for a day. Maybe I or someone else can create daily dumps and upload them somewhere.

I figured out a workaround until we find something better. The on_login_success page does not automatically redirect, so you can have the user manually copy the login code. Open https://auth.gog.com/auth?client_id=46899977096215655&redirect_uri=https%3A%2F%2Fembed.gog.com%2Fon_login_success%3Forigin%3Dclient&response_type=code&layout=client2 and after the redirect there should be a &code= parameter in the url. This is the code to use for a token request. I have an ugly but functioning implementation at https://github.com/Yepoleb/pygogapi/blob/master/gogapi.py#L508

I'm not doing what you think I'm doing :).

My goal is to query each product id in batches of 50, up from 0 to (probably) 2.5 billion, to see which of them are mapped to a product, which are not and how the mappings are distributed across the entire used id range. More info here.

The amount of traffic I'm producing by querying the APIs most likely exceeds average usage. This wasn't a problem until a few days ago when I noticed all the queries I was submitting returned HTTP 400, whereas if I tried them from another location everything was still working as expected.

The new reality is that the GOGBear throttles us all!

We need to stop him! He can't go around oppressing innocent developers all over the world. Grab your digital pitchforks and start going into the streets! Follow the lead of our savior WinterSnowfall!

To be fair, I don't think throttling after so many requests is unreasonable. You're probably causing more load than all the other users together.

Edit: Actually, let's not go into the streets. Leaving the house is not something a programmer should do, as he becomes very vulnerable against social interaction. We can protest from our rooms.

No, not really, not unless there are only a few people using Galaxy concurrently. I've actually limited the number of queries I'm firing out per second to about 30 (each on a batch of 50 ids), just so I don't generate too much load. I'm also reusing the same HTTP connections, not to put too much pressure on the back-end servers and load balances (assuming there are any).

Now if GOG's servers can't handle 30 requests per second on top of the regular traffic they're getting, maybe they need to think about an upgrade instead of bringing out the throttling GOGBear :).

Here's some urls that might be of interest to you

[url=https://content-system.gog.com/open_link?generation=1&path={path_here]https://content-system.gog.com/open_link?generation=1&path={path_here[/url]}
example: https://content-system.gog.com/open_link?generation=1&path=redists/DOSBox072/52837940

https://content-system.gog.com/dependencies/repository?generation=2
[url=https://content-system.gog.com/products/{product_id_here}/secure_link?generation=2&path=/&_version=2]https://content-system.gog.com/products/{product_id_here}/secure_link?generation=2&path=/&_version=2[/url]
[url=https://content-system.gog.com/products/{product_id_here}/secure_link?generation=2&path]https://content-system.gog.com/products/{product_id_here}/secure_link?generation=2&path[/url]=/

[url=https://cdn.gog.com/content-system/v2/dependencies/meta/{hash_here]https://cdn.gog.com/content-system/v2/dependencies/meta/{hash_here[/url]}
[url=https://cdn.gog.com/content-system/v2/store/{product_id_here}?{token_here]https://cdn.gog.com/content-system/v2/store/{product_id_here}?{token_here[/url]}
[url=https://cdn-api.gog.com/content-system/v2/store/{product_id_here}/?_token={token_here]https://cdn-api.gog.com/content-system/v2/store/{product_id_here}/?_token={token_here[/url]}

If anyone wants to easily figure out more Galaxy API urls then you can use mitmproxy to see the requests and responses

Install mitmproxy
Run mitmproxy (mitmweb -b 127.0.0.1)
On first run mitmproxy will create certificate files to %USERPROFILE%\.mitmproxy
Replace "C:\ProgramData\GOG.com\Galaxy\redists\rootCA.pem" with "%USERPROFILE%\.mitmproxy\mitmproxy-ca-cert.pem" (make a backup copy of the root certificate bundle before replacing it)
Make all traffic to go through mitmproxy (I used Proxifier to do this)
Run Galaxy and look for interesting requests/responses on [url=http://localhost:8081]http://localhost:8081[/url]/

Absolutely amazing! Thanks. Have been thinking about researching this for a long, long time... especially since gog galaxy is *still* very incomplete (almost zero progress since v1.0) & a big fat memory hog.

Has anyone any better ideas about how to query for installed gog games & associated information ?

The best way i came up with was querying the Registry : 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\'

That gets me :
- id (the one used in https://embed.gog.com/user/data/games)
- iconPath
- name
- path
- startmenu folder name (parsing that gets relevant executables (play, setup, manual, ...))
- version
- size
- installDate

However it does yield false positives like a game itself plus its deluxe edition upgrade, which might be reconciled by merging items with the same install path... but i guess now i could query api.gog.com & lookup the game_type! thx :-)

(although there is obviously zero interest in it, i am currently expanding my Gog-&SteamShortcutManagementScripts & contemplating a custom game launcher)

There should be a subkey for each (manually installed?) game in "HKLM\SOFTWARE\GOG.com\Games\". Can't verify that though atm, as I'm just looking at the innosetup script and don't have time to boot up Windows. Are you just interested in the manually installed games or all?

I can confirm that they exists for games installed by galaxy as well. thx!
Since i've switched all my gog games from manual installation to galaxy managed, primarily those installed by the client, but ideally both... (reinstalling hundreds of games manually after a windows reinstall is a no-go. galaxy makes it painless)

atm i'm just trying to better manage the mess gog makes in my startmenu (creating almost 400 folders in my root startmenu folder... *jeez*), i am however contemplating to build a minimal cross-store game launcher (a more flexible way of what i currently do with powershell & fences) and a tiny background autoupdate/download service

I didn't know about this thread. Good to see some work was already done for it. GOG failed to keep their promise of releasing official Galaxy API documentation, so what's left is only reverse engineering.

Do you have a link to this 'promise' you keep speaking of? Just curious.

I have to dig it up. Look for one of the community Q&A videos. The old GOG post video was down the last time I looked it up, but I think it might be still available on Twitch.

UPDATE: This is the one: https://www.twitch.tv/videos/45398732?t=49m48s

Well, what he actually said is that they would *LIKE* to get the APIs documented someday™. Probably just as much as I'd like to be able to play all the games I bought someday (which is probably not going to happen unless I get some extra lives).