I couldn't agree with you more when it comes to improving the API. What we need most is an API endpoint that provides exact and complete information on files that can be mass queried (e.g. get information on all files belonging to a certain or multiple product(s) with one API call) and is accessible to everyone and not just owners of the file. Then we can finally do away with the XMLs that are a PITA to request.

But you are wrong when it comes to logging in. It's actually fairly easy to login without an integrated browser as long as you are not stuck in ReCraptcha hell.

Yeah. Login can be as easy as sending an HTTP POST. But if GOG asks the user to solve a reCAPTCHA during login, You'll need a full web browser or something that can render HTML pages and let the user interact with the rendered login page to solve the reCAPTCHA. There is no way around this right now.

According to my experience you only get stuck in ReCraptcha hell if you either log in often within a short time or after several failed login attempts. And once your IP is flagged you will have to train the AI for the next 1-2 days if you want to log in before you get out again.

Through normal use you should never get recaptcha unless your memory is so bad that you screw your login up often or you share your IP with many other people (e.g. the IP of a VPN exit point). So logging in is actually as simple as a GET to retrieve a CSRF token followed by a POST with your email, password and the token.

I'd love to believe so, but certainly wasn't my experience in the past. Before making gogcli, I tried gogrepo and I got stuck into login hell. Never managed to actually try out the tool successfully because of the recaptcha.

In the end, what worked for me (and is gogcli's way to this day) is grabbing the bloody cookie from my browser session and sticking it in a file for the client to use although what sude describes seem somewhat simpler than that from a end user standpoint (I might actually try it out when I have more time), but it is still kind of hammy and not great for a user experience.

The only way to really make it really nice from a user standpoint and always working as Timamat16 mentions here is to use a browser engine (I might tryout a Tauri wrapper at some point now that I know Rust), so yeah, I think gog could make integrating authentication in third parties a lot better.

Anyways, I will not debate it to death in this thread, but that is my opinion, as far as authentication is concerned. Overall though, we are in agreement that the gog api could be greatly steamlined to allow third party clients to give a better user experience while backing up their collection (and also hammer gog's services less heavily while doing so).

GOG could also just switch to an authentication service that actually works. It's really nice to able to confirm identity by scanning a QR code or entering a 6 digit number that expires quickly.

I am sad for the missed opportunity of calling it gogog. :-(
Thank you for your work, Tiamat16! I believe the problem you describe does not affect only Open Source. I have read of access keys being distributed with closed software.

Still, I am grateful for all the people who go to the trouble and take the risk of fully sharing the fruits of their labor for the benefit of complete strangers.
As long as it is not sending a code through SMS to my cell phone!
I have a few FIDO2 USB tokens I would like to use. Or a Time-based One-Time-Password. Make it Opt-In!
But I am afraid that is not on GOG's plans. Unless there is some sort of significant security breach.

Many people seem to think that way, but no: even after publishing some code publicly, under an open license, you are still under no obligation of anything. You don’t have to provide a contact e-mail for users, or some public bugs tracker. You don’t have to listen to unsolicited feedback, nor fix bugs that do not even impact your own use.

Hey, I even have some of my code out in the wild that probably does not work without modification unless run directly from my machine. That does not prevent it from being shared directly from my distribution official documentation.

And I have some projects I work on, share under an open license, but won’t accept feedback or bug reports about. Because I do them primarily for myself, and other people are free to use them "as is" but I won’t listen to their complaints, because I mostly don’t care about any use case but my own ;)

(of course I do work on more "standard" open projects too, including open bug trackers where we listen to users feedback)

Ha ha. I think it's a bit too late to change the name to gogog (although it sounds like a very cool palindrome).

I removed the need to store the GOG credentials, and the next release won't have this problem. (It shouldn't have happened in the first place.)

Open-source projects usually come with no warranty or liability. It's achieved by using various open-source licenses.
(Gogg is available under MIT license.)

Given the replies I've seen from people here, I feel it could benefit GOG to provide users with an official game file downloader that can run on different operating systems.

There used to be one. It was called "GOG Downloader."