Scratch Login

So do y'all remember when I was getting data from Scratch to make Scratch 4.0? Anyways, I wanna make a user be able to log in to Scratch from a Snap! project (like Scratchattach), but I'm not sure if that's allowed, or if the Snap! servers have weak security. Also, is it wise to save the login information in the browser cookies?

Allowed by Scratch, you mean?

No, on general principles, never save passwords online, including in cookies. Isn't that right?

Both Scratch and Snap!, but I'm guessing that it's allowed by Scratch considering so many Python extensions like Scratchattach exist.

Ha! Tell that to Google and Microsoft.

Also, I may need help transitioning this code into Snap!
Code:

import json
import re

import requests

# Excerpt wrapped in a function so that `return` is valid. `headers`,
# `exceptions` and `Session` are defined elsewhere in the library it comes from.
def login(username, password):
    data = json.dumps({"username": username, "password": password})
    _headers = headers
    _headers["Cookie"] = "scratchcsrftoken=a;scratchlanguage=en;"
    request = requests.post(
        "https://scratch.mit.edu/login/", data=data, headers=_headers
    )
    try:
        # The session id is the quoted value in the Set-Cookie response header.
        session_id = str(re.search('"(.*)"', request.headers["Set-Cookie"]).group())
    except Exception:
        raise exceptions.LoginFailure("Either the provided authentication data is wrong or your network is banned from Scratch.\n\nIf you're using an online IDE (like replit.com) Scratch possibly banned its IP adress. In this case, try logging in with your session id: https://github.com/TimMcCool/scratchattach/wiki#logging-in")
    # Reached only when a session id was extracted.
    session = Session(session_id, username=username)
    return session

What I have so far:
[image: untitled script pic (5)]

If it's okay with them, I don't see why we would boggle at it, although maybe I'm missing some subtlety.

Don't they store hashed passwords?

The system for logging into another website with your Scratch account, that is also used on the Scratch Wiki, is a strange system (that makes me question why they don't just implement OAuth already). The process goes something like this.

  1. Enter your username into the website
  2. The website generates a random number
  3. It sends you to a Scratch project to either enter the code into the comments, or into the project (with cloud variables), or onto your profile.
  4. The website then scans the desired method of logging in, and then when it sees the code, and the user who sent the code.

TL;DR: it's a complicated system that's used by the Scratch Wiki, but also makes me wonder why Scratch doesn't implement OAuth already.

Yup, sounds like a kludge. But I guess it has the virtue that Scratch itself doesn't have to cooperate to make it work. You just prove that you have access to that Scratch user's projects in a way that anyone can verify. People could do that with Snap! too, and we'd have no reason to complain.
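The code-in-a-comment flow described in the two posts above, sketched from the verifying website's side as an added example (not code from this thread, from Scratch or from the Scratch Wiki). The `author`/`content` comment fields, the five-minute lifetime and case-insensitive usernames are assumptions, and the comments are constructed sample data rather than anything fetched from Scratch.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: a challenge expires after five minutes


class ChallengeStore:
    def __init__(self, now=time.time):
        # lowercased username (assumed case-insensitive) -> (code, expiry time)
        self._pending = {}
        self._now = now

    def issue(self, username):
        # Step 2: an unguessable code from the OS CSPRNG, bound to one username.
        code = secrets.token_hex(16)
        self._pending[username.lower()] = (code, self._now() + CODE_TTL_SECONDS)
        return code

    def verify(self, username, comments):
        # Step 4: succeed only if the claimed user posted the pending code.
        key = username.lower()
        code, expires = self._pending.get(key, (None, 0))
        if code is None:
            return False
        if self._now() > expires:
            del self._pending[key]  # an expired code cannot be retried
            return False
        for comment in comments:
            # Author check proves account control; another account posting it fails.
            if comment["author"].lower() != key:
                continue
            posted = comment["content"].strip().encode()
            if hmac.compare_digest(posted, code.encode()):
                del self._pending[key]  # single use: a replayed code fails
                return True
        return False


def demo():
    clock = [1000.0]  # fake clock so expiry can be exercised offline
    store = ChallengeStore(now=lambda: clock[0])
    code = store.issue("Alice")
    spoofed = [{"author": "mallory", "content": code}]
    genuine = [{"author": "alice", "content": " " + code + " "}]
    results = [store.verify("Alice", spoofed), store.verify("Alice", genuine),
               store.verify("Alice", genuine)]
    stale = store.issue("Alice")
    clock[0] += CODE_TTL_SECONDS + 1
    results.append(store.verify("Alice", [{"author": "alice", "content": stale}]))
    return results
```

`demo()` covers the four cases that matter for this scheme: the code posted by the wrong account, the genuine post, a replay of an already used code, and a code posted after it expired.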

I think you should use Scratch Auth, which I saw on PenguinMod.

bump

Also, I don't want to link a Scratch username to a project, I want to be able to do stuff like comment, view notifications, edit my profile page, etc. (Don't worry, nothing malicious.)

What have you done so far? Why don't you use an iframe?

scroll up

Send link, script pic isn't working rn. And why not use iframe?

Snap! scratch login (berkeley.edu)
I don't want to use iframe because I don't know how and I want to make my own login UI.

Iframe is the simplest code ever. Look it up. Just use iframe to display the Scratch link and your project is done.

Using an iframe may be simple, but it's also boring and lazy. It would be more fun, and a much bigger challenge to create it yourself.

exactly

Yeah, instead they store a user token, much more secure

Such tokens have expiration dates, and also, since they aren't chosen by the user, they're safe against foolish users who use the same password at different sites.

Wait a minute, are you saying I should have an iframe with the Scratch website in it?
Because if that's what you're saying, then the whole point of me making this is to make the Scratch website look different and have more features.

I thought you couldn't read data from iframes unless they are from the same domain?