There should be a secret key that’s randomly generated for each place with HttpEnabled, and sent along with the HTTP request. The most non-breaking way to add this would be in an additional header. The server could then check the validity of the key. This should be able to be accessed or changed on the website, per place/universe.
This would allow us to check that it’s from a ROBLOX game; only the account owner and ROBLOX would know the key. This means the server can know if a request came from your game or not, which is fairly useful.
The only issue I see with this is there are many places that use HttpService for services which you might not want to send this to; therefore, it should be off by default, and only be sent if there’s an additional boolean parameter in the method call (GetAsync or PostAsync).
[quote] If you can do without sending it in the header,
HttpService:GenerateGUID()
might be useful for you. [/quote]
That’s not what this is. I have no way to be sure a GUID came from my game or not; it’s not unique to the place. To test this, print(game.HttpService:GenerateGUID() = =game.HttpService:GenerateGUID()) from the command bar.
To use this, I’d either have to trust every GUID (making it useless) or hardcode it into the source (partly defeating the purpose of this suggestion).
EDIT:
The point of this is that it’s hard to spoof, so that’s a different use case.
I brought this up in RDCEast and spoke with one of the admin on it in length. The best solution we came to would to have a key that’s generated by ROBLOX that’s associated with that specific game server which is sent with every request going through HttpService that the web server can use to look up information about the request through an api on the roblox site. This key would be known only to HttpService, which means nothing can steal it unless they have server-side access and it would help add an additional layer to those that work with HttpService for verifying request authenticity. The admin said that they would put it on the list but since I couldn’t provide enough users wanting it as a feature that it would stay basically on the back burner until they have completed other projects which they deem more useful and more greatly wanted by the community.
The best way you could probably do this is to send the JobId in the request and then use something like this:
local PlaceId = 1818
local JobId = GetJobIdFromRequest()
local response = JsonDecode(HttpGet("http://www.roblox.com/Game/PlaceLauncher.ashx?request=RequestGameJob&gameId="..JobId.."&placeId="..PlaceId))
local joinTicket = JsonDecode(UrlDecode(response.joinScriptUrl):match("ticket=(.+)&signature=$"))
local RequestPlaceId = joinTicket.PlaceId
if RequestPlaceId == PlaceId then
DoWebAPI()
else
ThrowHTTPError()
end
Keep in mind that’s pseudo-code and may or may not work. Take it as a guide.
[quote] The best way you could probably do this is to send the JobId in the request and then use something like this:
local PlaceId = 1818
local JobId = GetJobIdFromRequest()
local response = JsonDecode(HttpGet("http://www.roblox.com/Game/PlaceLauncher.ashx?request=RequestGameJob&gameId="..JobId.."&placeId="..PlaceId))
local joinTicket = JsonDecode(UrlDecode(response.joinScriptUrl):match("ticket=(.+)&signature=$"))
local RequestPlaceId = joinTicket.PlaceId
if RequestPlaceId == PlaceId then
DoWebAPI()
else
ThrowHTTPError()
end
Keep in mind that’s pseudo-code and may or may not work. Take it as a guide. [/quote]
The problem with that is anyone who joins the game can get a valid JobId, which defeats the purpose of the validation system. Anything that is accessible by the client is to be considered insecure as users can and will spoof anything. (Have had problems with this in the past)
[quote] The best way you could probably do this is to send the JobId in the request and then use something like this:
local PlaceId = 1818
local JobId = GetJobIdFromRequest()
local response = JsonDecode(HttpGet("http://www.roblox.com/Game/PlaceLauncher.ashx?request=RequestGameJob&gameId="..JobId.."&placeId="..PlaceId))
local joinTicket = JsonDecode(UrlDecode(response.joinScriptUrl):match("ticket=(.+)&signature=$"))
local RequestPlaceId = joinTicket.PlaceId
if RequestPlaceId == PlaceId then
DoWebAPI()
else
ThrowHTTPError()
end
Keep in mind that’s pseudo-code and may or may not work. Take it as a guide. [/quote]
The problem with that is anyone who joins the game can get a valid JobId, which defeats the purpose of the validation system. Anything that is accessible by the client is to be considered insecure as users can and will spoof anything. (Have had problems with this in the past)[/quote]
It’s possible to get a valid JobId, but if you do you’re probably going through more trouble than is worth.
[quote] [quote=“FiniteReality” post=191096]The best way you could probably do this is to send the JobId in the request and then use something like this:
local PlaceId = 1818
local JobId = GetJobIdFromRequest()
local response = JsonDecode(HttpGet("http://www.roblox.com/Game/PlaceLauncher.ashx?request=RequestGameJob&gameId="..JobId.."&placeId="..PlaceId))
local joinTicket = JsonDecode(UrlDecode(response.joinScriptUrl):match("ticket=(.+)&signature=$"))
local RequestPlaceId = joinTicket.PlaceId
if RequestPlaceId == PlaceId then
DoWebAPI()
else
ThrowHTTPError()
end
Keep in mind that’s pseudo-code and may or may not work. Take it as a guide. [/quote]
The problem with that is anyone who joins the game can get a valid JobId, which defeats the purpose of the validation system. Anything that is accessible by the client is to be considered insecure as users can and will spoof anything. (Have had problems with this in the past)[/quote]
It’s possible to get a valid JobId, but if you do you’re probably going through more trouble than is worth.[/quote]
In comes exploiter, who’s only passion in life is doing the things that are more trouble than is worth just cuz
[quote] What if you just created a server-side “passphrase” if you will, and sent it with every request?
local key = "Th1s1sAP4sxspHras3"
You would then have the code on your server and when your server receives an HTTP request, you check if the keys match. [/quote]
This is one method, but considering the asset steal exploit out right now that can steal anything, the source code which would have the key is no longer secure.
As long as its a custom header name that can’t be send or changed by the roblox HTTP api.
Then generate a key for each game itself, and sent it automatically with the requests, that way it can’t be spoofed.
Something like the header “Authentication”, a header that Discord uses. As far as I know, there is no way to customize headers correct?
Also, I just realized we can send up to 500 requests a minute with HTTPService, that is interesting, I thought it was much lower before. That could possibly be dangerous couldn’t it?