I’m making a plugin that utilizes the Trello API which requires me to put my Trello API Token and Key inside the module I am using.
So if my plugin were to get leaked (the source code), would my Trello API Token and Key also be exposed? Is it possible for someone to view the source code of another creator’s plugin (either legitimately or illegitimately)?
Through what I’ve found on the web, it is possible to view the ModuleScripts of a plugin and my TrelloKey and TrelloToken are stored there, would that also expose by Trello account?
BTRoblox or RoPro has this option which allows you to view script sources and everything.
It works on pretty much anything on the marketplace.
This isn’t an option on paid plugins, but I’m 100% sure that’s only done because it would be against TOS.
Right now, you get redirected to the new marketplace, which ATM doesn’t have that option though changing the URL allows you to use the old one.
Yup, they have access to EVERYTHING. the Only way you can do that is making the Plugin paid Which requires you to be in the Plugin market place program.
No matter what, at the end of the day; plugin code and the contents of, can be viewed, paid or not.
I’m not entirely sure what the practical use for a Trello API within a plugin would be, is there any way you explain the functionality? Your best bet would be to find a different solution aside from Trello.
My goal was to make a Network in roblox that connects different games that follow a similar banlist. So a ban in one game will have the same user Id banned in all the games that are connected to the network. Anyone can create a network and share the code for people to join. That was the idea and I’m 99.9% finished and was preparing for release and I came across the security of my Trello API.
I’m using Trello as a database sort of because that’s the only thing I’m familiar with.
Aren’t there de-obfuscaters? I’m taking all this precaution because anyone knowing my Trello Token and Key are given complete access to my Trello account.
I dont think so, if there were, roblox games would have minimal exploiters as devs can view the code and see whats being abused, even if there are some i dont thino they are 100% fully functional
Then why can’t you have the ‘network code’ that people share, be their individual trello token?
Alternatively you can make a expressjs server; which will take the given token, parse the response from your trello database, and return it.
The issue here is, you’re trying to make an open ended system which everyone has access to, and can use, but you’re not authenticating usage. You said it yourself “Anyone can create a network and share the code for people to join”, so why don’t you use this ‘code’ as a means to authenticate the trellos?
Here’s an example.
A user starts the plugin, they create a new network, and they’re given a unique key for the network. Upon doing so, your web server associates that key in a database for a given trello ‘list.’
The user makes a post request to your webserver, the post request requires an authentication, ie; the key they were given in the bullet above. You then match that key to your trello list, and do an action accordingly.
If a key provided is invalid, then they cannot do actions, and ensure each key can only do actions on the trello list associated with that key.
Realistically speaking, your best bet is to completely scrap trello and just host a real database, but that’s a different topic entirely.
PS: To people saying to encrypt it; the idea of encrypting something insinuates that it can be decrypted, if people have the algorithm used to encrypt a key, as well as the source to decrypt it (so it can be used again as a trello key); then the entire point is useless.
The only means of encryption in which is irreversible would be hashing, and that’s not plausible in your case.
