External API access to MessagingService

As of right now, MessagingService allows you to communicate cross-server really easily, but it doesn’t solve another problem this causes: desyncing between servers for live events, “master server” problems (as explained here), or other external platform ideas, such as an external moderation interface, like Phantom Forces uses.

The only ‘good’ way we have right now of maintaining connections between Roblox servers and external services is HTTP long polling, which is slow, inefficient, and annoying to program. Adding WebSocket support was already declined as stated here, so I propose a compromise that would be secure but also easy to program for.

It’s a pretty simple idea: allow external servers to access the MessagingService queue via an API (it would be easy to make a WebSocket interface for this purpose, which would not have the security concerns stated earlier with Roblox servers themselves doing it).

```js
const WebSocket = require("ws");

// Proposed endpoint (it does not exist today); "(api key)" is a placeholder.
const ws = new WebSocket("wss://api.roblox.com/messagingservice?key=(api key)");

ws.on("open", function open()
{
  // send a message once the connection is open
  ws.send("(message from MessagingService)");
});

ws.on("message", function incoming(data)
{
  console.log(data); // whenever a MessagingService alert is sent
});
```

Enabling this API would be the same as other ‘dangerous’ APIs - via the game settings tab.

A developer can then generate an API key to use from the same tab.

This would make cross-server events, external moderation, or just general game management far easier than having to use the slow, insecure methods that are used right now. Thanks!

54 Likes

Great idea, one small concern. I’ll preface this by saying I know little about web stuff, but wouldn’t it be a lot better to pass the key via an authorization header instead of putting it in the URL? Or even better, encoding the transfer data with a private/public key combination?

I wouldn’t feel comfortable passing such an important key through a URL for some reason. I feel like you could be the target of a man-in-the-middle attack in that case.

14 Likes
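Request URLs are routinely written to access and proxy logs, so the header-based alternative raised in the reply above is sketched here as an added example (not from any post in this thread, and not a Roblox API): a check a server could run on the WebSocket upgrade request that refuses keys in the query string, takes the key from the `Authorization` header, and redacts URLs before logging. The endpoint path, the sample key and the function names are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Constructed sample key; a real one would come from the proposed settings tab.
const EXPECTED_KEY = "example-key-0123456789";
const BASE = "wss://placeholder.invalid"; // only used to parse relative URLs

// Hash both sides first: timingSafeEqual needs equal-length inputs, and the
// comparison time then does not depend on how many characters matched.
function keysMatch(presented, expected) {
  const a = crypto.createHash("sha256").update(presented).digest();
  const b = crypto.createHash("sha256").update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Replace the value of any "key" query parameter before a URL is logged.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl, BASE);
  if (url.searchParams.has("key")) url.searchParams.set("key", "REDACTED");
  return url.pathname + url.search;
}

// Decide whether an upgrade request may proceed.
// `req` has the shape of Node's http.IncomingMessage: { url, headers }.
function authorizeUpgrade(req, expectedKey = EXPECTED_KEY) {
  const logUrl = redactUrl(req.url);
  if (new URL(req.url, BASE).searchParams.has("key")) {
    // Reject even a correct key sent this way, so clients cannot keep using it.
    return { ok: false, status: 400, reason: "key in query string", logUrl };
  }
  const header = req.headers["authorization"] || "";
  const match = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/.exec(header);
  if (!match) {
    return { ok: false, status: 401, reason: "missing bearer token", logUrl };
  }
  if (!keysMatch(match[1], expectedKey)) {
    return { ok: false, status: 401, reason: "bad key", logUrl };
  }
  return { ok: true, status: 101, reason: "authorized", logUrl };
}
```

With the `ws` client used in the original post, the header can be set through the constructor's `headers` option; the browser `WebSocket` API cannot set request headers.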

Allow the creation of web-hooks on a game’s configuration page for a particular topic in MessagingService. When a string is sent to this web-hook, it will be the equivalent of using PublishAsync with the given topic and string from a normal game server. This would allow more efficient communication outside of Roblox servers; currently you have to poll at an interval, and this uses up many HTTP requests and is not instantaneous. This would also allow the use of web-hook pushing services like Zapier without the game developer having to fork out money for server hosting.

No other special considerations should need to be taken by Roblox; game developers should be able to create their own ways to determine if incoming data should be allowed. I could send a JSON file to my own web-hook with a unique key, or encrypt it a certain way, but the data string sent to the game’s SubscribeAsync callback should be the same raw data posted to the web-hook.

9 Likes

I recommend Roblox rolling their own OAuth 2 implementation. This would call for an Authorization Server to handle the different request types and implementing grants if they really have security in mind. I have built my own OAuth API similar to Facebook’s or Google’s. (Not that I actively use it. Turns out building your own MMORPG is really expensive. While I handled the backend and framework on my own. Very proud of it of course. I’d compare it to Amazon’s GameLift. Took me a couple of weeks. I won’t go into specifics.)

But at this point in time, and moving forward in the future, communicating with our game servers is VERY important. It’s nice to be cradled in a sandbox to play in. But if you’re gonna continue to increase the quality of your platform, do note that the developers will also increase in quality.

Basically what I’m trying to say is: security is not an excuse. I strongly hope that one day I’ll be able to really create the tools that would improve my workflow and better enable me to make the types of creations that are already possible on the platform… If only it was implemented.

6 Likes

Would like to show support for this feature request; we’d definitely benefit from it.

8 Likes