Getting the IP of running game servers

I’m currently working on a project. Something that I would really like to implement for security is verifying if a request comes from a specific place (I know it’s possible, I just don’t know how).

@Froast said before that there is an endpoint for getting the IPs of running game servers. This would be perfect for this. The only issue is, I can’t find that endpoint anywhere.

If anyone knows what this endpoint is, I’d really appreciate it!

7 Likes

Maybe NetworkServer can help you.

2 Likes

I found a solution in this thread which might be what you’re looking for:

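-- Get the HTTP Service
local HttpService = game:GetService("HttpService")

-- Get a response from the server; GetAsync throws on failure, so wrap it in pcall
local ok, response = pcall(function()
    return HttpService:GetAsync("http://ip-api.com/json")
end)

if ok then
    -- Get the IP Address from the response
    local ipAddress = HttpService:JSONDecode(response).query

    -- Display the IP Address
    print(ipAddress)
else
    -- On failure, response holds the error message
    warn("IP lookup failed: " .. tostring(response))
end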

The only issue is this relies on that API being available. I will continue to have a look to see if there are any other solutions.

6 Likes

I will be doing this from a remote server. Not from within Roblox, so that won’t be possible.

1 Like

I’d want something far more reliable than that. It would be best if I could find that endpoint I talked about in the OP.

1 Like

Maybe you can try to make the server send its own IP to your remote server.

2 Likes

Yeah, that’s what I’m going to do, but then I need to check if that IP is legit and is actually coming from Roblox.

2 Likes

You may want to check this out:

https://devforum.roblox.com/t/roblox-gameserver-ip-address-range/86669

1 Like

Roblox rents servers out; this isn’t reliable.

1 Like

What if instead of checking the IP address, you verify the unique game id which each instance of a place has and gets generated when a session starts?

I found this response in a similar thread.

Here’s an example of a response from this API from a game which (at the time of posting this) has a few sessions running. Each instance of the game is stored in the collections array, each with a unique guid.

1 Like

This would not be an effective security method - the JobId is visible to the client as well.
All they’d have to do is check your game’s running JobIds via an easily accessible web API.

The reason the IP method might be slightly more reliable is because specific IP spoofing is far more challenging to do effectively.

1 Like

It would probably be an easier solution because the client could also easily get the server’s IP address by checking their own network traffic. But you are correct in that spoofing the IP would make the task more difficult.

However, when the data is being passed to the server for authentication, it should also be passed alongside some form of authentication token (time based authentication would be even better) because this means that it doesn’t matter much what data is used (whether it is an IP address or a guid) as it is getting authenticated regardless, similar to how various API services handle API tokens.

1 Like

Checking the server’s IP will be far more secure and reliable. I will also make it so that each server sends an initial request to get a private key. This way each server can only get the private key once.

2 Likes

It wouldn’t really be a solution - it’s far easier to bypass (literally, make an API request) - likewise, what the user is looking for is a way to ensure basic integrity for the sender of requests, which I’m pretty sure would fall out of scope of a TOTP system.

@grilme99 You could probably ask Froast for the API Endpoint (if it hasn’t been deleted). I personally don’t see much merit in this particular form of authentication. Honestly, unless you’re worried about your game being hijacked and someone analysing network traffic, a (long) shared key like @ScriptedForum is suggesting would be apt.

Can you provide more information into your use case / exact requirements? This would help us give you a better answer as we’re all sort of puzzling this one out.

3 Likes

Sure! I’m creating a website that makes creating services on Roblox far easier. I’m currently working on a replacement for third party modules. I want the replacement to provide authentication. Only certain games can use your private script. Verifying the request is from Roblox will mean that the place id that also comes with the request will be real.

1 Like

Ah right - I can see why you’d like to do this :smile:

IP spoofing is possible, although fairly easy to restrict to just the most dedicated hackers - keep this in mind. @Froast do you have any input here?

3 Likes

I’d also like to add on. Spoofing the IP shouldn’t be possible. Every new server will send an initial request as soon as it starts and receives a private key. The private key is required for all requests after that.

This means that if someone were to disguise as the server they wouldn’t be able to send a request because that server has already sent the initial request and the attacker wouldn’t know the private key.

2 Likes
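The first-request key scheme described above, combined with the time-based token suggested earlier in the thread, sketched for the remote server as an added example (not code from any poster). The allow-listed range, `KeyRegistry`, `sign`, the 30-second window and the choice of HMAC-SHA256 are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed allow-list: a documentation range standing in for the ranges
# you decide to trust. It is not a real Roblox range.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
MAX_SKEW = 30  # seconds a signed request stays valid (assumed value)


def sign(secret, job_id, timestamp, body):
    """HMAC-SHA256 over job id, timestamp and body; the game server computes the same."""
    msg = f"{job_id}|{timestamp}|".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class KeyRegistry:
    """Issues one secret per game server (keyed by JobId) and checks its requests."""

    def __init__(self):
        self._keys = {}     # job_id -> (source_ip, secret)
        self._seen = set()  # (job_id, timestamp, mac) tuples already accepted

    def register(self, job_id, source_ip):
        """First contact: return a fresh secret, or None if refused."""
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in ALLOWED_NETS):
            return None  # source is outside the trusted ranges
        if job_id in self._keys:
            return None  # the secret for this server was already handed out
        secret = secrets.token_bytes(32)
        self._keys[job_id] = (source_ip, secret)
        return secret

    def verify(self, job_id, source_ip, timestamp, body, mac_hex, now):
        """Accept only a fresh, unreplayed request signed with the issued secret."""
        entry = self._keys.get(job_id)
        if entry is None or entry[0] != source_ip:
            return False
        if abs(now - timestamp) > MAX_SKEW:
            return False
        if not hmac.compare_digest(sign(entry[1], job_id, timestamp, body), mac_hex):
            return False
        if (job_id, timestamp, mac_hex) in self._seen:
            return False
        self._seen.add((job_id, timestamp, mac_hex))
        return True
```

Entries in `_seen` older than `MAX_SKEW` can be discarded, since the timestamp check already rejects them.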

This is actually remarkably smart. However, you’re relying on Roblox updating IPs quick enough - they cache stuff pretty intensely.

2 Likes

Each server will have its own IP and port. That shouldn’t be an issue.

1 Like

Eh? I don’t think you understand my meaning.

If your server starts before Roblox updates its cache, then the initial server request will be declined. It can take a while (sometimes up to 3 mins) for Roblox to update the cache.

2 Likes