I would like to securely achieve client- and server-side usage of a ModuleScript that returns a table with methods (basically a Lua class).
Currently, I have a ModuleScript that needs to be used by the server and client (it acts as a physics manager for a vehicle). However, I would like to privatize my code as much as possible. I am afraid that exploiters can easily find my code.
I have tried to locate the ModuleScript in the ReplicatedStorage, so that both the client and server have access to it. This is not really a solution to my problem, since exploiters can access the ReplicatedStorage as any client can.
If the client can access it, it can be copied. You could try to obfuscate your code, but if your game eventually gets big, it can still be unobfuscated. It also is performance intensive.
Why would you want to privatise it anyways? No one is probably going to copy your code — sorry but that’s the truth. And if you think exploiters being able to read module scripts can enable them to exploit, then you’ve done something wrong. Major changes should have checks on the server and the server only should carry it out.
ModuleScripts really aren’t meant to act as a bridge between Client and Server (I was under that impression for a while too). When you call require on a ModuleScript,
What this means is that for the server there exists a copy of the module’s contents and for every client there exists a copy of the module’s contents - and these “copies” are different references.
You can use ModuleScripts to create a bridge between server and clients quite neatly, though. For example, a ModuleScript might exist somewhere local to each client (StarterPlayerGui, StarterPlayerScripts, etc) which contains functions that can be called that then invoke the server either through a RemoteEvent or a RemoteFunction. The functions that handle these events and invokes can then exist in one or more Scripts or ModuleScripts located in ServerScriptService (not replicated to clients) such that any implementation details of your code would not be accessible to any exploiter unless they had access to the server somehow (but as @PeterShall22 said, this isn’t really a huge concern as your implementation should involve steps and checks to prevent any sort of misuse by clients).
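The layout the last reply describes, as an added example that is not part of any post in this thread: a Script in ServerScriptService owns the remote and validates every client-supplied argument before touching the vehicle. The remote name `SetThrottle`, the `Throttle` attribute and the `applyThrottle` stand-in are assumptions made for illustration.

```lua
-- Script placed in ServerScriptService: its source is never replicated to clients.
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Only the remote itself lives in ReplicatedStorage; clients see its name, not this code.
local setThrottle = Instance.new("RemoteFunction")
setThrottle.Name = "SetThrottle" -- hypothetical name
setThrottle.Parent = ReplicatedStorage

-- Stand-in for the private physics manager (assumption: a real game would
-- require() a ModuleScript stored next to this Script instead).
local function applyThrottle(vehicle, throttle)
	vehicle:SetAttribute("Throttle", throttle)
end

-- True only if `player` currently occupies a VehicleSeat inside `vehicle`.
local function isDriver(player, vehicle)
	if typeof(vehicle) ~= "Instance" or not vehicle:IsA("Model") then
		return false
	end
	local seat = vehicle:FindFirstChildWhichIsA("VehicleSeat", true)
	local character = player.Character
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	return seat ~= nil and humanoid ~= nil and seat.Occupant == humanoid
end

-- `player` is supplied by the engine; every argument after it is client-controlled.
setThrottle.OnServerInvoke = function(player, vehicle, throttle)
	-- Reject wrong types and NaN (NaN is the only value not equal to itself).
	if typeof(throttle) ~= "number" or throttle ~= throttle then
		return false
	end
	-- Reject requests for vehicles the caller is not driving.
	if not isDriver(player, vehicle) then
		return false
	end
	-- Clamp to the range the physics code expects before applying it.
	applyThrottle(vehicle, math.clamp(throttle, -1, 1))
	return true
end
```

A client-side ModuleScript then only needs to wrap `SetThrottle:InvokeServer(vehicle, throttle)`, so nothing replicated to clients contains the physics code.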