HTTPService: Provide an unalterable security measure

HttpService is a wonderful, wonderful tool. I use it to log who has visited my game, what people have chatted in my game, to look up usernames based on userIds, and other things. It’s incredibly helpful. But, one thing that has worried me a little bit is that there seems to be no way for the requested page to tell where the request came from. If someone steals your script, or figures out how to format the request the right way, or even just puts in knowingly incorrect data, there’s no way to tell for sure.

Say I had a page that would log who had been awarded what badges. I format it with one parameter for the game ID, one parameter for the badge ID, and one parameter for the user ID. I put it as a free model so that other people can use it to track awarded badges. Joe does it properly for his sword fight game, it works great. Bob does it properly for his obby, it works great. John runs the following code…

for q = 1, 1234567890 do
    for w = 1, 1234567890 do
        wait(1)
        game.HttpService:PostAsync(mypageurl, "gameid=" .. q .. "&badgeid=" .. w .. "&userid=" .. math.random(1, 50000000))
    end
end

Suddenly you can’t tell what is real data and what is spam.

I know that using passwords makes this less of a problem, but Robloxians are a crafty, exploity bunch.

So, I would like there to be some variable that it sends that cannot be altered, that provides proof of where the script comes from, so that there is far less chance of false data like that. Either the game’s PlaceId or CreatorId would work well for the value of it, or both, though you could get the creator’s ID from the place ID with just a little bit of extra page reading in PHP.

As far as I know there’s a special header field containing the place ID (roblox-id header?).
Either way, you can still send HTTP requests outside of Roblox so you can spoof it that way too.

The only way to more effectively prevent spoofing is to make sure the requests originate from a Roblox server (and check the place ID header), but I think there is no API to get a list of IPs currently used by Roblox to assert the integrity.

just a quick semi offtopic question

Why would you upload your script to free models with your page url still in the script?? :S

[quote] just a quick semi offtopic question

Why would you upload your script to free models with your page url still in the script?? :S [/quote]

That’s sort of the point of this. You can’t do that right now because there’s no security measure at all (or so I thought, it may exist as pointed out above, I just haven’t checked yet since reading.). But if you wanted to make a big database, you have to make sure all the data you receive is valid.

I support this.

[ul]
[li]Generate a key for each user of the service.[/li]
[li]Associate that key with the user’s place.[/li]
[li]Give that key to the user and instruct them to put it in a StringValue.[/li]
[li]Require that to modify/update/whatever data for a place, the request must contain the key that you gave to the user of the place.[/li]
[/ul]

That’s the most basic way of doing it.
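
The four steps above, sketched as the check the receiving page would run. This is an added example, not code from the thread: Python stands in for the PHP page mentioned earlier, and `KeyRegistry`, `handle_badge_post` and the `key` form field are hypothetical names.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs


class KeyRegistry:
    """Maps each place id to the SHA-256 digest of the key issued for it."""

    def __init__(self):
        self._digests = {}  # place_id (int) -> hex digest of the issued key

    def issue_key(self, place_id):
        # Steps 1-3: generate a random key, bind it to the place, return it once.
        # Only the digest is stored, so a leaked table does not leak usable keys.
        key = secrets.token_urlsafe(32)
        self._digests[place_id] = hashlib.sha256(key.encode()).hexdigest()
        return key

    def verify(self, place_id, key):
        expected = self._digests.get(place_id)
        if expected is None:
            return False  # no key was ever issued for this place
        supplied = hashlib.sha256(key.encode()).hexdigest()
        return hmac.compare_digest(expected, supplied)  # constant-time compare


def handle_badge_post(registry, body):
    """Validate a form-encoded POST body; return the parsed record or None."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    try:
        record = {n: int(fields[n]) for n in ("gameid", "badgeid", "userid")}
    except (KeyError, ValueError):
        return None  # missing or non-numeric field
    if min(record.values()) < 1:
        return None
    # Step 4: the key must be the one issued for the gameid the request claims.
    if not registry.verify(record["gameid"], fields.get("key", "")):
        return None
    return record
```

A key holder can still submit false rows for their own place; the check only stops them from writing under a gameid whose key they do not hold.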