I need to create a studio plugin that has a login feature. It is for integrating with my current project, Devable.
My question is, does Roblox do any kind of logging or anything that makes it unsafe to submit authentication information via a Studio plugin?
Iâm not sure, but if you wanted to login in the plugin, can you implement a system that works the same as those password resetting systems, you give the user a code from the website, and using some http service magic you can put the code in the plugin, and it auto directs you to your plugin, without having to login. And if someone managed to get the code no harm should be done to the userâs account, I think
One-time passwords feel pretty clunky. I guess this approach will work but I want to avoid it if I can.
Doing a âloginâ for a plugin within the Roblox Studio application, would, for me at least, seem pretty suspicious.
In particular if the âloginâ consist of âusername and passwordâ. - As this could very very quickly cause unintended sensitive information to be send, due to the human (i.e. kids), who uses Roblox Studio, may think it is the Roblox login credentials that is needed.
So I suggest that you avoid having a âusername + password loginâ dialog for your plugin. - Also to reduce, of what you are doing, the possibility that Roblox could/may remove and block your plugin (and worse, your account), if it is deemed as a âlogin key-loggerâ.
As starmaq suggest, it is probably a little better, to only let your plugin ask for a single âAPI keyâ for your web-site. And this âAPI keyâ is one that you generate, at your web-site, when the user register an account at your web-site.
Once this âAPI keyâ have been generated, for a user at your web-site, the user can be instructed to copy-and-paste this âAPI keyâ into your plugin in Roblox Studio, and then your plugin could/should cache/save the âAPI keyâ, using plugin:SetSetting() - then the user wonât have to type in the âAPI keyâ, every time they restart Roblox Studio and/or activate your plugin in Roblox Studio.
Also for the âAPI keyâ, at your web-site, you can then easily block/revoke, without involving any âuser sensitive informationâ.
Iâm not an expert. It might work, though if you use a third-party site to manage the log-ins, of course. This is because the password mechanism gets unlocked and verified on a third-party, not through Roblox studio. At least thatâs how I think about it. Youâll probably need something like encryption and the decryption key.
You make a good point, it can be encrypted on the client-side with a public key and decrypted on the server (in this case Devableâs webserver) using your own private key, as if this information is stored it will be encrypted.
Yes, there is logging of HttpService calls.
Could you provide evidence of this?
(Also @PMGDesigns)
We use Firebase Auth for account management. Itâs all handled by Google. I wouldnât need to encrypt from Studio because SSL is handled by the OS.
Considering I will have, at multiple points on the login screen, âLog in to your Devable accountâ and âThis is not your Roblox username or passwordâ, I donât think this is an issue. Not only this, but I highly doubt many kids who are new to Studio will be using Devable.
Having an API key isnât any more secure than username and password. This API key would require access to pretty much all APIs.
Along with this, we donât access the database via our own APIs. The database is fully managed and scaled for us and we access it directly. Database security rules prevent this being abused, however, the security rules require an authenticated user to be used (which adds a whole other layer of complexity to using API keys).
Where is it logged? Iâm more worried about debug logs that are stored on the users PC (which could then be accessed later) over Roblox logging requests from their end. Although, I donât think itâs possible for Roblox to log them on their end because the requests donât proxy through Roblox and, as far as I can tell, no extra HTTP request is sent.
Though the request itself doesnât go through Roblox, Roblox still sends a lot of telemetry, which could include what kind of stuff people are using HttpService for.
I should also point out that the HttpService supports HTTPS requests. If you want to make a secure login putting the details in the body of an HTTPS request is the way to be confident that nobody is going to be able to see the password hanging around in logs / caches or snooping it from unsecured WIFI.
Yeah Iâm using SSL, no doubt about that.
This is good to know. Even if the post body were to end up in Robloxâs hands (I highly doubt it does), I donât think itâll be a huge issue. If I later find out that this is an issue then Iâll be sure to change the authentication message to some sort of one-tine password.