Let’s say I want to make a plugin where the only button option within the plugin is for a “Setup”. Once the user completes the setup process, scripts are added to the game that are there to listen and react to certain events (in my case, the script would be using HttpService to make get/post requests).
Is there absolutely any way to keep that code private or as private as possible? Especially if I eventually want to sell the plugin for USD, there’s got to be a better way to private the code, right?
As far as I know, the main script used for the plugin only works within Roblox Studio and not within an actual running game, please let me know if I am wrong.
The plugin is for making connecting my external API easy. Basically, the scripts would be added with the click of the button. I just want the scripts that are added to handle API stuff. For example, when my external API sends a post request for an Open Cloud Messaging Service publish.
I am just trying to find out if there is a way to private or hide these scripts so that the source isn’t easy to access. It only makes sense that Roblox gives creators the opportunity to private some source code (if not doable), especially now that some things can be sold for USD.
No. Even plugins such as InCommand, openly place their events and scripts inside the game to make it work. And even if you were to find a hacky way of keeping them private, they would still be visible. The plugins are on these people’s PCs, and even with some extensions, they can get the plugin source code, effectively allowing them to see everything.
You have a point, Roblox needs to be able to get the plugin from somewhere. If not, it wouldn’t be able to read it. Also, memory dumps in the game could be a danger too for leaking the scripts.
Once you obtain a plugin, you are then technically allowed within the API to get the source code of that plugin (this is required to install the plugin), so once that access is granted, it’s best for you to assume the person can see everything.
Darn. I find that really silly, to be honest. Not everything HAS to be so open-sourced… Especially if a small group or company wants to make their own assets to sell.
BUT, one thing I just thought that may not be such a bad idea is: Can’t I make the scripts in an external file (visual studio code) and then use the script(s) made by the plugin to get the script from the external file?
Nevermind… Loadstring would be required, and if I set it via script.source, it is still there in the script.
The problem here is all of the methods that you can use technically would still allow the user to see the contents of your script, it’s effectively impossible to hide them if you’re going to use them. Sorry, this is how the internet works, and millions of developers would like to make it stay that way.
(And don’t try obfuscating either, that’s against ToS.)
And where would that external file would be located? Wouldn’t the user also be able to see them? If you use HTTPService, it’s the same case here, they will still be able to see the API request being made and the response.
Yeah. I’m aware that nothing is really secure within the internet, there’s probably always something an exploiter/hacker can do to obtain source code. I just think Roblox needs to find a way to allow developers to have a better chance at securing more important scripts, especially for tools/assets that aren’t being listed for free.
When I said “external file”, I meant a file somewhere within the directory of my external program/web API thing. The file would contain the code I would use within the scripts in studio.
What you’re asking existed before with Private ModuleScripts. And you wanna know why it got removed? People were putting malicious code inside the modules, causing extreme harm to other peoples’ games. Allowing private code to exist is a huge security vulnerability, sure, people like you would use it in a good way, but many wouldn’t. And just because some good people could use a certain feature, we shouldn’t risk many innocent people to bad people with malicious code.
Would still be accessible. API request would still contain the result which would most likely contain the contents of the script.
And now Roblox has features such as Identity Verification where users have to verify using their own government credentials before having access to certain things. It may not 100% solve that issue, but it would certainly be a step forward into allowing private module scripts again.