I am hosting the servers on my end and all of the data is sent and received there.
People shouldn’t be installing obfuscated plugins - it’s a huge trust issue.
Dude, it's awesome! How did you make that? Are people allowed to take that?
Totally understandable, but we need to find a way to keep our external API keys secure. While obfuscating isn’t the best option, as it still can be bypassed, we just did that for now. I know you have messed around with APIs and stuff in the past, so if you would like to message me on Discord I would be more than happy to talk.
Kaden#4291
Not really a good selling point.
- This causes trust issues
- This category is meant for open-source assets, not obfuscated open-source assets
Then implement a different and more secure (send-and-receive, etc) method of communicating with your servers. This isn’t a good excuse for hiding the plugin source. If anything, upload the source to GitHub and remove the API keys if you can’t do what I said above.
Can you message me on Discord? I would love to talk.
Kaden#4291
I no longer use Discord, you can PM me if you’d like to discuss this.
Yeah, this is a Team Create chat; ours is a cross-game chat.
I was primarily talking about the name. Would you be so kind and change it to something else?
Honestly, the concept itself sounds cool, but it just seems far too suspicious. The code is obfuscated, so no one can verify it’s secure, and there is no explanation of how it can communicate between two different studio instances, especially considering they’re not connected in any way. If this uses an external server, that’s something that should be clarified, and it shouldn’t be obfuscated for a plugin that can allow the creators to see each player’s IP with each request to an external server.
Overall, sounds like a cool concept, but it’s just missing a lot of key details that people need to actually understand what’s going on in the plugin…
They communicate through the external server (Which is likely to log chat messages). I agree, obfuscating the code wasn’t the best decision.
If it’s something that is widely used by developers, security only makes it hard to tell what exactly the plugin is doing. It really shouldn’t be obfuscated, especially with such a lack of information of how exactly it works.
I agree with you on this and I am working on securing my API keys so our code can be open-sourced without leaking the keys. We use the keys to prevent people from accessing and spamming messages or corrupting data, etc.
You’re 100% right, I’m sorry it's suspicious. Me and the co-developer are actively working on figuring out ways we can publish the plugin without obfuscating it. Right now it’s not an option for us because we have a key that needs to be hidden and we haven’t found any other ways yet. If this plugin seems interesting to you and you just don’t trust it, maybe check back next week and hopefully we’ll find a solution.
That raises a few concerns for me, to be quite honest. When you make a request with a server, most of the time, your IP address is visible to the server, hence why so many people feel it’s a security concern. Although the concept itself is neat, there are a lot of concerns with how exactly it came to be. For example:
What exactly is being stored on the server?
How are conversations stored to be viewed at a later date?
Is it secure enough to actually use to convey vital information whilst developing?
Can it be exploited or manipulated in any way that can cause a disruption in someone’s development process?
Can we request for the stored information to be cleared for privacy reasons?
Who else can see our conversations?
Among many other concerns, there are just too many unanswered questions in my opinion.
Also, a separate concern, how is the server hosted? Typically, servers cost money to host regardless of circumstance, even if you don’t actually own the physical server. There are still a lot of vital questions that remain unanswered.
You can’t hide the key… even if it’s obfuscated, eventually people will be able to find it. That’s just the downside of a public plugin. It needs to be somewhere in the script for the plugin to work, and it can be found even if it’s hidden deep in the code with enough time. All of its contents can be accessed by anyone, so even with obfuscation, with enough time, people will be able to find it. It’s much simpler to add an anti-spam on the server side as opposed to making the client completely unviewable to the people who will be relying on it. Overall, the concept seems interesting, but it just has too many missing points and too many details left out.
I 100% agree with you, I am just lost on how to make the API keys secure.
1: A table containing information, that information being UserId, message text, and a tag which is used to see if you’re a VIP user or in anonymous mode. Data gets deleted after 60 seconds.
2: The table uploaded when you send a message is stored for 60 seconds; no one is able to view it after and it is deleted from our server. It is kept in logs for moderation purposes.
3: It should be, but I would not recommend sharing vital information in case of bugs I’m unaware of.
4: I’m not entirely sure what you mean, but they can’t affect your Studio at all.
5: If someone contacts us, yes, we can remove all messages they’ve ever sent.
6: Moderators that are personally trusted by me, and they will not be able to take any of those messages out of moderation context.
These are the answers to your current questions.
You can’t make API keys secure if they are meant to be shared. What you should instead focus on is securing your API by rate limiting the server and suspending suspicious clients. Obfuscating the source code is not secure and makes your plugin suspicious. I would also refrain from logging messages on the server and instead use something called Diffie-Hellman key exchange. This will make sure only certain parties are able to read messages.
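A server-side sketch of what this reply (and the earlier "add an anti-spam on the server side" post) recommends, added here as an example and not code from the plugin or its authors: per-client rate limiting plus a temporary suspension for clients that keep hitting the limit. It assumes the server can identify each client by something other than the shared API key (the UserId the plugin already sends, or the request's source address); the request log it replays is constructed for the example.

```python
import time
from collections import defaultdict, deque


class ChatRateLimiter:
    """Sliding-window rate limiter keyed by client identity, with strikes.

    The shared API key only proves "this is a copy of the plugin"; it cannot
    tell clients apart, so limits are applied per client_id instead.
    """

    def __init__(self, max_messages=5, window_seconds=10.0,
                 strikes_before_suspend=3, suspend_seconds=300.0,
                 clock=time.monotonic):
        self.max_messages = max_messages
        self.window = window_seconds
        self.strikes_before_suspend = strikes_before_suspend
        self.suspend_seconds = suspend_seconds
        self._clock = clock
        self._sent = defaultdict(deque)   # client_id -> send timestamps
        self._strikes = defaultdict(int)  # client_id -> limit violations
        self._suspended_until = {}        # client_id -> expiry timestamp

    def allow(self, client_id, now=None):
        """Return (allowed, reason) for one message from client_id."""
        now = self._clock() if now is None else now
        until = self._suspended_until.get(client_id)
        if until is not None:
            if now < until:
                return False, "suspended"
            del self._suspended_until[client_id]  # suspension has expired
        sent = self._sent[client_id]
        while sent and now - sent[0] >= self.window:  # drop old timestamps
            sent.popleft()
        if len(sent) >= self.max_messages:
            self._strikes[client_id] += 1
            if self._strikes[client_id] >= self.strikes_before_suspend:
                self._suspended_until[client_id] = now + self.suspend_seconds
                self._strikes[client_id] = 0
                return False, "suspended"
            return False, "rate_limited"
        sent.append(now)
        return True, "ok"


# Constructed sample: (client_id, seconds since start). user-1 floods,
# user-2 sends once, then user-1 returns after its suspension expires.
SAMPLE_EVENTS = [("user-1", t) for t in range(9)] + [("user-2", 5), ("user-1", 307)]


def replay(limiter, events):
    """Run each event through the limiter and return the decision reasons."""
    return [limiter.allow(cid, now=t)[1] for cid, t in events]
```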
Why would you use this instead of, for example, Discord?