I no longer use Discord, you can PM me if you’d like to discuss this.

Yeah this is a team create chat ours is a cross-game chat

I was primarily talking about the name. Would you be so kind and change it to something else?

Honestly, the concept itself sounds cool, but it just seems far too suspicious. The code is obfuscated, so no one can verify it’s secure, and there is no explanation of how it can communicate between two different studio instances, especially considering they’re not connected in any way. If this uses an external server, that’s something that should be clarified, and it shouldn’t be obfuscated for a plugin that can allow the creators to see each player’s IP with each request to an external server.

Overall, sounds like a cool concept, but it’s just missing a lot of key details that people need to actually understand what’s going on in the plugin…

They communicate through the external server (Which is likely to log chat messages). I agree, obfuscating the code wasn’t the best decision.

If it’s something that is widely used by developers, security only makes it hard to tell what exactly the plugin is doing. It really shouldn’t be obfuscated, especially with such a lack of information of how exactly it works.

I agree with you on this and I am working on securing my API keys so our code can be open-sourced without leaking the keys. We use the keys to prevent people from accessing and spamming messages our corrupting data, etc.

You’re 100% right I’m sorry its suspicious me and the co-developer are actively working on figuring out ways we can publish the plugin without obfuscating it, right now it’s not an option for us because we have a key that needs to be hidden and we haven’t found any other ways yet, if this plugin seems interesting to you and you just don’t trust it maybe check back next week and hopefully we’ll find a solution

That raises a few concerns for me, to be quite honest. When you make a request with a server, most of the time, your IP address is visible to the server, hence why so many people feel it’s a security concern. Although the concept itself is neat, there are a lot of concerns with how exactly it came to be. For example:

What exactly is being stored on the server?
How are conversations stored to be viewed at a later date?
Is it secure enough to actually use to convey vital information whilst developing?
Can it be exploited or manipulated in any way that can cause a disruption in someone’s development process?
Can we request for the stored information to be cleared for privacy reasons.
Who else can see our conversations?

Among many other concerns, there are just too many unanswered questions in my opinion.
Also, a separate concern, how is the server hosted? Typically, servers cost money to host regardless of circumstance, even if you don’t actually own the physical server. There are still a lot of vital questions that remain unanswered.

You can’t hide the key… even if it’s obfuscated eventually people will be able to find it. That’s just the downside of a public plugin. It needs to be somewhere in the script for the plugin to work, and it can be found even if it’s hidden deep in the code with enough time. All of it’s contents can be accessed by anyone, so even with obfuscation, with enough time, people will be able to find it. It’s much simpler to add an anti-spam on the server side as opposed to making the client completely unviewable to the people who will be relying on it. Overall, the concept seems interesting, but it just has too many missing points and too many details left out.

I 100% agree with you, I am just lost on how to make the API keys secure.

1: A table containing information, that information being - UserId, Message text, and a tag which is used to see if you’re a VIP user or in anonymous mode data gets deleted after 60 seconds
2: The table uploaded when you send a message is stored for 60 seconds no one is able to view it after and it is deleted from our server - it is kept in logs for moderation purposes
3: It should be but I would not recommend sharing vital information in case of bugs I’m unaware of
4: I’m not entirely sure what you mean but they cant affect your studio at all
5: If someone contacts us yes we can remove all messages they’ve ever sent
6: Moderator’s that are personally trusted by me, and will not be able to take any of those messages out of Moderation context

These are the answers to your current questions

You can’t make API keys secure if they are meant to be shared. What you should instead focus on is securing your API by rate limiting the server and suspending suspicious clients. Obfuscating the source code is not secure and makes your plugin suspicious. I would also refrain from logging messages on the server and instead use something called Diffi-Hellman-Key-Exchange. This will make sure only certain parties are able to read messages.

Why would you use this instead of, for example, Discord?

ikr I should strap a letter to a pigeon and send him to you

There are so many versions of this plugin, let alone one that have much better features and are open sourced. This plugin is pretty bad compared to other ones, it’s not even open source.

… Not to even mention the fact that there’s one built into Roblox Studio. Doesn’t the one in Studio work perfectly fine- so why waste resources on a pointless plugin that you have to install/pay for yourself in the future.

Also.

Buddy, you can’t do anything against anyone who takes this.

This is a cross-server chat I have not seen 1 plugin that works cross-servers

mmm-. not the point.

It’s like saying: I have a box. But I have this box’s made out of gold; when the main use of this box is to carry items.

umm… what?.. this is nothing like any other plugin if I open the plugin in my game and you a completely random person open it in yours we are still able to chat we don’t need to be in the same place and know each other

Correct me if I’m wrong, but couldn’t you do that to begin with in Roblox Studio? If not, it’s really not that hard to just create a group on Roblox.com, and even from there, you could just use Discord.

Your plugin is a golden box to say the least.

And sure, by using Discord, you might be taking .5 seconds more to send a message, but in my opinion, it’s still better than using a plugin like this. (Not to mention the fact that in Discord, you can send media, and be less filtered ;D)