Thanks! Please keep us updated.
It would be great if “Local Test” could fetch secrets from the Secret Store. I find it ridiculous that I have to go into Team Test every time I test my game, and it seems even more ridiculous to me to wrap it in pcall just so it doesn’t give an error in “Local Test”.
This is an update from a bit ago, although it’s not detailed whether locally configured secrets work in local testing environments or are just an option to configure secrets locally to work with live sessions. That being said, zipcatmax has said they are working on secrets for local instances:
That being said, AFAIK the current implementation of this is still bugged, but zipcatmax is working on a fix.
Unsure if you will be able to access the live secret store or only be able to use secrets set up locally/read from a local file.
The former could create some security vulnerabilities based on the method of implementation, so it’d be interesting to see how it’d go. This is beyond the scope of your question, but I find these sorts of things very interesting!
We won’t be able to implement this in a secure way. As soon as the secret gets onto a developer’s computer, there is no way for us to ensure it is not captured and saved somewhere.
I found and fixed the problem in Studio. Next release will have the fix.
Is it currently not possible to have two API keys in one URL?
API I’m using requires ?key={key0}&token={key1}
but using two secrets doesn’t seem to work…
Right now I need to combine the first part of the URL (a string) and then the two queries which cannot be concatenated with Secrets. The basic AddPrefix and AddSuffix seem to be only for singular queries even though many APIs require multiple.
Solution:
If you must append multiple secrets to a URL like you are saying, you can save the entire portion of the URL as a single secret. Instead of saving key0 and key1 as individual secrets, it would be something like setting a secret as: ?key={your-key-here}&token={your-token-here} for the domain you want to use. Not the cleanest solution, but it should fix your problem.
Security Concern:
If possible you should really be passing these arguments as headers rather than as part of the URL. While I don’t think you will have any security problems with Roblox’s servers making these calls, it’s best practice to do this and is good to build as a habit. If the API you are using doesn’t support that then ¯\_(ツ)_/¯ but if it’s your own API I suggest implementing authentication checks via headers and not just URL queries.
I’d like to see compatibility with being able to pass both secrets and strings with AddSuffix and AddPrefix, but currently we can only pass strings as an argument for these methods. Having multiple keys as a query rather than passed headers is something that a lot of legacy APIs use and it could be nice to have some support for the older web.
Hey,
I’m pretty sure a new Studio version has just rolled out. Secrets still don’t save and persist between sessions. I haven’t yet tested whether they actually work locally.
Can you confirm the fix for both of these issues has been released?
Release notes for version 630 haven’t been released yet, so I’m guessing we are still in version 629 even tho it’s around the time for an update. However, you should note that many updates for version 629 are still pending and not live, so even if the update has been pushed it could still be pending approval.
Might not even appear on the release notes. Some bug fixes don’t. But we’ll see
Locally-saved secrets still do not save across sessions or work at all in playtesting. It seems nothing has been fixed here. Have confirmed on version 630.
Could be the case that it hasn’t gone LIVE yet.
Indeed, this is not supported. It sounds like a useful feature, allowing AddPrefix/AddSuffix to concatenate another secret, but here I agree with Sammy, passing multiple secrets via URL feels unnatural.
Yes, this is our usual practice, to employ “slow rollout”. We must ensure that changes do not break anything else in the system, hence the need for such practice. It is at 100% now, and should be working for everyone.
Thanks for the info. Secrets now save between Studio sessions but I still can’t seem to access them via scripts.
It likely means there is some mismatch in the JSON or script. For example, secret name, or JSON format, or secret content not being base64-encoded. If you could paste the JSON and a script, that might be helpful. We don’t validate JSON when saving it (even invalid input will be saved, but it won’t be loaded in the game server, causing “Secret not found”).
I do agree that passing the secrets as parameters is definitely insecure. But it’s just how the Trello API (developed by Atlassian) works. Feature support for this would be very nice but I guess for now I will have to use the solution @Mmm_Wafflez came up with.
Hey again,
Not sure what happened but it seems to be working now! Thanks a lot for your continued assistance.
I’ll be sure to let you know if I experience any further issues.
I’d recommend adding a regex check to validate JSON when saving as this could be a somewhat annoying thing to debug with a pretty easy fix. Low priority ticket item tho.
Here’s some examples of how to do this:
Perl and JS:
Regex strings are pretty much the same across different languages so I hope you can implement this whenever you have spare time.
How do I add a secret to this window?
I am unsure of the format and am unable to find documentation.
Come on man, I can’t even use it.
You want to write Secrets in JSON format wrapped with curly brackets where the key is the Secret name and the value is an array with the first value as the Token and the second value as the whitelisted URL. Note that you should prepend URLs with a * (wildcard) to make sure that all subdomains associated with a domain are whitelisted as well.
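As an added example (not from the thread and not Roblox’s own code), here is a small Python checker that applies the rules described in this reply and in the earlier “Secret not found” explanation: the file must be a JSON object, each value a [token, whitelisted URL] array, the token base64-encoded, and the URL carrying the leading * wildcard. The exactly-two-element requirement and the sample entries are assumptions made for the example.

```python
import base64
import binascii
import json

# Constructed samples of the locally configured secrets JSON described in the thread:
# an object keyed by secret name, value = [base64-encoded token, whitelisted URL].
SAMPLE_OK = '{"trello": ["c2VjcmV0LXRva2Vu", "*trello.com"]}'
SAMPLE_BAD = '{"trello": ["secret-token!", "trello.com"], "other": "x"}'


def _is_base64(value: str) -> bool:
    """Strict check: decodes with validation and round-trips to the same text."""
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return base64.b64encode(decoded).decode() == value


def validate_secrets(text: str) -> list[str]:
    """Return a list of problems; an empty list means the JSON looks loadable."""
    problems = []
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(data, dict):
        return ["top level must be an object mapping secret name -> [token, url]"]
    for name, entry in data.items():
        # Assumption: exactly two elements, [token, whitelisted URL].
        if not isinstance(entry, list) or len(entry) != 2:
            problems.append(f"{name}: value must be a two-element array [token, url]")
            continue
        token, url = entry
        if not isinstance(token, str) or not _is_base64(token):
            problems.append(f"{name}: token must be a base64-encoded string")
        if not isinstance(url, str) or not url:
            problems.append(f"{name}: whitelisted URL must be a non-empty string")
        elif not url.startswith("*"):
            problems.append(f"{name}: URL lacks the leading * wildcard, subdomains will not match")
    return problems


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, validate_secrets(sample) or "no problems found")
```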
Roblox has been down just before and it caused the method GetSecret to fail (saying the secret was not found), which my game was not designed to handle at all and broke everything because I didn’t even know the method could error in this case. It would be nice to either document that this function may error in case Roblox goes down (so advising to wrap it in a pcall), or return a secret but with an empty value or whatever.
edit 2: When I run Local Test, I’m able to retrieve the secret, but when I try to use it in a request such as:
local HttpService = game:GetService("HttpService")
local apiUrl = "https://example.invalid/endpoint" -- placeholder for the real endpoint
local apiKey = HttpService:GetSecret("api-key") -- Secret object; the secret name is assumed
local response = HttpService:PostAsync(
    apiUrl,
    HttpService:JSONEncode(self.payload),
    Enum.HttpContentType.ApplicationJson,
    false,
    {["api-key"] = apiKey} -- secret passed as the header value
)
I get the error:
Header "api-key" has unallowed character - Server
However, Team Test is working with the api-key I have put in the web portal. Therefore I’m assuming there is some issue with the formatting in Game Settings > Security > Secrets. How can we verify that it is being parsed correctly?
edit 1: I’m guessing it doesn’t work in the command bar; it seems to work locally. However, new issue: there is no documentation on how to use Secrets with the PostAsync header variant or RequestAsync headers. When I try to use it I get “header must be a dictionary”. This feature is borderline useless.
Command bar doesn’t appear to be working. Maybe I am doing something wrong.