The problem is both of these are clientside functions, and I’m not too keen on trusting the client to honestly tell me what their teleport data is (hey I just teleported from somewhere and I’ve got a backpack full of rockets and explosives! Trust me!!).
This teleport data is sent serverside, and I should be able to receive it serverside too. I’d rather not have to waste two dataStore calls on this when there’s a feature that’s already supposed to do it for me.
Exploits like RC7 cannot connect to the ROBLOX client as soon as it loads in from what I’ve tested. It takes them about 5-10 seconds which is plenty of time to send a secure call to the server.
That they can’t currently does not mean they’ll never be able to. Though at the moment I imagine you could see someone use something like Fiddler to change the data being sent, like they have with animation data in the past.
Pretty sure that’s sent clientside. Teleportation only happens on the client. When you “teleport from the server”, it’s just the server saying “hey client, you need to teleport”.
It should probably be (also) the other way around: EDIT: I meant the client still does the actual teleportation (connecting to new server etc), but it’s the (original) server that’ll talk to the web APIs for the data (e.g. IP) needed by the client to connect to the new server.
Teleportation is initated from the server/client
If it’s on the client, tell the server about the teleportation and wait for confirmation.
The “confirmation” would just be the server using the RequestHandler web APIs etc. (would also (later on) allow for an API where we can block/allow teleports serverside)
If it’s on the server, do the confirmation process and give the result to the client, so it can teleport. (both the data from RequestHandler to actually teleport, along with the teleportData)
During the confirmation, as part of the process, the server uploads the teleportData to somewhere (just a web API that can cache teleportData for each player for 5m or so, more than enough time)
Client has the teleportData (or teleport failed) and now actually teleports to the other server
Client can use its local copy of the teleportData to immediatly do GUI stuff or whatever
(already has data if teleported “from the client”, otherwise sent by server with the confirmation)
Server uses the web API to get the cached teleportData for the player and fires some kind of event
At this point, the server can use the (secure, spoof-proof) teleportData for idk… spawning your ship.
When the teleportData gets stored/loaded, it gets linked to the teleport ticket (instead of the player, or both, doesn’t matter), otherwise I could get teleportData from another game session.
Having the ability to block/allow teleportations from the server, which would be possible when the above is implemented, would also be nice, e.g. to stop exploiters from teleporting to places they shouldn’t access, like higher level places in the same universe.
when teleporting, roblox doesn’t completely re-instance itself, level 7’s will still work and you can hook the methods of the teleport service to send spoofed information
edit: this is probably wrong. but you don’t have to hook both events, only the first event that sends the data.