Voxel Admin System (Early Indev)

You can go with some sort of API key mechanism where your server receives the API key and the authenticated user ID, that way you can validate a particular request comes from a game server from that particular user. It makes much more sense from a security perspective to keep Roblox accounts linked 1:1 to accounts on your third-party system.

For third-party login without needing additional passwords, you can support this feature request with your use case: Log in with ROBLOX, OAuth, SSO - #20 by PMGDesigns

2 Likes
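Added example, not part of the thread and not Voxel's code: one way the third-party server could check the API key and Roblox UserId described in the first post, and refuse any link that is not 1:1. The class, method names, server id, key and account ids are all hypothetical, constructed values.

```python
import hashlib
import hmac


class AccountLinks:
    """In-memory stand-in for the third-party server's state (hypothetical)."""

    def __init__(self):
        self._key_digests = {}   # server_id -> SHA-256 hex digest of its API key
        self._by_roblox_id = {}  # Roblox UserId -> account id
        self._by_account = {}    # account id -> Roblox UserId

    def register_server(self, server_id, api_key):
        # API keys are random and high-entropy, so a plain digest is enough
        # to keep a database leak from exposing usable keys.
        self._key_digests[server_id] = hashlib.sha256(api_key.encode()).hexdigest()

    def _server_ok(self, server_id, api_key):
        expected = self._key_digests.get(server_id)
        presented = hashlib.sha256(api_key.encode()).hexdigest()
        # Constant-time comparison; unknown servers are compared to a dummy.
        match = hmac.compare_digest(presented, expected or "0" * 64)
        return expected is not None and match

    def link(self, server_id, api_key, roblox_user_id, account_id):
        """Link one Roblox UserId to one account; refuse anything not 1:1."""
        if not self._server_ok(server_id, api_key):
            return False
        if roblox_user_id in self._by_roblox_id or account_id in self._by_account:
            return False
        self._by_roblox_id[roblox_user_id] = account_id
        self._by_account[account_id] = roblox_user_id
        return True

    def authorize(self, server_id, api_key, roblox_user_id):
        """Return the linked account id, or None if the request is rejected."""
        if not self._server_ok(server_id, api_key):
            return None
        return self._by_roblox_id.get(roblox_user_id)


def demo():
    links = AccountLinks()
    links.register_server("game-1", "constructed-sample-key")  # constructed values
    links.link("game-1", "constructed-sample-key", 1001, "acct-a")
    return (
        links.authorize("game-1", "constructed-sample-key", 1001),       # linked user
        links.authorize("game-1", "wrong-key", 1001),                    # bad API key
        links.link("game-1", "constructed-sample-key", 2002, "acct-a"),  # second id, same account
    )
```

The API key stays on the game server and is never sent to a player's client, so the UserId the third-party server receives is the one the game server reports.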

I like it, but there is one thing I would add. A button that toggles dark/light mode.

I did this because I cannot transfer voxel accounts. I built this whole system up on an account system and it would just not work if I changed this now. For the people who don’t trust me enough, there still is a way to log in as “guest”. This game will be at some point moved to a website anyways and is just temporary.
This account system makes it possible for me to have custom profile pages. However, if someone loses their Roblox account, this is a big security risk for database owners, plus I cannot transfer their voxel account. If people don’t trust me, sure. That’s their thing. They don’t need to use voxel nor have an account there. All the stored stuff is encrypted and that’s the highest security that I can provide.

Plus, people don’t need to use an actual password which they use on other sites.

When it’s moved to a website then you can have the login stuff. However, what you are currently showing is in studio (and may be live in-game?) so TOS still apply to it. That means the login screen still remains questionable. Personally, I wouldn’t want to risk my account being moderated due to that login screen if I was the developer (which in my opinion, is unnecessary anyway).

That’s the life of developing something before considering design flaws. If this project is truly in early development then it shouldn’t be the end of the world to switch it.

What does this do behind the scenes database wise? Do your kick/bans/warns save if you use a guest? If they do, why would people bother to log in in the first place?

Using your Roblox account as authentication can have these too, I don’t see why you mention it.

They could also lose the game that the admin system is running on. I don’t think this point is a big deal with that in mind; if you lost your Roblox account then the game is compromised regardless of the admin database’s integrity.

They could also lose the game that the admin system is running on. I don’t think this point is a big deal with that in mind; if you lost your Roblox account then the game is compromised regardless of the admin database’s integrity.

I was referring to the user accounts. If a game gets compromised that’s still fine, since what you saw in the video above is not being given to anybody. That will be a separate game. But it is a security risk for database admins if one of them loses their account and someone goes into the database and for example just gives everyone infinite ammo. Voxel will also serve as a replacement for datastores, since it’s easier to manage data like that.

What does this do behind the scenes database wise? Do your kick/bans/warns save if you use a guest? If they do, why would people bother to log in in the first place?

Guest accounts are for normal users who just want to take a look at public databases.
Admins will be required to have an account.

That’s the life of developing something before considering design flaws. If this project is truly in early development then it shouldn’t be the end of the world to switch it.

It would be a huge code rewrite, for which I don’t really have the time.

No offense but a login system is pretty pointless when you can literally just check Player UserIds. Having a username password system also allows for the chance someone may have the password giving them the chance to use it if they aren’t supposed to. Although I am sure you spent time on the login system, it really is a pointless system which I am guessing is to mock other systems that aren’t games, therefore requiring the system in some way.

Also having a fake loading bar that takes that long to finish is pretty pointless. I would not want to use something that takes that long to open knowing the loading bar doesn’t even need to exist. I could go further on some of the UI you have there but I believe I have said enough for now.

I was too.

The game getting compromised is very significant. I understand that your database would be safe from such a case, but if the attacker has edit access to the game then the integrity of your database is irrelevant at that point. Why waste time with infinite ammo when the attacker can do whatever they want?

I understand, but that excuse won’t hold if the admin system gets caught up with Roblox moderation. It’s something you should strongly consider before releasing it.

I understand, but that excuse won’t hold if the admin system gets caught up with Roblox moderation. It’s something you should strongly consider before releasing it.

I will see about that and possibly contact a mod before that to get stuff cleared.

The game getting compromised is very significant. I understand that your database would be safe from such a case, but if the attacker has edit access to the game then the integrity of your database is irrelevant at that point. Why waste time with infinite ammo when the attacker can do whatever they want?

Elaborate on that. I do not really understand what you are trying to say there.
All the account system is trying to protect is if a normal user gets compromised, to make the attacker unable to interact with the database.

This is actually not a good method at all (from my understanding) as people can simply use a Base64 Decoder. Instead with my personal opinion I would use HashLib - Cryptographic hashes in pure Lua since this supports many different hashes. If I am wrong please correct me.

EDIT: I’m a complete idiot, ignore me.

It is encrypted using a custom number. Someone would need to go through millions of numbers in order to find the one I encrypted it with.

1 Like

Sorry, what? I was replying to him asking what 67-bit encryption is? I also don’t think he understands that encrypting all data at rest for this kind of application doesn’t make sense as it will sarcastically hurt query performance. It’s better to hash passwords instead of using encryption, methods such as Argon2, Bcrypt, or even PBK are way better than using base64 or any other method. Base64 is not built for that.

To be honest, I would actually want to try this out now! It looks so cool and well-made! Good job bro!

Just wanted to say that the project is still alive and being worked on, however we are in need of developers. So if anyone reads this and is interested in helping, then go and take a look at this The Voxel Project is hiring [OPEN]