Closed TheDrawingCoder-Gamer closed 3 years ago
He thought about this:
I gitignore the API keys for the game, so that no one can nab them and post fake highscores on the leaderboards. But because of that the game doesn't compile without it.
Just make a file in /source and call it APIStuff.hx, and copy paste this into it:

```haxe
package;

class APIStuff
{
	public static var API:String = "";
	public static var EncKey:String = "";
}
```

and you should be good to go there.
I understand that, but what I am worried about is the compiled JavaScript. It doesn't matter if he gitignores it because the API keys are in the compiled JavaScript.
http://www.newgrounds.io/help/encryption/ -- Not fool-proof, but it already does some attempts to combat this
Using encryption is very secure, as long as the end-user can not easily find your encryption key.
I can easily find the encryption key in the JavaScript on the website, which isn't very hard to download.
While truly dedicated users could reverse engineer your code and cheat, most people will be too lazy to do so.
this code is way too easy to reverse engineer
Ah-- I just realized I was stupid and didn't bother to check the Haxe library repository. A simple comparison and yeah, I think I have indeed found the API keys. Obfuscation (and definitely a change of the API keys!) would be a good idea.
Likely a good idea to delete/close this issue-- the fact that it's still open is just bringing more awareness to it, and it's probably better to just message ninjamuffin99 directly about it
How would one do so?
Deleting doesn't appear to be enabled-- so closing it is just a "Close issue" button
I mean how would one message ninjamuffin
ninjamuffin99 has an email on their GitHub profile! Also Newgrounds has DM capabilities but I can imagine that's super cluttered
ok
Please check for duplicates or similar issues before asking your question.
What is your question?
Directly referencing API keys in source code is not a good idea, as they will appear in the compiled JavaScript, and a relatively experienced person can find them in a few minutes. Have you considered protecting them, or doing something special in the web build? Have you tried using an obfuscator on the JavaScript? If I wanted to cause chaos I could very easily make a build that always gives me 69696969 points on a song and put in the correct API keys. I just wanted to make sure you know about this.
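
The point raised in this issue, that gitignoring APIStuff.hx does not keep its values out of the web build, can be checked by a maintainer before publishing. The following is an added example, not code from the thread or the project: the function names, the placeholder key values and the sample bundle text are constructed for illustration, and the check only compares raw literal text.

```javascript
// Read the non-empty string values of `static var NAME:String = "...";`
// declarations from Haxe source text (the APIStuff.hx layout quoted above).
function readHaxeSecrets(hxSource) {
  const secrets = {};
  const re = /static\s+var\s+(\w+)\s*:\s*String\s*=\s*"((?:[^"\\]|\\.)*)"/g;
  for (const m of hxSource.matchAll(re)) {
    if (m[2].length > 0) secrets[m[1]] = m[2]; // skip the empty template values
  }
  return secrets;
}

// Report every place a secret's literal value appears in the compiled bundle.
function findLeaks(secrets, bundleText) {
  const leaks = [];
  for (const [name, value] of Object.entries(secrets)) {
    let idx = bundleText.indexOf(value);
    while (idx !== -1) {
      const line = bundleText.slice(0, idx).split("\n").length;
      leaks.push({ name, line });
      idx = bundleText.indexOf(value, idx + value.length);
    }
  }
  return leaks;
}

// Constructed sample inputs: placeholder values, not real keys.
const SAMPLE_HX = `package;
class APIStuff {
  public static var API:String = "00000:PLACEHOLDERAPPID";
  public static var EncKey:String = "PLACEHOLDER+ENC/KEY==";
}`;
// Constructed stand-in for the compiled JavaScript of the web build.
const SAMPLE_BUNDLE = `var APIStuff = function() { };
APIStuff.__name__ = "APIStuff";
APIStuff.API = "00000:PLACEHOLDERAPPID";
APIStuff.EncKey = "PLACEHOLDER+ENC/KEY==";
`;

// Stand-alone run: list what a visitor who downloads the bundle can read.
for (const l of findLeaks(readHaxeSecrets(SAMPLE_HX), SAMPLE_BUNDLE)) {
  console.log(`${l.name} is present in the bundle at line ${l.line}`);
}
```

A hit for every key on an unobfuscated build is the expected result, which is why the thread's suggestion to change the keys still applies.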