ModDota / BugTracker

Listing bugs for Dota 2 Custom Games

Allow disabling specific files in the vpk from being downloaded to clients if a game has dedicated server support #123

Closed DoctorGester closed 6 years ago

DoctorGester commented 7 years ago

This would enable safe access to foreign APIs since API key files could be excluded and only the dedicated server would have access to them.

moofMonkey commented 6 years ago

You can try to get API keys via an HTTP request to your server, and then on the server side detect whether the server is located on the Valve network or not (a client can easily hook IsDedicatedServer).

DoctorGester commented 6 years ago

@MoofMonkey people have already successfully acquired dedicated server access with malicious intent and hacked other games. There is literally no way to protect your game from that.

moofMonkey commented 6 years ago

@DoctorGester, btw detecting server network is the best protection now. At least there's nothing better for dedicated servers.

DoctorGester commented 6 years ago

It is known. https://github.com/Perryvw/ValveWhitelist

SinZ163 commented 6 years ago

An alternative option is having the engine add some tokens as an HTTP header to Lua's and Panorama's HTTP APIs that our backends can check against, maybe JWT?

The main problem is not being able to know WHO sent the request, both in steamID for Panorama stuff and gamemode ID for Lua stuff.

moofMonkey commented 6 years ago

> Alternative option is having the engine add some tokens as a http header to lua and panoramas HTTP API's that our backends can check against, maybe JWT?

Really a crutch. A more realistic idea is that Valve will add dedicated-only files.

DoctorGester commented 6 years ago

It's not a crutch and it's a better idea in my opinion.

SinZ163 commented 6 years ago

What, restructure how the entire Steam Workshop system works, which affects many games, not just Dota, or add one GC server to client packet and add a couple of lines to CScriptHTTPRequest?

moofMonkey commented 6 years ago

Now the way to do this is: you can try to get API keys via an HTTP request to your server, and on your server you must check the dedicated server key, which will be sent in the request.
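
The backend-side check discussed in this thread (source network plus a dedicated-server key sent with the request), as an added example that is not code from any participant or from the linked ValveWhitelist project. The CIDR ranges, the key and the `X-Server-Key` header name are constructed placeholders, not real Valve values.

```python
import hmac
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation nets), NOT real Valve
# ranges; in practice load a maintained list of the dedicated servers' networks.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
# Constructed placeholder secret standing in for the dedicated-server key.
SERVER_KEY = b"constructed-example-key"


def peer_in_allowlist(peer_ip: str) -> bool:
    """True if the TCP peer address falls inside an allowed network."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # malformed address: fail closed
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) seen on dual-stack listeners.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in ALLOWED_NETWORKS)


def authorize(peer_ip: str, headers: dict) -> tuple[bool, str]:
    """Decide whether a request may receive API-backed data.

    peer_ip must be the socket peer address, never a client-supplied header
    such as X-Forwarded-For, which any game client can set freely.
    """
    if not peer_in_allowlist(peer_ip):
        return False, "peer outside dedicated-server networks"
    presented = headers.get("X-Server-Key", "").encode()  # hypothetical header name
    # Constant-time comparison avoids leaking key bytes through timing.
    if not hmac.compare_digest(presented, SERVER_KEY):
        return False, "bad server key"
    return True, "ok"
```

Both checks only establish that a request came from a dedicated-server network with the key; as noted in the thread, code that runs on a dedicated server passes them too.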