Phalcode / gamevault-app

Frontend for the self-hosted gaming platform for drm-free games
https://gamevau.lt

Allow Logon to Backend with the client via a Cloudflare Service Token #455

Open MisterVertigo7 opened 1 week ago

MisterVertigo7 commented 1 week ago

Is your feature request related to a problem? Please describe.

I'm trying to make my GameVault backend server available to the public, but I want to make sure it is secured. Right now it is behind a reverse proxy using Cloudflare. It works great for normal web-based applications because when you browse out to the web application site you can use an authentication method to allow access. However, GameVault is not web based and the client has no way to authenticate to Cloudflare.

Describe the solution you'd like

Doing some reading, I found a feature in Cloudflare for "Service Tokens". It's kind of like an API key. I could provide a service token to my GameVault client, and then when I try to connect to my public server it would automatically authenticate to Cloudflare using the token key. It looks like if the token information is formatted properly in the header of the request, it will authenticate.

To be honest, I'm not a developer so I don't have any idea if something like this is even possible. I'm just looking for solutions to my issue! :)

Describe alternatives you've considered

I've tried disabling all authentication on Cloudflare for GameVault, but that is really insecure.

Additional context

Here is the Cloudflare documentation page for Service Tokens: https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/

Alfagun74 commented 1 week ago

Thank you very much for reaching out! The situation you described seems quite specific to your setup, and it may fall a bit outside the typical scenarios we’ve designed our system for.

At the moment, our system doesn’t support a client-side plugin architecture, though we agree it would be a great enhancement for custom features like this! Given that our code is open-source, an experienced developer might be able to help you implement this through a fork. Another option to consider is using a proxy to fiddle in the service token.

While zero-trust architectures offer excellent security benefits, they can sometimes add extra layers of complexity. In your case, a simpler setup like a VPN or a walled-garden approach might be a more practical solution.

I’m not entirely sure of the technical solution here since this scenario is new to me as well. However, based on your description, could a feature like “Advanced Settings” -> “Append Custom HTTP Request Headers to all requests” help address your issue?

Perhaps you could experiment with Postman, and let us know if that feature idea brings you closer to a solution!
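
The "proxy to fiddle in the service token" option mentioned in the reply above, as an added example that is not GameVault project code: a loopback-only forwarder that attaches the Cloudflare Access service token headers (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) to every request and refuses to follow redirects, so the secret is never replayed to another host. The upstream URL, the port 8080 and the environment variable names are assumptions, as is the premise that the client can be pointed at the local listener.

```python
import os
import shutil
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed names: the upstream URL and environment variable names are placeholders.
UPSTREAM = os.environ.get("GAMEVAULT_UPSTREAM", "https://gamevault.example.com")
TOKEN = {"CF-Access-Client-Id": os.environ.get("CF_ACCESS_CLIENT_ID", ""),
         "CF-Access-Client-Secret": os.environ.get("CF_ACCESS_CLIENT_SECRET", "")}
HOP = {"host", "connection", "keep-alive", "te", "trailer", "transfer-encoding",
       "upgrade", "proxy-authorization", "content-length"}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx as-is; never replay the token to another host

OPENER = urllib.request.build_opener(NoRedirect)

def build_upstream_request(method, path, headers, body=None, upstream=UPSTREAM, token=TOKEN):
    """Copy the client's request, replacing any CF-Access-* headers with ours."""
    if not (upstream.startswith("https://") and path.startswith("/") and all(token.values())):
        raise ValueError("need an https upstream, an origin-form path and a configured token")
    reserved = HOP | {name.lower() for name in token}
    kept = {k: v for k, v in headers.items() if k.lower() not in reserved}
    kept.update(token)
    return urllib.request.Request(upstream.rstrip("/") + path, data=body,
                                  headers=kept, method=method)

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        try:
            req = build_upstream_request(self.command, self.path, dict(self.headers.items()), body)
            resp = OPENER.open(req, timeout=60)
        except urllib.error.HTTPError as err:
            resp = err  # pass upstream statuses such as 403 through unchanged
        except (ValueError, urllib.error.URLError) as exc:
            return self.send_error(502, str(exc))
        self.send_response(resp.getcode())
        for name, value in resp.headers.items():
            if name.lower() not in ("connection", "transfer-encoding"):
                self.send_header(name, value)
        self.end_headers()
        shutil.copyfileobj(resp, self.wfile)  # stream: game downloads are large
    do_POST = do_PUT = do_DELETE = do_PATCH = do_HEAD = do_GET

if __name__ == "__main__":
    # Loopback only: anything that can reach this port inherits the token.
    ThreadingHTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The service token only gets the request past Cloudflare Access; the client's own credentials are still forwarded to the backend, so backend authentication stays enabled.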