We are developing a front-end dashboard external to GameSparks to display charts, graphs based on data stored in the game. We are using the Callback URL to retrieve and update some of this data. One concern is that the callback url does not appear to use any authentication besides the public keys in the url text itself.
Question One Is there a way to secure the callbacks url event so that it may be protected. If anyone were to access the url, they could replay events sent.
Question Two Do you have any best practices for using callback urls? Or is there an alternative solution that is more secure.
Thanks,
Best Answer
D
Devon Klompmaker
said
about 7 years ago
If anyone else is interested in how this can be done, take a look into https://code.google.com/p/crypto-js/.
We are creating a module with this script, then are doing a simple public key / private key to hash the data being sent across the wire. This will allow you to check that the hashed data, matches the re-hashed data on the GameSparks side.
For instance you may have the following:
var sentData = {
time : 201332923,
data1 : "some string",
"publicKey" : "SDFSXJAKDFJEDFJF+=",
"dataHash" : "hash of the sent data using AES"
};
Then on the GameSparks side, you re-hash the data and compare against the dataHash. This will allow you to determine if anyone has manipulated the sent data. You can then also store the time as a request ID, so that they are forced to change the time the request was made.
Those are pretty big questions, and its hard to know without specifics but i'll do my best to answer as generally as i can.
[1] - There isn't any apparent way to secure callback url requests built into GameSparks but there are security practices that you could implement yourself; the obvious being to send a cryptographic hash along with the request which can be matched on the server. Another way to make sure that request are duplicated and sent is to send a unique Id with all requests which is checked against a collection were you store all requests. If the id is a duplicate then dont process that request. This is used in some games where transactions are required (with hash encryption).
[2] - I'm sure there are plenty of best practices you can find threads about on forums, but something to note when using gamesparks is never to send REST request from the client directly as it contains the server-secret. It is intended for communications between servers primarily.
I hope that answers your questions. We may be back to you with a more complete description of REST security when we get a chance.
Sean
D
Devon Klompmaker
said
about 7 years ago
Sean,
Thanks for the feedback. We will look into implementing a public / private key hash.
D
Devon Klompmaker
said
about 7 years ago
Answer
If anyone else is interested in how this can be done, take a look into https://code.google.com/p/crypto-js/.
We are creating a module with this script, then are doing a simple public key / private key to hash the data being sent across the wire. This will allow you to check that the hashed data, matches the re-hashed data on the GameSparks side.
For instance you may have the following:
var sentData = {
time : 201332923,
data1 : "some string",
"publicKey" : "SDFSXJAKDFJEDFJF+=",
"dataHash" : "hash of the sent data using AES"
};
Then on the GameSparks side, you re-hash the data and compare against the dataHash. This will allow you to determine if anyone has manipulated the sent data. You can then also store the time as a request ID, so that they are forced to change the time the request was made.
Devon Klompmaker
We are developing a front-end dashboard external to GameSparks to display charts, graphs based on data stored in the game. We are using the Callback URL to retrieve and update some of this data. One concern is that the callback url does not appear to use any authentication besides the public keys in the url text itself.
Question One
Is there a way to secure the callbacks url event so that it may be protected. If anyone were to access the url, they could replay events sent.
Question Two
Do you have any best practices for using callback urls? Or is there an alternative solution that is more secure.
Thanks,
If anyone else is interested in how this can be done, take a look into https://code.google.com/p/crypto-js/.
We are creating a module with this script, then are doing a simple public key / private key to hash the data being sent across the wire. This will allow you to check that the hashed data, matches the re-hashed data on the GameSparks side.
For instance you may have the following:
var sentData = { time : 201332923, data1 : "some string", "publicKey" : "SDFSXJAKDFJEDFJF+=", "dataHash" : "hash of the sent data using AES" };Then on the GameSparks side, you re-hash the data and compare against the dataHash. This will allow you to determine if anyone has manipulated the sent data. You can then also store the time as a request ID, so that they are forced to change the time the request was made.
- Oldest First
- Popular
- Newest First
Sorted by Oldest FirstCustomer Support
Hey Devon,
Those are pretty big questions, and its hard to know without specifics but i'll do my best to answer as generally as i can.
[1] - There isn't any apparent way to secure callback url requests built into GameSparks but there are security practices that you could implement yourself; the obvious being to send a cryptographic hash along with the request which can be matched on the server. Another way to make sure that request are duplicated and sent is to send a unique Id with all requests which is checked against a collection were you store all requests. If the id is a duplicate then dont process that request.
This is used in some games where transactions are required (with hash encryption).
[2] - I'm sure there are plenty of best practices you can find threads about on forums, but something to note when using gamesparks is never to send REST request from the client directly as it contains the server-secret. It is intended for communications between servers primarily.
I hope that answers your questions.
We may be back to you with a more complete description of REST security when we get a chance.
Sean
Devon Klompmaker
Sean,
Thanks for the feedback. We will look into implementing a public / private key hash.
Devon Klompmaker
If anyone else is interested in how this can be done, take a look into https://code.google.com/p/crypto-js/.
We are creating a module with this script, then are doing a simple public key / private key to hash the data being sent across the wire. This will allow you to check that the hashed data, matches the re-hashed data on the GameSparks side.
For instance you may have the following:
var sentData = { time : 201332923, data1 : "some string", "publicKey" : "SDFSXJAKDFJEDFJF+=", "dataHash" : "hash of the sent data using AES" };Then on the GameSparks side, you re-hash the data and compare against the dataHash. This will allow you to determine if anyone has manipulated the sent data. You can then also store the time as a request ID, so that they are forced to change the time the request was made.
-
Documentation Notes
-
Design issues with user events
-
Using NoSQL
-
Runtime Collections vs Metadata Collections
-
Anonymous authentication from browser app
-
Modules
-
Movement With Unity
-
Problem with url parameters for downloadables
-
Querying NoSql GameSparks database
-
Challenge accesType
See all 2487 topics