On my website, what's the best (easiest) practice to hide the secret key?
Best Answer
Customer Support said over 6 years ago
Hi Dylan,
The most common way that our customers have kept their API Secret secure is to hide the secret on your own server, using it to generate the hash when required by the service; this allows you to stop your secret being exposed. We offer a Node JS SDK: https://bitbucket.org/gamesparks/gamesparks-node-server-sdk This might be of help to you when setting up this server.
You would override the onNonce function making a call to this server requesting the secret.
Hope this helps.
Best Regards, Patrick.
Dylan Hunt said over 6 years ago
Oh nice! I'll check it out, thanks
Dylan Hunt said over 6 years ago
Also - the secret is just something I completely make up on my end, right?
Customer Support said over 6 years ago
Answer
Hi Dylan,
The secret is a crucial component in authenticating with the server.
The onInit() callback will retry a connection in the event the credentials are wrong so you must have supplied an incorrect secret. The server secret can be found in the integrations tab of the configurator.
Regards, Patrick.
Dylan Hunt said over 6 years ago
I've learned a lot lately and made some super progress regarding Node + hiding my key:
Ok, on the JS client side, onNonce originally had this:
return CryptoJS.enc.Base64.stringify(CryptoJS.HmacSHA256(nonce, Secret));
Instead, I sent an Ajax POST to the Node server with the nonce.
My Node server received the POST and the nonce.
Now what? While awaiting a reply, I assume the next step is to grab cryptojs for Node via npm and try to reproduce the above CryptoJS snippet. Assuming I get that, what's the next step? I have the sha256 of nonce + secret key, then... return that back to JS and continue processing?
Since it's Ajax/async, should I handle it like this:
Return the sha256 back to the JS client
I can't just "return" back to the SDK because it was async - I have the value... now what?
^ If init failed the first time, it seems it'll keep responding until it gets it. Can I do this:
Once the Ajax returns the value, store it in a public var (it's different every time, so it doesn't matter if someone grabs it, right, since it's not my secret),
In onNonce(), see if that public var is filled -- if filled, return it. If not, do that Ajax call to the Node server.
Which seems to be best practice for this?
Cheers! I'm so close. You are very patient :P
Dylan Hunt said over 6 years ago
Gah, I responded with my secret key again... these tickets aren't public, are they? I need to stop doing that. If public, please remove. If not... eh.
Dylan Hunt said over 6 years ago
Ok I found out how to use crypto, but it seems the npm package cryptojs and crypto-js both use some different types of code -- if I use the same 256 hashing as the regular JS one, it forms different combinations!
What techniques are you using on node's side for onNonce?
Dylan Hunt said over 6 years ago
Hi, just following up about finding the equivalent crypto method for Node. JS and Node seem to produce different values, so I'm looking for the crypto example for Node that can be found in the JS SDK doc but not in the Node doc. Thanks