Sign In Register

How can we help you today?

Start a new topic
Answered

How do you hide your secret key on the web?

On my website, what's the best (easiest) practice to hide the secret key?


Best Answer

Hi Dylan,

The secret is a crucial component in authenticating with the server.

The onInit() callback will retry a connection in the event the credentials are wrong so you must have supplied an incorrect secret. The server secret can be found in the integrations tab of the configurator. 

Regards, Patrick. 


Hi Dylan, 

The most common way that our customers have kept their API Secret secure is to hide the secret on your own server, using it to generate the hash when required by the service, this allows you to stop your secret being exposed. We offer a Node JS SDK :https://bitbucket.org/gamesparks/gamesparks-node-server-sdk This might of help to you when setting up this server. 


You would override the onNonce function making a call to this server requesting the secret.


Hope this helps.

Best Regards, Patrick. 

Oh nice! I'll check it out, thanks

Hi, just follow up about finding the equivalent crypto method for Node. Js and node seem to have different values so looking for the crypto example for node that can be found on the js SDK doc but not the node doc. Thanks

Also - the secret is just something I completely make up on my-end , right?

Answer

Hi Dylan,

The secret is a crucial component in authenticating with the server.

The onInit() callback will retry a connection in the event the credentials are wrong so you must have supplied an incorrect secret. The server secret can be found in the integrations tab of the configurator. 

Regards, Patrick. 

I've learned a lot lately and made some super progress regarding node+hiding my key:


Ok on JS client side, onNonce originally had this:


return CryptoJS.enc.Base64.stringify(CryptoJS.HmacSHA256(nonce, Secret));


Instead, I sent an Ajax POST to the node server with the nonce.


My node server received the POST and the nonce.


Now what? While awaiting a reply, I assume the next step is to grab cryptojs for node via npm and try to reproduce the above cryptojs snippet. Assuming I get that, what's the next step? I have the sha256 nonce + secret key, then...return that back to js and continue processing?


Since it's ajax/async, should i handle it like this:


  1. Return the sha256 back to js client
  2. I can't just "return" back to the SDK because it was async - I have the value .. now what?
  3. ^ If init failed the first time, it seems it'll keep responding until it gets it. Can I do this:
Once the ajax returns the value, store it in public var (it's different every time, so it doesn't matter if someone grabs it, right, since it's not my secret),
on onNonce(), see if that public var is filled -- if filled, return it. If not, do that ajax call to the node.

Which seems to be best practice for this?

Cheers! I'm so close. You are very patient :P


gah I responded with my secret key again ... these tickets aren't public, are they? I need to stop doing that. If public, pls remove. If not .. eh.

Ok I found out how to use crypto, but it seems the npm package cryptojs and crypto-js both use some different types of code -- if I use the same 256 hashing as the regular JS one, it forms different combinations!


What techniques are you using on node's side for onNonce?

Login to post a comment