
Re: can people view the source code of .love files?

Posted: Mon Apr 04, 2016 12:19 pm
by ivan
Great post by Zorg there, I agree 100%.
Tricky wrote: I make most of my games able to contact the GameJolt API and with love not being able to obfuscate code I'm basically forced to expose all the security codes I have to enter in GameJolt. In BlitzMax, as a compiler based language I could always keep that part closed-sourced
Security must always be enforced on the server side.
If you are using an API that connects to a server for example,
it is the server's responsibility to validate and block requests.
When you have to 'hide code from the user' then you've lost the battle.

Re: can people view the source code of .love files?

Posted: Mon Apr 04, 2016 4:50 pm
by Tricky
You ask for the impossible.
The code asked is to confirm the game is "real". No way the server can check that in any possible way. Basically it's the game's "password" in order to login. So basically what you claim cannot exist, especially not on a server where many games are housed of many different programmers not part of the server team. It's the only way GameJolt (or a similar site) can check if the game logging in is the game it claims to be. In other words, making your Love2D game GameJolt compatible always means you have to expose this password for the whole world to see. Basically in your claim ALL sites lost the battle, since humans need a password too to login to a site.

I agree, all security which can be done on the server side should be done on the server side, but your statement is by far too simplistic, as 100% of all games using the internet (commercial ones included) would have lost the battle. There is always something in the program the server needs to authenticate the game.

Re: can people view the source code of .love files?

Posted: Tue Apr 05, 2016 9:04 am
by Stifu
Tricky: I reckon this may not be convenient, but what if your app contacted your own server, which contains the pass, and then calls GameJolt? Acting as a proxy. This way, the password wouldn't be bundled with your app. On the downside, you need a server up at all times.
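
A sketch of the proxy idea from the post above, as an added example that is not part of the original thread: the game sends only the player's data to your own server, which validates it and signs the API request with a key the client never receives. The endpoint URL, the parameter names, the MD5-of-URL-plus-key signing and the `MAX_SCORE` bound are assumptions of this sketch.

```python
import hashlib
from urllib.parse import urlencode

# Assumed for this sketch: endpoint, parameter names, MD5(url + key) signing.
API_BASE = "https://api.gamejolt.com/api/game/v1/scores/add/"
GAME_ID = "12345"                    # constructed placeholder
PRIVATE_KEY = "server-side-secret"   # constructed; lives only on the proxy host
MAX_SCORE = 100_000                  # hypothetical plausibility bound for this game


def sign(url: str, key: str) -> str:
    """Hex MD5 of the full request URL with the private key appended."""
    return hashlib.md5((url + key).encode("utf-8")).hexdigest()


def build_upstream_url(client_req: dict) -> str:
    """Validate what the game client sent, then build and sign the API URL.

    The client supplies username, user_token and score only.
    Raises ValueError for anything the proxy refuses to forward.
    """
    username = client_req.get("username")
    token = client_req.get("user_token")
    score = client_req.get("score")
    if not (isinstance(username, str) and username
            and isinstance(token, str) and token):
        raise ValueError("missing user credentials")
    # bool is a subclass of int, so rule it out explicitly.
    if isinstance(score, bool) or not isinstance(score, int):
        raise ValueError("score must be an integer")
    if not 0 <= score <= MAX_SCORE:
        raise ValueError("implausible score")
    params = {"game_id": GAME_ID, "username": username, "user_token": token,
              "score": f"{score} points", "sort": str(score)}
    url = API_BASE + "?" + urlencode(params)
    return url + "&signature=" + sign(url, PRIVATE_KEY)
```

The proxy keeps the key out of the `.love` file, but it still has to decide for itself which submissions are believable; a client can send any score inside the bound.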

Re: can people view the source code of .love files?

Posted: Tue Apr 05, 2016 10:30 am
by ivan
Briefly looking at the GameJolt documentation, I will assume you are referring to the "Private Key" which is used in order to generate a "signature".
As far as I can see, GameJolt's API is primarily designed to exclude this private key from request urls, not to hide it from users.
Tricky wrote: The code asked is to confirm the game is "real". No way the server can check that in any possible way
Sure, GameJolt should be able to determine if user X owns your game.

Re: can people view the source code of .love files?

Posted: Fri Apr 08, 2016 3:02 pm
by Skeiks
Hmm, instead of storing the key in lua, could you modify Love2D's source and put it in the compiled code? And then hook the function into lua and call it that way?

Re: can people view the source code of .love files?

Posted: Fri Apr 08, 2016 6:04 pm
by zorg
Skeiks wrote: Hmm, instead of storing the key in lua, could you modify Love2D's source and put it in the compiled code? And then hook the function into lua and call it that way?
Extra work for literally no more protection than what a tin foil would provide for a potato inside ashes... except in the case of the potato, it would result in a neat meal... this wasn't a good parallel :3

Re: can people view the source code of .love files?

Posted: Sun Apr 10, 2016 12:09 pm
by bobbyjones
Make your code mini and obfuscated. Like with JavaScript. And make it one file too. That would be cool.

Re: can people view the source code of .love files?

Posted: Sun Apr 10, 2016 3:25 pm
by zorg
bobbyjones wrote: Make your code mini and obfuscated. Like with JavaScript. And make it one file too. That would be cool.
Again, more work doing it and even more when you'd want to understand your own code sometime later.

Re: can people view the source code of .love files?

Posted: Mon Apr 11, 2016 1:41 pm
by Stifu
zorg wrote:
bobbyjones wrote: Make your code mini and obfuscated. Like with JavaScript. And make it one file too. That would be cool.
Again, more work doing it and even more when you'd want to understand your own code sometime later.
No matter how much you obfuscate, if I understand correctly, wouldn't you just have to run Fiddler to see all the requests the app makes?

Re: can people view the source code of .love files?

Posted: Mon Apr 11, 2016 3:03 pm
by Skeiks
After looking through the GameJolt API you guys are right. There really isn't much value in hiding the private key. My initial understanding was that GameJolt would generate a unique signature every time you made a request, but the signature seems to stay static based on the private key. Someone could always just get the URL you post to GameJolt and modify it, they don't really need the private key (unless I'm misunderstanding something...). At that point I guess it's up to you and GameJolt to decide if achievements or scores that are being posted are accurate, or if you even care enough to validate.
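
What a static signature does and does not let a receiving server tell apart, as an added example that is not part of the original thread. It assumes the signature is the hex MD5 of the full request URL with the private key appended and sits last in the URL; the URL, key and `classify` function are constructed for illustration and are not GameJolt's code.

```python
import hashlib
import hmac

KEY = "constructed-private-key"   # constructed sample value
BASE = ("https://api.gamejolt.com/api/game/v1/scores/add/"
        "?game_id=12345&username=alice&user_token=tok123"
        "&score=1200+points&sort=1200")


def sign(url: str, key: str) -> str:
    """Same URL and same key always give the same signature."""
    return hashlib.md5((url + key).encode("utf-8")).hexdigest()


# The signed request as it would appear in a traffic capture (constructed).
CAPTURED = BASE + "&signature=" + sign(BASE, KEY)
# The same request with one parameter edited and the old signature kept.
EDITED = CAPTURED.replace("sort=1200", "sort=999999")


def classify(signed_url: str, key: str, seen: set) -> str:
    """Server-side view of one incoming request.

    'rejected'  : signature does not match the URL it arrived with
    'duplicate' : signature is valid, but this exact URL was seen before
    'accepted'  : signature is valid and the URL is new
    """
    base, sep, sig = signed_url.rpartition("&signature=")
    expected = sign(base, key)
    if not sep or not hmac.compare_digest(expected.encode(), sig.encode()):
        return "rejected"
    if signed_url in seen:
        # The signature alone cannot flag this; only server-side state can.
        # An exact repeat may also be a legitimate resubmission.
        return "duplicate"
    seen.add(signed_url)
    return "accepted"
```

The signature covers every parameter in the URL, so an edited URL fails the check, while an unchanged copy of a captured URL passes it every time unless the server tracks what it has already seen.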