2019-09-22 20:07:44

So I was curious to see how creative everyone would get with this problem.
In every API call, you have an ID, a secret, and an access token (most of the time).
Now, if we're talking about python here, how would one go about securing the ID and secret safely?
After all, if you put it in myprogram.py, anyone can just open it up and get it.
Similarly, if you cythonise it, anyone can just do something like:
import yourprogram
print(yourprogram.api_call_client_id)

So, is it simply a case of trying to obscure it?
Make your API call variables look like innocent variables, like x, and then cythonise?
Or is there a better way to go about this?

Nathan Smith
Managing Director of Nathan Tech
It's not disability
It's ability!

2019-09-22 22:06:19

Any program on a user's system can be breached; communications between programs can be intercepted or altered in memory. The most you can do is make it really inconvenient, which has tradeoffs in terms of time and complexity to implement, along with impacts on game performance. This is one of the reasons some groups are pushing streaming platforms like Google's Stadia so hard: a client-server model can more easily be defended from intrusion by securing the game's core program on the servers. Client-wise, you can't hack what isn't there.

-BrushTone v1.3.3: Accessible Paint Tool
-AudiMesh3D v1.0.0: Accessible 3D Model Viewer

2019-09-23 11:23:55

True enough.
I had arguably considered doing that, making it to where the python client does an https request to the server, which then serves up the correct key/secret.
The obvious disadvantage to that is that anyone could just do it themselves?
though in theory... Hey would this work?

import requests

class my_request():
    def __init__(self):
        # the shared secret the client presents to the server page
        data = {"secretkey": "a secret key"}
        # the server is expected to answer with the real key/secret combo
        self.secret_key_combo = requests.post("http://yoururl.com/yoursite.php", data=data)

Then, in the PHP page, have the PHP say: ok if(hash(secretkey)==<insert long hash key here>):
or even: if(mysqli_fetch(secretkey)):
I know I'm writing code that ultimately doesn't work here, but you get the idea.
So then if you cythonise the class, and include it as part of the main data file, it couldn't be studied or used, or included without including your entire program which kinda makes it obvious?

Nathan Smith
Managing Director of Nathan Tech
It's not disability
It's ability!

2019-09-23 14:34:54

This is something similar to what HashiCorp Vault does: you can log in through various authentication methods. After you've logged in, you are given a token to submit further requests as an authenticated user.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.
My Github
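The "client posts a secret, server checks the hash and hands back the key" idea from the post above, and the Vault-style "log in, get a token, use the token" flow mentioned in the reply, sketched as an added example (not code from either poster). The PHP page is replaced by an in-process KeyServer stand-in so it runs offline, and the client secret, API key and token lifetime are constructed values; note that, as the earlier reply says, this limits what a leaked client can do (the key is only served for a live token you can revoke or rotate) rather than hiding the key from whoever runs the client.

```python
import hashlib
import hmac
import os
import secrets
import time


class KeyServer:
    """Stand-in for the server page: stores only a salted hash of the client
    secret, issues short-lived random tokens, and serves the API key per token."""

    def __init__(self, client_secret, api_key, token_ttl=300.0):
        self._salt = os.urandom(16)
        self._secret_hash = self._hash(client_secret, self._salt)
        self._api_key = api_key      # what the client actually wants
        self._ttl = token_ttl        # seconds a token stays valid
        self._tokens = {}            # token -> expiry timestamp

    @staticmethod
    def _hash(secret, salt):
        # Slow, salted hash: a stolen hash table is not trivially reversible
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def login(self, presented_secret, now=None):
        """The if(hash(secretkey)==...) check, done in constant time."""
        now = time.time() if now is None else now
        candidate = self._hash(presented_secret, self._salt)
        if not hmac.compare_digest(candidate, self._secret_hash):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = now + self._ttl
        return token

    def fetch_api_key(self, token, now=None):
        """Serve the key only for a live token; expired tokens are dropped."""
        now = time.time() if now is None else now
        expiry = self._tokens.get(token)
        if expiry is None or now > expiry:
            self._tokens.pop(token, None)
            return None
        return self._api_key

    def revoke(self, token):
        self._tokens.pop(token, None)


def client_flow(server, client_secret):
    """What the python client does: log in, then fetch the key with the token."""
    token = server.login(client_secret)
    return None if token is None else server.fetch_api_key(token)
```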

2019-09-23 17:13:13

I have asked a question that is similar to yours. You can find the answers I received here. Pretty interesting read, even if I don't comment much in the topic