Make requests from Teverse server identifiable

Hi there!

All Teverse web requests should contain a special ID (linked to the server), which is sent in a custom header with the request. Then, on the receiving server, it can find the ID and check that against a web API to validate the ID. Then if all is well, you know the request has come from a Teverse server.

Hi there! Unfortunately this is not as simple as it appears as someone could just clone the token and then start sending requests with it.
However, securing web requests and allowing their source to be verified is something we have discussed at length and it will definitely be a feature - likely through a combination of a web API and checksums, but we haven’t ironed out exactly how it will work yet.

Cheers!


I have an idea for how this could potentially work: Time-based tokens.

The way I use time-based keys is with “steps” and “secrets”. The “step” is simply the floor of the current unix time divided by four (changes once every four seconds). The secret is a random string. In this case, I recommend the game ID be added onto the end of the secret.

To get the key, it would just be a hash of the current step with the secret shoved onto the end. This can then be reproduced on the server side, to see if it matches. (Note that the server side should also calculate for the previous step to see if it matches).

In this way, another endpoint can quickly verify whether a server is a teverse server or not, and you can keep secrets secure. The game ID added to the end will prevent a malicious developer from quickly grabbing the token and using it to make requests to other developer’s servers.

I don’t know how good this will actually work in production, but I use it in my personal projects and it seems to work very well. :slight_smile:

(edit) Note that this solution only works if the teverse servers stay secure. Once the secret is leaked, it’s a free-for-all until it is changed.
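The time-based token scheme from the post above, written out as an added example in Python (not the poster's code and not anything Teverse ships); the secret, game ID and timestamps are constructed placeholders, and a "|" separator is used between the pieces so that step, secret and game ID cannot run into each other.

```python
import hashlib
import hmac
import time

STEP_SECONDS = 4  # the post's "step": the token changes once every four seconds


def current_step(now=None):
    """Floor of the current unix time divided by the step length."""
    if now is None:
        now = time.time()
    return int(now) // STEP_SECONDS


def make_token(secret, game_id, step):
    """Hash of the step with the secret and game ID appended, as the post describes.

    The game ID is part of the hashed material, so a token minted for one
    game does not verify for another developer's server.
    """
    material = f"{step}|{secret}|{game_id}".encode()
    return hashlib.sha256(material).hexdigest()


def verify_token(token, secret, game_id, now=None):
    """Accept a token computed for the current step or the previous one.

    Checking the previous step tolerates clock skew and a request that
    crosses a step boundary in flight; anything older is rejected.
    """
    step = current_step(now)
    for candidate in (step, step - 1):
        expected = make_token(secret, game_id, candidate)
        # constant-time comparison so the check does not leak via timing
        if hmac.compare_digest(expected, token):
            return True
    return False


if __name__ == "__main__":
    # constructed values for a stand-alone run
    secret = "constructed-secret-for-demo"
    token = make_token(secret, "game-123", current_step())
    print("valid now:", verify_token(token, secret, "game-123"))
    print("valid for another game:", verify_token(token, secret, "game-456"))
```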
