Neat Technique For a (sort-of) Unforkable Repl

So, I came up with this concept and made it into a repl, and it works surprisingly well.
I have a 64-digit code, and I put it in as a secret. I then hid some code among core module files (of which there are several hundred Python files) and hid some code in several of the files. When the repl starts, if the secret doesn’t match a certain value, it deletes all the files. Though it’s technically doable to get it working still, most people won’t spend the time to scan several hundred files (which can contain tens of thousands of lines of code).

All in all, a fairly neat solution 🙂

4 Likes

What if you just don’t start the Repl, and dig through the files?

Then no one can use it at all, Secrets only exist for your end of the Repl. (Cover page will shred itself too)

3 Likes

Then I can call it from a replit db instead ig.

2 Likes

That also doesn’t exist for anything but your end of the Repl, unless you put the URL to the DB in your code, or use a DB proxy. Both methods make it easier for someone to get the code.

3 Likes

Then is there a good way to verify the following?
A. The working user
B. The repl owner

1 Like

The REPL_OWNER secret/env var.

No, though you could check if it’s in the cover page or not.

2 Likes

see:
https://docs.replit.com/programming-ide/repl-env-metadata

2 Likes
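As an added example (not code from any poster in this thread), here is the start-up check from the first post combined with the `REPL_OWNER` variable mentioned above. The secret name `FORK_GUARD`, the owner name and the 64-digit code are constructed for illustration, and this sketch exits instead of deleting files.

```python
import hashlib
import hmac
import os

# Constructed sample values (assumptions, not taken from the thread).
SECRET_NAME = "FORK_GUARD"               # hypothetical name of the Replit secret
EXPECTED_OWNER = "example-owner"         # hypothetical owner username
SAMPLE_CODE = "0123456789" * 6 + "0123"  # constructed 64-digit code

# Only the digest lives in the source files, so reading the files
# reveals the comparison but not the 64-digit code itself.
EXPECTED_DIGEST = hashlib.sha256(SAMPLE_CODE.encode()).hexdigest()


def fork_guard(env):
    """Return (ok, reasons); ok is True only when both signals match."""
    reasons = []
    supplied = env.get(SECRET_NAME, "")
    digest = hashlib.sha256(supplied.encode()).hexdigest()
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(digest, EXPECTED_DIGEST):
        reasons.append("secret missing or wrong")
    # REPL_OWNER is the environment variable named in the thread.
    if env.get("REPL_OWNER") != EXPECTED_OWNER:
        reasons.append("REPL_OWNER is not the expected owner")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, reasons = fork_guard(os.environ)
    if not ok:
        raise SystemExit("refusing to start: " + "; ".join(reasons))
    print("owner copy, starting normally")
```

Both inputs come from the environment of whoever runs the copy, so this only raises the effort needed, as the first post itself says.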

Which env is that lol, for the cover page?

1 Like

For the cover page? It’s a function @bigminiboss wrote:

2 Likes

In my opinion this doesn’t work. The best you can do is use a server verification link, in which you send someone to a website where you do a captcha, check the owner using Replit auth, and send the info back that way.

2 Likes

When forking a repl, do the keys in the database copy over?

2 Likes

No, they do not. However, any cover repl is forked, so keep that in mind. That is, every time a repl is run, it is forked and put into a temp VM that gets deleted.

4 Likes

Hold up… Then how do systems like highscore work? I thought the cover repls use the same database?

2 Likes

They don’t work like that. They send an HTTPS request to a global server which stores the scores. Otherwise, if it’s a repl that uses deployment, THEN the db is global; otherwise it needs an external server.

3 Likes

So how can I track if it’s a main fork or not? I was thinking I could use the db to store a key or something, but clearly that’s not true.

1 Like

Yeah, sadly you can’t. You can know if it’s the cover repl or not, but you can’t actually let it run normally on the cover page because Replit doesn’t want to spend the afternoon adding proper security or even just deleting env vars after run + give some global ones ;-;

1 Like

If you want to authenticate a user from a console repl to an external leaderboard, you should use repl identity; that way you can ensure that a request came from an account. You have to use an external leaderboard, because Replit ‘ghost forks’ non-server repls.

2 Likes

I don’t want to force them to log in though, I’d rather just autocheck.

1 Like

Repl identity is autocheck.

I thought it requires you to sign in though?

1 Like