Secure DB proxy?

Wouldn’t implementing a token-based auth system solve this?

Like, when the user logs in using their credentials, a web token is returned. And this web token would consist of a header, payload, and signature.
Then, you use the token to make requests to the DB proxy, like, every time the game makes a request to the database, it includes the token in the header.
And after that the DB proxy receives the request and verifies the token by decoding it using the same secret key used to encode it.

Idk I think this works in my head?

2 Likes
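The token design described in the reply above, written out as an added example (this is not code from the thread or from Replit): an HMAC-SHA256 signed token made of a base64url header, payload and signature, minted by the proxy after login and checked on every request. The signing secret, the user id and the lifetime are constructed placeholders. Verification recomputes the signature with a constant-time compare, refuses any token whose header names a different algorithm, and enforces the expiry, so the client can carry the token but cannot forge or alter one without the secret that stays on the proxy.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder; a real proxy reads this from a Secret / env var.
# It only ever exists on the proxy side and is never shipped with the game.
SECRET = b"constructed-proxy-signing-secret"


def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding JWT uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    """Inverse of _b64url; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id, secret=SECRET, ttl=3600, now=None):
    """Issue header.payload.signature for a user who just logged in."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token, secret=SECRET, now=None):
    """Return the payload if the signature checks out and the token is unexpired, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
        # Constant-time compare: a mismatch must not leak how many bytes matched.
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        header = json.loads(_unb64url(head))
        payload = json.loads(_unb64url(body))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all end up here
        return None
    # Never let the token pick its own algorithm; the server decides.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


if __name__ == "__main__":
    token = mint_token("alice")
    print(token)
    print(verify_token(token))
```

The `now` parameter exists so expiry can be tested deterministically; in production both functions use the clock.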

That’s what I thought too, but the token would have to be public, so Idk.

3 Likes

Can’t you just, you know, create a separate server in Replit?

And like, this server will have the token stored in an environment variable (Secrets).
And when the game needs to make a request to the database, it sends a request to this separate server instead of directly to the database.

Then, the separate server receives the request from the game, attaches the database access token to it, and sends it to the database. The database will process this request and send the response back to the separate server, which then forwards the response back to the game.

Wait, my head is starting to explode, let me catch a breath

1 Like

How will the server detect if the game is sending the request?

1 Like

Maybe API keys?

But that would make the API public… Rate limit the API key?

Damn, the more I think the more complex it seems

2 Likes

I think I got it all figured out:

  1. Create a server that is the proxy
  2. Create a Secret with some python code to encode/decode a string
  3. Generate a random API key and set it to a Secret
  4. Make requests with the encoded API key in your game

And the API will just decode the API key and check if that matches the actual API key but encoded with the secret

Idk if this makes sense

3 Likes
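The proxy sketched in the steps above, as an added example that is not code from the thread or from Replit: the database token and the game's API key are read from environment variables (where Replit Secrets end up), with constructed fallbacks so the example runs offline; the key check is a constant-time compare, and the "rate limit the API key" idea from an earlier reply is a per-key sliding window. `db_call` is an in-memory stand-in for the real database that, like the real one, only answers when it is handed the DB token. The request shape, the `X-API-Key` header name and the limits are assumptions.

```python
import hmac
import os
import time
from collections import defaultdict, deque

# Secrets live only on the proxy. The fallbacks are constructed values so the
# example runs offline; a real proxy would refuse to start without them.
DB_TOKEN = os.environ.get("DB_TOKEN", "constructed-db-token")
GAME_API_KEY = os.environ.get("GAME_API_KEY", "constructed-game-api-key")

RATE_LIMIT = 5       # requests allowed per API key ...
RATE_WINDOW = 60.0   # ... within a sliding window of this many seconds

_recent = defaultdict(deque)   # api key -> timestamps of its recent requests
_DB = {}                       # in-memory stand-in for the real database


def db_call(op, key, value=None, token=None):
    """Stand-in for the database: it only answers to the real DB token."""
    if token is None or not hmac.compare_digest(token.encode(), DB_TOKEN.encode()):
        raise PermissionError("missing or invalid database token")
    if op == "get":
        return _DB.get(key)
    if op == "set":
        _DB[key] = value
        return value
    raise ValueError(f"unsupported op {op!r}")


def _within_rate_limit(api_key, now):
    """Sliding window: drop timestamps older than RATE_WINDOW, then count."""
    window = _recent[api_key]
    while window and window[0] <= now - RATE_WINDOW:
        window.popleft()
    if len(window) >= RATE_LIMIT:
        return False
    window.append(now)
    return True


def handle(request, now=None):
    """Proxy entry point. `request` models what the game sends over HTTP:
    {"headers": {"X-API-Key": ...}, "op": "get" | "set", "key": ..., "value": ...}
    """
    now = time.time() if now is None else now
    presented = request.get("headers", {}).get("X-API-Key", "")
    # Constant-time comparison so response timing does not leak matching bytes.
    if not hmac.compare_digest(presented.encode(), GAME_API_KEY.encode()):
        return {"status": 401, "error": "invalid api key"}
    if not _within_rate_limit(presented, now):
        return {"status": 429, "error": "rate limited"}
    try:
        # The DB token is attached here, server-side; the game never sees it.
        result = db_call(request.get("op"), request.get("key"),
                         request.get("value"), token=DB_TOKEN)
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "result": result}


if __name__ == "__main__":
    headers = {"X-API-Key": GAME_API_KEY}
    print(handle({"headers": headers, "op": "set", "key": "score", "value": 10}))
    print(handle({"headers": headers, "op": "get", "key": "score"}))
    print(handle({"headers": {"X-API-Key": "wrong"}, "op": "get", "key": "score"}))
```

What the model makes visible, and what a later reply in this thread also points out: the DB token never leaves the proxy, but `GAME_API_KEY` is whatever the game ships with, so the check tells the proxy that the request came from something holding the game's code, not which player sent it.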

I think so too.

The server will act as a middleman between the game and the database. And since it will hold the actual token/key required to access the database, it will keep that hidden from the client-side code.

So are we done? We did it? Hahaha

4 Likes

Still need to make a template for it :wink:

Can’t do it rn but I will eventually

3 Likes

If your code can access the DB, the user can, as Secrets are not available to the user. All the code does is automate stuff, which the user can do easily.

1 Like

Yeah I realized this recently lol… OK… I don’t think it’s possible to get a secure Repl DB on a console Repl.

1 Like

Yes, unless Replit fixes their REPL_IDENTITY token to serve as Google WEI…

WAIT: We should hire Google to create Web Environment Integrity for Replit!

2 Likes

I don’t think Replit has $10,000,000,000

Hey @QwertyQwerty88 @WindLother @Firepup650 @python660!

If you want I can invite you to my Repl to play around with these ideas there, because I don’t know how to do the things you are talking about :laughing:.

Okay, ig @SalladShooter

Oh yeah, well, we found out this whole thing is useless because it’s not possible to make the API key secret.

@QwertyQwerty88 would there be any way at all to have a global DB?

'Course there is, but it’s not secure.

Jeez, when will Replit make it possible to make ANYTHING secure on a Console Repl?

@QwertyQwerty88 man, I guess I will have to put this project on hold.

I really recommend you don’t do that cause then the project will be kept on hold for probably years. I might create a template of a website that looks like the Replit Console so you don’t have to do any work to just convert your Console Repl to a website so you can have a global DB.

@QwertyQwerty88 so like a Flask project? I don’t really know how to use Flask (I do know Python though) or make a global DB. Would you be able to help?