Secure DB proxy?

Yes and yes.

Wait, let me invite you to a Repl. I’ll just explain to you the basics of Flask.

Wait… how on earth are you going to achieve this? If I understand correctly, you’ll add the db part into the user’s code based on what their code is?

the user’s code will use replit.db just fine

like I’ll execute the code but replace prints and inputs to work with my web console thing

This is more of a hacky workaround, but it would probably be possible to have a console repl prompt the user to open a repl auth enabled repl in a new tab, authenticate there, and send the Repl auth jwt token back to the console repl so it could use that to authenticate with the db proxy.

This would need 3 repls - a db proxy, the main console repl, and the repl auth web repl. (You could combine the db proxy and the repl auth repls)

Edit: AFAIK this wouldn’t work because Replit in no way exposes the raw JWT token to anyone (it’s HTTP Only and the repl proxy only gives you the headers). (I even tried disabling repl auth and spoofing the /__replauth endpoint, but apparently disabling repl auth does nothing?)

3 Likes

That’s what GitHub CLI auth does.

2 Likes

Hmm, it might work: the client CLI repl (client) sends an authentication request to the web auth server (auth server), forming a websockets connection. The client then sends an auth initialization message with the requested username through the WS conn, then receives a code. After that, the user goes to the auth server page and enters the code, then logs into Replit auth. Then, the auth server matches the code with its internal db and sends a socket response to the client, with a (potentially signed) key. Now, there is an endpoint for validating the username/key pairs that the db server receives from the client. On validation success, identity has been effectively proven.

1 Like

Has anyone raised this to the Replit Staff’s attention yet?

1 Like

I’m sure they have thought of this and will probably work on it, but they could be busy doing other things right now.

2 Likes

I’m currently working on CLI Auth (cliauth.repl.co/__repl) as replit probably won’t fix this sooner than I can complete CLIAuth

3 Likes

Oh, yeah, but you can make a read-only proxy, or proxy with rules (kinda like firebase)

2 Likes

Yes, that will work. Sadly if replit had exposed the jwt tokens it would have been slightly simpler…

I created a quick demo of this:

https://replit.com/@GrimSteel/SecureConsoleDBAccess?v=1

It’s a console interface into https://replit.com/@GrimSteel/SecureCentralReplDb, which also handles Repl Auth.

The console starts a WS connection with the db repl, and sends it a unique session code. It then prompts the user to login with Repl auth in a new tab (the code is passed in the query string). Once they authenticate, the db repl notifies the console repl that they authenticated and sends basic user data for personalization (“Hello, GrimSteel”).

The user can then set, read, list, and delete keys in the database.
Keys are stored like this: USER_ID:KEY, where USER_ID is the ID from repl auth and KEY is the key that the user sees. It’s sanitized so you can’t do any sneaky things with backspace characters to access someone else’s keys or anything like that.

I’ve created a key called mykey, so the raw key in the database is 13277969:mykey. While I hope this solution is secure, try to prove me wrong!

4 Likes

bravo, definitely quite fast!

2 Likes

Wow. Using a websocket is a great idea, I never thought of that.
Quick question: how does it work using Replit Auth?
@bigminiboss you should check this out.

3 Likes

So there are two Repls:

  1. The one with Repl Auth and Repl DB (this one has a web server for Repl Auth)
  2. The console repl that gets ghost forked.

When the user chooses to authenticate in #2, it notifies #1 over the WS and sends it a unique session code. The user then clicks the link displayed (https://whateverinamedthatrepl.grimsteel.repl.co/?code=SESSION CODE), which has a button for the Repl Auth popup. When they authenticate, Repl Auth reloads the page, sending a new web request to #1 with the repl auth headers (and the code search param). #1 finds the connected websocket that has the corresponding code and lets it know that it authenticated successfully. Then, back on #2, it shows a success message and allows the user to interact with the db. #1 now knows the user ID associated with that websocket, which is how it configures the isolated db keys.

Like @python660 said, this is how many CLI tools do it (they prompt the user to open a login page in a browser).

5 Likes
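The two-repl flow described in the posts above, as an added example that is not code from GrimSteel’s repls: an in-memory Python stand-in for repl #1 that registers session codes arriving over the WS, completes a session only when the browser comes back with Repl Auth’s X-Replit-User-Id / X-Replit-User-Name headers, and stores every key as USER_ID:KEY behind an allow-list so the separator and control characters can’t be smuggled in. The WS (a message list), replit.db (a dict), and all class and method names are stand-ins invented here.

```python
import re
from dataclasses import dataclass, field

KEY_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # user-chosen keys: no ':' separator, no control chars

class AuthError(ValueError): pass

@dataclass
class Session:
    code: str
    user_id: str = ""  # filled in once Repl Auth confirms the identity
    username: str = ""
    outbox: list = field(default_factory=list)  # stands in for messages pushed over the WS

class DbBroker:
    # Stand-in for repl #1: maps session codes to WS sessions and namespaces DB keys.
    def __init__(self):
        self.sessions: dict = {}
        self.store: dict = {}  # stands in for replit.db

    def register_session(self, code: str) -> None:
        # First WS message from the console repl. The console should generate the code
        # with something unguessable (e.g. secrets.token_urlsafe(16)); it is reused as a bearer token.
        if code in self.sessions: raise AuthError("duplicate session code")
        self.sessions[code] = Session(code)

    def auth_callback(self, code: str, headers: dict) -> None:
        # The HTTP request the browser makes after Repl Auth reloads ?code=...; Repl Auth
        # adds X-Replit-User-Id/-Name headers that only a signed-in visitor produces.
        sess = self.sessions.get(code)
        if sess is None: raise AuthError("unknown session code")
        if sess.user_id: raise AuthError("session already authenticated")  # codes are single-use
        user_id = headers.get("X-Replit-User-Id", "")
        if not user_id: raise AuthError("request carries no Repl Auth identity")
        sess.user_id, sess.username = user_id, headers.get("X-Replit-User-Name", "")
        sess.outbox.append({"type": "authenticated", "username": sess.username})

    def _namespaced(self, code: str, key: str) -> str:
        sess = self.sessions.get(code)
        if sess is None or not sess.user_id: raise AuthError("session not authenticated")
        if not KEY_RE.fullmatch(key): raise ValueError("key contains disallowed characters")
        return f"{sess.user_id}:{key}"  # e.g. 13277969:mykey

    def set(self, code, key, value): self.store[self._namespaced(code, key)] = value
    def get(self, code, key): return self.store.get(self._namespaced(code, key))
    def list_keys(self, code):
        prefix = self._namespaced(code, "k")[:-1]  # "USER_ID:"
        return sorted(k[len(prefix):] for k in self.store if k.startswith(prefix))
```

Because the session code doubles as the console’s credential after login, a real deployment should also expire unused codes and drop the session when the WS closes.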

Great explanation! I’ll definitely be using this for my console games in the future!

1 Like

Hey there @GrimSteel, I’ve already implemented something similar about 2 years ago, so I already know. @MiloCat, I just have moved on from doing console games.

3 Likes

Oh okay sorry for the ping!

1 Like

What @GrimSteel outlined is quite literally the exact same thing as this: https://replit.com/@bigminiboss/PyAuth-Full-Version, except I didn’t use websockets.

3 Likes

That repl is private sadly.

1 Like