Verifiable Identity and Proper DRM Management: The Problem with Protecting Public Endpoints and Database Proxies

You set up a public console project designed for public use that uses Secrets and/or Replit DB. Yay! Or that’s what it seems like until your first user runs your project.

Your user asks you, “Why is there a db error? Why does it say cannot read API_TOKEN from process.env:man_facepalming: :person_facepalming: :woman_facepalming:
You soon realize that your db is not shared with other users who “fork” (or ghost-fork, depending on the scope) your project, only to have an “offline” copy of your project that does not interact with the data presented in other user’s copy of your project. You then go to work once again and set up a database proxy, which takes a request and “proxies” it to the database.

Your users are now able to use your service, but a new type of error pops up. “Why are there people with millions of in-game points, while us humans are constantly being reset to 0?” Some people took your database URL and started sending spoofed requests to your database backend to submit stuff.
You clearly need a better way to verify data coming into your database proxy. Now, instead of accepting just any old unauthenticated request, you do some server side processing with “Repl Identity” to verify the user’s identity.

That solved one problem, but users are still spoofing their own scores. Uh oh. Now, the only solution is to do the game logic on the server side, and to protect user’s identity with Repl Identity. Now everything seems to be fixed. Congratulations, you’ve essentially made a CLI “website”!

What’s the problem here?

Essentially, the only way to use secrets is to have your users fork your project, or make a “website” design which computes the game logic on the server side in one repl. However, once you start making games in the console which require anything more than public source code, then you run into a big problem of how to protect your game from being tampered with, while the only “fix” comes at a huge cost; the performance and response times of the game.

My solution:

I propose that replit improves the ghost-fork model by allowing replDB and/or secrets to be used apart from the Repl editor and the owner’s account.