Skip to main content

Browse GamesGame JamsUpload GameDeveloper LogsCommunity
Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics
SalesBundles
Jobs
TagsGame Engines
Faustto33 days ago (1 edit)

Glad to hear your concern!
I have a few things to clarify though. First of all I don't want your Patreon credentials, only the email. You need to enter an email which you used on patreon, but if you didn't know, that is public info and anyone can see it, as long as they request the whole campaign info on the Patreon API, which can be done quite easily by anyone. For the password it can be something completely different and I cannot even gather that info as it is processed by Google's Firebase system.

It is a fair concern and I see your point, but that is just how it works. I am putting the Patreon email restriction as a sort of protection against someone spamming bot accounts and overflowing the database.

So, yeah. Your patreon email is public and the password is managed through google, AND IS NOT NEEDED TO BE THE SAME AS THE PATREON ONE, with nothing going through me.

I know that just me saying this won't remove your concern, but I hope this gives some clarity on how things work. I can show source code if that still doesn't sound believable.

Reply
merrykek33 days ago(+2)

Your UI is set up such that it appears like it is asking for users' Patreon credentials. I see now that that was not your intent, so I apologize for making assumptions.


With that being said, asking for a password on a blackbox interface is just not the best way to go about it in my opinion. You've described your backend to me, and I believe you. But the current setup is going to easily confuse users into typing in their REAL Patreon PW into your app. Some may even do it out of sheer laziness. If you ever experience a data breach in the future, some of those REAL patreon credentials will be leaked. It's just not secure. 


Research how to set up OAuth with Patreon. I believe it's a service they provide. That way users are redirected to Patreon's actual website, where they can log in with their regular Patreon credentials. Then all your DB is storing is non-sensitive info like tokens and login times. 


Again, sorry if I came on a bit strong in my first comment. I'm a web dev myself, so i know how easy security is to overlook when your main focus is on the product itself. I also know just how quickly bad security can bite you in the ass if you aren't careful. Good luck.

Reply
Faustto33 days ago

Thank you for the feedback and I will look more into it!

I know that it is not too clear, but I think I said in the text next to the UI that the password can be a new one.

Currently, as I said, I am using Google's firebase, as such it has OAuth for google accounts. The database currently doesn't contain passwords - only email and UID. The game creates an automatic Auth file on your computer, which is encrypted and auto read upon opening the game if it exists.

I will look into how Patreon does this and I think there was a way, when I was researching their API. As the game is still in a demo, the current system is made to just work. In the official release, it probably won't even require Patreon emails too and would verify your Patreon tier through OAuth seperately but not use it to log in.

Anyways, thank you for the feedback and I will be more careful with the security going forward!

Reply
AboutFAQBlogContact us
Copyright © 2025 itch corp · Directory · Terms · Privacy · Cookies