🤑 Indie game store🙌 Free games😂 Fun games😨 Horror games
👷 Game development🎨 Assets📚 Comics
🎉 Sales🎁 Bundles

How to implement a secure & passwordless access to a multiplayer game

A topic by CrashDumpSoftware created 25 days ago Views: 72 Replies: 2
Viewing posts 1 to 3
(+1)

I have a multiplayer game using the itch.io API-Key for passwordless access. When started via the itch.io app I use the API-Key given by the app otherwise I use OAuth to get the API-Key.

In the case of the itch.io app the process looks like this:


I now realized that this is not secure as it can be exploited like this:


The documentation here says that the key is game specific. But I don't know how to verify that the key is for my game. If the itch server would tell my server at step 6 for which game the key was created the flaw would be fixed.

Is there a possibility for my server to find out for which game the key was created?

Whe the game is not started via the itch.io app I use the OAuth-API to get the API-Key. That has the same problem: I don't know how to verify that the given key was created for my game.

Did I miss something? Or is it not possible with the current API to implement a secure passwordless login?

Maybe this is not a real problem ... who will steal access to a game that is free anyway?

Admin

You can call the endpoint /api/1/API_KEY/me to get information about the current user & the key you're using to access them with.

For JWT keys, which are bound to a game, you'll see a field: 

issuer: { game_id: 111111 }

Try that out and tell me if you have any issues.

That worked. Thank you!

What about the OAuth-Key? In my profile I can see that they are linked to the OAuth application. Can I query that information as well?