I have a multiplayer game using the itch.io API-Key for passwordless access. When started via the itch.io app, I use the API-Key given by the app; otherwise I use OAuth to get the API-Key.
In the case of the itch.io app the process looks like this:
I now realized that this is not secure as it can be exploited like this:
The documentation here says that the key is game specific. But I don't know how to verify that the key is for my game. If the itch server told my server at step 6 for which game the key was created, the flaw would be fixed.
Is there a possibility for my server to find out for which game the key was created?
When the game is not started via the itch.io app, I use the OAuth-API to get the API-Key. That has the same problem: I don't know how to verify that the given key was created for my game.
Did I miss something? Or is it not possible with the current API to implement a secure passwordless login?
Maybe this is not a real problem ... who will steal access to a game that is free anyway?
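The following is an added example, not code from the original post or from itch.io: a server-side login handler for the flow described above, in Python. It performs the two checks the post is asking about, first identifying the user behind the key via the documented `/me` endpoint, then requiring that the key was issued for this game before accepting the login. Because the itch.io API does not document a field naming the game a key was issued for, the `game_id` field read from `credentials/info` is an assumption made purely to illustrate the missing check; the handler fails closed when the field is absent. `OUR_GAME_ID` and the `constructed_fetch` responses are constructed values for offline demonstration. The same verification applies to keys obtained through OAuth, since the server cannot tell the two kinds apart.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Optional

# itch.io also accepts the key as a Bearer token with "key" in the path segment,
# which keeps the secret out of URL access logs.
ITCH_API = "https://itch.io/api/1/key"
OUR_GAME_ID = 12345  # constructed placeholder for this game's itch.io id

# A fetch takes (path, api_key) and returns (HTTP status, parsed JSON body).
Fetch = Callable[[str, str], tuple[int, dict]]


def fetch_json(path: str, api_key: str) -> tuple[int, dict]:
    """Real transport: GET ITCH_API/path with the key as a Bearer token.
    Network or parse failures are reported as a non-200 status, never raised."""
    req = urllib.request.Request(
        f"{ITCH_API}/{path}",
        headers={"Authorization": f"Bearer {api_key}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        raw = err.read().decode("utf-8", errors="replace")
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, {}
    except (urllib.error.URLError, ValueError):
        return 0, {}


def identify_user(api_key: str, fetch: Fetch = fetch_json) -> Optional[int]:
    """Step 1: ask itch.io who the key belongs to (/me).
    Returns the user id, or None if the key is rejected or the reply is malformed."""
    status, body = fetch("me", api_key)
    if status != 200 or body.get("errors") or not isinstance(body.get("user"), dict):
        return None
    user_id = body["user"].get("id")
    return user_id if isinstance(user_id, int) else None


def key_issued_for_this_game(api_key: str, fetch: Fetch = fetch_json) -> bool:
    """Step 2: binding check.
    ASSUMPTION: a `game_id` field in the /credentials/info response naming the
    game the key was issued for. No such field is documented, so this fails
    closed (False) whenever it is missing or does not match."""
    status, body = fetch("credentials/info", api_key)
    if status != 200 or body.get("errors"):
        return False
    return body.get("game_id") == OUR_GAME_ID


def passwordless_login(api_key: str, fetch: Fetch = fetch_json) -> Optional[int]:
    """Accept the key only if it is valid AND bound to this game.
    Without step 2, a valid key for any other game would log its owner in here."""
    user_id = identify_user(api_key, fetch)
    if user_id is None:
        return None
    if not key_issued_for_this_game(api_key, fetch):
        return None
    return user_id


# Constructed sample responses so the handler can be exercised offline.
_SAMPLE_RESPONSES = {
    ("me", "good-key"): (200, {"user": {"id": 42, "username": "alice"}}),
    ("credentials/info", "good-key"): (200, {"scopes": ["profile:me"], "game_id": OUR_GAME_ID}),
    ("me", "foreign-key"): (200, {"user": {"id": 42, "username": "alice"}}),
    ("credentials/info", "foreign-key"): (200, {"scopes": ["profile:me"], "game_id": 777}),
    ("me", "bad-key"): (401, {"errors": ["invalid key"]}),
}


def constructed_fetch(path: str, api_key: str) -> tuple[int, dict]:
    """Offline stand-in for fetch_json backed by the constructed table above."""
    return _SAMPLE_RESPONSES.get((path, api_key), (404, {}))


if __name__ == "__main__":
    for key in ("good-key", "foreign-key", "bad-key"):
        print(key, "->", passwordless_login(key, constructed_fetch))
```

The point of the second check is the same as audience validation for an OAuth token: proving that a key is valid tells the server who holds it, not that it was meant for this server. Until itch.io exposes the issuing game, a server has nothing to compare against, which is exactly the gap the post describes; rejecting logins when the binding cannot be established is the conservative choice.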