Authentication for clients?

Balmark
edited November 2013 in Modding
Hey

Is there any unique string or number or something I can take to give some form of authentication that a request has come from within NS2?

I can GetSteamId from Client .. and GetUserName .. but is there anything I can get from the Client that will allow me some way to validate that a request has come from a user while the game is running and not someone trying to spoof? Some form of PGP from within the engine I could use a public key to check it's valid?

Cheers,

Bal



Comments

  • GhoulofGSG9
    Afaik there is no method providing you any way to check if a client is really ingame. I searched for a similar method in the past but there seems to be none.

    BTW for what exactly do you want to use such a check?
  • Balmark
    edited November 2013
    I've webservices setup for a mod .. (btw when I say ingame .. I mean within ns2.exe .. not necessarily when they're in a server playing) .. so might be nice to have the ability to possibly provide some internal NS2 method with a salt string

    Was hoping something like

    String Client.getEncryptedSteamId() that's encrypted with some UWE private key and I dunno (possibly pass some salt in as a parameter or something) .. I could do some more encrypting and then send it to a webservice, decrypt on a webservice side plus decrypt it using UWE public key to show the steamid is from the actual client (more interested about stopping others using other ppls steamid .. even just making it hard .. passwords would probably be needed in the end :P )
  • Balmark
    I'm probably barkin up the wrong tree with this anyhow .. was just the first hole in what I was tryin to do I've found .. era I'll figure somethin out ;)
  • lwf
    You would need to have the server vouch for the client.
  • Balmark
    I really just want a challenge/response from UWE/ns2.exe .. like use 'my salt' to encrypt the users steamid .. give me a string I can decrypt and check with my salt or something .. but don't think anything like that is there or will be ..

    client: HI, I say I am 'Steam_0:0:123' ...
    mod server: ok .. 123 .. here's salt 'abc' please give me an encrypted string using my salt and your private key I can decrypt ... use salt abc
    client: ok, using salt abc, your encrypted string for 'Steam_0:0:123:abc' is hhhhgggaaa (this is based off a private getSteamID + encrypting with private key)
    mod server: ok using your public key, I can decrypt your string and get 'Steam_0:0:123:abc', so you came from ns2.exe that have Client.getSteamID 'Steam_0:0:123'

    My mod can get random salts from the webservice and then use the hhhhgggaaa as a 'token' to send with requests

    Anyhow.. regardless, it doesn't exist at the moment .. so no point going over it
  • lwf
    I don't see the point. You're asking to have a conversation going between the client and the server where the client has to prove it has a certain SteamID. Why? Steam already performs authentication so the server has the verified SteamID of each player.

    If your mod depends on the client sending HTTP requests including their SteamID and it has to be the correct ID, then you got a problem. You can never trust data from the client, you can't get around that. Perhaps you could have the server send whatever it is that needs to be sent instead?
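
The "server vouches for the client" approach from the replies above, as an added example that is not part of the original thread or of NS2: the game server, which already holds the Steam-verified SteamID, signs a short-lived voucher with a key shared only with the web service, and the web service accepts a SteamID only from a valid voucher. The function names, token layout, `SHARED_KEY` and `MAX_AGE` are assumptions, and Python stands in for both the game-server and web-service sides.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: provisioned on the game server and the web service only,
# never shipped in files that are distributed to clients.
SHARED_KEY = secrets.token_bytes(32)
MAX_AGE = 60  # seconds a voucher stays valid (assumed policy)


def _mac(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_voucher(key, steam_id, now=None):
    """Game server side: vouch for a SteamID that Steam already authenticated."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)  # makes every voucher unique
    payload = f"{steam_id}|{issued}|{nonce}"
    return f"{payload}|{_mac(key, payload)}"


def verify_voucher(key, voucher, seen_nonces, now=None):
    """Web service side: return the vouched SteamID, or None if rejected."""
    now = time.time() if now is None else now
    payload, sep, tag = voucher.rpartition("|")
    if not sep:
        return None  # not in voucher format at all
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(_mac(key, payload).encode(), tag.encode()):
        return None  # forged or altered (e.g. SteamID swapped by a client)
    # The MAC is valid, so the fields below were written by the game server.
    steam_id, issued, nonce = payload.rsplit("|", 2)
    if not 0 <= now - int(issued) <= MAX_AGE:
        return None  # expired, or timestamp from the future
    if nonce in seen_nonces:
        return None  # replay of a voucher that was already used
    seen_nonces.add(nonce)
    return steam_id


if __name__ == "__main__":
    seen = set()  # in production: a store shared by web workers, with expiry
    token = issue_voucher(SHARED_KEY, "Steam_0:0:123")  # constructed sample ID
    print(verify_voucher(SHARED_KEY, token, seen))
    print(verify_voucher(SHARED_KEY, token, seen))  # second use is rejected
```

The client can relay the voucher but cannot mint or edit one, since it never sees the key; the SteamID it claims on its own is never used.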