
Add support for passing authorization data through the studio plugin

Open Zalymo opened this issue 11 months ago • 3 comments

There should be a setting for pasting in a secret key which is passed with the HTTPS request whenever the Roblox plugin sends a request to sync to the Rojo endpoint.

Example use case: I currently have my Rojo endpoint publicly exposed so that any developer on my team can open their studio and connect to the endpoint at any time to sync in changes (this works especially well if working with people who are in different time zones or are across the world). Since my endpoint is publicly exposed, I need to employ some form of authentication (to ensure my game's data isn't stolen if someone discovers the endpoint), and I currently do this in the form of remote IP verification.

However: there are more security vulnerabilities associated with this form of authentication, it's more tedious to maintain, and can be limited by location.

Instead, it would be better if the Roblox plugin allowed the developer to authorize themselves by passing in a secret key with the request (bonus points if it saves the secret key, just like how it currently saves the endpoint for quicker initialization). Even though this may be a niche use case right now, it ultimately helps open up the plugin to people (like me) who want to use Rojo with public endpoints for speedy collaboration, but are concerned with security.

Zalymo avatar Mar 01 '24 02:03 Zalymo

> bonus points if it saves the secret key, just like how it currently saves the endpoint for quicker initialization

I'm not sure I'm willing to commit to this because local plugins (those not downloaded from the website) all share the same settings file, so it would be inviting people to store authentication keys in plaintext in a place other plugins can conceivably read from.

Otherwise, this seems reasonable and I'd like to support it.

Dekkonot avatar Mar 01 '24 02:03 Dekkonot

Even plugins that aren't local would still be writing a secret to an unencrypted file. I think we can revisit this when Roblox releases Secrets.

boatbomber avatar Mar 01 '24 04:03 boatbomber

> Even plugins that aren't local would still be writing a secret to an unencrypted file. I think we can revisit this when Roblox releases Secrets.

Does anyone have any more information about these? I recall secure secret storage being announced at RDC 2023, and there's a mention of a Secret data type in the Roblox 599 release notes, but it's unclear if they'll be practical for use by plugins.

kennethloeffler avatar Mar 01 '24 05:03 kennethloeffler
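
A sketch of the server-side half of the request in the opening post, added here as an example and not code from Rojo or from anyone in the thread: a check that a reverse proxy in front of a publicly exposed endpoint could run, independent of the client's IP address. It assumes the key arrives as an `Authorization: Bearer <key>` header, which Rojo does not define; the header choice and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: the plugin sends the key as "Authorization: Bearer <key>".
# Rojo defines no such header today; the name is hypothetical.
AUTH_HEADER = "authorization"


def digest(key: str) -> str:
    """SHA-256 of a key, so the server side stores digests, not the keys."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_key(store: dict, developer: str) -> str:
    """Create a random per-developer key; only its digest is kept."""
    key = secrets.token_urlsafe(32)
    store[developer] = digest(key)
    return key


def revoke(store: dict, developer: str) -> None:
    """Drop one developer's access without rotating anyone else's key."""
    store.pop(developer, None)


def authorize(headers: dict, store: dict):
    """Return the developer whose key matches the request, or None."""
    normalized = {name.lower(): value for name, value in headers.items()}
    scheme, _, presented = normalized.get(AUTH_HEADER, "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return None
    candidate = digest(presented.strip())
    matched = None
    # Check every entry with a constant-time compare; no early exit on a hit.
    for developer, stored in store.items():
        if hmac.compare_digest(candidate, stored):
            matched = developer
    return matched


if __name__ == "__main__":
    keys = {}  # constructed sample data
    alice_key = issue_key(keys, "alice")
    print(authorize({"Authorization": "Bearer " + alice_key}, keys))
    print(authorize({"Authorization": "Bearer not-the-key"}, keys))
```

Storing only digests covers the server side; the concern raised in the replies about the plugin's settings file being readable plaintext on the client is unaffected by it.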