Backends?


cdelstad

JS all the way for me usually (excluding the DB of course, which is C).

 

Node.js backend, usually fronted with either nginx or varnish. I'll either write directly using node's http methods, or use koa to structure the server/s.

 

I have a number of services for stuff like score tracking, user auth etc etc. I sometimes deploy them in a docker or rocket shell.

 

Node.js is a good choice for stats/leaderboards etc as it deals with very fast JSON transactions well, is relatively low memory and has good scalable performance for this sort of thing. nginx/varnish would normally handle the static serving (node can do this of course but it isn't really a major use case for it, i.e. you don't need much smarts for static serving so don't lug the smarts around with you!).

 

In terms of DB (which will be the bottleneck normally) I frequently use levelDB for smaller stuff and I've just started using rethinkDB for anything more complicated, both have first-class node integrations.

Link to comment
Share on other sites

I'm using AJAX calls to a .php file to save the leaderboard, and actually I need to improve this thing because right now it is pretty easy to "hack" those leaderboards by sending some info to that .php file.

 

Do you guys know how I can limit those calls to files hosted only on mydomain, gamejolt.com, itch.io... without CORS, as I need to allow saving that info from .ipa's and .apk's?

 

Thanks in advance.

Link to comment
Share on other sites


When you send your AJAX call, send some stuff in the header; then, when you receive a message, check the headers and ditch anything that does not match, i.e. itch.io sends X-REFERRER=ITCH, gamejolt sends X-REFERRER=GAMEJOLT, etc. Ditch requests without the header or with a malformed header.

 

It still isn't the most secure method, but it is a little better. There are some standard and common non-standard headers that might be better suited, but I'm not sure what .ipas and .apks would send without too much of your own effort.

 

Headers can be manipulated though; without CORS it won't stop determined hackers.

Link to comment
Share on other sites

Well, I'm pretty sure this would improve security at least a little bit, thanks mate. Also, if I want to include one of those headers in my own files, how should I do that?

 

I mean, I have a leaderboard and I'm sharing information between an .ipa, an .apk, a game hosted on gamejolt, and I want to include the same game hosted on my own hosting, so I would need to include some kind of header in my code I guess :)

 

Thanks in advance, mate.

Link to comment
Share on other sites

I'm guessing your AJAX is posting to the endpoint. If you are using some sort of library (request, superagent or jquery for example) they all have their own ways of attaching custom headers. `XMLHttpRequest` has a `setRequestHeader` function, but you don't want to be using that old thing for your calls; this is how you'd add headers using fetch (most frameworks follow this convention):

fetch('/leaderboard', {
  method: 'post',
  headers: {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
    'X-FROM': 'gamejolt'        // the custom header the server checks for
  },
  body: JSON.stringify({
    uid: 'XXX',
    score: 1234
  })
})

I'm not sure how you'd check the headers with PHP (my PHP knowledge is constrained to fiddling with, and breaking, simple wordpress themes so I tend to steer clear), but the basic premise is that you examine the request object and perform some logic based on the existence and type of your custom header. I think this SO question answers it.

 

You'd probably need to change your code to include those headers, although some frameworks attach some standard custom headers (the X-Forwarded ones sometimes get attached using something like `window.location.host`, which would help).

 

I've used this sort of thing in node several times to provide some basic sanity checks on where requests are coming from, mostly for logging or tracking but sometimes for giving the server clues on how to proceed.

Link to comment
Share on other sites
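The server-side half of the suggestion above, as an added example that is not from the thread: a Node.js request handler that reads the custom X-FROM header the fetch() snippet attaches and rejects anything missing, malformed or not on an allowlist. The allowlist values, the handler name and the 400 response shape are assumptions made for this example.

```javascript
// Added example (not from the thread): server-side filter for the custom
// X-FROM header that the fetch() snippet above attaches. Node lowercases
// incoming header names, so the check reads headers['x-from'].
// Allowlist values are constructed for this example.
const ALLOWED_SOURCES = new Set(['gamejolt', 'itch', 'mydomain', 'ios', 'android']);

// Returns { ok: true, source } when the header is present, well-formed and
// on the allowlist, otherwise { ok: false, reason }. Missing or malformed
// headers are rejected outright, as the post above suggests.
function checkSourceHeader(headers) {
  const raw = headers['x-from'];
  if (raw === undefined) return { ok: false, reason: 'missing X-FROM header' };
  // Node joins duplicate headers with ", ", so a doubled header fails the
  // token pattern below; normalise case so "GAMEJOLT" and "gamejolt" match.
  const value = String(raw).trim().toLowerCase();
  if (!/^[a-z-]{1,32}$/.test(value)) return { ok: false, reason: 'malformed X-FROM header' };
  if (!ALLOWED_SOURCES.has(value)) return { ok: false, reason: `unknown source "${value}"` };
  return { ok: true, source: value };
}

// Minimal http-style handler showing where the check sits. The header is set
// by the client, so this only filters careless traffic; the source is logged
// and used for routing, not treated as authentication (later posts cover tokens).
function handleLeaderboardPost(req, res) {
  const verdict = checkSourceHeader(req.headers);
  if (!verdict.ok) {
    res.writeHead(400, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify({ error: verdict.reason }));
    return;
  }
  // ... read and validate the JSON body (uid, score), then write to the DB ...
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ accepted: true, source: verdict.source }));
}
```

Plug `handleLeaderboardPost` into `http.createServer` or a koa route; `req.headers` is the plain object Node already gives you.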

I think the number one thing you can do is use https - if you aren't already. You can get free SSL certificates, and others for pretty cheap.

Another thing you can do is have a user create a login as part of their setup process, then when they start the game, make a call to a login process and get a token. Then pass that with every call. e.g.: Amazon's S3 REST API.

I am guessing you are already doing the above two things.

 

Here are a couple articles I bookmarked while researching backends.

 

http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

 

http://www.wikihow.com/Create-a-Secure-Session-Managment-System-in-PHP-and-MySQL

 

Hope these help,

-Chad

Link to comment
Share on other sites

Question really is how far do you want to go to keep things 'secret'?

 

SSL is certainly going to help (be wary of very cheap certs), but you're rightly worried about hackers sniffing your obfuscated JS, which, as headers are strings, probably won't be obfuscated.

 

Token access is a great idea; not the easiest thing to set up, but there's plenty of help as it's a standard mechanism.

 

You can even do crazy stuff like having some sort of algorithm that takes the time (or some other variables) and then creates a custom header key which the server then validates against those variables (time). The algorithm can be worked out of course, but it's easier to obfuscate than strings, and depending on complexity, brute-forcing it could be tricky enough to be 'practically' impossible. You could even frequently change the algorithm, either by uploading new code or requesting it somehow. Still not as good as login-based tokens though.

Link to comment
Share on other sites

cdelstad, I'm not doing that at all, but probably the https thing would be something good; can you point me to a link or tell me something about that :)? mattstyles, about your last point, I'm doing something like that: I'm sending hour/minute/second to a php, applying an algorithm to that info to get a seed and comparing it later when I send the info to the save function... well, something like that, but something must be wrong; I guess once you receive the seed, you can use it to save as many as you want (I can tell this because all the records have the same time XD)

 

Well guys, probably SSL is my thing, what should I do about that?

Link to comment
Share on other sites

Here's an article that talks about it.

https://trevellyan.biz/why-your-website-should-use-https-instead-of-http/

You can get an SSL cert for about $15/yr. Your hosting service may also offer something.

You can always just flip https on your website without a real cert, but the website will complain every call. Maybe not a problem if it is only to your api calls on the backend, but I have not tried it to confirm.

Hope that helps.

Link to comment
Share on other sites

Using HTTPS encrypts everything going between the client and server, so it helps a lot. It is not perfect, but it is generally agreed to be one of the best first things to do to improve security. It makes it more difficult for a sniffer, etc. to see what you're sending, vs. HTTP, which sends passwords as plain text so they are completely readable.

Link to comment
Share on other sites

The SSL cert is good against outside sniffing, but I know what you're getting at: the endpoint and any custom header or other magic will be in your JS, which, in theory, is readable, particularly strings, which don't generally obfuscate (you might find that whichever uglifier/minifier you use has settings you can crank right up; for sensitive parts of your code you can crank it up and it'll be pretty difficult to reverse engineer back to an easily human-readable code snippet).

 

Token based is the best way. This involves the user manually logging in, and that is your secure point. At some point the login details are entered by the player; SSL then makes sure they can't be sniffed, so your security point is in how secure the password/user combo is. Pass back a token, again via https, and use that token in subsequent calls to your api. Have the token expire after a set amount of time and after that your api will be pretty secure. Change the algorithm that creates the tokens every so often and it's even more secure.

 

The token way keeps the security bit (manual entry of password) out of the code.

 

Of course, hackers could still use their own token to send phoney data to your leaderboard but this is where you get into pattern watching for signs of attack. You could even have your code periodically send other messages to the server i.e. if you know that a player must reach level 100 before getting 1 million points then have the game ping the server (with the token) upon reaching level 100, if someone posts a score of 1 million without having reached level 100 (or close) then you know something fishy is going on.

Link to comment
Share on other sites

Exactly, that's the point: the call and the variables are in the .js file so you can read it pretty easily, that's my problem...

 

Anyway, I think I'm gonna try the token approach. I don't like the idea of "hey, you need to log in to play my game" but it seems it's my only chance... Dammit, I hate those script kiddies.

Link to comment
Share on other sites

They'd only need to log in to post scores, and it could be optional. You can cache their token locally; next time they play you either update the token or kill it and force them to log in again. It's a balance between user convenience and security, as it always is.

 

I like the idea of a fingerprint scanner that sends you an email with your password for the day; the browser then caches it for a day from the email and uses that to log in to everything, but there are cons to that as well of course, and it takes a fair bit of technology to get set up. Something has to be done about the glut of passwords and login details we carry around with us though.

Link to comment
Share on other sites

Here's another thought.

Parse.com. It's free as long as your transaction volume is low (it's free up to 30/second, which would amount to 2,592,000 per day, IF you could keep transactions to exactly 30/second; there will be peak times for users). But if you have high transactions, hopefully by then you're bringing in income from your app(s). ;) It may not be a bad place to start, then move to other hosting later. You'll really want to keep the number of transactions down to logins and maybe high score updates. ;) It amounts to about $0.14 per hour you are above 30/second (per 10/second you are over).

 

It has login logic built in, even allowing users to log in with Facebook or other social media, and keeps it safe. ;)

Check out the CORE and scroll down a little bit to see the login info.

https://www.parse.com/products/core

 

Also, here's an example app that does all of this so you can look at the source code.

https://parse.com/tutorials/todo-app-with-javascript

 

I am considering trying this out. 

There's also a class on tutsplus that shows Intel XDK with Parse.com for $9, but I am not sure it is necessary. I have not taken the course, just bookmarked it in case I am struggling to make it all work.

http://code.tutsplus.com/courses/build-apps-with-xdk-and-parse

 

Digital Ocean is another, more cost-effective option. They have plans as low as $5/month. But you pretty much have to develop your own

Hope this helps,

-Chad

Link to comment
Share on other sites
