Concerned about the safety and security of Godot project

Let's say that I'm using Godot and use Steam as a method to authenticate, thus I would use something like this:

# Authenticate with the Nakama server using Steam
var session : NakamaSession = await client.authenticate_steam_async(Steam.getSteamID())

However, due to how easily a Godot project can be decompiled, a bad actor can pry open my .pck file and modify the authentication to something else like this:

# Authenticate with the Nakama server using Steam
var session : NakamaSession = await client.authenticate_steam_async("777TEST")

Repack the .PCK, and now that bad actor can illegitimately act as the SteamID 777TEST. There's this post about protecting your Godot project from decompilation; however, it's not foolproof, and with time people would still be able to pry open your code.

Thoughts?

Unless I’m missing something, you must pass an authentication token from Steam, not the Steam ID directly. This is the function signature:

func authenticate_steam_async(p_token : String, p_username = null, p_create : bool = true, p_vars = null, p_sync : bool = false) -> NakamaSession:

Note that username will only be used on new Nakama account creation.

Yeah, I skimmed it and completely missed the parameters… Is there detailed info about how to obtain this "token string"? How do we get the Steam token from our client? On the official documentation it's just … three dots, what's that?

I’m using GodotSteam, and can’t find any mention of “token” on the documentation Authentication - GodotSteam

Have a look at the Steam docs. Your client will authenticate and retrieve a session ticket, and send it to the Nakama server. Nakama will then call ISteamUserAuth/AuthenticateUserTicket passing the session ticket (this token should already be passed to Nakama as a hex-encoded UTF-8 string).

In the GodotSteam doc, it is described here:

Getting Your Auth Ticket

First you’ll want to get an auth ticket from Steam and store it in your TICKET dictionary variable; this way you can pass it along to the server or other clients as needed:

TICKET = Steam.getAuthSessionTicket()

This function also has an optional identity you can pass to it but defaults to null. This identity can correspond to one of your networking identities set up with the Networking Types class.

Now that you have your auth ticket, you’ll want to pass it along to the server or other clients for validation.

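Putting the two replies above together, here is the full client-side flow as an added example; it is not code from the original thread, from GodotSteam or from the Nakama Godot client. It assumes `client` is an already configured `NakamaClient`, that `Steam.getAuthSessionTicket()` returns a Dictionary with `id`, `buffer` (a `PackedByteArray`) and `size` keys as GodotSteam documents, that `Steam.cancelAuthTicket()` takes that `id`, and that `NakamaSession` exposes `is_exception()` / `get_exception()` as the Nakama Godot client's async results do. The point it illustrates is that the SteamID is never sent by the client as proof of identity: Nakama derives it from Steam's verification of the ticket, so a repacked .pck that substitutes a different ID gains nothing.

```gdscript
# Added example, not from the original thread or the GodotSteam/Nakama docs.
# Client obtains a Steam auth session ticket, hex-encodes it and lets Nakama
# verify it with Steam (ISteamUserAuth/AuthenticateUserTicket) on the server.
#
# Assumptions (labelled): `client` is a configured NakamaClient;
# Steam.getAuthSessionTicket() returns { "id": int, "buffer": PackedByteArray,
# "size": int }; Steam.cancelAuthTicket(id) invalidates a ticket;
# NakamaSession has is_exception() and get_exception().message.
extends Node

var client: NakamaClient
var ticket: Dictionary = {}

func authenticate_with_steam() -> NakamaSession:
	# 1. Ask the running Steam client for a session ticket. Steam issues and
	#    signs this for the logged-in user; game code cannot forge one for
	#    another SteamID, which is what the hard-coded ID in the question
	#    tried to do.
	ticket = Steam.getAuthSessionTicket()
	if ticket.is_empty() or ticket.get("size", 0) == 0:
		push_error("Steam did not return an auth session ticket")
		return null

	# 2. Nakama expects the raw ticket bytes as a hex string. Slice to the
	#    reported size in case the buffer is larger than the ticket.
	var buffer: PackedByteArray = ticket["buffer"]
	var ticket_hex: String = buffer.slice(0, ticket["size"]).hex_encode()

	# 3. Pass the ticket, not the SteamID, to Nakama. The server validates it
	#    with Steam and takes the SteamID from Steam's response; anything the
	#    client claims about its own ID is irrelevant.
	var session: NakamaSession = await client.authenticate_steam_async(ticket_hex)
	if session.is_exception():
		push_error("Nakama rejected the Steam ticket: %s" % session.get_exception().message)
		# Release the ticket so it cannot be replayed later.
		Steam.cancelAuthTicket(ticket["id"])
		return null

	return session
```

Call `authenticate_with_steam()` after `Steam.steamInit()` has succeeded; if it returns `null`, treat the player as unauthenticated. Keep the `id` from the ticket around so you can call `Steam.cancelAuthTicket()` when the session ends, since an outstanding ticket is a credential you no longer need.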