How can a Godot server verify the authenticity of a client connected to a Nakama server?

There is a Godot server and clients from the same project code with Nakama Godot SDK. The Godot server and clients connect to the Nakama server (using any authentication method). The clients also connect to the Godot server. How can the Godot server ensure that the connecting client is not a fraud and corresponds to a specific Nakama client?
Is it possible to identify a Nakama server client using the token on the Godot server?
Or maybe I am missing a simpler mechanism for creating an authoritative Godot server, but with some degree of client freedom regarding the Nakama server?

Hello @Serh,

The socket.server_key does prevent clients not in possession of the key from connecting; this should give you some protection against unwanted actors trying to connect to the server.

So far I have settled on this: the client authenticates on the Nakama server and receives a session, and with it an access token and a refresh token; it then connects to the Godot server and sends it the access token. The Godot server creates a session from it (I did not find a validation function), then checks that the client ID from the session matches the ID of the connecting client.

To validate the tokens you could create a server-to-server RPC that uses the same logic as here.

We’ve recently added a subset of the configuration values to be available to read from the runtimes to access the encryption key.

Best.
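The validation step discussed above, as an added example that is not part of this thread or of Nakama's own code: a Go function in the shape an S2S RPC (or any server holding the key) would run to check a session token against Nakama's session.encryption_key and compare its uid with the ID the connecting client claims. It assumes Nakama session tokens are HS256 JWTs carrying uid and exp claims; the key and token values are constructed for the test.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
// Claims this example reads from a Nakama session token (the uid/exp claim names are an assumption).
type sessionClaims struct {
	UserID string `json:"uid"`
	Exp    int64  `json:"exp"`
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// sign computes the HS256 signature over "header.payload" with the session encryption key.
func sign(key []byte, signingInput string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return b64(mac.Sum(nil))
}
// makeSessionToken builds a constructed HS256 JWT for testing; it is not a Nakama API.
func makeSessionToken(key []byte, c sessionClaims) string {
	payload, _ := json.Marshal(c)
	si := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return si + "." + sign(key, si)
}
// VerifySessionToken recomputes the signature with the server's own key (a token signed
// with another key, or claiming "alg":"none", fails), then checks expiry and the uid.
func VerifySessionToken(token string, key []byte, claimedUserID string, now time.Time) (*sessionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	expected := sign(key, parts[0]+"."+parts[1])
	if !hmac.Equal([]byte(expected), []byte(parts[2])) { // constant-time compare
		return nil, errors.New("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil { return nil, err }
	var c sessionClaims
	if err := json.Unmarshal(raw, &c); err != nil { return nil, err }
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	if c.UserID != claimedUserID {
		return nil, errors.New("uid does not match the connecting client")
	}
	return &c, nil
}
```

A token that fails any of these checks should be treated as an unauthenticated connection; the uid comparison is what ties the Godot-side client to a specific Nakama account.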

Thanks for the links, I need more experience to understand these concepts.

If I understood correctly, then the Godot server can be a client with ID 000000…00000? Then how do I log in with this account? I tried to add an authentication method to this account in the Nakama web interface, but this is prohibited by the system.

You can call S2S RPCs using just the runtime HTTP key, which means there's no authentication step to get a session. Because of this, these invocations won't have a user_id set in the context, so you should populate whatever data you need in the payload (e.g. the user_id), as the Godot server is authoritatively calling Nakama on behalf of the user.

Hope this clarifies.