Public/Private AppID

Options
Reznok
Reznok
in Photon Bolt
In the current design of Photon, it appears that the AppID is supposed to remain secret. It's what's used to authenticate to the Photon Cloud system and allows for creating sessions. If the AppID were compromised, a malicious user could:
1. Use that AppID for their own project, and pass the costs off to the real owner
2. Create a ton of rooms/sessions and flood it (essentially a DoS)
3. Probably more...

It make sense that there's an auth token for this, but what I can't fathom is why every client is required to use the same token as the servers. I propose that there should be a Public token, which is used by clients in the exact same way, but is unable to do certain things on the server (such as creating new sessions), and a Private token, which is used by servers, that allows the high levels of access required to actually create sessions.

I've seen a few threads on this topic that suggest obfuscating/making the AppID hard to find, but that's still a client side protection which is just bad.

Comments

Cookies,
anyone?

We use cookies and related technologies to enhance your experience, show you personalised content and analyze performance and traffic on our website. By clicking on the „Accept All“ button you consent to the use of non-functional cookies and the subsequent processing of personal data to optimize our website and services as described in more detail in our Privacy and Cookie Policy.

By clicking on the „Customize or Deny all“ button you can decide otherwise. Clicking on the „Customize“ button will take you to a page where you can configure the usage of non-functional cookies (and related technologies) or deny all of them. You can access these settings at any time and also subsequently deselect cookies at any time in the footer area of our website.

ACCEPT ALL

Cookie Overview

We use the following categories of cookies and related technologies to enhance your experience, show you personalized content, and analyze performance and traffic on our website. We respect your right to privacy and accordingly you can chose to not allow some types of cookies (and related technologies). Click on the different category sliders and change our default settings to manage your cookie settings.

For more information on the specific cookies/related technologies we use and on how we use these, please see section 15 E. of our Privacy and Cookie Policy.

ABSOLUTELY NECESSARY

Authentication cookies we use are required to run our services … Cookies are required: Link

FUNCTIONAL AND MARKETING COOKIES

These cookies collect anonymous data and allow us to optimize our website and user experience. These cookies are listed here:

ANALYTICS

Help us to understand how visitors interact with our services, enables us to analyze and improve our services (also through third party analytics).