Web updater access to password protected sites

[Yc3k]

Hi all.

I was wondering is there a way for a Ren'py web updater to access and update the game from a password protected web site? Here's my problem.

I am developing a game and I have successfully implemented the web updater. I want to grant access to different versions of my game to different people without using Ren'py's password system since it's so easy to "hack" it. You just open the archive and read what the password is. So my idea was this.

I have my own hosting and website. I wanted to protect the downloads (the different folders with the updated game files) with password on server side. Now, when you're in game and you click to update the game the game should ask you a password to access the content on the server and you will have to input the password manually. Similar to logon screen on a website. If you enter the correct password the update continues, if not, it wont allow you to update the game. There will be no way for you to know the password if I didn't give it to you.

I am aware this would require some actual Python programming but I was just wandering if it is at least possible to do something like that, before I continue to waste countless hours on trying to find a solution?

[PyTom]

You could pass the password in the URL for update.json, and have the server side check it and return the file iff the password matches.

[Imperf3kt]

I used to run an IRC boy that was programmed in python.
With the bot, users could register by sending a username and password to the server. This password was stored as an encrypted string in a text file. Trying to use the string as the password would fail.


I ll try to dig up the relics of the bot and see how it achieved that, it may be able to be implemented within Ren'Py


Edit:
Github for the repository
https://github.com/ProgVal/Limnoria

[Yc3k]

You could pass the password in the URL for update.json, and have the server side check it and return the file iff the password matches.

Wouldn't that mean I would still need to have that password stored locally (in game)? I want to avoid that completely. The main reason is if I want to change the password for whatever reason.

[Yc3k]

I used to run an IRC boy that was programmed in python.
With the bot, users could register by sending a username and password to the server. This password was stored as an encrypted string in a text file. Trying to use the string as the password would fail.


I ll try to dig up the relics of the bot and see how it achieved that, it may be able to be implemented within Ren'Py


Edit:
Github for the repository
https://github.com/ProgVal/Limnoria

OK, but this password was still saved locally on your computer, right? What if I changed the password server side?

[Imperf3kt]

Oops, forgot about this and now its midnight

The password was stored nowhere, the user input the password, it was sent to the server, where it was encrypted and then it remained that way.

If I wanted to see everyone's password, I could not. I couldn't even see my own password as it is not stored anywhere.


I'll have to look at it more tomorrow (or maybe someone else will) - no guarantees I will have any actually useful info though.

[Yc3k]

Oops, forgot about this and now its midnight

The password was stored nowhere, the user input the password, it was sent to the server, where it was encrypted and then it remained that way.

If I wanted to see everyone's password, I could not. I couldn't even see my own password as it is not stored anywhere.


I'll have to look at it more tomorrow (or maybe someone else will) - no guarantees I will have any actually useful info though.

Don't sweat it, mate. It's not that urgent mater.

Thank you for the trouble, though.

[PyTom]

You could pass the password in the URL for update.json, and have the server side check it and return the file iff the password matches.

Wouldn't that mean I would still need to have that password stored locally (in game)? I want to avoid that completely. The main reason is if I want to change the password for whatever reason.

No, you wouldn't. You can just let the user input the password, like so:

Code: Select all

label update:
     $ password = renpy.input("Please enter the update password.")
     $ update.update("http://my.domain.com/update/{}/update.json".format(password))
     
     return

This will ask for a password, and then format it into the update URL. If you want to change the password, you can change the directory the update is in on your server. (And make sure there's an index.html file so people can't just look at directory listings.)

[Yc3k]

You could pass the password in the URL for update.json, and have the server side check it and return the file iff the password matches.

Wouldn't that mean I would still need to have that password stored locally (in game)? I want to avoid that completely. The main reason is if I want to change the password for whatever reason.

No, you wouldn't. You can just let the user input the password, like so:

Code: Select all

label update:
     $ password = renpy.input("Please enter the update password.")
     $ update.update("http://my.domain.com/update/{}/update.json".format(password))
     
     return

This will ask for a password, and then format it into the update URL. If you want to change the password, you can change the directory the update is in on your server. (And make sure there's an index.html file so people can't just look at directory listings.)

Oh, now I get it!!! I must say I didn't quite understand you the first time. This is an fantastic idea!

Thank you very much, PyTom. You really helped me a lot!

Keep up the good work.

[Yc3k]

Hi guys,

Although the solution that PyTom gave me works great I still encounter a strange problem.

Every time I change the password (change the folder name on my server) or make a fresh build of my game and then try to update it, the first time I enter the password I always get a "Wrong password" message no matter what I do. Only after I click the update button again and type in the password again the game allows me to continue with the update, even though both times the password was correct.

I assume the problem is in the "updater.UpdateVersion" script but I cannot figure out how to fix it.

Here's the code I'm using

Code: Select all

label update_5:
    $ update_password_5 = renpy.input("Please enter the update password.")
    $ UPDATE_URL_5 = "http://my.site/renpy/updates/{}/updates.json".format(update_password_5)
    $ new_version_5 = updater.UpdateVersion("http://my.site/renpy/updates/{}/updates.json".format(update_password_5), check_interval=1, simulate=None)
    
    if new_version_5:
        show text "Thank you for the support! The updating process will start automaticaly in a few moments!{w=4.0}{nw}" at truecenter
        $ updater.update("http://my.site/renpy/updates/{}/updates.json".format(update_password_5), simulate=None)
        
    else:
        centered "Wrong password!{w=2.0}{nw}"
        call screen update()

Any help would be appreciated.

I've tried to change the "check_interval" to a different number and removing it all together without any effect. I've tried repeating the variable multiple times before "checking" it also no effect. I simply can't understand why do I need to input the password 2 times for it to recognize it and check it with the folder on my server.

[PyTom]

So, updater.UpdateVersion isn't meant to be used like this. It's meant to be used in screens, where the first call it it will generally return that no update is available, and then trigger an interaction restart, so the screen is updated and it's called again with current data. i'd suggest not using it, and just going straight to updater.update, which will give up if no update is available.

[Yc3k]

That's a shame cause I find it a really useful feature that I like to use.

What you're saying is if I use the updater.UpdateVersion as part of a screen, it will use the "check_interval" to check the availability of the update and if it gets a "true" it will then trigger a kind of a screen refresh with updated information? Did I understand you correctly? Sorry if I sound a bit noobish, I'm still learning the ropes.

Also, since this method of password checking isn't working as intended do you have any other idea how to do it? I know you've said to just use the updater.update and it will return an error if the password is wrong, but I would want to create a custom message as I have now without the updater.update actually starting the update process if the password is wrong.

If it can't be done, it's OK. Don't sweat it. Thank you.

***EDIT***
Nvm. I found a solution that works. It's a bit of a workaround but it gives me what I want. Thanks.