API Password masking

StormITSolutions
Posts: 6
Joined: Sat Feb 07, 2009 10:49 am

API Password masking

Post by StormITSolutions »

Hey guys,

Has anyone managed a good way of masking the API password?
We are playing around with our server and would prefer that bankers don't see it displayed when opening tournaments.

Any suggestions would be very helpful.
We trust our friends to be bankers but I am limiting what they can do so there is less chance of them breaking the remote server.

And we all know people love to cheat and removing temptation would be good.

Thanks

Al
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: API Password masking

Post by Kent Briggs »

StormITSolutions wrote: Has anyone managed a good way of masking the API password?
We are playing around with our server and would prefer that bankers don't see it displayed when opening tournaments.
Build a web interface on a secure computer just for your bankers with some kind of login system that only they can access. That interface uses server-side scripting like PHP to communicate with the game server's API. The bankers will not be able to see that communication and thus won't know what the API password is.
StormITSolutions
Posts: 6
Joined: Sat Feb 07, 2009 10:49 am

Re: API Password masking

Post by StormITSolutions »

I have tried a lot of methods but packet sniffers are still picking up the API password.
Looking into the password being stored in a remote server database and the PHP app calling the password from the banker's command after the submission on a remote banker site.

That way the call is done afterwards on another server so packet sniffers can't pick it up.
A more roundabout way of doing it, so I thought I would ask if others had a workaround or shall I just get stuck into the code.

I may be overcomplicating it, as I've been told in the past I can't see the forest for the trees.
AL
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: API Password masking

Post by Kent Briggs »

StormITSolutions wrote: I have tried a lot of methods but packet sniffers are still picking up the API password.
How are the bankers (or anyone else) seeing packets going from your computer running the web interface to your computer running the game server?
StormITSolutions
Posts: 6
Joined: Sat Feb 07, 2009 10:49 am

Re: API Password masking

Post by StormITSolutions »

The test I am trying is the scenario.

Bankers on remote PCs using remote web interfaces.

It's not a scenario we are currently using, but I'm crossing all the T's and dotting the i's for future use.
At the moment the bankers are on the same network as the server.

My understanding of the API was that if the user submits a command via a web site (HTTP commands) they could "sniff" out the packets. I know this is normally the case but API is something I'm fairly new to.

Only started integrating API into my software to sync servers so not 100% sure of its application in this sense.

Any information would be great to help my learning curve.

Al
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: API Password masking

Post by Kent Briggs »

StormITSolutions wrote:At the moment the bankers are on the same network as the server.
Well that would be an issue if they have physical access to your own computers.
My understanding of the API was that if the user submits a command via a web site (HTTP commands) they could "sniff" out the packets
They could see the packets if they had access to the sending or receiving computer. I'm not sure about inside a LAN but I suspect if they had access to the router it might be possible there also since all the network traffic would flow through it.
StormITSolutions
Posts: 6
Joined: Sat Feb 07, 2009 10:49 am

Re: API Password masking

Post by StormITSolutions »

Thanks for the quick responses.

I will monitor how the system goes and see if I can stop my colleagues messing about with it.

Will write some PHP scripts to handle remote registration and API banker commands, will post the code when I'm done to allow others to freely use it.

Al
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: API Password masking

Post by Kent Briggs »

One thing I could do is add an option to bind the localhost (127.0.0.1) to the game server (in addition to its regular IP). Then you could run a separate web server on that same machine and it would communicate with the game server via 127.0.0.1 and never expose the API password on the LAN.
StormITSolutions
Posts: 6
Joined: Sat Feb 07, 2009 10:49 am

Re: API Password masking

Post by StormITSolutions »

That would be a good option.
If it's not too much trouble it would come in useful.

Al
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: API Password masking

Post by Kent Briggs »

Kent Briggs wrote: One thing I could do is add an option to bind the localhost (127.0.0.1) to the game server (in addition to its regular IP). Then you could run a separate web server on that same machine and it would communicate with the game server via 127.0.0.1 and never expose the API password on the LAN.
This feature has now been added to version 2.33.
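
The two suggestions in this thread (a login-protected server-side interface for bankers, talking to the game server over 127.0.0.1) combined in one PHP script; this is an added example, not code posted by anyone in the thread or shipped with Poker Mavens. The API URL and port, the `Password`/`Command`/`JSON`/`Player`/`Amount` parameter names, the two command names, the `banker` session key and the `PM_API_PASSWORD` environment variable are assumptions to be matched to your own server and login system.

```php
<?php
declare(strict_types=1);
// Assumptions (check against your server's API documentation): URL and port,
// parameter names, command names, session key and environment variable name.
const API_URL = 'http://127.0.0.1:8087/api';   // loopback: never crosses the LAN
const ALLOWED = [                              // banker action => API command
    'credit' => 'AccountsIncBalance',
    'debit'  => 'AccountsDecBalance',
];

// Build the API request on the server. The browser only ever submits
// action/Player/Amount; the password is added here and never sent back.
function build_api_params(string $action, array $form, string $apiPassword): array
{
    if (!array_key_exists($action, ALLOWED)) {
        throw new InvalidArgumentException('action not permitted');
    }
    $player = $form['Player'] ?? null;
    $amount = $form['Amount'] ?? null;
    if (!is_string($player) || !preg_match('/^[A-Za-z0-9_-]{1,20}$/D', $player)) {
        throw new InvalidArgumentException('bad player name');
    }
    if (!is_string($amount) || !ctype_digit($amount) || (int)$amount < 1) {
        throw new InvalidArgumentException('bad amount');
    }
    return ['Password' => $apiPassword, 'Command' => ALLOWED[$action],
            'JSON' => 'Yes', 'Player' => $player, 'Amount' => $amount];
}

function call_api(array $params): string
{
    $ch = curl_init(API_URL);
    curl_setopt_array($ch, [CURLOPT_POST => true, CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POSTFIELDS => http_build_query($params), CURLOPT_TIMEOUT => 10]);
    $body = curl_exec($ch);
    if ($body === false) throw new RuntimeException('game server unreachable');
    return $body;
}

session_start();                               // set by your own banker login page
if (empty($_SESSION['banker'])) { http_response_code(403); exit('login required'); }
$pw = getenv('PM_API_PASSWORD');               // kept out of the web root and the HTML
if ($pw === false || $pw === '') { http_response_code(500); exit('not configured'); }
$action = is_string($_POST['action'] ?? null) ? $_POST['action'] : '';
header('Content-Type: application/json');
try {
    echo call_api(build_api_params($action, $_POST, $pw));
} catch (InvalidArgumentException $e) {
    http_response_code(400); echo json_encode(['error' => $e->getMessage()]);
} catch (RuntimeException $e) {
    http_response_code(502); echo json_encode(['error' => $e->getMessage()]);
}
```

For remote bankers, serve this page over HTTPS so their login and requests are not readable on the network, and add CSRF protection to the form that posts to it.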