DDraceNetwork
Development / developer
Development discussion. Logged to https://ddnet.tw/irclogs/ Connected with DDNet's IRC channel, Matrix room and GitHub repositories — IRC: #ddnet on Quakenet | Matrix: #ddnet-developer:matrix.org | GitHub: https://github.com/ddnet
Between 2020-02-24 00:00:00Z and 2020-02-25 00:00:00Z
Avatar
@ChillerDragon the invalid signature means that it isn't a valid map file
10:54
it might have gotten corrupted by something or it's a different file format
10:54
you could try the file tool to tell you what kind of file you're looking at
15:26
Why don't you plan to make authentication?
Avatar
not again
❔ 1
kek 1
Avatar
@3da are you really 3da?
Avatar
@3da are you really 3da?
@Learath2 may be
15:51
depends on what you mean
15:54
Centralized account system for teeworlds could help to make many cool mods
15:54
So I don't know why it doesn't exist yet
Avatar
I mean as in the 3da that contributed to DDRace
15:54
back when btk and greyfox was still around
Avatar
yes, I was the first man who made mod called DDRace
heartw 2
15:55
in 2010-2011 I sent my source code to another developer
Avatar
versace [ZIAH] 2020-02-24 15:55:25Z
do you have the "first" ddrace map saved somewhere
Avatar
Welcome back 😛
Avatar
I was young and stupid when I made first ddrace
15:55
my code was bad
Avatar
I did work on a couple prototypes for an account system, never really made one that I was content with
Avatar
but i had a lot of enthusiasm
Avatar
I had one with asymmetric cryptography that I actually liked a lot, but making it user friendly enough was too much of a hassle
Avatar
This morning I wanted to make another mod but I expected that DDNet already has accounts which I could use
15:57
But it is sad to know that there are no accounts
Avatar
i dont think its sad
15:58
and making an account system is nothing difficult
15:58
so u can just do it in ur mod
Avatar
versace [ZIAH] 2020-02-24 15:59:12Z
doesn't KoG have an account system?
Avatar
It would be cool to have single account system across the servers
Avatar
versace [ZIAH] 2020-02-24 15:59:37Z
every tw server?
Avatar
Yeah, an account system is trivial, I also wanted one that we could use across all mods
16:01
I have one working with certificates to avoid centralisation but users would need to note down a mnemonic, not sure if that's the best ux
Avatar
I think it should work like this: Player authenticates in his client. Then the client sends some data to every server. And each server can check if the player is real. But simple servers may accept any usernames.
Avatar
that would be insecure
16:01
you could host a server to grab accounts?
Avatar
server doesn't receive passwords
Avatar
Currently, the server sends a challenge, the user signs it with his private key, the server verifies the signature however it likes
16:02
I was thinking ddnet could host a verification server other mods are free to either use our verification or implement their own account pool
Avatar
sounds good
Avatar
No passwords no usernames, but the user would be responsible for not losing their private keys and if they do there is no good way to recover it
Avatar
why not to use password as private key?
Avatar
too short to be secure
16:04
a known plaintext attack would be feasible
Avatar
May be it is possible to bind teeworlds accounts to some social network?
Avatar
That would be a little too centralised for a lot of the developers' taste
16:07
but combining what I have with oauth it is quite feasible to link a social account
16:07
wouldn't help recover the private key though
16:08
maybe ddnet could store people's private keys in encrypted form, with their password for a recovery measure
16:08
Given it's open source that does sound feasible
16:12
Anyway, the current issue isn't that there is no good way, it's that I don't really have the time to code much anymore
Avatar
I am interested in authentication for teeworlds
16:12
probably i can make some code
16:13
Currently I am good in .net core and JS
Avatar
When I get back to italy I can share the code I have with you
Avatar
You are Italian?
Avatar
I just live in italy for now
16:21
I think I can make whole certification center for ddnet except the integration with teeworlds (C++ part)
Avatar
Well we need to design a protocol where servers can safely authenticate
16:51
What do you think about this simple diagram?
16:54
token should be once-off
Avatar
the protocol to connect Auth server can be HTTPS
Avatar
Make all those tokens one use and it should be safe enough
17:58
but I don't quite like the username+password setup
Avatar
But the users like it
Avatar
We want to make games for gamers but not for developers, right?
Avatar
I already like the fact that you're back, @3da xd
Avatar
Thanks guys. I don't know who you are but it is fine that we want to make cool teeworlds mods
Avatar
(tbh I just hope for more & better changes to DDNet / TW community in general)
Avatar
With certificates you don't need to remember any password, authentication just works
Avatar
the user can remember his password in client
Avatar
but what then if a person reinstalls client or even switches to other OS? Won't that mean their acc is lost?
Avatar
Then we are storing plaintext credentials on the users computer
Avatar
This is common case in real world 😄
Avatar
Just because something is not easy to figure out, doesn't mean we should just skimp out on quality
18:10
Anyway if you want to implement it like this, feel free to go ahead, it should take like 3-4 days at a decent pace, it should be secure enough
Avatar
I agreed that this is not 100% safe but it is better than an account system which does not exist at all
Avatar
Btw, how does KoG's acc system work then?
18:11
you have to login only once
Avatar
what is KoG?
Avatar
and the server seems to remember the user by... no idea what
18:12
and registration goes thru their website
Avatar
It's probably security by obscurity, relying solely on the fact that KoG is closed source
Avatar
well, some parts of ddnet could also be tho
18:12
like the part of authentication server
Avatar
I'd guess it remembers some combination of properties about the client at the point of login
Avatar
why should we make auth server closed source?
Avatar
Having literally everything accessible by everyone isn't always a good idea
Avatar
Security through obscurity is just an illusion, if it isn't secure when open source it isn't secure
Avatar
Guys let me tell you a story
Avatar
and there are a lot of ways to implement secure authentication with username and password
18:14
just pick any and use it
Avatar
<pointing at onby's bot detections>
Avatar
First time DDRace was closed source
Avatar
@Learath2 do u like jwt?
Avatar
And I made special built-in admin password in compiled EXE
18:15
but this password was written as plain text in constant
18:15
and some users watched this password
18:15
I was so stupid
Avatar
@Ryozuki not for what everyone uses it for but it does have good uses, as long as you acknowledge its shortcomings
18:16
@3da there were a couple mods that took your example, like that city mod released on the forum
18:16
I think @heinrich5991 extracted the backdoor rcon password from that one
Avatar
I could make special admin password mode secured and obfuscated
18:16
😦
Avatar
As long as the executable is doing the authentication it's not very hard to extract the backdoor pw
18:18
Reverse engineering is quite fun
Avatar
are you good in it?
Avatar
I'm still learning a lot
Avatar
hackers everywhere.....
Avatar
I wish someday I'd see +DDrace or at least some of only-for-fun things accessible in DDNet... We actually have freezehammer out of like nowhere, so why not rainbows or that other thing which spawned kill particles all the time... I miss those times so much 😔
Avatar
Anyway, if you are okay with a centralised architecture, usernames and passwords and the fact that players can't reliably verify other players identity then there are dozens of authentication protocols out there you can use
18:22
The protocol you gave is vulnerable to man in the middle attacks, you need to add some identifying information about the server you are authenticating against while getting a token and the authentication server needs to make sure that the token is only used by the server you want to authenticate against
Avatar
This is not final scheme but the main things are ok
18:23
😄
18:24
I wish someday I'd see +DDrace or at least some of only-for-fun things accessible in DDNet... We actually have freezehammer out of like nowhere, so why not rainbows or that other thing which spawned kill particles all the time... I miss those times so much 😔
@Soreu I agreed that mods should be more funny
Avatar
Even if not the official ones, then maybe private ones that use the same mod
Avatar
I don't like hard maps
Avatar
I started hosting +DDRace with the "helper for everyone" just for pure fun in like 3rd day of playing in teeworlds <3
18:26
crazy times those were :p
Avatar
My first days in teeworlds were awesome (edited)
Avatar
btw, I will later have question about the mentioned freezehammer, but for now I'd rather further enjoy your discussion about hopefully finally having acc system
Avatar
When normal kids were playing on the street with other kids. I was playing with other tees as normal tee.
Avatar
ChillerDragon 2020-02-24 18:33:57Z
There is DDNet++
Avatar
The most important thing in teeworlds for me is that you can start server with your mod and the players will join your server and discover the world which you prepared for them. The other game which gave the same is Warcraft 3 where you could easily make custom maps and invite random people to play with you
Avatar
And also in the meanwhile to those working on DDNet 0.7: Would there be a possibility to rearrange entities, or actually change the way they are displayed altogether? Because together with @Ravie we have few ideas to make player's (and ppl making those graphics) life easier if possible ^^
Avatar
Hi @3da. The usual argument against accounts is that we already have lots of ranks and can't verify who they belong to
Avatar
yeah. this is problem
18:41
someone else can register my username
Avatar
there are even some names that multiple people use at once
Avatar
Is it hard to make communication by https with Auth server in teeworlds client and server?
18:51
ppl should be able to have one registered name (edited)
18:51
but names not registered can be used by all
18:51
and name changes in place for transfer points
18:51
u change what name ur points are registered to
18:52
or, you are registered to an ID, not an actual name
18:52
so you have fluidity in choosing what name
18:52
but then /points would be very complicated
18:54
maybe /points would display smth like: ID:1303 (playing as "John Wick") - 1309 points (edited)
18:54
and if he changes name
18:54
ID:1303 (playing as "noob") - 1309 points (edited)
18:58
more clean: John Wick (ID:1303) - 1309 points
18:58
would solve the problem
18:58
and each player has a 4 digit id and password or smth
18:58
so like /register 1058 password12345
18:59
and /login 1058 password12345
Avatar
Probably when accounts appear all previous records will be marked as "unverified"?
Avatar
mm thats true
Avatar
because they are really unverified
19:01
any person can beat any record with any username
Avatar
maybe its ID dependent?
19:01
no
19:01
this is a complicated problem
19:02
maybe you can have a username but its not your ingame name
19:02
but then that just removes the need for ID
Avatar
Why username cannot be ingame name?
Avatar
In KoG many players switch & login with their registered actual name right before finish (just pointing it out)
Avatar
oh yeah that would work
19:04
nvm
19:05
so what happens if u finish on an already registered name
Avatar
the ranks with unregistered accounts could go on i.e. the nameless tee
Avatar
It must be possible to save old records but they will be unverified (edited)
Avatar
i mean its a small community
19:06
i think it is viable to verify everyone individually
Avatar
But using registered usernames will provide some features
Avatar
you have to be logged in to have your clan tag (otherwise [!FAKE!] is displayed) and to use commands for registered players, like /power
Avatar
ye clans will actually be legit
19:07
i wish we have an actual clan system
19:07
what is /power?
Avatar
you get seasonal points for finishing maps (won't explain that in details as I don't know them) and then by using /power you can "spend" those on "funny" stuff like stars appearing all around you on spawn and starts going after you when you move (kinda like tail of stars or however to name it)
Avatar
that would be dope
19:10
rocket trails, laser graphics for pistol
19:11
account system also allows ddnet to make money :p
Avatar
We even can make something like store
19:11
to spend points
Avatar
versace [ZIAH] 2020-02-24 19:12:15Z
3da did you work together with greyfox?
19:12
bcs i thought he is the guy who made ddrace
Avatar
I was talking with him in jabber
19:12
and made some commits in github
19:12
but my code was bad
19:12
and I left it
Avatar
versace [ZIAH] 2020-02-24 19:13:11Z
are you responsible for stoppers? 😄
Avatar
what is it?
Avatar
versace [ZIAH] 2020-02-24 19:13:34Z
a tile
Avatar
I don't know. In my head all tiles have russian names
Avatar
whoever made speedups has small brain
Avatar
But I diffidently invented rounding lasers which freezes
19:15
😄
Avatar
oh the spinners
Avatar
versace [ZIAH] 2020-02-24 19:16:48Z
3da can you remember what was the first ddrace map?
Avatar
I remember that first maps were very stupid and boring
19:17
until some man made fine map
Avatar
eXo_freeze can give you an impression what early maps looked like
Avatar
First maps were stupid because nobody knew how to use all these tiles
Avatar
hi @3da btw 🙂
19:18
hi
hi @3da btw 🙂
@heinrich5991 🙂
Avatar
versace [ZIAH] 2020-02-24 19:18:58Z
yes exo freeze looks weird
Avatar
DDRace is based on [N]Race by Nox Nebula
19:19
where is he now?
Avatar
that was a long time ago
19:24
I don't know
19:24
I saw him from time to time on IRC, but I think he's no longer there
Avatar
Hope everything is ok with him 😄
Avatar
@3da not so hard, we do that for ddnet updates and server browser list
Avatar
@deen cool
20:16
Here is my test scenario for auth server. Looks ok? https://www.paste.org/103193
Avatar
It's still vulnerable to mitm
😩 1
21:59
Alice joins fake server hosted by Eve, Alice starts authenticating, Eve asks the actual server for a serverToken passes it along to Alice, Alice authenticates to the authServer, Alice sends authResult to Eve's server, Eve just uses it to login on the actual server
22:05
It's not exactly trivial to design an authentication service where service providers can not be trusted. You can take a look at something like kerberos to get inspiration
22:06
Or OAuth if you are interested how social media giants are allowing people to use them for login
22:10
(Kerberos kinda fails for our use case imho, it requires us to keep plaintext passwords, which is a no no)
Avatar
If you keep it to just one mod (where we can trust the servers themselves) I wouldn't bother with a separate authentication server, just let the servers authenticate the users themselves
Avatar
agreed. My bad
Avatar
we could also say that it's the user's responsibility to watch out for fake servers
Avatar
that's just not how it works
Avatar
Yep. Some cryptography is required
Avatar
yo someone can help me
Avatar
yo someone can help me
@shlz first you help us to make account server
23:38
*visible confusion
23:38
how i can create a server
23:38
im trying some days
23:39
whats your question?
Avatar
my friend can connect in my lan server
23:47
i put sv_register 1 but apparently not working
Exported 238 message(s)