Comments (5)

camgreenburg avatar camgreenburg commented on May 23, 2024

@jacobc-eth Can you give a little more clarity on what the value for users is? Is this important for security or performance reasons?

from hyperplay-desktop-client.

BrettCleary avatar BrettCleary commented on May 23, 2024

Is this for security? Because I think there could be better security strategies. For instance, maybe each game has an api key and any local calls that don't have a valid api key are rejected. This also adds complexity as the user should be able to close out of hyperplay (or it crashes) and restart it while their game is running without having to relaunch their game. Not sure if we can or want to get a list of all processes running in the OS and check if any of them are hyperplay games before starting the server in this instance.

I think rejecting all calls to the server that don't come from localhost should be good enough security for this stage. Open to discussing this further too.

camgreenburg avatar camgreenburg commented on May 23, 2024

This will be a necessary problem to solve before this goes public. Not necessary for MVP.

flavioislima avatar flavioislima commented on May 23, 2024

We thought about doing that because of security at first and also not spending machine resources, even though it is not too much.
The idea would be to run the proxy server only if a Web3 game is running and the wallet is connected.
I am not sure if there is a high-security risk or not but I imagine that, even if we deny all connections that are not from localhost, in case the machine has malware that can run a localhost server similar to how HP will do (we will be OSS after all), it could intercept the connection. I might be overthinking this but having it off or having API keys to be exchanged by HP and the games would be ideal imo.

jacobc-eth avatar jacobc-eth commented on May 23, 2024

These are good points, @flavioislima. imho, we don't need this story for the developer alpha, but we should have it before launching the end-user beta. I believe to whatever extent possible, we should confine the local server to only the PID that is associated with the game that was launched. This can help with other applications on the device submitting spammy transaction requests that the user might think were being requested by the game they are playing, but were actually associated with a different application running on the device.

Ultimately, if the user has a RAT/malware, this is beyond our security model (same policy as metamask). A RAT could replace the HyperPlay software with a malicious fork of our client, and there is nothing we can do to stop this. However, we should still be doing everything we can to curb spammy transactions and to defend against this in reasonable ways we can make these attacks harder to execute.

I'm updating the text of the original card to make things clearer.

