Godot Version
4.6.2 stable for Linux
Question
I’m working on a frontend app with Godot, exported to web. No itch or anything else, I simply export with the default template and upload all files from the export folder to a server, and the backend team serves that page at given web address.
The problem is that for security reasons, the URLs and tokens the app uses are stored in a separate file, like secrets.txt, which I treat like a config file and open using the ConfigFile class. So when testing locally I can just have the file with localhost:1234 in it and test easily, but I have to trust the file will be in the same path when deployed to the web (and that should be pretty much it)
The thing is we can’t figure out where to put the file once the project is deployed. I have the secrets file in my res:// folder, so I pasted it in the same folder I drop index.html and all the files from the export in the server, but still can’t find it. I even hacked a little file browser that can go into/out of directories to manually crawl around the deployed app, and can’t find the file anywhere. Plus, I don’t know where the res:// and user:// folders are located in web exports.
I can get a listing of the directories with DirAccess (using the sample code from the docs and the “res://” path), and the secrets file should be right there in res://, but it’s not!!
The whole point of this is to have the devops team handle the secret URLs so I can focus on the Godot side, but we can’t find a way to just get that file ANYWHERE.
If you want non-resources to be packed inside res:// you must include them in the export settings. for example *.txt for all text files, or you could give the full path to your secrets.txt
Also, your User folder is never exported with the project.
Thanks! I’ve solved this part of the problem now, but there’s still the issue that I need someone else to find and edit that file from outside Godot, to put in the final, real, URLs for the exported project (that I could know in advance but can change because of DevOps stuff)
Sounds like you should turn this file into an HTTP request if you intend to update game installs after launching. For the web it may be your only option outside of making a new pack file, and for local game play it sounds like a better option to ensure the most up to date urls.
Yup, that’s what I’m considering.
The thing is that it kinda moves the weakpoint (?)
We are doing this for security reasons that are above me, since the idea is to not have any hardcoded URL. I guess hardcoding a specific URL to fetch stuff from and make requests is the best I can do for now maybe. I don’t know if malicious actors can do anything with a plain URL and HTTPS requests.
They certainly can do stuff with local files so that was never the secure option. They could set a DNS record on their own router overriding your domain name to their own similar service, this happens for old dedicated fan bases of now defunct game servers like Biohazard: Outbreak on the PS2. Though they would have to reverse engineer your server which is much more difficult depending on your server architecture, game servers such as my example are often leaked.
