For a few years now I’ve been networking my game using Godot 4’s new high level multiplayer API. I have a problem though. I want to release on Steam, and I cant figure out a way to know who is behind a multiplayer ID. I thought about using RPCs to basically ask everyone what their steam ID is and send that to everyone on the server, but that requires the clients to be honest and tell me their steam ID. Is there a way, perhaps before connection, to make a secure link between someone’s multiplayer session and their Steam ID? I really don’t want to have to rewrite my entire net code.
If you have a programmatic way to get your steam id into Godot. Then it should be that this same code will get your peers id, and all that need to happen is your game will get the id and send to the server automatically and distribute to the peers. No honesty required.
If you are worried about hackers, what can you do? Is that really a problem?
I think after the player joins you may be able to disable an RPC for a specific function, or just refuse changing the id from that Enet client after it’s been set once. There really isn’t a way to stop someone from spoofing unless steam provides a way to validate someone’s credentials.
I would also think there is another steam net API external to Godot to query these things.
Like SteamUser which is authed to steam. And steamclient and SteamServer.
I’m assuming you’re using GodotSteam, I’m not super familiar with how it works but I’d imagine there isn’t really a good way to trust another client like that unless you use Steam’s own p2p network because it’s Steam telling you “who is who,” not them announcing who they are.
An option is you could roll your own auth, at the start of the game, have a button that requires them to “login” to Steam or some other marketplace (using oauth) to get a new “identity” (could be like a uuid) then use that UUID/token to verify them with other clients by asking your own server (a trusted source), the profile info of that user. I wouldn’t exchange UUIDs but I’d use a lobby system to go back and forth. Something like this:
Client A > Sever: Create me a lobby.
Server > Client A: here’s your lobby code.
Client B > Server: hey here’s my UUID and I want to connect to lobby XXX
Server > Client B: sure here’s the IP address and a temp UUID for the lobby
Client B > Client A: hi I’m UUD, handshake
Client A > Server: who is Client B (UUID)
Server > Client A: Client B (UUID) is steamId: “…”, name: “…”, etc
This could be nice if you have a cross-play and use multiple marketplaces. But this all requires you to run a web server to verify all this info and makes the player “login” for the 2nd time, but even with all that, someone could still get your UUID/token and spoof which they are (session spoofing), so it’s not 100 foolproof.
But really, you might just be overthinking it. Does someone spoofing a Steam ID really affect the game? Trying to work around validating someone’s identity can be a very tricky problem to solve in a very untrustworthy place like the internet, or you can just trust it with a grain of salt and not let the Steam ID really dictate something important in the game. The only real reason I could see the identity being something you really should worry about is if the world/player data is persistent after a player disconnects from the server (like a survival game)
After a bit of looking around, it looks like theres a secure way to verify someones identity (User Authentication and Ownership (Steamworks Documentation)) from steamworks. You could use that to skip the “login” setp. You’d still need a trusted backend to process and verify your data.
After talking with Gramps who made Godot Steam, it seems like the only real way is for me to send the P2P session ticket to the server. I’m trying to see what that would look like. Also, yes it is incredibly important to get this right for me. I don’t have a lot of server side anti cheat right now but when I do, I would want to be absolutely sure that the person who is cheating is not impersonating another steam account so I could blacklist the right account.
If it’s really important, create your own login system. This is also what I’d personally do. Yes, users may find it annoying, but many other games also use a custom login system, so you’re not alone.