Question Downsides of LoginSession.GetLoginToken()

bluepilkintonching · Jul 20, 2023

Hi there!
I've just got started using Vivox for a co-op multiplayer game I am developing with a small team. I am a little confused about the process of how tolkens are supposed to be accessed when the game is production ready. In the Vivox Dev Docs, it says that I can genorate a development tolken using

Code (CSharp):

LoginSession.GetLoginToken()

but it goes onto mention 'Development and prototyping tokens should not be used in a production environment.'

I haven't been able to find the prefered method of accessing tolkens for the players. How safe is LoginSession.GetLoginToken() to use? What are the advantages of using it for development over whatever the prefered method is? What is the prefered method for a production enviroment?
Cheers!
Blue

EDIT: After a bit more looking, I've just found that the ideal way is by genorating tolkens on an online server by using something like Cloud Code. I gues what I'm wondering now is what security risks does using GetLoginToken() achually pose?
Thanks again!

MurphyMurph_21 · Aug 5, 2023

@bluepilkintonching Based on the docs here one downside to using GetLoginToken() is errors due to different user time settings. (ex, players may receive invalid/expired VAT(Vicox access tokens)'s when trying to login.

Also, before Unity added the Vivox settings to the Project Settings, you would have to store your credentials hardcoded in your app/game (client-side) instead of the game server/serverless functions(server-side) only knowing your vivox credentials. The server would then serve the client/game/app a VAT upon request when a user try's logging in, join channel, etc... App's/Games can easily be decompiled back into the source code and hackers trying to hack your game can easily see all your hardcoded credentials and then sell them or use them to manipulate your game. When dealing with paid services you don't want hackers to have access to your credentials because then you get the monthly bill for whatever the hacker did with your credentials. Hope this helps

Svartskogen · Oct 2, 2023

MurphyMurph_21 said: ↑

@bluepilkintonching Based on the docs here one downside to using GetLoginToken() is errors due to different user time settings. (ex, players may receive invalid/expired VAT(Vicox access tokens)'s when trying to login.

Also, before Unity added the Vivox settings to the Project Settings, you would have to store your credentials hardcoded in your app/game (client-side) instead of the game server/serverless functions(server-side) only knowing your vivox credentials. The server would then serve the client/game/app a VAT upon request when a user try's logging in, join channel, etc... App's/Games can easily be decompiled back into the source code and hackers trying to hack your game can easily see all your hardcoded credentials and then sell them or use them to manipulate your game. When dealing with paid services you don't want hackers to have access to your credentials because then you get the monthly bill for whatever the hacker did with your credentials. Hope this helps
Click to expand...

so does it mean it's safe to still use the GetLoginToken()? outside the issue with the time settings

You explained why it was an issue before, regarding credentials hardcoded, but how is it working now?

and how is GetLoginToken() even when not setting the "Test Mode" setting on Project Settings > Services > Vivox?

Search Unity

Unity ID

Useful Searches

Question Downsides of LoginSession.GetLoginToken()

bluepilkintonching

MurphyMurph_21

Svartskogen