Significant issues with the SilentWolf backend service concerning security and licensing

I want to share some critical concerns I’ve discovered about the SilentWolf plugin for Godot games. Initially, it appeared to be the perfect solution for my project since it simplifies the addition of leaderboards and player accounts. However, upon further investigation, I found alarming issues that I think everyone should be aware of.

Security Issues

The main problem lies in how the API is structured. You have to embed your credentials directly into the game code like this:

GameBackend.setup({
  "api_secret": "YOUR_API_SECRET_HERE",
  "game_identifier": "YOUR_GAME_IDENTIFIER",
  "enable_debug": true
})

This setup creates significant vulnerabilities. Anyone who acquires this key can manipulate your entire game database, including faking scores for any player, erasing leaderboards, and even deleting all saved player data without needing to log in as that player first.

Because this key is contained within game files, anyone can uncover it by monitoring network activity or through reverse engineering. To make matters worse, the plugin does not use secure connections, making interception even simpler.

Licensing Concerns

Additionally, the licensing is quite dubious. While you might have access to the source code, there is no actual license presented in the downloaded files. This means that technically you are not permitted to use it in your projects without express permission.

Moreover, their terms indicate that the service could be terminated at any time, which would jeopardize all your online functionalities.

Alternative Solutions

I am now transitioning to different services that address these concerns adequately. Platforms like Talo, Nakama, and W4Cloud ensure that API keys only have effects on the currently logged-in player, safeguarding everyone’s data better.
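The difference drawn above between a game-wide secret (Security Issues) and a credential scoped to the logged-in player, as an added toy model in Python; this is illustration code, not SilentWolf's, Talo's, Nakama's or W4Cloud's, and the class names, the login step (which assumes the player was already authenticated) and the sample players are constructed for the example:

```python
import hmac
import secrets
# Added illustration (constructed), not code from SilentWolf or any other service.
class SharedSecretBackend:
    """The model the post criticises: one game-wide secret shipped in the client."""
    def __init__(self, api_secret):
        self.api_secret = api_secret
        self.scores = {}
    def submit_score(self, presented_secret, player, score):
        # Only the secret is checked: whoever holds it can write any player's record.
        if not hmac.compare_digest(presented_secret, self.api_secret):
            raise PermissionError("invalid api secret")
        self.scores[player] = score
        return True

class PlayerScopedBackend:
    """The alternative the post recommends: a credential acts only for its owner."""
    def __init__(self):
        self.scores = {}
        self.sessions = {}  # token -> player it was issued to; kept server-side only

    def login(self, player):
        # Assumed: the player was already authenticated (password, platform identity).
        token = secrets.token_urlsafe(32)
        self.sessions[token] = player
        return token

    def submit_score(self, token, player, score):
        owner = self.sessions.get(token)
        if owner is None:
            raise PermissionError("unknown session")
        if owner != player:
            # Scope check: a leaked token reaches only the account it was issued to.
            raise PermissionError("token not issued to this player")
        self.scores[player] = score
        return True

def compare_models():
    """Return (shared secret wrote bob's score, alice's token wrote bob's score)."""
    shared = SharedSecretBackend("game-wide-secret")
    shared.submit_score("game-wide-secret", "bob", 999)  # no login as bob required
    scoped = PlayerScopedBackend()
    alice_token = scoped.login("alice")
    try:
        scoped.submit_score(alice_token, "bob", 999)
        crossed = True
    except PermissionError:
        crossed = False
    return shared.scores.get("bob") == 999, crossed
```

A scoped token still lets its own player submit any value for themselves, so plausibility checks on submitted scores remain a server-side job in either model.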

Has anyone else experienced these issues? What backend solutions are you opting for instead?