I am trying to be creative and simple about storing a login password in playcanvas that is not discoverable. I was looking at storing the password to be checked as a Tag in ‘Root’ of the scene.
The code could be as simple as this:
if (document.getElementById(‘password’).value === app.root.findByName(‘Root’).tags.list()[0]) {
alert(“Go”);
}
The ‘Root’ of the scene would only have one tag and that tag would be the password to check against what the user typed in.
Question: Are Tags discoverable when looking at the code? I am not looking for super secure, just enough to prevent the novice hacker from finding the password. I went digging for my Tag in chrome’s developer tools, but I am not savvy enough to hack it, if it can be hacked.
The reason for all of this, is to have a password on the public side of the launch page. I know the when you have a public build the build is a bunch of scrampled text, but I do need the extra password protection in case my project gets in the wrong hands. I will be able to reset the password as often as I need.
Thanks in advance…
Tags will be stored as plain text in the scene asset so not very secure unfortunately.
You could scramble the JS using something like this: https://jscrambler.com/
[Edit] Alternatively, you can store the hash of the password in the project and as long as the hash algorithm is not reversible, it would be a bit more resilient against a novice coder.
(Update) Scratch that, I would actually just be able to copy the hash into the debugger during the comparison. Making it a hash offers no extra benefit.
That said, if I wanted to bypass on the password check, it would trivial to do so as this is all done client side and all I would really have to do is put a breakpoint somewhere and bypass the check in the debugger.
That’s great. Thank you for the feedback and options.
Do you just want password protection against access to the site/page? If so, you can just restrict access via a .htaccess file.
I do want to protect the site. Some of our projects are confidential.
Can I use the .htaccess file with the PlayCanvas site or do I need to host it somewhere else?
Thanks for the help!
As the builds that are hosted on PlayCanvas are technically public if you have the link, you would have to download a build yourself and self host it with a .htcaccess file.