Various questions, mostly about security

I’m quite new to Corona development and Coronium Core.

I’m developing a mobile app (Android only) for a client who wishes to give real prizes (weekly and monthly) to players having the highest scores. These prizes will range from merchandising items and discount cards to high cash amounts. Because of this, hackers will surely want to hack the game.

Luckily the game (a daily quiz with multiple choice questions) is server based, meaning that it’s the server that checks the answers and allocates points to the user, and not the app itself. Even if someone hacked the apk and reverse engineered the code, he could make the device think it won a lot, but the server would still know his real points.

Here are my questions concerning this project:

  • I’ve bought the Coronium plugin and installed Coronium Core. Is this the right choice for this project?

  • Is the Coronium server engine safe enough? By opening the apk, a hacker could get my server key. What is the worst he can do with it?

  • As per my client’s request, a user should be able to register on the app via an email or Facebook. If he chooses to use his email, the latter will be his username and a password will be randomly generated and stored on his device. What happens if he loses his phone? Is there a procedure where he can request a password reset with email confirmation?

  • I’m not sure I understood the user login procedure. After a provided username and password (which is auto encrypted), the app receives a user_id which it can then use for calls to the server. Is this right? Is this user_id always the same after each login or does it have a specific lifetime (like a session id)? What would be the length of this lifetime? Can this length be changed?

  • As per my understanding, a user cannot access other users’ data. But can the server access all users’ data for leader-board purposes? Can a cron job be set up on the server to launch specific commands to Coronium? If yes, is there an example?

  • What happens when the app is suspended during a server call, does the Coronium plugin handle the callback, or should I implement a procedure to call the last request on resume? And what about the timeout after a long suspend period? What happens if internet connection is lost during a call? Is there a callback event for that?

  • Can the webmin be customized (integration of features specific to an app, like leader-boards, push messages management, etc…)? If yes, is there any documentation to help coding? Can these customizations be done per application scope?

  • Is there a way to modify the Mailgun feature to use different key and domain per application scope?

  • I think I read something about a PHP bridge to Coronium? Is this in progress or already active? I didn’t find any more info on this. It could be really helpful.
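The server-authoritative scoring the question describes, written out as an added example (this is illustrative code, not the original poster's app and not Coronium Core's API): the answer key and the running totals live only on the server, the client's request carries nothing but a question id and a choice, and a tampered `score` field or a replayed submission changes nothing. The in-memory store, the `QuizServer` name and the sample questions are constructed for the example.

```python
"""Server-authoritative quiz scoring: the client never decides its own points."""
import datetime as dt
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    correct_choice: str
    points: int
    quiz_day: dt.date          # the day this question is open for answers


class QuizServer:
    """Hypothetical server-side scoring service (in-memory store for the example)."""

    def __init__(self, questions):
        self._questions = {q.qid: q for q in questions}   # answer key stays server-side
        self._scores = {}                                  # user_id -> authoritative total
        self._answered = set()                             # (user_id, qid) already scored

    def submit_answer(self, user_id, payload, today):
        """Score one submission.

        `payload` is whatever the client sent. Only `qid` and `choice` are read; any
        other field (for example a client-supplied "score") is ignored, so a patched
        apk can lie to its own screen but cannot change the server's totals.
        """
        question = self._questions.get(payload.get("qid"))
        if question is None:
            return {"ok": False, "reason": "unknown_question"}
        if question.quiz_day != today:
            return {"ok": False, "reason": "question_not_open"}
        key = (user_id, question.qid)
        if key in self._answered:
            # A replayed or repeated submission is rejected before any points move.
            return {"ok": False, "reason": "already_answered"}
        self._answered.add(key)
        awarded = question.points if payload.get("choice") == question.correct_choice else 0
        self._scores[user_id] = self._scores.get(user_id, 0) + awarded
        return {"ok": True, "awarded": awarded, "total": self._scores[user_id]}

    def score(self, user_id):
        return self._scores.get(user_id, 0)

    def leaderboard(self, top=10):
        """Ranking computed from server totals only; ties broken by user id."""
        ranked = sorted(self._scores.items(), key=lambda kv: (-kv[1], kv[0]))
        return ranked[:top]


def demo():
    """Run a constructed day of play and return the observable results."""
    day = dt.date(2018, 1, 15)
    server = QuizServer([
        Question("q1", correct_choice="b", points=10, quiz_day=day),
        Question("q2", correct_choice="a", points=5, quiz_day=day),
        Question("q3", correct_choice="d", points=5, quiz_day=day + dt.timedelta(days=1)),
    ])
    results = {}
    results["alice_q1"] = server.submit_answer("alice", {"qid": "q1", "choice": "b"}, day)
    results["alice_replay"] = server.submit_answer("alice", {"qid": "q1", "choice": "b"}, day)
    # Tampered client: wrong answer plus a forged "score" field the server must ignore.
    results["alice_tampered"] = server.submit_answer(
        "alice", {"qid": "q2", "choice": "c", "score": 999999}, day)
    results["alice_tomorrow"] = server.submit_answer("alice", {"qid": "q3", "choice": "d"}, day)
    server.submit_answer("bob", {"qid": "q1", "choice": "b"}, day)
    server.submit_answer("bob", {"qid": "q2", "choice": "a"}, day)
    results["board"] = server.leaderboard()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same shape applies whatever the storage is: the client-facing endpoint accepts an answer, the server looks up the key, enforces "one scored answer per user per question" and derives the leaderboard from its own totals.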

Hi,

Thank you for your interest in Coronium Core. You’ve got quite a few good questions here. Let me take some time to get some answers together for you in the next day or so.

-dev

Hi.

I’m going to answer these numerically matched against your paragraphs. One thing to note is that Coronium Core development is generally driven by use cases, so thank you for sharing yours.

  1. In general, yes. But that depends on your timeframe and how important certain aspects of your other questions are to your development.

  2. If you use client-side database calls, you will most likely expose database table information that can be used to call other client-side methods that could include deleting data from your tables. You should generally create all database work using a server-side API to keep database info secure. While there is no way to call raw database queries from the client-side, there are methods available for deletions. One of the items on the Coronium Core roadmap is to implement a “role” system, and/or the ability to disable certain modules and methods from the client-side per app scope.

  3. A password reset via email is on the roadmap for a future release.

  4. User IDs are currently immutable; they do not change, and they do not expire. There is no session based system in place, though this too is something that can be added to the roadmap for a future release.

  5. Yes, you can query any user’s data on the server-side per scope (see here). Generally you’d want to create a separate database and tables with your meta data and associate it using the user’s ID (see here). The Jobs feature (which I’m implementing now, and is cron-like) will be available in the upcoming 2.5 release.

  6. If the call makes it to the server on time, whatever operation was sent will take place, though if it is supposed to return data to the client, that obviously won’t happen as the connection will be closed. There are ways to check for network connectivity through the Corona API, but the Coronium plugin itself does not handle that. The rest of the scenarios you mention are the responsibility of the developer.

  7. The Coronium Core Webmin itself cannot be modified. But, it should be noted that the entire Webmin is built using the Pages API in Coronium Core (and React for frontend). So it’s completely possible to create your own feature-specific custom backends.

  8. Currently the Mailgun configuration is just a convenience if you are only using one account. While there currently is no way to set a Mailgun config via scope (though this is a good idea), you can supply different Mailgun credentials via the Email module (see here). All you’d need to do is check the incoming scope (see here) and use whatever credentials you need. But I will put this on the roadmap. Scopes in general will be reworked in the near future.

  9. The PHP bridge is in an experimental mode, but is available here: https://develephant.github.io/coronium-core-docs/server/addons/

I hope that answers most of your questions. Some items depend on future updates, so if Coronium Core is what you decide on using, then I can push certain functionality to the top of the updates list.

-dev

Thanks for your detailed answers. As per the latter I have some other questions. I’ve numerically matched them with your answers:

  1. Timeframe will be 7 weeks as soon as I get the go-ahead from my client, which should be either next week or the week after. Is the integration of the urgent features stated below feasible in this timeframe?

  2. I’ve planned to do most of the work on the server side so there should be no risk of exposing table information or any API call that could delete users. My worry is the core functions themselves and the “methods available for deletions” you mentioned. A “role” system would be great and could be an “urgent feature” if there is no other simpler way to block these methods from client use. Could there be a way to override core methods?

  3. The password reset via email is the most “urgent feature”. What is the timeframe to implement this?

In the meantime, I could develop an API call to do that but I must first understand the structure of the user database and how it works. Can you help me understand? Does the server core mysql call have access (read/write) to the user database?

  4. Session is not urgent. I was just trying to understand how the user_id system worked.

  5. The Jobs feature would be great but isn’t urgent. I can manage launching the leaderboard ranking commands manually. Though it would be great if, in the meantime, I could create a real cron job for this. Is there a command line that can launch server Lua scripts? When is the 2.5 release planned?

  6. I thought so. No feature requests here.

  7. I dug in some more and found that in the meantime. That is good news. No feature requests here.

  8. Mailgun config via scope will be useful only if multiple apps are developed on the same server, which is not the case now. Nothing urgent here.

  9. I will give the PHP bridge a try. Thanks.

Fred
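The password reset with email confirmation discussed in answer 3 above and in the follow-up (the feature on the roadmap, which Fred considers building as his own API call), shown as an added example of the usual token flow. This is illustrative code, not Coronium Core's user module or its email/Mailgun API: the user store, `PasswordResetService`, the injected `send_email` callback and the clock are constructed for the example. What it demonstrates is the part that matters for a prize-paying game: the reset token is unguessable, only its hash is stored, it expires, it is single use, the endpoint answers identically whether or not the email is registered, and the new password is stored as a salted PBKDF2 hash.

```python
"""Email-confirmed password reset: random, hashed, expiring, single-use tokens."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60        # constructed policy: a reset link is valid 15 minutes
PBKDF2_ROUNDS = 100_000


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256; stored as 'saltHex$hashHex'."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time comparison


class PasswordResetService:
    """Hypothetical reset service over a dict-backed user table (example only)."""

    def __init__(self, users, send_email, now=time.time):
        self._users = users              # email -> {"password_hash": ...}
        self._send_email = send_email    # callable(email, token): delivers the reset link
        self._now = now
        self._pending = {}               # sha256(token) -> (email, expires_at)

    @staticmethod
    def _token_hash(token):
        # Only the hash is persisted, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Step 1: user asks for a reset. The response never reveals whether the
        email exists; the token travels only inside the confirmation email."""
        if email in self._users:
            token = secrets.token_urlsafe(32)          # 256 bits of randomness
            self._pending[self._token_hash(email and token)] = (email, self._now() + TOKEN_TTL_SECONDS)
            self._send_email(email, token)
        return {"ok": True}

    def confirm_reset(self, token, new_password):
        """Step 2: the link from the email comes back with a new password."""
        entry = self._pending.pop(self._token_hash(token), None)   # pop: single use
        if entry is None:
            return {"ok": False, "reason": "invalid_or_used"}
        email, expires_at = entry
        if self._now() > expires_at:
            return {"ok": False, "reason": "expired"}
        self._users[email]["password_hash"] = hash_password(new_password)
        return {"ok": True}


def demo():
    """Exercise the flow with a fake clock and a captured outbox; returns observations."""
    clock = {"t": 1_000_000.0}
    outbox = []                                      # constructed stand-in for Mailgun
    users = {"fred@example.com": {"password_hash": hash_password("initial-device-password")}}
    svc = PasswordResetService(users, lambda email, tok: outbox.append((email, tok)),
                               now=lambda: clock["t"])
    svc.request_reset("nobody@example.com")          # unknown address: same reply, no email
    svc.request_reset("fred@example.com")
    token = outbox[-1][1]
    r = {"unknown_got_no_email": len(outbox) == 1}
    r["bad_token"] = svc.confirm_reset("not-a-real-token", "x")["ok"]
    r["first_use"] = svc.confirm_reset(token, "new-password")["ok"]
    r["second_use"] = svc.confirm_reset(token, "again")["ok"]
    r["login_new"] = verify_password(users["fred@example.com"]["password_hash"], "new-password")
    r["login_old"] = verify_password(users["fred@example.com"]["password_hash"], "initial-device-password")
    svc.request_reset("fred@example.com")
    clock["t"] += TOKEN_TTL_SECONDS + 1              # let the second token age out
    r["expired"] = svc.confirm_reset(outbox[-1][1], "too-late")["reason"]
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Since, as answered above, the user_id is immutable and the app stores a generated password on the device, a completed reset only replaces the stored password hash; the old device's copy stops working and the user's id and associated data are untouched.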

Hi,

Now that I finally have 2.5.0 out, I will start working on #2 and #3.

-dev
