[SOLVED] World server design questions simethereal

Not if they are configured correctly. That would be a major game-changing problem. It does not exist except on badly configured setups. I would argue it’s pretty hard to actually do that unintentionally.

So here’s how I see it.

  • User creates an account. They are now allowed to use your game, either as a player or server owner.
  • User decides to set up a gameserver.
  • User requests to register a new gameserver.
  • Server responds by giving the user an oauth token (per gameserver. A user can have 10 servers if they want and each server will have a unique oauth token). You can restrict the amount they can have if you want.
  • This token has permission to CRUD a single gameserver data and nothing else.
  • User puts that oauth token in their gameserver settings.
  • User's new gameserver starts. It sends data to the server with oauth token.
  • Server checks if the oauth token is valid.
  • Server responds OK with the CRUD request if the oauth token is valid.

So there’s a few things you can take from this.

  • The server will know who owns the gameserver because a user will own the oauth token.
  • The server will know which gameserver data to operate with because each token only has access to one gameserver data. A one-to-one relationship.
  • When the gameserver starts and sends the CREATE request, it will also send its IP. Your server can query that IP to know if it’s offline. You can do that on request (when someone wants to actually know) or if you checked less than 10 seconds ago, send that response (i.e. mitigate internal hammering).
  • Only the gameserver and the server know the oauth token, and it is transferred via https so it’s “secure”. There’s no need to encrypt it, or actually any possible way to do so successfully. HTTPS is “the way” to do it.
  • A person can “hammer” the CRUD endpoint but that’s a server thing, not necessarily an application thing. Firewalls can temporarily block IP addresses that request too fast for x minutes. My point is this isn’t something you should overly concern yourself with in development.

If you want your gameservers to have passwords, the password can be set in the gameserver settings file. That’s a perfectly normal way to do it for something like a gameserver. In virtually every single configuration file on a server, that’s how they’re stored. MySQL passwords and all. When you “ping” the gameserver to see if it’s alive it can tell you it has a password set. You could even be super-efficient and keep it all in the header.

1 Like
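The per-gameserver token flow described in the post above, as an added example that is not part of the original post or any project's code. The `MasterServer` class, the method names, the HTTP-style status codes, the limit constant, and storing only a hash of each token are all assumptions made for illustration.

```python
import hashlib
import secrets

MAX_SERVERS_PER_USER = 10  # assumed limit; the post leaves the cap optional


class MasterServer:
    """Constructed in-memory stand-in for the central server's token store."""

    def __init__(self):
        self.tokens = {}       # sha256(token) -> (owner, gameserver_id)
        self.gameservers = {}  # gameserver_id -> gameserver data

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def register_gameserver(self, owner):
        """Issue a fresh token bound to exactly one new gameserver id."""
        owned = sum(1 for o, _ in self.tokens.values() if o == owner)
        if owned >= MAX_SERVERS_PER_USER:
            raise PermissionError("gameserver limit reached")
        gameserver_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        # Assumption: keep only a hash so a leaked table holds no usable tokens.
        self.tokens[self._digest(token)] = (owner, gameserver_id)
        return gameserver_id, token

    def handle(self, token, method, gameserver_id, data=None):
        """Return (status, body) for one CRUD request from a gameserver."""
        entry = self.tokens.get(self._digest(token))
        if entry is None:
            return 401, None  # unknown token
        owner, bound_id = entry
        if gameserver_id != bound_id:
            return 403, None  # valid token, but for a different gameserver
        if method in ("CREATE", "UPDATE"):
            # Owner comes from the token, never from client-supplied data.
            self.gameservers[bound_id] = {**(data or {}), "owner": owner}
            return 200, self.gameservers[bound_id]
        if method == "READ":
            if bound_id not in self.gameservers:
                return 404, None
            return 200, self.gameservers[bound_id]
        if method == "DELETE":
            self.gameservers.pop(bound_id, None)
            return 200, None
        return 405, None
```

The 403 branch is what enforces the one-to-one relationship: a valid token presented against another gameserver's id is rejected even though the token itself checks out.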