How to create a secure Scratch Authentication System

For some reason i keep experimenting with the scratch data and api, lol.

Anyways, to the topic! Here’s how to create a safe and secure authentication system using… scratch!
This system uses secure javascript fetching cloud variable fetching thing to make sure you cannot log in as other users. If you somehow do, then you will hear your alarm clock waking you up in 5… 4… 3… (I’m serious).

To use this authentication system, you will need to know the basics of javascript.

So, it’s simple. Create an authentication page, and create a variable called “generatedcode” & a code that will generate a long random number (It should only only only only use numbers, because scratch does not support letters in cloud variables), and display it to the user.
Now, ask the user to enter the code you generated into the verification project, and after they’ve done it, create a button that will run the function “check”.

function check() {
fetch(`https://clouddata.scratch.mit.edu/logs?projectid=${524136137}&offset=0&limit=40`)
.then(res => res.json())
.then(res => {
  if (res[0].value == generatedcode) {
  location.href = "index.html#" + res[0].user;
  }else{
    alert("auth failed!")
   location.reload()
  }
})
}

Now, insert this code in your main page:

  var cookie = document.cookie;
  if (cookie.length > 8) {
    // INSERT A CODE HERE THAT WILL REMOVE THE LOG IN BUTTON AND DISPLAY A WELCOME MESSAGE
  }
  if (location.hash !== ""){
    document.cookie = "username=" + location.hash.substring(1);
    location.href = "index.html";
  }

Now, the username of the logged-in user will be in document.cookie displayed as username=LankyBox01

If you want to log out the user, use this code:

document.cookie = "username=; expires=Thu, 01 Jan 1970 00:00:00 UTC;";
location.reload;

Please let me know if i used unoptimized code, you spot a vulnerability, or you receive an error while trying to implement this into your website. An example of this system can be seen in my website: https://lankybox01.leahcimto.com/

as you can see, i am NOT LankyBox01

Never do client-side auth.

Alright nows a lovely time to write a post called “How to think like a penetration tester”
So I’ll get to the point. Whenever you put a bit of code on the client side, think of this “What if the user runs this with different parameters”. Also “Never trust user input” is also a nice thing to remeber, so don’t trust the user’s cookies or document.hash without validation on the server because there’s no way for you to have more control over the users browser than they do

While client side auth isn’t practical, combining Glitch with a Scratch project is really cool.

Oh and I forgot to mention, not really sure if the ST wants users putting random codes from random sites as they may think you are trying to hijack their account. Also,

res.find(i=>i.value==generatedcode)
// returns the object instead of having to get res[0]

res.find is Array.prototype.find

Cool project otherwise!

The demo website doesn’t work when it comes to the “Verify” page. After clicking “Done”, nothing happens. Console shows CORS errors.

And I’m not gonna lie, the concept’s cool but I think it’s rather executed in a poor way (read @javaarchive’s post on why).

Oh, then just get an extension that removes these CORS errors

Hmmm… let me check my super secret admin logs
Edit: Oj, you did not enter the code at all, how did you trick the website into using an older code
Edit edit: Nevermind my code is just bad, let me fix it

Wait, is THAT how it’s supposed to be?

I think it’s broken, https://clouddata.scratch.mit.edu/logs?projectid=524136137&offset=0&limit=40 (which is where the API requests are made) shows all the users are “LankyBox01”…

Done, i fixed my bad code by sending an extra cloud request

No, these are actual proper requests sent by me. Try also sending a request and checking again
https://scratch.mit.edu/projects/524136137

But the thing is, it should not be on the client to install stuff unless necessary (like the Scratch Lego WeDo plugin), it should be up to the webmaster.

I have been doing a lot of research and testing (a.k.a googling) on how to get rid of this error. This was the only result i could find that works. IDK

So why is it not working for me? I’ve tried different browsers, I’m still getting a CORS error.

Well, the system is still in beta and this is the only way to do it: Install an extension to get rid of it.

^

Please use server-side auth, client side isn’t secure.

Looks like clouddata.scratch.mit.edu (wait isn’t that a subdomain of a subdomain?) doesn’t have a CORS header…

Maybe moving the fetching part of the code to a backend or using something like Cloudflare Workers to fetch it for ya should solve the issue.

And how do i fetch a code to a backend?

The thing that will solve almost all your problems: NodeJS

Yea you need something you can trust…the backend, because completing the last step of authentication using a username on the client isn’t really secure because the username is something the client can forge.

also for your cors errors the main workaround is just proxying requests using a server but that still wouldn’t entirely solve the security flaws

How exactly can the client forge a username? As far as i know, there’s no way to send a request to the scratch cloud project with a different username…

Yeah, but if the auth is client-side, people can easily forge cookies