#Save player stats locally?

With GetDedicatedServerKeyV3 being compromised a few days after it was released and GetPlayerCustomGameAccountRecord not working I have given up on adding any sort of cloud saves for my custom game, instead looking to save user's stats locally (manually cheating by editing stats is a non-issue for my game).

However Dota's Lua API is unable to access the file system which is understandable. So given that we can't access the file API is there any way to store a user's data locally? Is it impossible?

What does it mean to save "locally"? In the player's PC? Remember that the player is just a client and you are playing on a dedicated server hosted by Valve

If you don't care about cheating with save files why you can't just use your http server and be done with it? Even if you somehow manage to find a way to store data locally it only matter of time until valve patch that to prevent ppl creating viruses or another similar shit with custom games

You can't create files of any kind on players' PC

That's a major risk

go back to the good ol' save code
generate an encoded string that players can copy to a notepad, and reload by pasting that

though, DediServerKey is your sole source of secrecy, so if you don't trust that API, you can't trust anything.

@flint sleet @plucky horizon I just want to save the player's stats, like K/D, games won, and other related stats (it's a single-player game about beating your own high score). Cheating is a non-issue because who cares if a player edits their K/D, it's a competition against yourself.

As for saving it using a server: it's not safe since GetDedicatedServerKeyV3 has been leaked so anyone can just make a call to my server to delete anyone else's data. All custom games that send requests have this issue.

@shy gust I had a similar idea but it feels tedious to copy+paste the code every game to track your high-score correctly :/

Well, one of solutions i can think of for you is just don't create "delete data by steam id" api call or you mean by "delete" modify someone else data (for grief purpose)?

Since all lua code is available, I don't think there's a way to solve this security issue, unfortunately.

Regardless, you can never save files on any player's PC, nor the dedicated server.

So there are two approaches to this:

Serverless: using the method Elfansoer suggested. Not amazing, but could work well.

Simple Server Addition - design your schema so that you can only add new scores to it, never to remove scores. The game will only show your highest score regardless. This has another security issue where you can be DDOS'd by griefers sending a ton of requests to waste your server's space and resources.

Why do you think V3 is compromised?

I'm also wondering this

Sorry for very late answer. Several custom game authors mentioned that they use it but it was compromised almost immediately. Source is random Reddit posts so not 100% reliable but I find it weird that they would lie about it.

rather than unreliable secondary answer like that, better you try it yourself then.
because the API is the anchor point of your mod's security.
so it is either serverless save-code or use the API in non-intrusive way, like only allowing to post highscores with limited rate or something like that

counterpoint, who gives a shit

as long as you make sure people can't wipe your DB with a request, who cares if some loser cheats

I mean that was exactly my point though? Idc about cheaters cheating their own stats, but since the server key impl. are leaked and custom game code is trivially ""decompiled"" anyone can post a request posing as anyone else. Even if I don't add a "delete" request people can still mess with everyone else's stats by updating them unfortunately :/

I'm sure that if v3 were compromised there would be some known cases of hacking of popular custom games

The reddit post I first found: https://www.reddit.com/r/DotA2/comments/ylhjjp/getdedicatedserverkeyv3_has_been_cracked_already/
The official issue on DOTA's issue tracker: https://github.com/ValveSoftware/Dota2-Gameplay/issues/14885
I also think Baumi made a statement on behalf of a few custom game creators, but can't find a link to that now.

@ebon blade is this your post on reddit?

yup

dunno much about it tho

i remember voiced people talking about it in this server

and someone trustworthy said itd been cracked already

thats all i got for you

its been forever

Eh but will they do that

who cares if it's a single player game

This GitHub issue is so stupid

also the reddit thread