How does the back end server for online authentication work?

So I’m getting ready to release my plugin and am considering requiring product registration. I read the tutorial about the OnlineUnlock class and I think most of that is pretty straightforward; however, I don’t understand the section about the back end server, as I have never worked with servers.

In the tutorial it looks like they make a local server, which I assume means a server running off your personal PC, but I also assume in a real life case you would use a separate dedicated server? If this is true, do I need to purchase a server space? (Possibly very dumb question) I already have a domain to release my plugin on, am I able to use that domain in some way to act as my server? Finally, is there any type of maintenance needed for an authentication server?

Any help appreciated! Thanks!

You will at least need to have a dedicated authentication server and database of users/purchases/licences.

Virtualised server offerings from AWS, Google Cloud, Azure, …, mean that you don’t have to worry about maintaining your own hardware, but you would still need to keep an eye on the latest security news and update your services accordingly. This is usually pretty low overhead in practice but not something you can ignore.

It’s possible that rolling your own anti-piracy will do more harm than good. Anything less than a comprehensive solution will get cracked pretty swiftly, and any measures you do put in may make the product worse for paying customers. I think there are two sensible strategies:

  1. Do the minimum viable licence checking using your own authentication web infrastructure. Add just enough complexity to the licence check that when people download a cracked version it’s obvious that it’s not the same as the original version. If your plug-in becomes popular then a crack will appear fairly swiftly, but this approach will be minimally intrusive to your users.

  2. Use a tried-and-tested comprehensive solution. PACE is the industry leader by a wide margin: https://www.paceap.com/ . They provide online licence management for you, so there’s a whole swathe of problems you no longer need to think about.

** JUCE is owned by PACE, but this post is not representative of JUCE’s or PACE’s opinions, nor is it meant to be an explicit advert for their services. I have personally released plug-ins using the first approach and made my peace with seeing a cracked version appear, disheartening though it may be. I just want to caution very strongly against implementing anything more than the minimum viable protection yourself.

Thanks t0m for the reply! This is more a general reply to anyone that might be able to point me in the right direction. Unfortunately over the past few days I have made little headway with this. Again I have no experience with servers or databases so I am in new waters. I would also like to preface, I am not super concerned with someone taking the time to make a crack for this plugin, rather just that it is somewhat secure.

I’m currently looking at Google Cloud services to do this job. TBH, I’m already a bit lost at this part as I did not realize they offered so many services lol. Cloud SQL looks like the best database service of theirs, but for a “dedicated authentication server” I’m not even sure what I’m looking for. And maybe a stupid question, but would the authentication server basically just take the credentials you ask the user to supply, and then check to see if they exist in the database of purchases? I realize my lack of knowledge on this topic might seem concerning, but everyone starts somewhere lol.

On another note, as I previously mentioned, I plan on releasing this plugin mainly through my own website. I used Wix to build the site. I’m not sure if anyone is familiar with their setup, but they offer Wix databases, which store all my orders and user info. It would be convenient if I could directly use that database instead of having a separate database just for authentication.

After some more troubleshooting, I switched paths and went with Lambda and DynamoDB from AWS. After a little researching I got my plugin to at least contact and write to the DynamoDB table, however in a pretty crude way. But I think this is on the right track at least.
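
The check asked about in this thread (take the supplied credentials and look them up in the purchases database), as an added example that is not from any poster or from the JUCE tutorial: a Lambda-style handler in Python. The in-memory dict stands in for a DynamoDB table, and the field names (`email`, `key`, `machine_id`), the activation limit and the sample record are assumptions.

```python
import hashlib
import hmac
import json

MAX_MACHINES = 3  # assumed policy: machines allowed per licence


def hash_key(key):
    # Store and compare only a hash of the licence key, never the key itself.
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed sample record standing in for a DynamoDB purchases table.
PURCHASES = {
    "alice@example.com": {"key_hash": hash_key("AAAA-BBBB-CCCC"), "machines": set()},
}


def reply(status, **body):
    return {"statusCode": status, "body": json.dumps(body)}


def handler(event, table=PURCHASES):
    """Lambda-style entry point; event["body"] is the JSON the plugin POSTs."""
    try:
        req = json.loads(event.get("body") or "")
        email, key, machine = req["email"], req["key"], req["machine_id"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return reply(400, error="bad request")
    fields = (email, key, machine)
    if not all(isinstance(v, str) and 0 < len(v) <= 128 for v in fields):
        return reply(400, error="bad request")

    record = table.get(email.strip().lower())
    # Unknown email and wrong key take the same path and get the same answer,
    # so the endpoint cannot be used to find out who has bought the plugin.
    expected = record["key_hash"] if record else hash_key("")
    if not hmac.compare_digest(hash_key(key), expected) or record is None:
        return reply(403, unlocked=False)

    machines = record["machines"]
    if machine not in machines and len(machines) >= MAX_MACHINES:
        return reply(403, unlocked=False, reason="activation limit reached")
    machines.add(machine)  # with DynamoDB this would be a conditional update
    # Assumes HTTPS; an unsigned reply like this is easy to spoof locally.
    return reply(200, unlocked=True)
```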