Offline replays

Currently, Space Station 14 replay files from servers depend on an active internet connection, which can be inconvenient for users who want to access their replays offline or in areas with limited connectivity.

To improve this, replays should be fully self-contained. This means they should come packaged with all the necessary data, including engine files and dependencies, to allow them to be watched offline. Not only would this make the system more user-friendly, but it would also ensure that replays are preserved for long-term use without relying on external servers.

This change would enhance accessibility, simplify the viewing process, and contribute to the longevity of replay content. Even after a server goes down.

This is already possible, albeit not in a very user-friendly way. If you have a prebuilt client, or build your own from the source code, then you can load a replay into that. You are likely to run into severe issues if your client is not on the same commit as the replay, though, so this works best if you have a copy of the git branch of the codebase and can check out the replay’s commit

That’s kinda the core problem that this suggestion seeks to tackle. While the approach I proposed might lead to larger file sizes, the trade-off is worth it to ensure compatibility and standardization. A standardized format would eliminate the need for users to match commits or manage code branches, to view replays offline. It should be accessible and simple even to a non-technical user.

Replay files should be fully self-contained. So that they can always be accessible. And remain preserved.

Having to put the client fully along in the replay will increase replay file size by A LOT

Replay files are already huge right now (200mb for like 2 hours) and the client itself is pretty hefty (164mb compressed as of writing this)

We already had to recently wipe a bunch of old replays (that were unplayable anyway due to engine security issues and dotnet upgrade breaking them) due to storage size limitations on our servers. (we had chosen not to pay for more storage) (afaik these are backed up by someone)

In theory though, with the way robust toolbox bundles work… this is possible if you look into it. But im my opinion its not worth the effort when its far easier to just compile from our github, which will have multiple copies even if our download servers die (and more secure as discussed by the game engine security upgrades (we backport critical security features, which in the past used to break old replays (this is now fixed)) actually thats stupid of me to say its not secure

This post was partially generated with the assistance of AI. I have carefully reviewed, edited, and refined the content to ensure its accuracy and alignment with my intended message.

I understand that embedding the entire client within replay files would significantly increase their size, potentially leading to storage challenges. However, the current method, requiring users to compile from GitHub or ensure version compatibility, can be cumbersome and may deter less tech-savvy players from engaging with replays.

A potential compromise could involve creating a lightweight, standalone replay viewer. This tool would be optimized for replay playback, removing the need to package the full client with each replay while still allowing users to view replays offline without extensive technical steps.

Implementing such a solution would enhance accessibility and preserve the integrity of replays, ensuring they remain a valuable resource for the community.

This standalone replay viewer would download the engine, and remain modular. If a player wants to share a replay, they can “export” it, which includes all the engine files.

The server does not need to retain this extended-size engine, rather, the client can merge all the necessary files into the replay archive itself.

However, there is another potential solution as well:

Rather than rely on a standalone client, it could be possible to store one copy of the engine files on the replay server (or another source that already exists)

When a user clicks to download a file, they can be given two options, an offline or online copy. (Or just default to offline)

The offline copy will create a temporarily stored file in a temp directory and merge it with the engine. After the download, the merged temporary replay file is deleted.

The user receives a self-contained copy, unless they opt for an online copy, which does not merge engine files.

I’m sorry, but I believe this message looks AI generated. But I will respond to it.

I agree this is possible, like I explained. The content bundle system which replays use. In theory (i have not tested this) can have their client files added onto by an external program. However, I do not believe it’s worth officially making it.

This issue in my opinion is pretty low priority, especially currently where all files required to run replay files can still be served by Wizards den (or well any servers) cdn. Our replays will be able to be played back for a while. And with some newer fixes to the replay system. They will now be able to survive dotnet version upgrades and security engine critical upgrades while still being able to be read back.

For security reasons, security checks are made every time you connect to a server or replay. To ensure the current engine you are loading is safe from known vulnabilities and loads a safe version for you automatically if it is. Replays can never be “offline” from the launcher itself. And thus we cant just include the engine itself (being able to pass your own engine may also result in people having an easier time making modified clients. Take this with a grain of salt)

A “lightweight replay client” is not possible. Due to how replays are loaded, they require the exact client to be loaded. Otherwise, they are good as gone as the data will mean jack shit to a modern client, or any reimplementation of the client. And again will require development time we dont have.

A far easier solution here also is to just make a script that automatically gets the correct version from the replay, check out the git hash and build the game for the user if user accesibility is the issue. We don’t need to overcomplicate the replay system.

To be sure this word is getting across.

This IS possible. But It’s not currently worth the effort officially imo. It could be an interesting project for someone though to tackle. Maybe if someone makes a pr it can be put into the launcher. No promises

Just confirming here: this is the core issue.

I want to make the launcher able to work offline even if just to make sure the game qualifies as a LAN party game, but we cannot compromise security for it. SS14 is a very unique game that in many ways makes this harder.

If we crack the above issue, the replay issue would be solveable as well.

This post was partially generated with the assistance of AI. I have carefully reviewed, edited, and refined the content to ensure its accuracy and alignment with my intended message.

This could be implemented using a certificate based system. Under normal circumstances, Space Station 14 requires online authentication when connecting. However, for situations where an internet connection is nonexistent, a fallback system similar to PGP/GPG could be utilized for offline authentication.

By default, the client should be configured to trust Wizden signed certificates. These certificates would validate the integrity and authenticity of files, such as replays or custom content bundles. This system should also allow third party certificates to be added, however those certificates should be treated similarly to third party hubs. Untrusted by default unless the user explicitly trusts it.

Users should be explicitly and heavily warned that sideloading custom certificates could compromise their client’s security. This safeguard is to make sure that only advanced users deliberately alter these settings, reducing the risk of unintentional exposure to malicious content.

At the end of each round, the server should perform an internal security check on the replay file. If these checks are successful, the server will automatically sign the replay with a trusted Wizden certificate.

If the security checks fail, the replay should be deleted to prevent loading corrupted or tampered files.

If a replay or content bundle lacks a valid signature, the client should display a generic notification prompting the user to connect to the internet for authentication. Avoiding detailed error messages prevents users from attempting workarounds that might compromise their security.

Advanced users who choose to interact with the signature system should be allowed to do so with caution, as improper usage, such as sideloading malicious certificates, will compromise their client.

If a replay is authenticated online, the client should self sign it for offline use. This makes sure that replays previously authenticated by wizden can be accessed without an internet connection, even after revocation.

In the event a certificate is compromised, the certificate trust server should send revocation signatures to clients. Signed by the affected certificate. These signatures would be automatically downloaded next time the client connects to the internet, revoking trust in older compromised materials. Revocation signatures should never be deleted. A new signature can be sent to clients via another update from the trust server, or through the discouraged custom method.

Wizden would likely need to issue a public announcement when such event occurs, including instructions for manual self-signing through the in-game console to re-authenticate trusted replays.

Certificates should only be used when:

The user lacks an internet connection or the server is unavailable.

The file being loaded (replay, custom content bundle) requires offline validation.

If these conditions aren’t met, the client should default to online authentication or refuse to load the file entirely.

By requiring valid and trusted signatures for offline files, this system makes sure that only trusted content is loaded, preserving the users security.

Users without internet access can still access trusted replays and content bundles seamlessly.

Advanced users retain the ability to manage certificates, while casual users remain shielded from unnecessary complexity.

Third party servers are still able to instruct users to trust their own certificates. Additionally, wizden could, manually at its own discretion, use the primary wizden signature to sign a third party certificate, thereby making it trusted. Allowing wizden to act as a root certificate authority. Additionally, it could be possible to automatically load other third party trusted certificates to the client through a certificate trust server. However, the primary wizden certificate can never be changed without a direct update to the client. The primary root trust certificate can only be revoked. Never modified or replaced by the certificate trust server. Clients should refuse any attempt to modify the primary trust certificate, and only accept revocation requests. The primary root trust certificate can only be changed through an update to the client itself. Other third party certificates may be changed via the trust server.

The private key for third party certificates should never be known to wizden. And changing the third party certificate on the primary trust server should both require approval from wizden, and the third party.

However wizden can, at any time, delete and revoke third party certificates from its own server. Which will force the necessity of sideloading.

In the event a client has already sideloaded a third party certificate, and it becomes trusted by a certificate trust server that the user trusts, than as long as the sideloaded certificate identifier is an exact match to the new trusted copy, the old sideloaded certificate should be replaced by the trusted copy.

Sideloaded certificates are immune to revocation, unless they have been replaced by a trusted copy, than revoked.

Wizden cannot blacklist a sideloaded certificate. As that would otherwise infringe on the open source nature of this game. Third parties are free to both make their own trust servers, the same way they may opt to use a third party hub.

Wizden can still force servers and users off from its own infrastructure, however those users retain the ability to switch to a third party provider. And sideload third party certificates (which, I expect third party servers will be relying on this feature if they aren’t able to get signed by wizden)

Let me know your thoughts about this <:

It was, I forgot to include an AI disclaimer, apologies for that.

The post has been corrected.

Additionally, for LAN compatibility, signed pre-packaged servers could be downloadable from within the client itself, and saved for offline use. A new “LAN” tab could be added.

Signed pre-packaged servers are trusted, therefore can be used offline. These could even be pre-packaged forks, such as LAN frontier or delta-V

Any tampering should invalidate the signature as the integrity and authenticity of it would be compromised.

Modification would require the sideloading of a self-signed certificate.

For offline play, when a launcher connects to the internet, it receives a temporary, signed key from wizden applicable to their account, which authenticates and allows offline play when wizden servers are unavailable.

Additionally, this fallback system could be used when authentication goes down, automatically.

These temporary keys should expire within one month from the last connection. Both for online and LAN servers.Once that expires, guest mode must be used for continued offline play if the user is unable to re-auth from wizden. The server_config.toml file should not be checked when validating the authenticity of a pre-packaged server.

Servers should default to online authentication unless unavailable. Additionally, servers may disable authentication through certificates or choose a shorter grace period. One month is just the default maximum. They may not choose a period longer than a month. The client should not be capable of authenticating an offline account certificate for longer than a month. Offline usage only requires one renewal per month, and should be only applicable to offline account authentication. Replays and other content should not have an expiration date without good reason.

The encouraged grace period for offline account authentication on public servers is one week. Rather than a month. Because if wizden authentication servers go down, it should not take longer than a week for service to be restored. This can be manually adjusted by administrators up to a month in the event that it does take longer to restore the authentication service.

If an account punishment occurs on a round while the account was signed in through a certificate, that information should be automatically noted within the note. As this may affect appeal processes. (For example, in the extraordinary event that the signed account certificate is somehow exfiltrated from the users computer while wizden authentication is offline. HWID and IP should also be noted in the note and visible for administrators with personally identifiable information permissions. So that those details can be cross referenced with previous connections, to validate the honesty of such an appeal)