roverse
A secure and efficient Cloudflare Worker proxy for Roblox API endpoints.

How It Works

Roverse uses Cloudflare Workers to create a secure proxy layer between your application and Roblox's API endpoints. When you make a request to your worker, it forwards that request to the corresponding Roblox API endpoint while keeping all necessary headers and authentication.

Requirements

Getting Started

  1. Clone and Setup:

    # Clone the repository
    git clone https://github.com/robalyx/roverse.git
    cd roverse
    
    # Install dependencies
    bun install

  2. Configure Environment:

    # Copy the environment example
    cp .env.example .env
    
    # Edit .env with your settings
    # Set PROXY_DOMAIN to your custom domain (e.g. your-domain.com)
    # Set PROXY_SECRET_KEY to your desired secret key

  3. Deploy:

    bun run deploy

Usage Guide

All requests to the proxy must include the X-Proxy-Secret header with your configured secret key. This authentication mechanism ensures that only authorized clients can access your proxy, preventing unauthorized usage and potential abuse of your worker's resources.

Converting Roblox URLs to Worker Requests

To use the proxy, convert any Roblox API URL by moving the subdomain into the first path segment:

    Roblox URL:    https://{subdomain}.roblox.com/{path}
    Worker URL:    https://your-domain.com/{subdomain}/{path}

Examples

Using curl:

    # Get user details
    curl -X GET \
      -H "X-Proxy-Secret: your-secret-key" \
      "https://your-domain.com/users/v1/users/1"

    # Get groups with query parameters
    curl -X GET \
      -H "X-Proxy-Secret: your-secret-key" \
      "https://your-domain.com/groups/v1/groups/search?keyword=test&prioritizeExactMatch=false&limit=10"

    # Get games with universe IDs
    curl -X GET \
      -H "X-Proxy-Secret: your-secret-key" \
      "https://your-domain.com/games/v1/games?universeIds=1,2,3"

The proxy will keep all your original headers (except the secret key) and forward them to the Roblox API.
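
A minimal sketch of the request handling this section describes (secret check, subdomain-to-host mapping, removing the secret before forwarding), added here as an example and not taken from roverse's source. The function names, the 401/400 status codes, the constant-time comparison and the DNS-label check are assumptions.

```javascript
// Added illustration; not roverse's source. Function names are hypothetical.
const SECRET_HEADER = "X-Proxy-Secret"; // header name from the README
const DNS_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/; // one label, no dots

// Compare every byte instead of returning at the first mismatch.
function secretMatches(presented, expected) {
  const enc = new TextEncoder();
  const a = enc.encode(presented ?? "");
  const b = enc.encode(expected ?? "");
  let diff = a.length ^ b.length;
  for (let i = 0; i < b.length; i++) diff |= (a[i] ?? 0) ^ b[i];
  return b.length > 0 && diff === 0; // an unset secret authorizes nobody
}

// https://your-domain.com/{subdomain}/{path} -> https://{subdomain}.roblox.com/{path}
function toUpstreamUrl(requestUrl) {
  const url = new URL(requestUrl);
  const [, subdomain, ...rest] = url.pathname.split("/");
  // Only a bare DNS label may become the host prefix, so the first path
  // segment cannot steer the proxy to a host outside roblox.com.
  if (!subdomain || !DNS_LABEL.test(subdomain)) return null;
  return `https://${subdomain}.roblox.com/${rest.join("/")}${url.search}`;
}

// Decide what to do with a request: reject it, or forward it without the secret.
// The 401/400 status codes are assumptions; the README does not specify them.
function planForward(requestUrl, headers, expectedSecret) {
  if (!secretMatches(headers.get(SECRET_HEADER), expectedSecret)) {
    return { ok: false, status: 401 };
  }
  const upstream = toUpstreamUrl(requestUrl);
  if (upstream === null) return { ok: false, status: 400 };
  const forwarded = new Headers(headers);
  forwarded.delete(SECRET_HEADER); // the secret stays at the proxy
  return { ok: true, upstream, headers: forwarded };
}

// Constructed request mirroring the README's curl example.
const demo = planForward(
  "https://your-domain.com/users/v1/users/1",
  new Headers({ "X-Proxy-Secret": "development", Accept: "application/json" }),
  "development",
);
console.log(demo.ok, demo.upstream, [...demo.headers.keys()]);
```
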

Development

Commands

    # Generate config from template
    bun run generate-config

    # Start development server
    bun run dev

    # Deploy to Cloudflare
    bun run deploy

Testing Dev Server

Before testing, you may want to modify the PROXY_SECRET_KEY in your .dev.vars file. By default, it's set to "development".

When running the development server, you can access different Roblox API endpoints using the path-based routing. For example:

    # Test users endpoint
    curl -H "X-Proxy-Secret: development" \
      "http://localhost:8787/users/v1/users/1"

    # Test games endpoint
    curl -H "X-Proxy-Secret: development" \
      "http://localhost:8787/games/v1/games?universeIds=1,2,3"

    # Test groups endpoint
    curl -H "X-Proxy-Secret: development" \
      "http://localhost:8787/groups/v1/groups/search?keyword=test"

Pitfalls

Using workers.dev Domains

Using the default workers.dev domain can expose your worker to unwanted traffic. There are bots that scan for new SSL certificates and monitor these domains, looking for workers to abuse. These bots can quickly find and target your worker even before you start using it.

We strongly recommend using a custom domain instead of the default workers.dev domain. Custom domains are much less likely to be targeted by automated scanning, as they require more effort to discover and aren't immediately identifiable as Cloudflare Workers.

This is especially important if you're on the paid plan, as unauthorized requests will still count towards your quota even if they're blocked by your authentication. You may check the other pitfalls for more information.

Triggering Cloudflare's Abuse Protection

Cloudflare's abuse protection system may trigger if your worker receives too many requests per second, especially on the free plan. This may also happen if too much traffic originates from a single IP address or a small range of IPs.

If you need to handle higher request volumes, consider upgrading to the paid Workers plan which allows for thousands of requests per second. We recommend implementing your own rate limiting and request distribution strategies to stay within these boundaries and ensure reliable service.

There is no reason for Cloudflare to block your worker as long as you're not abusing the service. You can learn more about the limits in Cloudflare's Workers limits documentation.

Protecting Against Unauthorized Usage

It's important to protect your worker from unauthorized usage and potential costly bills.

Good practices include using a custom domain instead of workers.dev, implementing Cloudflare's Web Application Firewall (WAF) rules, regularly monitoring your worker's metrics, and periodically rotating your secret keys, which minimizes the impact of potential key leaks.

FAQ

Why use a proxy for Roblox APIs?

A proxy provides additional security, rate limiting control, and also helps prevent exposure of your original IP address when making API requests.

How secure is the secret key authentication?

The secret key is stored securely in Cloudflare Workers' environment variables. It's never exposed in logs or error messages, and all requests without the correct key are immediately rejected.

What endpoints are supported?

The proxy uses path-based routing, so all Roblox API subdomains are supported automatically. This includes users, games, groups, friends, avatar, presence, thumbnails, inventory, and any future subdomains Roblox adds.

If you find any endpoints that aren't working correctly, please open an issue.

License

This project is licensed under the MIT License - see the LICENSE file for details.