Server

From WikiMeower

Meower's Server is a custom Python secure websocket (wss) server developed with CloudLink by MikeDEV. Meower's Server is the only project that gets early access to new CloudLink builds. As of Beta 4.8 (Patched Build 1.12.2022), the server is hosted over a Cloudflare Argo Tunnel and runs on a Raspberry Pi 4 B+ 4GB.

Original Server (2021)

When Meower started moving away from Scratch, the original server ran on a Raspberry Pi 4 B+ 4GB and was hosted through an ngrok tunnel. The first CloudLink build used was v0.1.4. Storage for userdata and posts was managed via a Samba connection to a NAS drive running OpenMediaVault. The server never used more than 100MB of storage during its original implementation. The server suffered from a wide range of instabilities and vulnerabilities. Because of these issues, MikeDEV rewrote the server. As a byproduct of rewriting the server, CloudLink was rewritten as well, deploying v0.1.5.x.

Instability

The original server suffered from instability issues. The server would randomly stop responding, or completely crash, causing all clients to stop working.

Security Vulnerabilities

The server suffered from numerous security vulnerabilities, discovered using MeowerWhoops.

The Disconnect Hack

By sending the "ds" command to someone, you could simulate the server relaying a shutdown request to a user, effectively terminating anyone's connection.

Username spoofing

By modifying the "origin" key in a CloudLink JSON packet, you could spoof the identity of someone and use custom usernames.

Poor Password Management

The original server relied purely upon SHA256 hashing for password management. This system would not suffice going into the future.

Current Server (2021-Today)

The Current Server, as of January 21, 2022, still runs on a Raspberry Pi 4 B+ 4GB, using a Samba connection to a NAS for storage, and runs a custom version of CloudLink Server v0.1.7.x. The server has several layers of protection against spoofing, unlawful disconnections, and brute-force attacks. As of Jan 21, 2022, the new server has not crashed or become unstable.

Direct Commands

A feature introduced in CloudLink v0.1.6.x was the Direct Command, which allows the server admin to create custom command handlers and send packets securely to a user. This is the implementation Meower uses for relaying messages and downloading data.

Memory-Object Based Identification and Origin protection

To combat username spoofing, the server uses WebSocket memory objects for identification, allowing the server to send packets securely. With this, the server can override any modification to a packet's origin by overwriting the origin key in the CloudLink JSON packet with the correct username.
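A minimal sketch of the origin overwrite described above, as an added example that is not Meower's or CloudLink's own code: the sender's name is looked up from the connection object and never read from the packet. The `Conn` and `Relay` classes, the `cmd` and `id` field names, and the choice to drop a client-sent "ds" are assumptions made for illustration; only the "origin" key and the "ds" command come from this page.

```python
import json

SERVER_ONLY = {"ds"}  # assumption: commands a client may never relay itself


class Conn:
    """Stand-in for one websocket connection object (constructed for this example)."""

    def __init__(self):
        self.outbox = []

    def send(self, text):
        self.outbox.append(text)


class Relay:
    def __init__(self):
        self.user_of = {}  # connection object -> username set at login
        self.conn_of = {}  # username -> connection object

    def register(self, conn, username):
        """Call only after the login on this connection has succeeded."""
        self.user_of[conn] = username
        self.conn_of[username] = conn

    def handle(self, conn, raw):
        """Forward one client packet; return it as sent, or None if dropped."""
        sender = self.user_of.get(conn)  # identity comes from the socket
        if sender is None:
            return None  # not logged in on this connection
        try:
            packet = json.loads(raw)
        except ValueError:
            return None
        if not isinstance(packet, dict):
            return None
        cmd, to = packet.get("cmd"), packet.get("id")
        if not isinstance(cmd, str) or not isinstance(to, str):
            return None
        if cmd in SERVER_ONLY or to not in self.conn_of:
            return None
        packet["origin"] = sender  # overwrite whatever the client claimed
        self.conn_of[to].send(json.dumps(packet))
        return packet
```

Because the lookup is keyed on the connection object itself, a packet carrying a forged "origin" is delivered under the sender's real name rather than being trusted or silently passed through.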

bcrypt password management

The server uses the bcrypt hashing algorithm for password management. It also salts passwords when storing them in a user's database. The combination of salting and hashing with a high degree of difficulty helps secure the user storage on the server.

Basic IP tracing and blocking

Although the approach is flawed, the server requires each client to send its own reported IP address. This gives Meower a primitive IP blocker, which has yet to be improved.

Highly-complex and heavily nested exception handlers

Every logic statement within the server has an exception handler. If anything goes wrong on the server, an exception handler takes care of the situation and allows the server to remain functional. Thus far, the server has encountered many exceptions but has never crashed or been brought down by a fatal exception.

DDoS Protection

Since the new server relies upon Cloudflare Argo Tunnels, the server has protections against DDoS (Distributed Denial of Service) attacks. As of Jan 21, 2022, there have been at least 3 attempts to flood the server with DDoS attacks (without MikeDEV's approval).