alexander.rieder asked

Azure Function differentiate between client/server/API

How can an Azure function differentiate between the origin/caller of the function?

The following use-case:
  • I have a function which performs some privileged operation on the Server endpoint (e.g. GrantItems).
  • This function can be called either from a GameServer or directly from PlayFab (e.g. if a player enters a segment).
  • I want to prohibit the client from calling this function.


However, I cannot differentiate between who is calling this function/what the origin is.

I tried using the passed in TitleAuthenticationContext when calling GrantItems, hoping that the EntityToken would contain information of the origin and prohibit calls which come from the client, but to no avail.

Passing 'secret headers' which are only known to the server is also not an option, as I cannot set them when the call originates from PlayFab, and security through obscurity is a bad idea.

So what would be the correct way of detecting such a call?

Tags: apis, CloudScript

1 Answer

Citrus Yan answered

When executing Azure Functions via the ExecuteFunction API, the context FunctionExecutionContext passed by PlayFab contains the info about the caller:

public PlayFab.ProfilesModels.EntityProfileBody CallerEntityProfile { get; set; }

You can use such info to identify who is calling the function. If it’s a player entity, you may abort their calls.

1 comment

alexander.rieder commented

Thank you for your quick response!

I ended up using something like:

if (CallerEntityProfile.Entity.Type == "title_player_account")
{
    // Do player stuff (the call came from a client via ExecuteFunction)
}
else if (CallerEntityProfile.Entity.Type == "title")
{
    // Do server stuff (the call came from the title / server side)
}

For functions triggered by PlayStream, the existence of the PlayStreamEventEnvelope can be checked.

One of my other concerns was that anybody could potentially call the REST endpoint, but I did some research and found out that as long as I do not leak the function key of the endpoint, nobody can call this from the outside and therefore it should be considered safe. (And the client never sees this function key, as the Azure call is proxied by PlayFab.)

1 Like
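The caller check described in the answer and the comment above, as an added example for a Node.js HTTP-triggered Azure Function (this is not code from the original thread or from PlayFab). The JSON property names mirror the C# FunctionExecutionContext members named on this page; the exact JSON casing, the fail-closed policy and the sample payloads are assumptions.

```javascript
// Added example: classify who invoked a PlayFab-proxied Azure Function from its execution context.
// Property names (CallerEntityProfile, PlayStreamEventEnvelope) mirror the C# context on this page;
// their JSON casing is assumed. Sample payloads below are constructed, not captured from PlayFab.

// Returns "server" | "player" | "playstream" | "unknown" based only on the context body.
function classifyCaller(body) {
  if (!body || typeof body !== "object") return "unknown";
  // PlayStream-triggered invocations carry the event envelope rather than a caller entity.
  if (body.PlayStreamEventEnvelope) return "playstream";
  const profile = body.CallerEntityProfile;
  const type = profile && profile.Entity ? profile.Entity.Type : undefined;
  if (type === "title") return "server";                // server-side call (title entity)
  if (type === "title_player_account") return "player"; // client call via ExecuteFunction
  return "unknown";
}

// Privileged operations (e.g. GrantItems) proceed only for the title entity or a PlayStream
// trigger. Fail closed: a missing or unexpected caller type is refused, not allowed.
function isPrivilegedCallAllowed(body) {
  const who = classifyCaller(body);
  return who === "server" || who === "playstream";
}

// Builds the HTTP response the function returns; the actual grant logic is omitted.
function buildResponse(body) {
  if (!isPrivilegedCallAllowed(body)) {
    return { status: 403, body: { error: "caller not permitted to call this function" } };
  }
  return { status: 200, body: { granted: true, caller: classifyCaller(body) } };
}

// Azure Functions (Node.js v3 programming model) handler using the check above.
async function grantItems(context, req) {
  context.res = buildResponse(req.body);
}

// Constructed sample contexts (IDs are placeholders, not real PlayFab values).
const SAMPLE_PLAYER_CALL = {
  CallerEntityProfile: { Entity: { Id: "PLAYER_ENTITY_ID", Type: "title_player_account" } },
  FunctionArgument: { itemId: "sword" },
};
const SAMPLE_SERVER_CALL = {
  CallerEntityProfile: { Entity: { Id: "TITLE_ID", Type: "title" } },
  FunctionArgument: { itemId: "sword" },
};
const SAMPLE_PLAYSTREAM_CALL = {
  PlayStreamEventEnvelope: { EventName: "player_entered_segment" },
  PlayerProfile: { PlayerId: "PLAYER_ID" },
};
```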
