dulupaz asked

ClientAPI Limitation when LoginRequest is done by Server for Client

I have been struggling with the way clients log in, since if the client uses ClientAPI.Login to log in, then whether the client has logged in would be up to the client to tell the server.

And that's what I'm struggling with. What if the client does not pass login authentication, or does not even try to log in, and just notifies the server: "Hey, I have passed login authentication with PlayFabID="XXXXXXX""? Will this be a security problem?

I then searched for this question and found a thread in the forum.

gbogarin says:

"I don't want to rely on the client to get the playfabid."

"because right now the server relies on the client to get that playfabid"

So I assumed this may cause a security problem and took the advice below. That is, the client asks the server to send the login request to PlayFab for them, and the server will notify the client whether it passed login authentication and bind the PlayFabId to the client if it did.

After I went on with ClientAPI.GrantCharacterToUser, I found ClientAPI can't be called, since no ClientAPI can be called if the client doesn't log in. And in my design, the client asks the server to log in, so the server is the one who actually sends the login request, the one who actually logs in, while my clients don't.

But I didn't give up that design, since I found an alternative way to grant a character to a user by using ServerAPI.GrantCharacterToUser through Cloud Script, and it works well because I can use the PlayFabId to identify the player.

The same problem comes with ClientAPI.Update/GetCharacterData.

But I didn't give up that design, since I recall the tutorial indicating that it is more recommended to use the EntityAPI to store player/character data in the Objects field, and it works well because I can use type "character" and id = character id, which can be retrieved when I grant a character to the player.

What breaks me is Economy. There are lots of useful functions I can't use: PurchaseItem, GetInventory, etc.

So I have been asking myself whether I should abandon my design and just log in on the client side.

Or is there any way to put the client into a logged-in state without the login process? Like setting the PlayFabId on the client side?

It would be frustrating if it is better to abandon the design. It is not only a security problem but also a server design issue. Since the NetworkAPI I use in the game is a server-authoritative design, all state changes are made on the server, so I think it would be more convenient if the server handled data persistence. Otherwise the client will have to ask the server and the database (PlayFab) to update the state at the same time.


1 Answer

Sarah Zhang answered

The reason the clients can't access the client API is that they haven't passed the session ticket as the request header. You can find info about the request header in each client API's API reference, for example, ClientAPI.PurchaseItem.

When you log a player into PlayFab via ServerAPI.LoginWithServerCustomId, the player's session ticket and entity token are contained in the API's response. So you can pass these two fields from the server to the clients so that the clients can access the client API sets. You can save these two fields using predefined methods in the PlayFab SDK. For example, in Unity, you can refer to the following testing code.

using PlayFab;
using PlayFab.ClientModels;
using UnityEngine;

public class ClientLoginFromServer : MonoBehaviour
{
    void Start()
    {
        // Receive the ClientSessionTicket and EntityToken from the server
        // (placeholders below; the real values come from the server's
        // LoginWithServerCustomId response).
        PlayFabSettings.staticPlayer.ClientSessionTicket = "[The player's SessionTicket]";
        PlayFabSettings.staticPlayer.EntityToken = "[The player's EntityToken]";

        // With both set, Client API calls are authorized as this player.
        var request = new GetUserInventoryRequest();
        PlayFabClientAPI.GetUserInventory(request, OnSuccess, OnFailure);
    }

    private void OnSuccess(GetUserInventoryResult result)
    {
        Debug.Log("Success");
    }

    private void OnFailure(PlayFabError error)
    {
        // GenerateErrorReport() includes the error code and message from PlayFab.
        Debug.LogError("Failure: " + error.GenerateErrorReport());
    }
}
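The server-authoritative flow the answer describes, as an added Python example that is not code from the question, the answer or the PlayFab SDK: the game server, which alone holds the title secret key, calls Server/LoginWithServerCustomId, binds the returned PlayFabId to the client's connection, and returns only the SessionTicket and EntityToken to the client; later messages on that connection are attributed by the server-side binding, so a PlayFabId the client claims in a message is ignored. The REST endpoint, the X-SecretKey header and the response shape follow PlayFab's REST documentation rather than this page; LoginBroker, PlayerSession, fake_playfab_transport and every sample value are constructed for the example.

```python
"""Server-side PlayFab login broker: the client never logs in itself and is
never trusted to state its own PlayFabId."""
import json
import logging
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

log = logging.getLogger("login_broker")


@dataclass
class PlayerSession:
    playfab_id: str
    session_ticket: str
    entity_token: str
    entity_id: str


def https_transport(url: str, headers: Dict[str, str], body: dict) -> dict:
    """Real transport: POST JSON to PlayFab and return the parsed reply.
    PlayFab also returns a JSON body on 4xx, so HTTPError is parsed, not raised."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def fake_playfab_transport(url: str, headers: Dict[str, str], body: dict) -> dict:
    """Constructed stand-in for PlayFab so the example runs offline. It accepts
    one constructed secret key and answers with the documented reply shape."""
    if headers.get("X-SecretKey") != "constructed-secret":
        return {"code": 401, "status": "Unauthorized", "errorMessage": "Invalid secret key"}
    cid = body["ServerCustomId"]
    return {"code": 200, "status": "OK", "data": {
        "PlayFabId": "PFID-" + cid,
        "SessionTicket": "ticket-" + cid,
        "EntityToken": {"EntityToken": "etoken-" + cid,
                        "Entity": {"Id": "ent-" + cid, "Type": "title_player_account"}}}}


@dataclass
class LoginBroker:
    title_id: str
    secret_key: str                      # lives only on the game server
    transport: Callable[[str, Dict[str, str], dict], dict]
    bindings: Dict[str, PlayerSession] = field(default_factory=dict)  # connection_id -> session

    def login_for(self, connection_id: str, server_custom_id: str) -> dict:
        """Log the player in on their behalf and bind the result to the connection.
        server_custom_id is whatever the server already verified (e.g. a platform account)."""
        url = f"https://{self.title_id}.playfabapi.com/Server/LoginWithServerCustomId"
        headers = {"Content-Type": "application/json", "X-SecretKey": self.secret_key}
        body = {"ServerCustomId": server_custom_id, "CreateAccount": True}
        reply = self.transport(url, headers, body)
        if reply.get("code") != 200:
            raise PermissionError(f"PlayFab login failed: {reply.get('errorMessage', reply)}")
        data = reply["data"]
        session = PlayerSession(
            playfab_id=data["PlayFabId"],
            session_ticket=data["SessionTicket"],
            entity_token=data["EntityToken"]["EntityToken"],
            entity_id=data["EntityToken"]["Entity"]["Id"],
        )
        self.bindings[connection_id] = session
        # Client-facing payload: just the credentials it needs for Client/Entity API calls.
        return {"SessionTicket": session.session_ticket, "EntityToken": session.entity_token}

    def playfab_id_for(self, connection_id: str, claimed_playfab_id: Optional[str] = None) -> str:
        """Resolve the player's identity from the server-side binding only.
        A PlayFabId carried in a client message is logged when it disagrees and never used."""
        session = self.bindings.get(connection_id)
        if session is None:
            raise PermissionError("connection is not logged in")
        if claimed_playfab_id and claimed_playfab_id != session.playfab_id:
            log.warning("%s claimed %s but is bound to %s",
                        connection_id, claimed_playfab_id, session.playfab_id)
        return session.playfab_id


if __name__ == "__main__":
    broker = LoginBroker("TITLEID", "constructed-secret", fake_playfab_transport)
    print(broker.login_for("conn-1", "steam-42"))
    print(broker.playfab_id_for("conn-1", claimed_playfab_id="PFID-someone-else"))
```

To talk to the real service, construct LoginBroker with https_transport and the title's actual secret key; the rest of the flow is unchanged. The point of the design is that every server-side ServerAPI or Economy call for a connection uses playfab_id_for(connection_id), which cannot be influenced by the client, while the client uses the returned ticket and token exactly as the Unity snippet above does.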
