I have been struggling with how the client logs in: if the client uses ClientAPI.Login to log in, then whether the client has logged in is something the client tells the server.
And that's what I'm struggling with. What if the client does not pass login authentication, or does not even try to log in, and just notifies the server: "Hey, I have passed login authentication with PlayfabID=XXXXXXX"? Would this be a security problem?
I then searched for this question and found a thread in the forum.
gbogarin says:
"I don't want to rely on the client to get the playfabid."
"because right now the server relies on the client to get that playfabid"
So I assumed this may cause a security problem, and I took the advice below. That is, the client asks the server to send the login request to PlayFab for it, and the server notifies the client whether it passed login authentication and binds the PlayFabID to the client if it did.
After I went on to ClientAPI.GrantCharacterToUser, I found that ClientAPI can't be called, since no ClientAPI call can be made if the client hasn't logged in. And in my design, the client asks the server to log in, so the server is the one that actually sends the login request, the one that actually logs in, while my clients don't.
But I didn't give up on that design, since I found an alternative way to grant a character to a user, by using ServerAPI.GrantCharacterToUser through cloud script, and it works well because I can use the PlayfabId to identify the player.
The same problem comes up with ClientAPI.Update/GetCharacterData.
But I didn't give up on that design, since I recall the tutorial indicating that it is more recommended to use EntityAPI to store player/character data in the Objects field. And it works well because I can use "character" as the type and the character id as the id, which can be retrieved when I grant the character to the player.
What breaks me is Economy. There are lots of useful functions I can't use: PurchaseItem, GetInventory, etc.
So I have been questioning myself whether I should abandon my design and just log in on the client side?
Or is there any way to put the client into a logged-in state without the login process? Like setting the playfabId on the client side?
It would be frustrating if it is better to abandon the design. It's not only a security problem but also a server design issue. Since the NetworkAPI I use in the game is a server-authoritative design, all state changes are made on the server, so I think it would be more convenient if the server handled data persistence. Otherwise the client will have to ask the server and the database (PlayFab) to update the state at the same time.
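
The server-side binding described in this post, sketched as an added example that is not part of the original post and is not PlayFab code: the server records a PlayFabId for a connection only after its own login check succeeds, and never accepts an identity the client claims. `verifyWithBackend`, `GameServer`, the connection ids and the sample accounts are hypothetical and constructed; `verifyWithBackend` stands in for the server's login request to PlayFab.

```javascript
const crypto = require("crypto");

// Constructed sample accounts; a real server would forward the credentials to PlayFab.
const SAMPLE_ACCOUNTS = new Map([
  ["alice@example.test", { password: "correct horse", playFabId: "SAMPLE-ID-A" }],
  ["bob@example.test", { password: "battery staple", playFabId: "SAMPLE-ID-B" }],
]);

// Hypothetical stand-in for the server-side login call. Returns a PlayFabId or null.
function verifyWithBackend(email, password) {
  const account = SAMPLE_ACCOUNTS.get(email);
  if (!account) return null;
  // Compare fixed-length digests so timingSafeEqual always gets equal-sized buffers.
  const expected = crypto.createHash("sha256").update(account.password).digest();
  const supplied = crypto.createHash("sha256").update(String(password)).digest();
  return crypto.timingSafeEqual(expected, supplied) ? account.playFabId : null;
}

class GameServer {
  constructor() {
    this.bound = new Map(); // connectionId -> PlayFabId, written only by login()
  }

  // The server performs the login; its result is the only source of identity.
  login(connectionId, email, password) {
    const playFabId = verifyWithBackend(email, password);
    if (playFabId === null) return { ok: false, error: "login failed" };
    this.bound.set(connectionId, playFabId);
    return { ok: true, playFabId };
  }

  // Identity comes from the binding. A PlayFabId in the message is never trusted,
  // and one that disagrees with the binding is rejected.
  handle(connectionId, message) {
    const playFabId = this.bound.get(connectionId);
    if (playFabId === undefined) return { ok: false, error: "not logged in" };
    if (message.playFabId !== undefined && message.playFabId !== playFabId) {
      return { ok: false, error: "identity mismatch" };
    }
    return { ok: true, actingAs: playFabId, action: message.action };
  }

  disconnect(connectionId) {
    this.bound.delete(connectionId); // drop the binding with the connection
  }
}
```
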