niardev asked

Questions about PlayFab security and limits with Azure Functions

Hello,

As it is the first time I need cloud services for a game, I have several questions regarding PlayFab. I don't want to encounter a blocking issue due to limitations and migrate to Firebase for example in the middle of client-server development.

Those can be noob questions and there are a lot of questions, so sorry in advance.

Regarding security, I know I shouldn't blindly trust any data sent from client. So I currently use Azure Functions to process that data and do verifications to ensure validity of that data.

As the client can be modified, and according to quick searches on the web, my Unity game code could be modified (see Unity game hacking and Unity modding tools for example).

First question: is it possible for a malicious player to modify my code and add client API calls like UpdateCharacterData(), for example? As long as they have their character ID in memory, what prevents them from adding API calls?

If it is possible, I was planning on relying exclusively on ExecuteFunction() to only use Azure Functions when needed to interact with PlayFab data. (especially for writes)

The only direct client API calls would be those regarding login. (And ExecuteFunction())

Second question: Is there a way to prevent the client from making API calls that are not initially implemented by me?

I've seen in my Title Settings (in Game Manager) that I can disable client API calls. Is this the way? But if I do enable this option, won't my client login API and ExecuteFunction calls stop working? What are my options here?

As I would like to rely on Azure Functions, I've checked the limits and I was wondering: are those limits only applicable in development mode, or will I be that limited even in production mode?

For example, I see in Data Storage > Character data value updates per 15 seconds = 5 update operations. Are these limits only from the client, or also from Azure Functions? And in production mode, will this limit increase? Because if I need, in a specific situation, to update a value more frequently than 5 times per 15 seconds, is my only option to drop PlayFab altogether?

Same for number of entity objects, or Azure Function (Cloud Script) scripts size etc.

Also, I can't seem to find a limit on client calls to the ExecuteFunction() API. So I guess I can make as many calls as I want to my Azure Functions? And what if a corrupted client tries to make a LOT of calls to my Azure Functions, is there any kind of security to prevent the billing from skyrocketing?

And last question, a bit different from the others:
In my Azure Function project, I have "Helper" static classes (so not functions) with static methods used to process data, for example to check the validity of a string with Regex or whether a string is present in an Enum. Can there be a problem with concurrency? If two players run the same Azure Function at the same time and the Azure Functions call the same static (or not) method, is this okay and handled correctly by Azure with instances, or do I have to do something to prevent this? And if yes, what should I do please?

Sorry for the length but I couldn't find answers on the web.

Thanks for your help.

Made Wang answered

>> is it possible for a malicious player to modify my code and add client API calls like UpdateCharacterData() for example. As long as they have their character ID in memory, what prevents them from adding API calls?

This possibility is not excluded; you can refer to the discussions in "Playfab Client API Security With Unity SDK - Playfab Community" and "Methods to reduce the likelihood of cheating - Playfab Community". What you can do is check the validity of the data through Azure Function Cloud Script and then call the relevant write method.

>>Is there a way to prevent client from making API calls that are not initially implemented by me? I've seen in my Title Settings (in Game Manager) that I can disable client API calls. Is this the way? But if I do enable this option, won't my client login API and ExecuteFunction calls stop working? What are my options here?

Disabling client API access in Game Manager->Title settings->API Features will disable all client APIs. If there is no special requirement, please do not use it. You can disable the APIs you do not want clients to call by modifying the API Policy; refer to API Access Policy - PlayFab | Microsoft Docs.

>>are those limits only applicable in development mode, or will I be that limited even in production mode?

The title limits in Game Manager->Title settings->Limits have nothing to do with what mode you are in and whether you use Azure Function Cloud Script or not. So yes, you will be limited.

>>I see in Data Storage > Character data value updates per 15 seconds = 5 update operations. Are these limits only from the client, or also from Azure Functions? And in production mode, will this limit increase?

This refers to the limitation of the operation of updating character data, regardless of whether you are calling the API from the client, or the API called by Azure Function Cloud Script.

>>So I guess I can make as many calls as I want to my Azure Functions? And what if a corrupted client tries to make a LOT of calls to my Azure Functions, is there any kind of security to prevent the billing from skyrocketing?

PlayFab has a limit of 100 calls to the API per 2 minutes per client.

>>Can there be a problem with concurrency? If two players run the same Azure Function at the same time and the Azure Functions call the same static (or not) method, is this okay and handled correctly by Azure with instances, or do I have to do something to prevent this? And if yes, what should I do please?

I'm not an expert on Azure Functions; I suggest you seek professional support from Azure.
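
The API policy change this answer points to, as an added example that is not part of the original thread or PlayFab's own sample: a request body for the Admin `UpdatePolicy` API that denies two client data-write calls and leaves the login calls and `ExecuteFunction` untouched. `Client/UpdateCharacterData` is the call named in the question; `Client/UpdateUserData` and the comment strings are choices made for this example.

```json
{
  "PolicyName": "ApiPolicy",
  "OverwritePolicy": false,
  "Statements": [
    {
      "Resource": "pfrn:api--/Client/UpdateCharacterData",
      "Action": "*",
      "Effect": "Deny",
      "Principal": "*",
      "Comment": "Added example: character data is written only by the validating Azure Function"
    },
    {
      "Resource": "pfrn:api--/Client/UpdateUserData",
      "Action": "*",
      "Effect": "Deny",
      "Principal": "*",
      "Comment": "Added example: player data is written only by the validating Azure Function"
    }
  ]
}
```

The Azure Function writes through the Server API, which is a different resource from the `/Client/` entries denied here, so the validated write path keeps working. The policy in effect can be read back with the Admin `GetPolicy` call.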

niardev commented

Hey, thank you for your answer. API Access Policy is very interesting!

Regarding PlayFab limits, especially storage: I have difficulty understanding all the storage possibilities offered by PlayFab (Player Data, Character Data, Entities...).

I intend to use PlayFab for an RPG. A player can have multiple characters and each character has its own inventory. This inventory can be pretty big if the player is a hoarder.

Inventory items can be basic resource items like wood, consumables like an HP potion (with potentially multiple KVPs like "quantity owned", "amount of HP recovered" or "cooldown") and, of course, equipment. Equipment could have a lot of KVPs, one for each stat provided (could be 10 different stats), rarity, quantity owned, etc.

And I'm just talking about inventory. Some currencies are player-wide, some are character-wide.

Also, players will store about 200 different values (nested or not), like their personal space (house) configuration, etc.

Is there a suitable way to store this kind of data (especially regarding limits) while still being able to request that data quickly? Or is the only solution an external database?

Made Wang answered

>>Inventory items can be basic resource items like wood, consumables like an HP potion (with potentially multiple KVPs like "quantity owned", "amount of HP recovered" or "cooldown") and, of course, equipment. Equipment could have a lot of KVPs, one for each stat provided (could be 10 different stats), rarity, quantity owned, etc.

You can use the Catalog and the player's Inventory to store this data, refer to Catalogs - PlayFab | Microsoft Docs. You can define the type of item, whether it is a consumable or not, and other custom data. The limit that exists is that the sum of the number of items in all catalogs is 3000.

>>Some currencies are player-wide, some are character-wide.

PlayFab allows you to define up to 10 currencies.

>>Also, players will store about 200 different values (nested or not), like their personal space (house) configuration, etc.

You can store this data in Player Data, refer to Player Data - PlayFab | Microsoft Docs. There is no explicit limit to the total number of key-value pairs in Player Data, but it should be kept as small as possible because 1) only 10 pairs of data can be updated at a time, and 2) every read/write will affect the meter. You can refer to our meter system (Pricing Meters - PlayFab | Microsoft Docs) and the best practices guide (PlayFab Consumption Best Practices - PlayFab | Microsoft Docs). In addition, the size of each key in Player Data is limited to 100 bytes, and the size of each value is limited to 300000 bytes. For larger data you can use Entity Files for storage, refer to Entity files - PlayFab | Microsoft Docs.
