Montana Tuska asked

CloudScript ClientSide vs. ServerSide

So I've started working with CloudScript; it's awesome being able to avoid recompiling my game constantly to make a change. However, I am concerned about the security of using CloudScript. Mainly, the fact that we cannot specify certain CloudScript functions as server-callable only. I plan to use this to update player items and currencies after missions, but the idea that a client could call this function scares me. I am building in checks and balances so we don't get faked data, but that only helps so much. I'm hoping that this is an oversight on my part; maybe the context parameter could provide the API the call originated from?

And, as always, thanks for your time!


1 Answer

Joshua Strunk answered

This is pretty similar to this question:

Can the API Permission Policy be used to restrict specific CloudScript methods?

The gist is to just have your server code send a secret key/value in the args to your CloudScript calls.

2 comments

Montana Tuska commented

Yes, this is a possibility, but it seems more like a workaround/hack than a proper way to handle things. I believe the best way is how I already stated: simply providing an origination context stating if it's the Client/Server/Admin API.

Sorry about the duplicate though. I had searched for a while and apparently missed that thread.

brendan commented (replying to Montana Tuska)

No, that is in fact the correct way to manage this. Bear in mind that context is specific to Cloud Scripts triggered from a PlayStream action, and contains the event data that triggered the script (context.playStreamEvent) and the player profile of the player in question (context.playerProfile).

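The approach from the answer above, as an added example that is not part of the thread or PlayFab's own code: a CloudScript handler that refuses to grant anything unless the call's args carry a secret known only to the game server. The handler name, the `serverSecret` argument, the `ServerCallSecret` title internal data key, the `GC` currency code and the reward cap are assumptions, and the `handlers`, `server` and `currentPlayerId` stubs at the top stand in for the CloudScript runtime so the block runs in Node.

```javascript
// Stand-ins for globals the CloudScript runtime provides (constructed so this
// runs offline in Node; omit them when uploading the handler).
var handlers = {};
var currentPlayerId = "PLAYER_ID_PLACEHOLDER";
var granted = []; // records what the stubbed server API was asked to do
var server = {
  GetTitleInternalData: function (req) {
    return { Data: { ServerCallSecret: "constructed-sample-secret" } };
  },
  AddUserVirtualCurrency: function (req) {
    granted.push(req);
    return { Balance: req.Amount };
  }
};

var MAX_REWARD = 500; // assumed per-mission cap

// Compare two strings without stopping at the first differing character.
function constantTimeEquals(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || b.length === 0) return false;
  var diff = a.length ^ b.length;
  for (var i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % b.length);
  }
  return diff === 0;
}

// Hypothetical handler: only callers that present the server secret get a grant.
handlers.GrantMissionReward = function (args, context) {
  var expected = server.GetTitleInternalData({ Keys: ["ServerCallSecret"] })
    .Data.ServerCallSecret;
  if (!expected || !constantTimeEquals(args && args.serverSecret, expected)) {
    return { ok: false, error: "forbidden" }; // client call or wrong secret
  }
  var amount = Number(args.amount);
  if (!Number.isInteger(amount) || amount <= 0 || amount > MAX_REWARD) {
    return { ok: false, error: "bad amount" };
  }
  var res = server.AddUserVirtualCurrency({
    PlayFabId: currentPlayerId, VirtualCurrency: "GC", Amount: amount
  });
  return { ok: true, balance: res.Balance };
};
```

The secret belongs only in the game server's configuration and in title internal data; a copy compiled into the client build defeats the check.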