lukaszszurgot asked

Securing Azure Function Calls from PlayFab: How to Restrict Access to Prize Table Only?

Hi,

I have set up a Prize Table linked to a Leaderboard, which in turn calls my Azure Function. To integrate this, I added my Azure function with its function key to PlayFab's CloudScript. This means my function can also be accessed through the ExecuteFunction API, allowing any player to trigger it. I need to ensure that only the Prize Table is able to call my API.

Usually, I would convert CloudScript context into a FunctionExecutionContext and verify that the CallerEntityProfile property indicates it is a title. However, I can't do that because the Prize Table triggers a PlayStream event, which doesn't indicate who initiated it. There's a common property called 'SourceType' that is set to 'BackEnd', but I'm not sure if that's enough to prevent players from calling my function themselves.

What's the best way to ensure, within my Azure Function, that only the Prize Table is calling the API and not a player?

CloudScript, Leaderboards and Statistics, Authentication, PlayStream

1 Answer

Neils Shi answered

PlayFab executes cloud scripts through several mechanisms, and different mechanisms require different contexts. If you want players to use the ExecuteFunction API to execute the script, then you need to use the context model “FunctionExecutionContext”. In your case, when the leaderboard is reset, the Prize Table will execute an Azure Function; you may then use the context model “PlayerPlayStreamFunctionExecutionContext”, so that players cannot call the ExecuteFunction API to execute the cloud script. For more info, please refer to https://learn.microsoft.com/en-us/gaming/playfab/features/automation/cloudscript-af/cloudscript-af-context#use-the-context-model-when-executing-in-the-context-of-a-player. In addition, since the players don't know the Azure Function which you set up for the prize table, they cannot call it.

1 comment

lukaszszurgot commented

Thank you for your response. You've cleared up my doubts :)

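One way to apply the check the answer describes inside the Azure Function, as an added example that is not part of the original thread or PlayFab's own code: it inspects the raw request body and fails closed on anything shaped like an ExecuteFunction call. The field names `PlayerProfile`, `PlayStreamEventEnvelope` and `EventName` are assumed from the context models in the linked documentation; the event name, the helper `classify_invocation` and the sample bodies are constructed.

```python
import json

# Field names are assumed from the context models in the linked PlayFab
# documentation; the event name is a constructed placeholder to configure.
ALLOWED_EVENTS = {"example_prize_table_event"}


def classify_invocation(body, allowed_events=ALLOWED_EVENTS):
    """Return (allowed, reason) for a raw request body. Fails closed."""
    try:
        ctx = json.loads(body)
    except (TypeError, ValueError):
        return False, "body is not valid JSON"
    if not isinstance(ctx, dict):
        return False, "body is not a JSON object"
    # ExecuteFunction calls carry the caller's entity profile.
    if ctx.get("CallerEntityProfile") is not None:
        return False, "invoked through ExecuteFunction"
    envelope = ctx.get("PlayStreamEventEnvelope")
    if not isinstance(envelope, dict):
        return False, "no PlayStream event envelope"
    if not isinstance(ctx.get("PlayerProfile"), dict):
        return False, "no player profile"
    name = envelope.get("EventName")
    if not isinstance(name, str) or name not in allowed_events:
        return False, "unexpected PlayStream event"
    return True, "PlayStream-triggered invocation"


# Constructed sample bodies (not captured traffic).
PLAYSTREAM_BODY = json.dumps({
    "TitleAuthenticationContext": {"Id": "TITLEID", "EntityToken": "placeholder"},
    "PlayerProfile": {"PlayerId": "PLAYER1"},
    "PlayStreamEventEnvelope": {"EntityId": "PLAYER1", "EntityType": "player",
                                "EventName": "example_prize_table_event"},
})
EXECUTE_FUNCTION_BODY = json.dumps({
    "TitleAuthenticationContext": {"Id": "TITLEID", "EntityToken": "placeholder"},
    "CallerEntityProfile": {"Entity": {"Id": "ENTITY1", "Type": "title_player_account"}},
    "FunctionArgument": {"rank": 1},
})

if __name__ == "__main__":
    for label, body in (("playstream", PLAYSTREAM_BODY),
                        ("execute_function", EXECUTE_FUNCTION_BODY),
                        ("garbage", "not json")):
        print(label, classify_invocation(body))
```

This separates PlayFab's two invocation paths only; the body is sender-controlled for anyone who holds the function URL and key, so the key has to stay known to PlayFab alone.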
