robert asked

DeveloperSecretKey and Playfab Unity Editor Extension

In order to be able to download/upload the cloudscript with the Unity Editor Extension we have to enable the Admin API and provide the Developer Secret Key.

After enabling the Admin API with the checkbox the playfab shared settings object gets a new DeveloperSecretKey property which we set.

We now just wonder, when we make a build, will the extension remove the developer secret from the shared settings object before building? (using a pre-build handler), or, will the developer secret land in the binary which would be a huge security problem? (which would also mean for us not using the extension at all because we couldn't risk forgetting to remove the developer secret manually).

Thanks

marcowilliamspf answered

For Editor Extensions to utilize Cloud Script, and allow you to edit it and upload it to your title, you do not have to enable the Admin API. This ability is baked into the current Editor Features and does not use the SDK at all. The developer secret key is automatically set behind the scenes when you log in to Editor Extensions. These are in Editor scripts which are not included when you build.

You should disable the Admin API in your game client, and remove the developer secret key. If you are having issues with Editing Cloud Script via the Editor Extensions, that would be a separate issue (in which case, please do post the details).

robert answered

If we just log in to the editor extension with our mail and password and click import cloud script, we get the following exception:

NullReferenceException: Object reference not set to an instance of an object
PlayFab.PfEditor.PlayFabEditorDataService+PlayFab_SharedSettingsProxy.get_DeveloperSecretKey () (at Assets/PlayFabEditorExtensions/Editor/Scripts/Utils/PlayFabEditorDataService.cs:57)
PlayFab.PfEditor.PlayFabEditorDataService.get_ActiveTitle () (at Assets/PlayFabEditorExtensions/Editor/Scripts/Utils/PlayFabEditorDataService.cs:167)
PlayFab.PfEditor.PlayFabEditorHttp.MakeApiCall[GetCloudScriptRevisionRequest,GetCloudScriptRevisionResult] (System.String api, System.String apiEndpoint, PlayFab.PfEditor.EditorModels.GetCloudScriptRevisionRequest request, System.Action`1 resultCallback, System.Action`1 errorCallback) (at Assets/PlayFabEditorExtensions/Editor/Scripts/PlayFabEditorSDK/PlayFabEditorHttp.cs:55)
PlayFab.PfEditor.PlayFabEditorApi.GetCloudScriptRevision (PlayFab.PfEditor.EditorModels.GetCloudScriptRevisionRequest request, System.Action`1 resultCb, System.Action`1 errorCb) (at Assets/PlayFabEditorExtensions/Editor/Scripts/PlayFabEditorSDK/PlayFabEditorApi.cs:90)
PlayFab.PfEditor.PlayFabEditorToolsMenu.GetCloudScriptRevision () (at Assets/PlayFabEditorExtensions/Editor/Scripts/Panels/PlayFabEditorToolsMenu.cs:113)
PlayFab.PfEditor.PlayFabEditorToolsMenu.ImportCloudScript () (at Assets/PlayFabEditorExtensions/Editor/Scripts/Panels/PlayFabEditorToolsMenu.cs:98)
PlayFab.PfEditor.PlayFabEditorToolsMenu.DrawToolsPanel () (at Assets/PlayFabEditorExtensions/Editor/Scripts/Panels/PlayFabEditorToolsMenu.cs:26)
PlayFab.PfEditor.PlayFabEditor.OnGuiInternal () (at Assets/PlayFabEditorExtensions/Editor/PlayFabEditor.cs:142)
PlayFab.PfEditor.PlayFabEditor.HideRepaintErrors (System.Action action) (at Assets/PlayFabEditorExtensions/Editor/PlayFabEditor.cs:174)
Rethrow as TargetInvocationException: Exception has been thrown by the target of an invocation.
System.Reflection.MonoMethod.Invoke (System.Object obj, BindingFlags invokeAttr, System.Reflection.Binder binder, System.Object[] parameters, System.Globalization.CultureInfo culture) (at /Users/builduser/buildslave/mono/build/mcs/class/corlib/System.Reflection/MonoMethod.cs:232)
System.Reflection.MethodBase.Invoke (System.Object obj, System.Object[] parameters) (at /Users/builduser/buildslave/mono/build/mcs/class/corlib/System.Reflection/MethodBase.cs:115)
UnityEditor.HostView.Invoke (System.String methodName, System.Object obj) (at /Users/builduser/buildslave/unity/build/Editor/Mono/HostView.cs:272)
UnityEditor.HostView.Invoke (System.String methodName) (at /Users/builduser/buildslave/unity/build/Editor/Mono/HostView.cs:265)
UnityEditor.HostView.InvokeOnGUI (Rect onGUIPosition) (at /Users/builduser/buildslave/unity/build/Editor/Mono/HostView.cs:232)

at this location:

public string DeveloperSecretKey { get { return (string)_developerSecretKey.GetValue(null, null); } set { _developerSecretKey.SetValue(null, value, null); } }

From what we have seen the DeveloperSecretKey for this case is accessed via:

public static Type GetPlayFabSettings()

and in the PlayFabSettings we found this:

#if ENABLE_PLAYFABSERVER_API || ENABLE_PLAYFABADMIN_API
        public static string DeveloperSecretKey
        {
            set { PlayFabSharedPrivate.DeveloperSecretKey = value;}
            internal get { return PlayFabSharedPrivate.DeveloperSecretKey; }
        }
#endif

So, without investigating this in detail we came to the conclusion that one has to enable the server or admin API. Seeing the property in the shared settings file we got doubtful about this, hence this thread.

Great that the Admin/Server API is not required to upload the cloud script, now there is just the question why we get the null reference then.

Thanks

marcowilliamspf commented

Okay, thanks! This is definitely an issue with the new version of Unity + EE. We'll get on a fix for this right away.

lanpartygamesstudio answered

Sorry to revive this old thread but I was having the same concern as @robert.

So, by default PlayFabSharedSettings is an asset living inside a Resources folder:


This means that it will be included in every build since Unity always includes the contents of folders named "Resources" in the builds.

My concern comes from the fact that if we analyse this asset with a text editor we'll obviously find the Developer Secret Key there:

It is true that the PlayFabSharedSettings class code removes the DeveloperSecretKey field unless we enable Server/Admin APIs.

However my concern comes from the fact that if the PlayFabSharedSettings.asset file is included in the build it might still contain the secret key, even though it is not exposed by the PlayFabSharedSettings class.

The only possibility I can think of that would prevent this is if Unity re-serializes the assets using the current PlayFabSharedSettings.cs code which would indeed remove the secret key (if the compiler directives for Server/Admin APIs are not present). But if the build process just takes the asset as it is without further processing, I'd be worried the key is in fact being packed in the client's build.


So, should we manually remove the secret key from the settings asset when making a client's build?

Thanks a lot in advance!


captura2.jpg (15.4 KiB)
captura.jpg (82.0 KiB)
marcowilliamspf answered

@lanpartygamesstudio - Please take a look here: https://github.com/PlayFab/UnitySDK/blob/master/Source/PlayFabSDK/Shared/Models/PlayFabSharedSettings.cs

You'll notice that DeveloperSecretKey is not even available at compile time if these pre-processor directives are not defined: ENABLE_PLAYFABSERVER_API || ENABLE_PLAYFABADMIN_API || UNITY_EDITOR

This means that the .asset file will not contain any information for developer secret key when compiled as a GameClient. The property is not hidden, it simply does not exist if Server or Admin are not enabled.

So you shouldn't worry, you are not exposing the developer secret with client builds.
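
One way to check the question raised in this thread against an actual client build, as an added example (not PlayFab's or the posters' code): read DeveloperSecretKey from the text-serialized settings asset and search the build output for that value. The `Name: value` asset layout, the sample asset, the secret and the file names are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Field name taken from the thread; the "Name: value" text layout is an assumption.
KEY_LINE = re.compile(r"^[ \t]*DeveloperSecretKey:[ \t]*(.*)$", re.MULTILINE)

# Constructed sample asset and secret, not real values.
SAMPLE_ASSET = "MonoBehaviour:\n  TitleId: ABCD\n  DeveloperSecretKey: EXAMPLESECRET0123456789\n"

def secret_in_asset(asset_text):
    """Return the non-empty DeveloperSecretKey stored in the asset text, or None."""
    m = KEY_LINE.search(asset_text)
    value = m.group(1).strip().strip("'\"") if m else ""
    return value or None

def find_secret_in_build(build_dir, secret):
    """Return relative paths of build files containing the secret (UTF-8 or UTF-16LE)."""
    needles = (secret.encode("utf-8"), secret.encode("utf-16-le"))
    root = Path(build_dir)
    return [p.relative_to(root).as_posix()
            for p in sorted(root.rglob("*"))
            if p.is_file() and any(n in p.read_bytes() for n in needles)]

def check(asset_text, build_dir):
    """Combine both checks; an empty 'leaked_in' list means no raw match was found."""
    secret = secret_in_asset(asset_text)
    leaked = find_secret_in_build(build_dir, secret) if secret else []
    return {"asset_has_secret": secret is not None, "leaked_in": leaked}

def demo():
    """Run the check against a constructed fake build directory."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp, "Game_Data")
        data.mkdir()
        (data / "resources.assets").write_bytes(b"\x00hdr" + b"EXAMPLESECRET0123456789" + b"\x00")
        (data / "level0").write_bytes(b"\x00no secrets here\x00")
        return check(SAMPLE_ASSET, tmp)

if __name__ == "__main__":
    print(demo())
```

A hit is conclusive; a miss is not when the build's data files are compressed, since the raw bytes would then not appear in the scan.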
