What is the correct way to allow clients to modify their user stats while maintaining security?
Currently, we have a server that monitors game events. When a game event triggers (gaining exp, for example), the server notifies the clients to run game logic code that calculates how much exp the client should gain. Then, the clients make a Server API call to PlayFab to increase their exp.
Correct me if I'm wrong, but I think this approach has security flaws because clients may hack the game to increase their exp as much and as often as they want by abusing that Server API call.
As a potential fix, I've heard of people talking about letting clients execute Cloud Scripts and perform game logic there. However, our game logic for calculating how much exp/stats and stuff is quite complex, and I would prefer not having to move it into Cloud Script code and instead leave it as in-game logic.
Another possibility is that every time clients would make a Server API call to PlayFab to change their exp, they tell the server to do it instead. The server would use the client's PlayFab credentials to log in and update user stats. However, I don't know if this is possible.
What is the best way to enforce security when clients are executing API calls?
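
The server-side variant raised in the question, as an added example that is not part of the original post: the game server computes the exp for events it observed itself, and a client message can only reference an event id the server issued, once. `ExpAuthority`, `calc_exp` and `send_update` are hypothetical names; `send_update` stands in for the server's own PlayFab call, made with a key that is never shipped in the client.

```python
import secrets

class ExpAuthority:
    """Runs on the game server. Clients never supply an exp amount."""

    def __init__(self, calc_exp, send_update):
        self.calc_exp = calc_exp        # existing game logic, executed server-side
        self.send_update = send_update  # hypothetical wrapper around the PlayFab server call
        self.pending = {}               # event_id -> (player_id, exp) for server-observed events

    def on_game_event(self, player_id, event):
        """Called by the server's own event monitor, never from a client message."""
        event_id = secrets.token_hex(16)  # unguessable id, so clients cannot mint grants
        self.pending[event_id] = (player_id, self.calc_exp(event))
        return event_id                   # sent to the client for display/ack only

    def on_client_ack(self, player_id, event_id, claimed_exp=None):
        """player_id must come from the authenticated session, not the message body.
        claimed_exp is accepted only to show that it is ignored."""
        grant = self.pending.get(event_id)
        if grant is None or grant[0] != player_id:
            return 0                      # unknown, replayed, or another player's event
        del self.pending[event_id]        # single use: a replay finds nothing
        exp = grant[1]
        self.send_update(player_id, exp)  # server applies its own number
        return exp

def demo():
    """Constructed scenario: one real event, then tampered client messages."""
    sent = []
    def calc(ev):  # stand-in for the real game logic (constructed values)
        return {"kill": 50, "quest": 200}[ev["type"]] * ev.get("level", 1)
    auth = ExpAuthority(calc, lambda pid, exp: sent.append((pid, exp)))
    eid = auth.on_game_event("player-A", {"type": "kill", "level": 3})
    results = [
        auth.on_client_ack("player-B", eid),                      # wrong player
        auth.on_client_ack("player-A", eid, claimed_exp=999999),  # inflated claim ignored
        auth.on_client_ack("player-A", eid),                      # replay of same event
        auth.on_client_ack("player-A", "f" * 32),                 # made-up event id
    ]
    return results, sent

if __name__ == "__main__":
    print(demo())
```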