Security auth question
Hello, I have a question about authentication across multiple servers using playfab. My game is supposed to use playfab mainly for auth, photon server (on-premises) for multiplayer and mysql database on another server.
What i want to achieve is client connects via playfab then i connect to photon server using PlayFabID as a userID and the photon server later manages mysql database based on userID (PlayFabID). Also i want my client to connect to mysql database (via php) in the same manner (using PlayFabID).
I guess it works, but it seems highly unsecure since someone can connect to mySQL database and photon server if he only knows a certain PlayFabID without logging to playfab.
Im not too familiar with authentications and stuff, so here is my question. How can I make a validation and make all these connections safe.
Best Answer
The short answer is that you will need to manage your own security for your SQL Database.
What you described is a custom logic that you need to roll for security and everything, and yes, correct that it's insecure. In terms of security, we do not support for Players who need to connect to your own MySQL database;
Please take a look at https://api.playfab.com/documentation/server/method/AuthenticateSessionTicket for AuthenticateSessionTicket - Validated a client's session ticket, and if successful, returns details for that user.
and
Gets a Photon custom authentication token that can be used to securely join the player into a Photon room. See https://api.playfab.com/docs/using-photon-with-playfab/ for more details.
Can you share what you are trying to accomplish? And why can’t you just use our datastore?
What i need is to store a cards collection (few hundred) and collections for each player and its easier for me to manage it through mysql. Im going to think about possible solution, just one last question to be sure. If I understand it correctly Im not able to run cloud script from external source without PlayFabSDK, or am I? What im thinking of is getting value out of cloud script function by using http request on my own. Thanks for answer.
If you're trying to call ExecuteCloudScript from your own server, yes, you can do that. You can use our SDK for that, but it's not a requirement - they're just simple Web API calls, so you can feel free to use your own custom code.
Regarding Cloud Script through HTTP request, here is the detailed info. https://api.playfab.com/docs/tutorials/landing-automation/writing-custom-cloud-script
