It doesn't match the secret key we have for server or admin APIs, and it doesn't match any other key shown in the playfab dashboard. Does the client API use an autogenerated key? What generates this field and what is it used for? Is it shown anywhere in the dashboard?
Hello everyone. It is good that you are concerned about the security of your title and your game, and I have carefully tested the situation you're asking about.
Here's the line of code that is concerning to everybody: https://github.com/PlayFab/UnitySDK/blob/master/ExampleTestProject/Assets/PlayFabSDK/Shared/Models/PlayFabSharedSettings.cs#L12
You can note the conditions where the value exists, and when it does not:
#ifENABLE_PLAYFABSERVER_API||ENABLE_PLAYFABADMIN_API||UNITY_EDITOR
UNITY_EDITOR exists anytime you're in the editor itself. And that's why you can still see the value.
I've tested this condition in the past and determined it's safe for client builds.
You can repeat my steps like this:
This was tested earlier this year, with Unity 2017, a little before the release of 2018.
[UPDATE] I just retested with 2018.1.0b13 (My home computer is slightly out of date), and found that this is still true. I also made the test instructions a little clearer.
Well, just checking that ScriptableObject's code would have made that clear to me in a just a few seconds instead of losing my time, and worse, making others lose theirs. I don't know why I didn't do that first. Thanks, and my most sincere apologies, @Paul Gilmore and @Brendan
Please have a look at https://community.playfab.com/questions/810/209678127-Developer-Secret-Key-Title-ID.html
It sounds like the implication is that it's the server+admin api key - if that's true, why doesn't it match the API key that's shown in the playfab dashboard, the one we use for our other tooling?
The developer secret key should be your Secret Key from the Game Manager. It sounds like you're saying you're seeing something pre-populated, which shouldn't be the case. What exactly are you seeing in your developer secret key in your project?
I also have the "DeveloperSecretKey" in the "PlayFabSharedSettings" asset, after just selecting the studio in the editor extensions. I only have the client API enabled (no admin, server, etc.) From what you said, I assume that key shouldn't go anywhere near a public build; however, the "PlayFabSharedSettings" asset is in a "Resources" folder, so it will be added to builds with the key inside. What should I do in this case?
I am also interested in knowing how to deal with PlayFabSharedSettings in the Resources folder. I need ENABLE_PLAYFABADMIN_API to be enabled in editor and I was surprised when I realized admin calls also worked in play mode and on device. I could turn off ENABLE_PLAYFABADMIN_API when we ship, but I think the developer key would still be compiled into the app because it's in the Resources folder. I think I will need to fix this unless someone confirms that it doesn't work the way I think it does.
Oops, I meant to reply to @Trisibo. Can't figure out how to fix it.
Is this issue still in effect? The project has the Developer Secret Key and I don't see anyway to remove it. I assume it is stripped out on build - is that not the case?
Using the latest Editor extension
What issue are you referring to? The Unity build will only contain the Secret Key if one of the flags Paul mentioned is set in the code.
@Brendan I was just asking for further clarification because in an older thread you mentioned a removing the key when I asked something similar despite the key being auto-generated.
Yes, you should always make sure no Secret Key is shipped in your project. Since we support a wide variety of development engines and languages, the specifics of that are going to vary from project to project. If you're using our Unity SDK and Editor Extensions, the info from Paul above would be the right guidance.
7 People are following this question.
