What is the "Developer secret key" in PlayfabSharedSettings?
It doesn't match the secret key we have for server or admin APIs, and it doesn't match any other key shown in the playfab dashboard. Does the client API use an autogenerated key? What generates this field and what is it used for? Is it shown anywhere in the dashboard?
Best Answer
Hello everyone. It is good that you are concerned about the security of your title and your game, and I have carefully tested the situation you're asking about.
Here's the line of code that is concerning to everybody: https://github.com/PlayFab/UnitySDK/blob/master/ExampleTestProject/Assets/PlayFabSDK/Shared/Models/PlayFabSharedSettings.cs#L12
You can note the conditions where the value exists, and when it does not:
#ifENABLE_PLAYFABSERVER_API||ENABLE_PLAYFABADMIN_API||UNITY_EDITOR
UNITY_EDITOR exists anytime you're in the editor itself. And that's why you can still see the value.
I've tested this condition in the past and determined it's safe for client builds.
You can repeat my steps like this:
- In the EdEx panel, ensure that CLIENT is the only enabled API. (Entity can be enabled or disabled, it won't affect it either way).
- If you read all your local EDITOR files, such as the scriptable object, you'll see that developerSecretKey continues to exist. This is expected.
- If you make a client build, and enter the resources folder, open the <your_game>_data/resources.assets file in a binary hex editor (I used Beyond Compare 4).
- Search for your titleID, and it should clearly appear in the file, and you should see most of your other PlayFabSharedSettings values there. DeveloperSecretKey will not be there.
- Search other binary files, and you should not find any other PlayFabSharedSettings information
- Thus, you can confirm that you've found the right place in the right file, and that you won't accidentally publish your server secret to your clients.
This was tested earlier this year, with Unity 2017, a little before the release of 2018.
[UPDATE] I just retested with 2018.1.0b13 (My home computer is slightly out of date), and found that this is still true. I also made the test instructions a little clearer.
Well, just checking that ScriptableObject's code would have made that clear to me in a just a few seconds instead of losing my time, and worse, making others lose theirs. I don't know why I didn't do that first. Thanks, and my most sincere apologies, @Paul Gilmore and @Brendan
Please have a look at https://community.playfab.com/questions/810/209678127-Developer-Secret-Key-Title-ID.html
It sounds like the implication is that it's the server+admin api key - if that's true, why doesn't it match the API key that's shown in the playfab dashboard, the one we use for our other tooling?
The developer secret key should be your Secret Key from the Game Manager. It sounds like you're saying you're seeing something pre-populated, which shouldn't be the case. What exactly are you seeing in your developer secret key in your project?
I also have the "DeveloperSecretKey" in the "PlayFabSharedSettings" asset, after just selecting the studio in the editor extensions. I only have the client API enabled (no admin, server, etc.) From what you said, I assume that key shouldn't go anywhere near a public build; however, the "PlayFabSharedSettings" asset is in a "Resources" folder, so it will be added to builds with the key inside. What should I do in this case?
I am also interested in knowing how to deal with PlayFabSharedSettings in the Resources folder. I need ENABLE_PLAYFABADMIN_API to be enabled in editor and I was surprised when I realized admin calls also worked in play mode and on device. I could turn off ENABLE_PLAYFABADMIN_API when we ship, but I think the developer key would still be compiled into the app because it's in the Resources folder. I think I will need to fix this unless someone confirms that it doesn't work the way I think it does.
Oops, I meant to reply to @Trisibo. Can't figure out how to fix it.
@Brendan
Is this issue still in effect? The project has the Developer Secret Key and I don't see anyway to remove it. I assume it is stripped out on build - is that not the case?
Using the latest Editor extension
What issue are you referring to? The Unity build will only contain the Secret Key if one of the flags Paul mentioned is set in the code.
@Brendan I was just asking for further clarification because in an older thread you mentioned a removing the key when I asked something similar despite the key being auto-generated.
Yes, you should always make sure no Secret Key is shipped in your project. Since we support a wide variety of development engines and languages, the specifics of that are going to vary from project to project. If you're using our Unity SDK and Editor Extensions, the info from Paul above would be the right guidance.
