Question

trisibo asked

Unlink custom id on password reset

I'm making a game that requires email authentication (or no authentication). Since PlayFab's session ticket isn't valid when starting the game again, to avoid asking the player to log in every time, I'm implementing the solution suggested in other questions: generate and link a unique custom id, store it locally on the device, and log in with that.

The issue I see is that the custom id will basically exist forever, even if the player resets the password; as a user I'd expect not to be able to log in from anywhere without my email & password after resetting it. So I thought about adding a Cloud Script that unlinks the custom id when the password reset event is triggered, but there doesn't seem to be a way to do it from the server API, and it looks like I can't access the client API from a Cloud Script. Is there any way to do so, or other way to achieve what I want?

Tags: CloudScript, Authentication

1 Answer

brendan answered

The link/unlink API calls are specifically only for use from the Client API, as the auth model is designed to require a signed in user, for security. What would be best would be that when the user signs in after resetting the password, you'll want to update to a new Custom ID - so, call UnlinkCustomID to remove the old one, then LinkCustomID with a newly generated one.

2 comments

trisibo commented:

The problem is that once the user registers or logs in from a device, the next authentications are done automatically with the custom id, and there doesn't seem to be a direct way to know if the password has been reset, so there wouldn't be a "manual" log in.

About the Server API, wouldn't it be considered secure enough to be able to use authentication-related methods from it?

brendan commented (replying to trisibo):

I suppose "safety" would really better reflect the intent. The idea is that you're only unlinking an account type from an account which is currently logged in, to prevent errors/issues. In either case though, the API call in question is only available in the Client API at the moment, so it would need to be called from the client. One other possibility you could consider would be to simply unlink the Custom ID and generate/link a newly generated GUID on login, regardless.

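The rotation brendan's last comment describes (unlink the stored custom id and link a freshly generated one on every login) is shown below as an added example; it is not code from this thread or from the PlayFab SDK. The `StandInPlayFabClient` class is an in-memory stand-in constructed for the example, with method names that only echo the real LoginWithEmailAddress / LoginWithCustomID / LinkCustomID / UnlinkCustomID calls, and `device_store` is a plain dict standing in for the device's local storage. The security point it demonstrates is that rotating on each launch bounds the lifetime of any copy of the stored id: after the legitimate device's next sign-in, the earlier value no longer logs in. The order inside `rotate_custom_id` (link new, persist, then unlink old) is deliberate, so an interrupted rotation never leaves the device without a working id.

```python
import uuid


class StandInPlayFabClient:
    """In-memory stand-in for the PlayFab Client API (constructed for this
    example; not the real SDK)."""

    def __init__(self):
        self._accounts = {}   # email -> (password, PlayFab id)
        self._links = {}      # custom id -> PlayFab id it is linked to
        self._next = 1

    def register(self, email, password):
        playfab_id = f"PF{self._next:04d}"
        self._next += 1
        self._accounts[email] = (password, playfab_id)
        return playfab_id

    def login_with_email(self, email, password):
        stored = self._accounts.get(email)
        if stored is None or stored[0] != password:
            raise PermissionError("InvalidEmailOrPassword")
        return stored[1]

    def login_with_custom_id(self, custom_id):
        if custom_id not in self._links:
            raise PermissionError("AccountNotFound")
        return self._links[custom_id]

    def link_custom_id(self, playfab_id, custom_id):
        owner = self._links.get(custom_id)
        if owner is not None and owner != playfab_id:
            raise ValueError("LinkedAccountAlreadyClaimed")
        self._links[custom_id] = playfab_id

    def unlink_custom_id(self, playfab_id, custom_id):
        if self._links.get(custom_id) != playfab_id:
            raise ValueError("AccountNotLinked")
        del self._links[custom_id]

    def linked_custom_ids(self, playfab_id):
        return {c for c, p in self._links.items() if p == playfab_id}


def rotate_custom_id(client, device_store, playfab_id):
    """Swap the device's stored custom id for a fresh one. Link the new id and
    persist it locally before unlinking the old one, so a crash between steps
    never leaves the device with no id that still works."""
    old_id = device_store.get("custom_id")
    new_id = uuid.uuid4().hex
    client.link_custom_id(playfab_id, new_id)
    device_store["custom_id"] = new_id
    if old_id is not None and old_id != new_id:
        client.unlink_custom_id(playfab_id, old_id)
    return new_id


def sign_in_with_email(client, device_store, email, password):
    """Explicit sign-in (first install, or after a password reset): log in
    with credentials, then mint the device's custom id."""
    playfab_id = client.login_with_email(email, password)
    rotate_custom_id(client, device_store, playfab_id)
    return playfab_id


def resume_session(client, device_store):
    """Silent sign-in on the next launch. Returns None when the stored id is
    missing or no longer linked, i.e. the game must ask for email/password."""
    custom_id = device_store.get("custom_id")
    if custom_id is None:
        return None
    try:
        playfab_id = client.login_with_custom_id(custom_id)
    except PermissionError:
        device_store.pop("custom_id", None)   # stale id: drop it and fall back
        return None
    rotate_custom_id(client, device_store, playfab_id)
    return playfab_id


def demo():
    """Install, relaunch, rotate; returns facts about the outcome for checking."""
    client = StandInPlayFabClient()
    device_store = {}   # stands in for the device's local storage
    client.register("player@example.com", "correct horse")   # constructed account
    playfab_id = sign_in_with_email(client, device_store,
                                    "player@example.com", "correct horse")
    earlier_copy = device_store["custom_id"]   # the id as it sat on disk before relaunch
    resumed = resume_session(client, device_store)
    current_id = device_store["custom_id"]
    try:
        client.login_with_custom_id(earlier_copy)
        earlier_copy_still_valid = True
    except PermissionError:
        earlier_copy_still_valid = False
    return (resumed == playfab_id,
            current_id != earlier_copy,
            earlier_copy_still_valid,
            client.linked_custom_ids(playfab_id) == {current_id})


if __name__ == "__main__":
    print(demo())   # (True, True, False, True)
```

Rotation only happens when the legitimate device signs in again, so it narrows the window in which an old id stays valid rather than closing it; the thread's original request, a server-side unlink at password-reset time, is not addressed by this approach.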