tinyflow asked

Server-authoritative design in PlayFab?

Hey,

I'm fairly new to BaaS and I wanted to ask how server-authoritative design works in PlayFab.

During my research I often read that it prevents people from cheating.

For example, if I want to save a highscore in PlayFab, I would send the temporary value of a variable in a request.

Would this be server-authoritative design? If it is, how does that prevent people from cheating?

Also, I'm confused about PlayFab's Economy providing security, since in a request you still need to send a local value/variable, which can be modified by the player?

I'd be really glad if someone can enlighten me.

Thanks in advance & best regards, TinyFloW
Tags: Player Data, Leaderboards and Statistics, In-Game Economy

1 Answer

Andy answered

The primary way in which we enable server-authoritative design (without you needing your own servers) is through cloud script. We allow you to heavily restrict the set of API calls your clients are allowed to make, but you can continue to allow them to call the ExecuteCloudScript API.

In the case of a stat update, for instance, your client would call a cloud script function you've written with a proposed update. Your function could then check the validity of the update. It could do bounds checking and update frequency checks. You could even call off to an Azure Function to do some additional processing or ML. If the checks succeed, then the cloud script writes the statistic on behalf of the player.

This same model works for economy, player data, and many other areas in which you, otherwise, would open your game up to malicious actors.

Let me know if you have additional questions about applying this kind of security. It's one of the ways developers of games on PlayFab can differentiate their titles without spending a bunch on server infrastructure.
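The check-then-write flow described in the answer above, as an added example that is not part of the original answer and not PlayFab's own code. The limits, the statistic name `HighScore`, the internal-data key and the function names `validateScore` and `submitScore` are assumptions chosen for illustration; the handler uses the classic CloudScript server calls `GetUserInternalData`, `UpdateUserInternalData` and `UpdatePlayerStatistics`.

```javascript
// Added example, not PlayFab's code. Limits, statistic name and data key are assumptions.
var LIMITS = { maxScore: 1000000, minIntervalMs: 10000, maxPointsPerSecond: 500 };
var STAT = "HighScore", LAST_KEY = "lastScoreSubmitMs";

// Pure decision: the client only proposes a value; the server-side clock and limits decide.
function validateScore(proposed, lastSubmitMs, nowMs) {
  if (typeof proposed !== "number" || Math.floor(proposed) !== proposed ||
      proposed < 0 || proposed > LIMITS.maxScore) {
    return { ok: false, reason: "out_of_bounds" };
  }
  var elapsedMs = nowMs - lastSubmitMs;
  if (elapsedMs < LIMITS.minIntervalMs) {
    return { ok: false, reason: "too_frequent" };
  }
  // A score cannot exceed what the time since the last accepted submission allows.
  if (proposed > (elapsedMs / 1000) * LIMITS.maxPointsPerSecond) {
    return { ok: false, reason: "implausible_rate" };
  }
  return { ok: true, reason: null };
}

// Handler body. `api` is CloudScript's global `server` object; it is injected here
// so the same function can be exercised with a stub outside PlayFab.
function submitScore(api, playFabId, args, nowMs) {
  var stored = api.GetUserInternalData({ PlayFabId: playFabId, Keys: [LAST_KEY] });
  var entry = stored.Data && stored.Data[LAST_KEY];
  var lastSubmitMs = entry ? parseInt(entry.Value, 10) : 0;
  var verdict = validateScore(args && args.score, lastSubmitMs, nowMs);
  if (!verdict.ok) {
    return { accepted: false, reason: verdict.reason }; // nothing is written
  }
  var data = {};
  data[LAST_KEY] = String(nowMs);
  api.UpdateUserInternalData({ PlayFabId: playFabId, Data: data });
  api.UpdatePlayerStatistics({
    PlayFabId: playFabId,
    Statistics: [{ StatisticName: STAT, Value: args.score }]
  });
  return { accepted: true, reason: null };
}

// Registration inside CloudScript (globals `handlers`, `server`, `currentPlayerId`):
// handlers.submitScore = function (args) {
//   return submitScore(server, currentPlayerId, args, Date.now());
// };
```

The last-submission timestamp lives in internal data, which clients cannot read or write, so the frequency check depends only on values the server recorded.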

4 comments

joel-1 commented ·

@andy, can we dig a little deeper?

We'd like to do a multiplayer server-authoritative design. After a game, we'd like to have the game server notify playfab, have playfab dole out rewards/xp/etc, and users be notified.

The current plan is this:

* Game ends, server notifies playfab

* Playfab records game, runs cloudscript to make reward decisions

* Players' clients wait a reasonable amount of time (0.5s?), then pull those decisions

Is there a different plan you'd suggest?

Andy ♦♦ joel-1 commented ·

The fact that you're running your own servers probably means you can eliminate some of the hassle of needing to call Cloud Script. Before clients disconnect from a server, the server can update stats and other player data directly in PlayFab without needing to go through Cloud Script. After the update, the server can send the results down to your client, or let them know they can query PlayFab for the update.

That, of course, assumes that you are in control of the server. If the servers are player-hosted, then your flow makes more sense. We're going to have pub-sub for events in the near future (3-ish months). That simplifies your last step, as you can just notify the client when new player data is available to grab from PlayFab.

joel-1 Andy ♦♦ commented ·

We have semi-control of the servers - they're run with a custom Photon Quantum plugin, but having them update the stats might be out of scope for the plugin. Let's assume we don't have control - what would you suggest?
