Canberk Soner asked

Server-only CloudScript function

I'd like to define cloudscript functions that can't be called from a client.

This document has some info but I think it is not complete:

context is an advanced parameter. In this example, it is null. See this guide (link pending) for more information. This parameter is server-controlled and safe.

What is the best way to accomplish this? If this is not possible, what are the possible workarounds?


1 Answer

Seth Du answered

As mentioned, “This parameter is server-controlled”, hence context is not a parameter that can be freely modified by users. In the documentation Writing Custom Cloud Script, the explanation of context has been given:

Context:

Second parameter to a handler function. Additional information about the request when it is triggered by a PlayStream event action, including the data from the event that triggered the action (context.playStreamEvent) and the profile data for the player associated with it. (context.playerProfile)

A workaround for your issue is to pass a secret key (make sure it is safe) to Cloud Script functions in order to determine if the request is legitimate.

5 comments

brendan commented ·

There's also a more complete explanation of the Context in this tutorial:

https://api.playfab.com/docs/tutorials/landing-automation/using-cloud-script-actions-with-playstream

1 Like 1 ·
Canberk Soner commented ·

Thanks for the info. So, I should generate an encryption key and store it in title internal data, then whenever a server-cloudscript is called, read it from title internal data and compare it with the function parameter.

0 Likes 0 ·
brendan commented (in reply to Canberk Soner) ·

Sure, you can either store it in Title Internal Data, so that you can compare that to what is sent in the data from your server, or you can store it in static data in the Cloud Script directly.

2 Likes 2 ·
Brent Batas (Lisk) commented ·

Can you explain a bit more how to pass a secret key from the client to cloudscript, securely? Can't someone just decompile the client code and see the secret key easily?

Edit: never mind, just realized in these cases, the client should never have access to the secret key if we're talking about server-only calls. Whoops, ignore this!

0 Likes 0 ·
brendan commented (in reply to Brent Batas (Lisk)) ·

Yes, the Client should never, ever have the Secret Key. For others, the context of this question was how to create Cloud Script calls that cannot be called from the client. So, using the Secret Key is a simple way to do this, if you're calling it from a server. If you're calling it from PlayStream Actions, the Context will contain the Event that triggered the script, which you can use to drive this logic.

1 Like 1 ·
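
The approach discussed in this thread, as an added example that is not part of the original posts and not PlayFab's own code: a handler that runs only when it was triggered by a PlayStream action or when the caller presents the secret stored in Title Internal Data. The key name `ServerCallSecret`, the `args.secret` field and the handler name `grantServerReward` are assumptions, and `handlers` and `server` are stubbed here so the sketch runs under plain Node.js.

```javascript
// Stand-ins for the CloudScript runtime globals (assumption: in a real title
// PlayFab supplies `handlers` and `server`, so these two stubs are dropped).
var handlers = {};
var server = {
  // Constructed sample store; the real call reads Title Internal Data.
  GetTitleInternalData: function (request) {
    return { Data: { ServerCallSecret: "constructed-sample-secret" } };
  }
};

// Compare two strings without returning at the first differing character.
function secretsMatch(given, stored) {
  if (typeof given !== "string" || typeof stored !== "string") return false;
  var diff = given.length ^ stored.length;
  for (var i = 0; i < given.length; i++) {
    diff |= given.charCodeAt(i) ^ stored.charCodeAt(i % (stored.length || 1));
  }
  return diff === 0;
}

// True only for PlayStream-triggered runs or callers that present the secret.
function isServerCall(args, context) {
  // Per the documentation quoted in the thread, context is server-controlled
  // and carries the triggering event when a PlayStream action runs the handler.
  if (context && context.playStreamEvent) return true;
  var result = server.GetTitleInternalData({ Keys: ["ServerCallSecret"] });
  var stored = result.Data && result.Data.ServerCallSecret;
  if (!stored) return false; // fail closed when no secret is configured
  return secretsMatch(args && args.secret, stored);
}

// Hypothetical server-only handler: rejects anything that is not a server call.
handlers.grantServerReward = function (args, context) {
  if (!isServerCall(args, context)) {
    return { ok: false, error: "forbidden" };
  }
  return { ok: true, amount: (args && args.amount) || 0 };
};
```

The check fails closed: a missing or empty stored secret rejects every non-PlayStream call instead of matching an empty `args.secret`.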
