MGGD avatar image
MGGD asked

Communication with external payment server


I am trying to use a payment method in a specific country, but since it is not supported by Xsolla or Google, we need to implement it on our own.

The payment is basically phone payment. The user inputs their mobile number, and the server handles the rest. The provider sends an SMS to the user's phone.

In general, our approach will be something like this:

  1. Unity ->
  2. Send POST Request containing [Phone number, Playfab player ID, Player's Secret Key, Item ID] ->
  3. Our server will make the payment using the payment provider's API ->
  4. If success, the server will send [Player ID, Item ID, Player's Secret Key] to CloudScript ->
  5. CloudScript will add the item (using GrantItemsToUser) to the player's inventory ->
  6. CloudScript will send a message to the client with the associated player ID, telling the game what to do next (add which item to inventory ...etc).

It looks complex, but we have to use this specific payment provider ..

For more security, the client will only initiate the payment request, and receive the item result. The actual payment processing will be done between our server and CloudScript directly.

My questions related to this scenario are:

  1. Is there a better solution?
  2. Are there any security issues with this approach?
  3. What are the available ways to communicate with CloudScript from an external server?
  4. GrantItemsToUser needs an authentication with "SecretKey". Is this the user's secret key? Is it available to the client API ? Is sending it secure?
  5. Will this approach scale well with tens of thousands of players? (average player will make 1 purchase/day).
  6. Will the player's client get notified automatically that an item was added to their inventory, or is there a different method to do this?

I really appreciate your time and effort. Thanks a lot.

CloudScriptIn-Game Economy
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

Seth Du avatar image
Seth Du answered

As you have mentioned that you have to use that specific payment provider, the work flow of your payment is mostly fine. Here is some suggestions that may help improve it.

      >>Is there a better solution?

      Your solution is feasible, but needs improvement.

          >> Are there any security issues with this approach?

          The data in the communication should be encrypted and session ticket is not necessary.

              >>What are the available ways to communicate with CloudScript from an external server?

              You can call PlayFab API at your external server. PlayFab supports many platform and you just need to decide one to implement at your server. However you still need to figure out a solution to prevent users from abusive use. This is important, for example, you can verify the value or timestamp to see if it is reasonable.

                  >>About Player’s Secret Key

                  We believe Player’s Secret Key you mentioned is actually named Session Ticket, and you don’t have to contain the Session Ticket in the communication. It is because the server for payment and Cloud Script environment should be safe and able to use Server API, where only PlayFab ID is required in most cases.

                  In PlayFab, the concepts we have here are Developer Secret Key, Player Session Ticket, Entity Token. Both Player Session Ticket, Entity Token are generated only after a successful login.

                  You are able to send Session Ticket if you want, but we suggest not doing it unless there are specific needs.

                      >>1 purchase/day

                        It seems fine if one player does 1 purchase/day as long as your external server has capability to handle large numbers of requests. There will be issues if one player calls API too frequently within a short time, and in terms of your case, I believe PlayFab side can handle it.

                            >>Will the player's client get notified automatically

                              No, since you are using custom method for payment, you have to check it on your own. You can see this documentation as reference.

                              10 |1200

                              Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

                              MGGD avatar image MGGD commented ·

                              Thanks a lot!

                              Regarding the last question, will the player get notified that "an item was added to their inventory" event? i.e. Does GrantItemToUser send any event to the client of the granted user? If no, how can I notify the user (send some message from the server to a player client which has a given Player ID) ?

                              Thank you.

                              0 Likes 0 ·
                              brendan avatar image brendan MGGD commented ·

                              No, there's no "push" to the client at this time. So in your flow above, since your server is calling Cloud Script, that Cloud Script cannot send anything to the client - it would only respond to your server, which should notify the client. Also though, why are you using Cloud Script in this case at all? It would be more secure and reliable (not to mention simpler) for your server to use the Grant... API call directly, rather than proxy that through Cloud Script.

                              The Secret Key in the Grant call is actually the Secret Key for your game, which you can find in your title's Settings. It is required for any Server or Admin API call.

                              1 Like 1 ·
                              MGGD avatar image MGGD brendan commented ·

                              Thank you, Brendan.

                              That's a better solution indeed :)

                              The payment had some limitations, and so it had to remain unaware of any Playfab APIs. But, thankfully, things changed, and there is no need for these complications.

                              0 Likes 0 ·

                              Write an Answer

                              Hint: Notify or tag a user in this post by typing @username.

                              Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.