Alexandre Ostapenko asked

Secret keys are not working as expected, secret keys have no effect?

Hi, I'm trying to use PlayFab with UE4 and have made the "getting started" blueprint, where the player is created if it does not exist. The problem is that I have disabled the "Developer key" secret key and created another one. I expected that player accounts would not be created without the active key, but no matter what I'm writing in the "Play Fab Secret Api Key" property, a new player is successfully created each time. So it looks like anyone who knows my TitleID will be able to create new players? What am I doing wrong? :)


Seth Du answered

There are 3 main genres of APIs in PlayFab: Client API, Server API and Entity API. What you have mentioned, the login-related APIs, are Client APIs, and they are designed for game players to access the PlayFab service. However, the login-related APIs are quite special among Client APIs because, for example, LoginWithCustomID only needs a proper request. Other APIs besides logins require a valid session ticket that is returned from login API calls.

Meanwhile, the secret key is an identity of the game developers, or we can say the game manager, to manage the game. Actions like updating player internal data, changing statistics and directly granting items can be done with the help of the secret key, which also means the secret key should not be exposed to any players. All the Server APIs and a part of the Entity APIs require secret keys to perform. Cloud Script is a good application scenario to make use of Server APIs.

I have noticed you are using UE4 for development. You may notice that when inputting a PlayFab API in the Blueprint, there can be 2 options, one under the server root and one under the client root.

Our suggestion is to avoid Server API usage in game clients, because storing the secret key in your client is not safe and there will be abusive uses when the key is leaked.

In addition, to get started quickly, we highly recommend using RESTful API testing tools like Postman to learn PlayFab. You may find more information here: https://docs.microsoft.com/en-us/gaming/playfab/sdks/postman/


Alexandre Ostapenko answered

Alright, it looks like I have wrongly understood the whole concept of secret keys :)

Now I have removed the secret key from the client, but the TitleID is still there. So now, if the "Create account" checkbox is checked, then a new player will be created.

Is there a way to restrict creation of new players from the client? To me this is not very safe. Sure, there are scenarios where players must be created directly from the client, but that's not my case. Or, if we can't disable player creation directly from the client, then maybe we can make some CloudScript to delete a player if the authentication has failed or if it has a wrong "CustomID"? Btw, I'm using Steam authentication, so "LoginWithCustomID" should be disabled somehow...


bp.jpg (411.7 KiB)
10 comments

Seth Du ♦ commented ·

Sure thing, you may disable it via API Policy, and the only way to edit it is to call the Admin API UpdatePolicy; the request is below. Since this is an Admin API, a one-time use, and there are some other concerns, you can use RESTful testing tools like Postman to quickly apply it, and it will take a few seconds to take effect. Also be aware that ENTITY GLOBAL TITLE POLICY in Settings -> API Features is different from API Policy; you can only check the API policy via the Admin API GetPolicy.

{
  "PolicyName": "ApiPolicy",
  "Statements": [
    {
      "Resource": "pfrn:api--*",
      "Action": "*",
      "Effect": "Allow",
      "Principal": "*",
      "Comment": "The default allow all policy"
    },
    {
      "Resource": "pfrn:api--/Client/LoginWithCustomID",
      "Action": "*",
      "Effect": "Deny",
      "Principal": "*",
      "Comment": "This will disable LoginWithCustomID"
    }
  ],
  "OverwritePolicy": true
}

0 Likes 0 ·
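To tie the answer above (client calls carry no secret, the secret key is developer-only) to this comment (the Deny statement for LoginWithCustomID), here is an added example in Python that is not from the thread or the PlayFab SDK. It evaluates the posted policy document locally, so you can confirm which calls it blocks before uploading it, and then builds the Admin/UpdatePolicy request with the secret key read from an environment variable on the developer's machine, next to a client login request that carries no secret at all. The endpoint form (https://{titleId}.playfabapi.com/...) and the X-SecretKey header follow PlayFab's REST conventions; the evaluation rule (any matching Deny wins over any matching Allow, nothing matching means denied) and the `is_allowed` helper are this example's own assumptions, not a statement of PlayFab's exact semantics.

```python
"""Local check of a PlayFab API access policy plus the admin request that applies it.

Added example, not PlayFab's code. The deny-wins evaluation rule is an assumption
made for this illustration; the request shapes follow PlayFab's REST conventions.
"""
import json
import os
from fnmatch import fnmatchcase

# The policy document posted in the thread: default allow-all plus one Deny.
API_POLICY = {
    "PolicyName": "ApiPolicy",
    "Statements": [
        {"Resource": "pfrn:api--*", "Action": "*", "Effect": "Allow",
         "Principal": "*", "Comment": "The default allow all policy"},
        {"Resource": "pfrn:api--/Client/LoginWithCustomID", "Action": "*",
         "Effect": "Deny", "Principal": "*",
         "Comment": "This will disable LoginWithCustomID"},
    ],
    "OverwritePolicy": True,
}


def _statement_matches(statement, resource, action):
    # "*" in Resource/Action is treated as a glob (assumption for this example).
    return (fnmatchcase(resource, statement["Resource"])
            and fnmatchcase(action, statement["Action"]))


def is_allowed(policy, api_path, action="*"):
    """True if a call to api_path (e.g. "/Client/LoginWithSteam") passes the policy.

    Assumed rule: any matching Deny blocks the call; otherwise at least one
    matching Allow is required. Principal is not modelled (all statements use "*").
    """
    resource = "pfrn:api--" + api_path
    effects = {s["Effect"] for s in policy["Statements"]
               if _statement_matches(s, resource, action)}
    return "Deny" not in effects and "Allow" in effects


def build_update_policy_request(title_id, secret_key, policy):
    """Admin API call to apply the policy. Runs on a developer machine only:
    the X-SecretKey header is exactly what must never ship inside a game client."""
    return {
        "method": "POST",
        "url": f"https://{title_id.lower()}.playfabapi.com/Admin/UpdatePolicy",
        "headers": {"Content-Type": "application/json", "X-SecretKey": secret_key},
        "body": json.dumps(policy),
    }


def build_client_login_request(title_id, custom_id, create_account=True):
    """Client login as the game would send it: TitleId and CustomId only, no secret.
    This is why a TitleId alone was enough to create players in the question."""
    return {
        "method": "POST",
        "url": f"https://{title_id.lower()}.playfabapi.com/Client/LoginWithCustomID",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"TitleId": title_id, "CustomId": custom_id,
                            "CreateAccount": create_account}),
    }


if __name__ == "__main__":
    # Placeholder title id; the secret key comes from the environment, never source code.
    title = os.environ.get("PLAYFAB_TITLE_ID", "TITLEID_PLACEHOLDER")
    secret = os.environ.get("PLAYFAB_SECRET_KEY", "SECRET_KEY_PLACEHOLDER")
    for path in ("/Client/LoginWithCustomID", "/Client/LoginWithSteam",
                 "/Server/UpdatePlayerStatistics"):
        print(f"{path}: {'allowed' if is_allowed(API_POLICY, path) else 'DENIED'}")
    req = build_update_policy_request(title, secret, API_POLICY)
    print(req["method"], req["url"])  # send with any HTTP client once the check looks right
```

Run the local check first; if `/Client/LoginWithSteam` shows as denied, the Resource pattern is wider than intended and the upload should be corrected before `OverwritePolicy: true` replaces the live policy. After applying it, Admin API GetPolicy (mentioned in the comment) is the way to confirm what is actually in effect.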
Seth Du ♦ commented ·

However, you should know that creating accounts basically won't have much negative effect on your title unless there is massive abusive use, and PlayFab won't charge you for redundant accounts. Simply not adding LoginWithCustomID code in your client will be fine. Client APIs only have very limited permissions, and most of the actions can be moved to Cloud Script, where you may add verification conditions. Still, denying LoginWithCustomID in API Policy is a good solution if it is demanded.

0 Likes 0 ·
Denzie Gray Seth Du ♦ commented ·

"Still, DenyLoginWithCustomID in API Policy is a good solution if it is demanded."

Have you guys added such a feature yet?

0 Likes 0 ·
Seth Du ♦ Denzie Gray commented ·

Yes. It is supported all the time. Please edit your API policy via UpdatePolicy admin API.

The details are listed in the above comments. You may also check the reference on: https://docs.microsoft.com/en-us/gaming/playfab/api-references/api-access-policy

1 Like 1 ·