Cloud Script http request without logs

Question

question

Kamil Kopański asked Jan 24, '20

Cloud Script http request without logs

Is it possible to disable logging of timout error in cloud script when performing http request?

There is a major security breach when my http request to external server timeouts as in cloud function response we can see logs with full request including SECRET keys from headers.

My call is inside try/catch block but it logs anyway.

CloudScript

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Answer 1 · 2020-02-07T16:21:25Z

Kamil Kopański answered Feb 7, '20

FYI, issue has been resolved super-fast using ticket.

Quote from response:

"The fix has now been fully rolled out. Default behavior will no longer transmit full logs to clients.

If you need to transmit full logs for debug purposes, you may use the logRequest parameter in an HTTP request like so (the last word in the line):"

req = http.request('http://www.google.com:88', 'get',
'{foo:bar}', 'text/plain', null, true);

Notice the last bool "true" for logs to appear.

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Answer 2 · 2020-01-27T07:44:03Z

Sarah Zhang answered Jan 27, '20

It is not possible to disable the error log for CloudScript, but whether the error message is visible to the customer is controllable. Could you provide your detailed application scenarios? Who do you want to hide the log from, customers or administrators?

4

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Kamil Kopański commented · Jan 31, 2020 at 07:12 AM

Customers of course.

I would like to hide my secret keys for all players.

How to control visibility of logs?

0 ·

Sarah Zhang Kamil Kopański commented · Feb 03, 2020 at 09:49 AM

If you mean to hide the log from customers, you can try to not display the log in clients' game UI. The clients' code is controllable. Does it meet your demand?

0 ·

Kamil Kopański commented · Feb 03, 2020 at 03:54 PM

Absolutely not as this is very severe security breach!

If those logs are transmitted from server to client almost anyone can obtain my secret keys.

Also as we all know - client code (game) is not secure. Hacker can just download game and modify it to get secret keys.

I need to disable logs on server side. Especially those on which I have completely no control (http request timeout for example).

0 ·

Sarah Zhang Kamil Kopański commented · Feb 05, 2020 at 06:47 AM

PlayFab doesn't support to disable the error log for CloudScript. You can try to add a feature request to disable the CloudScript error logs to clients.

For your case, there is a temporary workaround. You can refer to the following CloudScript code.

handlers.makeHTTPRequest = function (args, context) {
    var headers = {
        "X-MyCustomHeader": "Some Value"
    };
    
    var body = {
        input: args,
        userId: currentPlayerId,
        mode: "foobar"
    };


    var url = "test";
    var content = JSON.stringify(body);
    var httpMethod = "post";
    var contentType = "application/json";

    var response = http.request(url, httpMethod, content, contentType, headers);
    return { responseContent: response };
};


handlers.makeHTTPRequesttest = function (args, context) {
    server.ExecuteCloudScript({
            PlayFabId: currentPlayerId,
            FunctionName: "makeHTTPRequest",
              GeneratePlayStreamEvent: true


        });
        
};

Then you can execute the CloudScript function "makeHTTPRequestTest" on clients. If so, the error log that contains Http request headers won't be returned to clients.

0 ·

question