asked

Set PlayFab Settings Necessary. Shouldn't Be?

Using a brand new empty project (C++), built from source 4.24.2, for testing: it is impossible to send a properly crafted AuthenticateSessionTicket request without first calling Set PlayFab Settings, which requires filling in the TitleId and SecretKey with valid data. This of course opens up all builds to the threat of accidentally sharing said SecretKey with anyone you distribute builds to. As far as I knew, the reason for the PlayFab settings to be set in Project Settings > Plugins > PlayFab > Settings was to be able to target those variables out of the project when doing builds meant for distribution. If this is not the purpose and function of this, then what exactly is it for? And how are developers expected to automate the exclusion of security-risk variables such as the SecretKey?

answered

The version of Unreal Engine is the latest source release, which as of posting is 4.24.2, with the latest version of the PlayFab Unreal Plugin SDK (1.32.200218) as of posting. It would appear the PlayFab settings located in Project Settings > Plugins > PlayFab > Settings are broken and do not function, at least not for the AuthenticateSessionToken blueprint function in my experimentation. Posts found on these boards and elsewhere seem to support this hypothesis.

It is necessary instead to use the Set PlayFab Settings blueprint function to have the SDK recognize the variable settings first. After doing this, the AuthenticateSessionTicket blueprint function (among all the other functions dependent on these variables, one can surmise) will work as expected. These functions are all called from the server side for security. However, any inclusion of the SecretKey in variables located in classes that get distributed to clients, which is all classes as far as I can tell, is a big red flag, and indeed it can be found by poking around inside the .uassets storing those classes' variables.

A solution I decided to take yesterday involved making a variable that retrieves its string from a game.ini file, which in the end is not added and doesn't exist in the client-side version of the builds, thus leaving the variable empty. The game.ini holding the SecretKey is then placed only into the server's configs after the fact.

For me, I have managed to mitigate the risk and solve the problem. However, the original question is still relevant. Placing and using the Set PlayFab Settings function manually in an executed area of code is necessary for pretty much any aspect of the SDK to work correctly, thus negating the apparent purpose of entering and storing those variables in the project settings area of the project.

Also, upon further investigation, it would appear that the PlayFab plugin itself just places those variables (however unused) in the DefaultEngine.ini config of the project's Config directory. This would appear to be a glaring security hole as well, seeing as the DefaultEngine.ini IS commonly distributed with all builds of a given project, client and server, thus giving another location you need to carefully scrutinize for potential leaks of the key.

It would appear the entire SDK would be better off without that piece of code altogether, rather than the potential confusion that might swirl up around its implied or inferred usage, be overlooked, and end up a rather glaring security issue.

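The mitigation described in the answer above (a server-only config file that supplies the secret key, a client build in which that file is simply absent, and DefaultEngine.ini as a second place to check before shipping) can be turned into a small pre-packaging gate. The following is an added example, not code from the original post, from PlayFab or from Epic. It uses only the C++ standard library so it compiles outside Unreal; the INI section and key names are assumptions modelled on what the post says the plugin writes to DefaultEngine.ini, and the sample configs and the secret value are constructed placeholders.

```cpp
// Added example: a section-aware INI reader, a secret-key loader that tolerates
// the key being absent (the client case), and a check that a config destined
// for distribution carries no secret key.
#include <cctype>
#include <fstream>
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// ASSUMED names: adjust to whatever the plugin actually writes to your config.
const std::string kPlayFabSection = "/Script/PlayFab.PlayFabRuntimeSettings";
const std::string kSecretKeyName  = "DeveloperSecretKey";

static std::string trim(const std::string& s) {
    size_t b = 0, e = s.size();
    while (b < e && std::isspace(static_cast<unsigned char>(s[b]))) ++b;
    while (e > b && std::isspace(static_cast<unsigned char>(s[e - 1]))) --e;
    return s.substr(b, e - b);
}

// "section" -> (key -> value). Blank lines and ';' comments are ignored.
using IniData = std::map<std::string, std::map<std::string, std::string>>;

IniData parseIni(const std::string& text) {
    IniData data;
    std::string section;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        line = trim(line);
        if (line.empty() || line[0] == ';') continue;
        if (line.front() == '[' && line.back() == ']') {
            section = line.substr(1, line.size() - 2);
            continue;
        }
        size_t eq = line.find('=');
        if (eq == std::string::npos) continue;
        data[section][trim(line.substr(0, eq))] = trim(line.substr(eq + 1));
    }
    return data;
}

// Returns the secret key from INI text, or "" when the section or key is
// absent or empty. On a client build the server-only file never exists, so the
// caller gets an empty string rather than a crash or a shipped secret.
std::string loadSecretKey(const std::string& iniText) {
    IniData data = parseIni(iniText);
    auto sec = data.find(kPlayFabSection);
    if (sec == data.end()) return "";
    auto key = sec->second.find(kSecretKeyName);
    if (key == sec->second.end()) return "";
    return key->second;
}

// Same lookup from a file path; a missing file is treated as "no key".
std::string loadSecretKeyFromFile(const std::string& path) {
    std::ifstream f(path);
    if (!f) return "";
    std::stringstream buf;
    buf << f.rdbuf();
    return loadSecretKey(buf.str());
}

// Pre-packaging gate: true when a config that will be distributed to clients
// (for example DefaultEngine.ini) still contains a non-empty secret key.
bool configLeaksSecret(const std::string& iniText) {
    return !loadSecretKey(iniText).empty();
}

// Constructed sample configs; the key below is a placeholder, not a real secret.
const std::string kClientDefaultEngineIni =
    "[/Script/PlayFab.PlayFabRuntimeSettings]\n"
    "TitleId=ABCD\n"
    "DeveloperSecretKey=\n";

const std::string kLeakyDefaultEngineIni =
    "[/Script/PlayFab.PlayFabRuntimeSettings]\n"
    "TitleId=ABCD\n"
    "DeveloperSecretKey=PLACEHOLDER_SECRET_DO_NOT_SHIP\n";

int main(int argc, char** argv) {
    if (argc > 1) {
        // Usage in a build script: check the real DefaultEngine.ini and fail
        // the packaging step (non-zero exit) if a key is present.
        bool leak = !loadSecretKeyFromFile(argv[1]).empty();
        std::cout << argv[1] << (leak ? ": secret key present, do not ship\n" : ": clean\n");
        return leak ? 1 : 0;
    }
    std::cout << "client sample leaks: " << configLeaksSecret(kClientDefaultEngineIni) << "\n";
    std::cout << "leaky sample leaks:  " << configLeaksSecret(kLeakyDefaultEngineIni) << "\n";
    return 0;
}
```

Inside the Unreal project itself the loader would be a GConfig lookup against GGameIni, with the same rule applied: an empty result is the expected outcome on a client, and only the server deployment receives the file that populates it. The gate is worth running against every config the packaging step copies, not just the one the plugin is known to write to, since the post notes the key can also end up serialized into .uassets.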

Seth Du ♦ commented:

Thanks for your feedback. I have submitted a report to the team and will update if there are any updates.

franklinchen commented:

The fix should be published soon; please keep an eye on SDK release news. Thanks.

Seth Du answered

May I ask, are you using the Unreal SDK? Which versions of Unreal Engine and the SDK are you currently using? Are they all the latest?

As far as I know, if you are developing a game client, the secret key field should always be blank, and it is the same when using Set PlayFab Settings; for example, only set the title ID for some purpose. Meanwhile, if you are developing a server-side build, for example a multiplayer server build, it will be fine to directly input the secret key for server APIs, because players won't be able to access it.

In terms of the AuthenticateSessionTicket API, if you have a specific need to call this API from a client, you may use Cloud Script and pass the ticket as a parameter to a Cloud Script function for retrieving information.
