Brant Steen avatar image
Brant Steen asked

GrantUserToCharacter Client vs. Server


I'm looking at the differences between the client and server APIs for GrantCharacterToUser:


In the client API, the character creation is tied to an inventory item. This happens to work nicely for me, so that I can tie character creation to purchasable character slots. I can make those slots consumable and they are automatically removed from the inventory on character creation/granting. Further, the existence of the item is CHECKED before allowing the grant to happen.

On the server however, the same functionality doesn't seem to exist. When I create a character there, it doesn't consume an item (or even seem to be tied to one).

Is there a reason for this? Is there some option for having it consume an item on the server side as well? And having it check for the item automatically?

10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

brendan avatar image
brendan answered

You've actually stated the exact reason the Character system was designed that way. The token is required when the call is made from the Client API, because otherwise a hacked client could simply create Characters whenever it wanted to. The Server API does not require this because it's server-side. So, it's only available from script (Azure Functions or legacy Cloud Script) or hosted servers that you create - which is not code your players would ever have access to. And since all the logic for server authoritative operations is 100% under your control, there's no need for the additional step. So that way, a game that only creates characters via their server code doesn't have to additionally create inventory items for the process.

10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Brant Steen avatar image Brant Steen commented ·

Thanks, that makes sense to me.

Just so that I'm clear though, for my own understanding: if the client has a call to a cloud function using ExecuteCloudScript, what would prevent a hacked client from calling the same function?

0 Likes 0 ·
brendan avatar image brendan ♦♦ Brant Steen commented ·

Absolutely nothing - it's still just a Web API call. What you need to do is have logic server-side that evaluates the data coming from the client to decide if it's valid. Cheat protection is an ongoing process where you continually evaluate to see if players have found new ways to cheat. When they do, you add in more protection, to cover the exploits found.

0 Likes 0 ·
Brant Steen avatar image Brant Steen brendan ♦♦ commented ·

Got it, thank you. That's what I assumed, I just didnt know if I was missing something.

Thanks for all your help!

0 Likes 0 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Error rendering WebPanel (widgets/consolidation-widget.ftl): org.hibernate.hql.internal.ast.QuerySyntaxException: AvailableConsolidation is not mapped [from AvailableConsolidation up where up.node = :node]