Hello, I saw on some posts that you should not use PlayFabClientApi calls, but call these things by calling CloudScript, which should do that on the server.
But what is the truth? What you should or shouldn't do by CloudScript and what can you securelly do in Unity calls by PlayFab SDK?
Cloud Script/Azure Function will be used when server side logic is necessary. Besides, Cloud Script can call server API and Azure Function is able to call all PlayFab APIs, which is not supported by the client. Developers will never want clients to store a Secret Key.
In the common gaming design, developers will need to disable some players’ permissions of updating certain data to ensure the fairness of all players, for example, statistics will be ranked in the Leaderboard and obviously, it shouldn’t be directly updated by the clients. Without Cloud Script/Azure Function, developers will need to host an external server, exchanging data with clients and call server API for the update. Migrating server API to the server is not enough, before the server API is called, developers will need to add more verification codes before server API is called, such as checking last update time, analyzing the score uploaded by the client is reasonable, etc.
>>What can you securely do in Unity calls by PlayFab SDK?
Basically most Client APIs will be fine. APIs categorized as Client API will have limited permission. For example, Player Data can be updated by client API because usually it stores players’ references settings, meanwhile Player Read-Only Data cannot be updated by client calls because they can be used for storing XP and Levels.
PlayFab also provides official Cloud Script usage samples on: https://github.com/PlayFab/PlayFab-Samples/tree/master/Recipes
So, If I understand, If I read data, I can use SDK methods securelly, and If I write data (increasing currency, giving items, increasing XP) I should use CloudScript executions? So why there is a method in SDK for increasing currency ballance, if it is not secure?
Such API is provided in Client API set, however, by default, it will be rejected due to the permission settings in [Game Manager] -> [Title Settings] -> [API feature]. PlayFab provide those settings for specific requirements of developers. Meanwhile, you may also use API policy to create customized Client API behavior.
3 People are following this question.
