I have a cloud script that awards experience to the user. This is called from our servers at the end of a game, but what's to stop a client running this cloud script too?
Why run a script from a server? Why not just call the relevant Server API endpoint from the server?
That said, if you want to make a call from a server and block clients from calling it, just have a generated GUID as a "secret key" that the server sends to the script. The client has no access to the server or script, so if the script is checking for that key, there's no way (short of someone in the team leaking it) for the client to be able to pass that test.
What I've done is create a random string on account creation and assign it to the player. When the client makes an important call to Cloud Script it first needs to obtain that random string from that player's read-only player data and send that through as a parameter. If the string doesn't match, it bans the player or doesn't execute the rest of the cloud function. Each time this is called the string is randomly generated and assigned again, so it will never be the same between two function calls.
I don't know if this is the best way, or if it actually is effective in the real world... But so far I feel it's working pretty well, as my main goal is to prevent packet manipulation.
So a player might be able to intercept a packet containing the key, modify it and send it through, but this can only be done once and there should also be other ways to validate it through time stamps since it takes a good 10-20 seconds at best to change the packet. Also, they can only do it once and get it right. If they mess up and their first attempt to send a packet with the wrong key fails they get banned instantly. :)