question

Joe Fender avatar image
Joe Fender asked

Multiplayer inventory security

In my game (mobile, Unity) I am going to create a store where players can purchase items to customize their player avatar.

When they join a multiplayer game (servers are hosted via Photon, not PlayFab) all other players need to be made aware of what items are currently active. What's the best way to do this?

The client could send a JSON representation of which items they are wearing when joining the server but that would lack any security. Is there some API that the clients can call to get the currently worn items for other player IDs without needing an admin API key perhaps?

10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

·
Sarah Zhang avatar image
Sarah Zhang answered

>> When they join a multiplayer game (servers are hosted via Photon, not PlayFab) all other players need to be made aware of what items are currently active. What's the best way to do this?

Do you mean you want to let players see each other’s items, such as some equipment? If so, we would suggest you use Play Read-Only Data to store the corresponding items’ info. Then let players call Client API GetUserReadOnlyData to read other players’ item lists. Clients needn’t send the JSON to servers directly.

You can write a CloudScript function to verify whether the items they want to equip is in their Inventories. If the inventory contains the items, CloudScript can store the item lists to Player Read-Only Data. You can call server API GetUserInventory on CloudScript to get the player’s inventory. If you want to learn about how to set the Player Read-Only Data on CloudScript, you can check this documentation How to modify read-only or internal player data from CloudScript.

>> Is there some API that the clients can call to get the currently worn items for other player IDs without needing an admin API key perhaps?

As the first answer said, clients can call Client API GetUserReadOnlyData to read other players’ read-only data. If you want to let the specific K/V pair can be read by other players, please set the permission of the K/V pair as “Public”.

2 comments
10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Joe Fender avatar image Joe Fender commented ·

This is extremely helpful, thank you Sarah.

I'll be using login with Android Device ID and iOS Device ID automatically when players first open the app. Will there be any issues with that auth method and the use of the APIs you mentioned above?

0 Likes 0 ·
Sarah Zhang avatar image Sarah Zhang Joe Fender commented ·

Different login methods would not cause any issue. They will all return the SessionTicket that is the credentials for calling API.

0 Likes 0 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.