question

jspane-1 asked

Custom password policy

I'd like to implement a custom password policy that is enforced when new users are registering. Since this is not natively supported, I assume I need my own custom cloud service that is called by the game.

The server calls RegisterPlayFabUser instead of the game.

To keep this secure I need to disable RegisterPlayFabUser so the client could never call it using Postman, thus bypassing my password policy. I see the access policy feature but I am unable to figure out the details of how to disable it for the client but not for my custom REST API. Can you give any guidance on that? Is this possible?

Thank you.


1 Answer

Seth Du answered

To disable the client API, you may use Admin API UpdatePolicy with the following request:

{
    "PolicyName": "ApiPolicy",
    "Statements": [
        {
            "Resource": "pfrn:api--/Client/LoginWithEmailAddress",
            "Action": "*",
            "Effect": "Deny",
            "Principal": "*",
            "Comment": "This statement denies login with email and password"
        }
    ],
    "OverwritePolicy": false
}

You may add any other API calls in the statements, as it is a list. To know more about the usage, please refer to https://docs.microsoft.com/en-us/gaming/playfab/api-references/api-access-policy. Make sure you call GetPolicy to double-check the current policy after all the updates have been done.
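The following Python script is an added example, not code from the answer above or from PlayFab. It builds the UpdatePolicy request for several Client APIs at once (the statement list form the answer describes, with the resource string written as in the answer), and implements the GetPolicy double-check the answer recommends: given a GetPolicy response, it reports which of the intended Client APIs are still not denied. The Admin endpoint URLs, the X-SecretKey header, and the data.Statements layout of the GetPolicy response are assumptions; the sample GetPolicy response is constructed for an offline run.

```python
"""Deny Client API calls via a PlayFab API access policy, then verify the result.

Added example; not code from the original post or from PlayFab.
Assumed: Admin calls are POST https://<TitleId>.playfabapi.com/Admin/<Method>
with the title secret key in an X-SecretKey header, and GetPolicy returns its
statements under data.Statements.
"""
import json
import os
import urllib.request

POLICY_NAME = "ApiPolicy"


def deny_statement(client_api: str) -> dict:
    """One Deny statement for a Client API, in the resource form used in the answer."""
    return {
        "Resource": f"pfrn:api--/Client/{client_api}",
        "Action": "*",
        "Effect": "Deny",
        "Principal": "*",
        "Comment": f"Deny Client/{client_api}; registration/login goes through the custom service",
    }


def build_update_policy_request(client_apis, overwrite: bool = False) -> dict:
    """UpdatePolicy body. Statements is a list, so several Client APIs are denied in one call.
    OverwritePolicy=False appends to the existing policy instead of replacing it."""
    return {
        "PolicyName": POLICY_NAME,
        "Statements": [deny_statement(name) for name in client_apis],
        "OverwritePolicy": overwrite,
    }


def denied_client_apis(get_policy_response: dict) -> set:
    """Client API names that a GetPolicy response denies to every principal."""
    statements = get_policy_response.get("data", {}).get("Statements", [])
    denied = set()
    for stmt in statements:
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") != "*":
            continue
        # "*" is the action used in the answer; "POST" is treated as equivalent (assumption).
        if stmt.get("Action") not in ("*", "POST"):
            continue
        resource = stmt.get("Resource", "")
        if "/Client/" in resource:
            denied.add(resource.split("/Client/", 1)[1])
    return denied


def missing_denies(get_policy_response: dict, client_apis) -> list:
    """The post-update check: which intended Client API denies are absent from the policy."""
    present = denied_client_apis(get_policy_response)
    return [name for name in client_apis if name not in present]


def call_admin_api(title_id: str, secret_key: str, method: str, body: dict) -> dict:
    """POST one Admin API call (assumed URL and header layout, see module docstring)."""
    req = urllib.request.Request(
        f"https://{title_id}.playfabapi.com/Admin/{method}",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json", "X-SecretKey": secret_key},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed GetPolicy response for the offline run: only the login deny was applied.
SAMPLE_GET_POLICY_RESPONSE = {
    "code": 200,
    "status": "OK",
    "data": {
        "PolicyName": POLICY_NAME,
        "Statements": [
            {
                "Resource": "pfrn:api--/Client/LoginWithEmailAddress",
                "Action": "*",
                "Effect": "Deny",
                "Principal": "*",
                "Comment": "This statement denies login with email and password",
            }
        ],
    },
}

# The two Client APIs the question wants closed to direct client (e.g. Postman) calls.
TARGET_APIS = ["RegisterPlayFabUser", "LoginWithEmailAddress"]

if __name__ == "__main__":
    title_id = os.environ.get("PLAYFAB_TITLE_ID")
    secret_key = os.environ.get("PLAYFAB_SECRET_KEY")
    if title_id and secret_key:
        call_admin_api(title_id, secret_key, "UpdatePolicy", build_update_policy_request(TARGET_APIS))
        current = call_admin_api(title_id, secret_key, "GetPolicy", {"PolicyName": POLICY_NAME})
    else:
        current = SAMPLE_GET_POLICY_RESPONSE  # offline dry run on the constructed response
    print("still callable by clients:", missing_denies(current, TARGET_APIS))
```

With the two environment variables set, the script applies the denies and then reads the policy back; without them it runs against the constructed response, where it reports RegisterPlayFabUser as still open, which is exactly the gap a GetPolicy check after a partial update would reveal.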

2 comments

jspane-1 commented

Thanks for the response. This makes sense, but what I am confused about is how the server can make the call to LoginWithEmailAddress if it is turned off. Do I just call it with the API key even though LoginWithEmailAddress doesn't support it? Thanks.

Seth Du ♦ jspane-1 commented

Most Login-related APIs, along with the Link/Unlink APIs, are only available in the Client API, and the API access policy affects Client APIs. Hence, in a "server" or any other environment, once an API access policy has been defined, there is no way to call the restricted APIs unless server versions of the corresponding APIs are provided.

It is not a common scenario for the server to use the client's identities for login. The only supported server-side logins are LoginWithServerCustomId, LoginWithXbox and LoginWithXboxId, and those APIs cannot be restricted by the API access policy.
