Securing player data updates
Hi all,
I'm new to PlayFab and I'm trying to set up a fairly lightweight POC.
Imagine that in my game, there are 10 levels. A player can unlock levels buy spending 10 virtual currency, and you have to unlock level 2 first before you can unlock level 3, and so on.
Let's say I store the amount of `unlocked_levels` in Player Data.
With a valid SessionTicket for my logged in user, I can now call `https://xxxx.playfabapi.com/Client/UpdateUserData` with body:
`{ "Data": {"unlocked_levels":4} }` and update the data.
Nothing stops malicious users from calling that endpoint though, so you can basically easily change the unlocked_levels data if you grab the SessionTicket for that user, without paying for it with Virtual Currency.
So this is probably not the way to go. What's the best practice to create this basic unlocking mechanic, based and purchases with Virtual Currency?
Best Answer
You can consider using Read-Only Player Data, then use the CloudScript to set it for players.
To set read-only KVPs, you must call the Server API UpdateUserReadOnlyData method from a server process. This is data that the server can modify, but the client can only read.
For the examples of how to set and get the Read-Only Player Data, please check the following documents.
How to set read-only player data - PlayFab | Microsoft Docs
How to get read-only player data - PlayFab | Microsoft Docs
For more details about CloudScript, please refer to the documents of CloudScript -- CloudScript quickstart - PlayFab | Microsoft Docs.
