Martin Brandel asked

Best practice for storing login-information for third party sites in cloudscript

Hello, for my game I plan to have players in the game be able to use in-game items to purchase physical game items (the game is both physical and digital). I am planning to do this through a third-party e-commerce solution by generating "Discount" codes through an HTTP request over cloudscript.

To do this I would obviously need to hold admin credentials/keys or a password for my third-party solution accessible in cloudscript to be able to generate my required codes.
What is the best practice for this?

Obviously storing username/password in plain text in the function is not ideal, but I do not have much experience with this sort of thing and can't seem to find much information on how to do this, although I assume anyone using third-party servers would need to hold credentials in some way as well?

Thanks.


1 Answer

Seth Du answered

In most cases, Cloud Script/Azure Function (CSAF) is safe. Any code included is only available to developers. The client will only see the contents of the callback result. Usually, it is something you return in the function. For security reasons, you may disable logging statements when the game is launched to avoid accidental leaks.

Besides, CSAF also has an argument “context”, which contains the caller information and how this CSAF is executed (whether it is directly called via API, or triggered in a Rule, or a Task).

Before any data is modified, you could add any necessary verification steps in CSAF to prevent abusive use. However, I highly recommend implementing Azure Functions instead of Cloud Script, where the credentials can be stored in the global configuration instead of being stored as plain text in the coding field. In addition, in some specific cases, Cloud Script execution will contain a null value for context. Please refer to the suggestions in this document: Securing Azure Functions | Microsoft Docs.

Feel free to let me know if you have any other questions on CSAF.

3 comments

Martin Brandel commented ·

For Cloud Script, would it be safe to store credentials in internal game data? Possibly salted with a code stored in a cloudscript function? Or would you recommend just having a cloudscript function "get credentials" or something to retrieve them as variables?

I have not come across Azure Functions in my development yet, I'd have to go through that from the start so probably will stick with cloudscript for now.

0 Likes 0 ·
Seth Du ♦ Martin Brandel commented ·

Does internal game data mean "Title Internal Data"? It is OK but not necessary. I think it will be fine to define it in the code of the function. As I have mentioned, clients can only access limited data via CSAF function execution. They won't be able to see any code. The concern is verification steps.

0 Likes 0 ·
Martin Brandel Seth Du ♦ commented ·

Alright, thank you.

0 Likes 0 ·
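
The setup the answer recommends (credentials read from the Function App's configuration, a null caller context rejected, and a verification step before the third-party call), as an added example that is not part of the original thread or PlayFab's own code. The setting name `SHOP_ADMIN_KEY`, the shop URL, and the `playerOwnsItem` and `httpPost` helpers are hypothetical, and the `CallerEntityProfile` / `FunctionArgument` field names are assumed from PlayFab's request body for Azure Functions.

```javascript
// Added example. Names marked "hypothetical" are assumptions, not PlayFab or shop APIs.
const SHOP_URL = "https://shop.example.invalid/api/discounts"; // hypothetical endpoint

// Dependencies are injected so the handler can be exercised offline:
//   env            - process.env in a deployed Function App (application settings land there)
//   playerOwnsItem - hypothetical server-side inventory check, resolves to a boolean
//   httpPost       - hypothetical HTTP client wrapper: (url, headers, json) => parsed response
async function issueDiscount(body, { env, playerOwnsItem, httpPost }) {
  // The secret comes from configuration, never from source code or the request.
  const apiKey = env.SHOP_ADMIN_KEY; // hypothetical setting name
  if (!apiKey) return { status: 500, body: { error: "not configured" } };

  // Caller context can be null or missing: refuse instead of acting for an unknown caller.
  // Field names below are assumed from PlayFab's Azure Functions request body.
  const profile = body && body.CallerEntityProfile;
  const playerId = profile && profile.Lineage && profile.Lineage.MasterPlayerAccountId;
  if (!playerId) return { status: 401, body: { error: "no caller context" } };

  // Verification step before any third-party call is made.
  const arg = body.FunctionArgument || {};
  if (typeof arg.itemId !== "string" || !(await playerOwnsItem(playerId, arg.itemId))) {
    return { status: 403, body: { error: "item not owned" } };
  }

  const res = await httpPost(SHOP_URL, { Authorization: `Bearer ${apiKey}` }, { itemId: arg.itemId });
  // Return only what the client needs; the key and the raw shop response stay server-side.
  return { status: 200, body: { code: res.code } };
}
```

In a deployed Function App, `env` would be `process.env`, and the key would be set as an application setting rather than committed with the code.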
