esk asked

Why is the currentPlayerId in Azure functions for cloudscript equal to the title player id, not the master account ID?

Everywhere it says that the currentPlayerId is the PlayFabID (which is the master account id), but for me it's the title player id! Is this documented somewhere?

CloudScript
esk commented ·

BTW using the C# sdk

Gosen Gao commented ·

Have you imported any external file? Is currentPlayerId from context? May I have your code for further research? Please remove any sensitive info.

esk commented ·

Well actually I'm looking at the source code here https://github.com/PlayFab/CSharpSDK/blob/d61ba9f23bf459e6b766bc3fd6b0945ede9ef553/Plugins/CloudScript/source/PlayFabFunctionContexts.cs#L2

It seems like currentplayer id is set to titleplayerid!! So this is intentional?? Why? And why isn't it documented? It's actually really inconvenient to have title player id instead of master player id since all the apis work with master player id, so I need to do get profile to get the lineage to get the master id.... I'd like to know if there is a reason for this before I ship my game! Or if it's still in beta and is going to be changed to use masterplayerid as the currentplayerid.

This is very important, please let me know. Thanks.

esk commented ·

I'm getting the currentplayerid from the functioncontext, just like in the tictactoe example:

                var context = await FunctionContext<MyPayloadType>.Create(req);

esk commented ·

In addition, another question I have is:

Isn't it insecure to be using contextInternal.CallerEntityProfile.Lineage.TitlePlayerAccountId to get the id? I was under the impression that currentplayerid was secure and only set if the invoker of the executefunction was authenticated from the client. Maybe I'm wrong, I don't know how the sdk works, but I'd like some peace of mind knowing that it is secure and trustworthy, and that I don't have to do my own validation to make sure the request is from an authenticated source. If not, what documentation/steps must I follow to make sure it's secure?

Seth Du answered

Hi @esk. As Gosen has mentioned, you have imported the preview PlayFabFunctionContexts.cs file in your project. If you look into this plugin script, it only encapsulates a few classes for Azure Function to handle different objects that the PlayFab API will use. It has no effect on security.

For both Azure Function and Cloud Script, there is "context" as an argument when this function is executed, where you can know the caller details and if it is event triggered or a task. Players cannot directly interfere with the "context", hence it is safe. You don't need to authenticate players because only with a valid entity token can a player call the ExecuteFunction API. What the function needs to validate is not login identity. It is other things, like when the function is called, whether the caller finished the game properly, or whether the uploaded value is valid.

In Cloud Script, you can directly use the keyword "context"; meanwhile, in Azure Function, all of the information is stored in the HttpRequest, and in this document -- PlayFab CloudScript using Azure Functions Quickstart Guide - PlayFab | Microsoft Docs -- you can see that the first thing to do in the code snippet is to define the context. Please try to return it directly or output it in the log.

To be clear, you are able to import any plugin scripts or helper classes, but we highly recommend using CS2AFHelperClasses.cs. PlayFab also provides documentation about it -- PlayFab CloudScript using Azure Functions Context Models - PlayFab | Microsoft Docs. If you have any further questions, please feel free to ask.

esk commented ·

This is slightly more convincing, but the fact that you use wording such as "I don't think" and "I believe" is rather concerning. I would rather you are 100% certain in your statements, so that if I get hacked one day down the line I can come back to this forum post and blame official Microsoft support for lying to me, and win a very lucrative lawsuit :)

Seth Du ♦ esk commented ·

Hi, I have updated my answer above. Please take a look. Thanks.

Gosen Gao answered

As you can see, the source code you mentioned is just for reference.

You can get PlayFabId directly from the requestBody of your Azure Functions. The path is requestBody.CallerEntityProfile.Lineage.MasterPlayerAccountId.

If you refer to the official documentation -- PlayFab CloudScript using Azure Functions Quickstart Guide - PlayFab | Microsoft Docs -- we recommend importing CS2AFHelperClasses.cs.
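
The body path described in this answer, as an added C# example that is not part of the original thread and is not PlayFab's own code: it reads both lineage IDs from an ExecuteFunction request body with System.Text.Json and fails closed when the lineage is missing. The `CallerIds` class, the sample JSON layout, the `playerId` argument and all ID values are assumptions constructed for illustration.

```csharp
using System;
using System.Text.Json;

public static class CallerIds
{
    // Reads the caller's IDs from CallerEntityProfile.Lineage in the request body.
    public static (string MasterPlayerId, string TitlePlayerId) FromRequestBody(string json)
    {
        using JsonDocument doc = JsonDocument.Parse(json);
        JsonElement root = doc.RootElement;

        // If the body carries no caller lineage, fail closed instead of
        // falling back to some other field.
        if (!root.TryGetProperty("CallerEntityProfile", out JsonElement profile) ||
            !profile.TryGetProperty("Lineage", out JsonElement lineage))
            throw new InvalidOperationException("No caller lineage in request body.");

        string master = ReadId(lineage, "MasterPlayerAccountId");
        string titlePlayer = ReadId(lineage, "TitlePlayerAccountId");
        return (master, titlePlayer);
    }

    // Returns a non-empty string property of the lineage, or throws.
    private static string ReadId(JsonElement lineage, string name)
    {
        if (lineage.TryGetProperty(name, out JsonElement v) &&
            v.ValueKind == JsonValueKind.String &&
            !string.IsNullOrEmpty(v.GetString()))
            return v.GetString();
        throw new InvalidOperationException($"Lineage has no {name}.");
    }

    public static void Main()
    {
        // Constructed sample body; every ID below is made up.
        const string body = @"{
          ""CallerEntityProfile"": { ""Lineage"": {
              ""MasterPlayerAccountId"": ""AAAA1111BBBB2222"",
              ""TitlePlayerAccountId"": ""CCCC3333DDDD4444"" } },
          ""FunctionArgument"": { ""playerId"": ""EEEE5555FFFF6666"" }
        }";
        var ids = FromRequestBody(body);
        // The hypothetical playerId in FunctionArgument is client-supplied and never read.
        Console.WriteLine($"master={ids.MasterPlayerId} titlePlayer={ids.TitlePlayerId}");
    }
}
```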

esk commented ·

What do you mean just for reference? Can you please answer my concerns about security? Surely using requestBody.CallerEntityProfile.Lineage.MasterPlayerAccountId is not safe? I want to use context.CurrentPlayerId because I am under the assumption that it is secure and cannot be modified by a malicious actor.

Also, if that class is recommended, why not include it in the sdk?

esk commented ·

Please can you get someone with more knowledge about this to answer, I feel as if you don't really know about this in depth enough, and this stuff is really important for us.

You said CS2AFHelperClasses is recommended, but in the quickstart it is only used for the playfab hello world sample, it is not recommended for all projects.

And in addition, that quickstart says "In the example, the CurrentPlayerId of the caller is available as it is in our traditional CloudScript implementation" which is wrong, because it is the title player id, not the master player id...

esk answered

You know what, I think I'm just going to give up and validate the authentication context entity token myself, and then get the master player account from that lineage. It's the only way I feel it's safe and secure, considering the horrendous lack of documentation...
