question

Martin Brandel asked

Does anything specific need to be done to remove server API functionality from clients?

My client and server share the same game-logic script, which uses serverAPI functionality. Obviously, the client version does not run any serverAPI functions; however, if the client version still has server credentials, a bad actor could alter the script to run serverAPI functions. So my question is:

1. Does building the game as a client (I assume in Unity not ticking the "is server" box in build settings builds it as a client) remove any serverAPI credentials which can be exploited?

2. If not, what do I need to do to remove this issue?

I couldn't find any questions or mention of this in the documentation, so it seems like there should be an easy answer, although this seems rather important.

Thanks.

apis
2 comments

Seth Du ♦ commented ·

May I ask, are you implementing PlayFab in Unity? If you are using the PlayFab Unity Extension, as long as you don't hard-code the secret key in any script, you can uncheck "Enable Server API" in the extension to remove server functions.

0 Likes 0 ·
Martin Brandel (to Seth Du ♦) commented ·

Unity - Yes.

This does not work because I then get the error:

Assets\PlayFabSDK\MultiplayerAgent\PlayFabMultiplayerAgentView.cs(81,17): error CS0103: The name 'PlayFabMultiplayerAgentAPI' does not exist in the current context

And have errors in the shared server scripts where "PlayFabMultiplayerAgentAPI" and "PlayFabServerAPI" cannot be found.

I cannot remove those references unless I split the code-base.

If I have "Enable server API" ticked and make a non-server build, am I exposing my server secret key?

0 Likes 0 ·

1 Answer

Seth Du answered

PlayFabMultiplayerAgentAPI is part of GSDK, which is independent of the PlayFab SDK.

I highly recommend using the Platform Dependent Compilation feature of Unity to handle this requirement. You have to remove/comment out the references to the Server API and PlayFabMultiplayerAgentAPI so that you can uncheck "Enable server API" without any errors being reported in your script.

1 comment

Seth Du ♦ commented ·

If you enable server API and select a title in Unity Extension, it exposes the secret key.

0 Likes 0 ·
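
The Platform Dependent Compilation approach from the answer above, sketched as an added example that is not code from the thread or from PlayFab. It assumes Unity's `UNITY_SERVER` define (set for dedicated server builds) and the PlayFab SDK's `ENABLE_PLAYFABSERVER_API` scripting define; the class name, environment variable name and statistic name are hypothetical.

```csharp
// Added example: one shared game-logic script that compiles for client and server.
using UnityEngine;
#if UNITY_SERVER && ENABLE_PLAYFABSERVER_API
using System;
using System.Collections.Generic;
using PlayFab;
using PlayFab.ServerModels;
#endif

public class SharedGameLogic : MonoBehaviour   // hypothetical class name
{
    void Start()
    {
#if UNITY_SERVER && ENABLE_PLAYFABSERVER_API
        // Server build only: the key is read from the host environment at runtime,
        // so it is never hard-coded in a script that also ships to clients.
        PlayFabSettings.staticSettings.DeveloperSecretKey =
            Environment.GetEnvironmentVariable("PLAYFAB_SECRET_KEY"); // hypothetical variable name
        PlayFabMultiplayerAgentAPI.Start();
#endif
    }

    // Called by the shared logic on both sides; only the server build talks to PlayFab.
    public void OnMatchFinished(string playFabId, int score)
    {
#if UNITY_SERVER && ENABLE_PLAYFABSERVER_API
        var request = new UpdatePlayerStatisticsRequest
        {
            PlayFabId = playFabId,
            Statistics = new List<StatisticUpdate>
            {
                new StatisticUpdate { StatisticName = "HighScore", Value = score } // hypothetical statistic
            }
        };
        PlayFabServerAPI.UpdatePlayerStatistics(
            request,
            _ => Debug.Log("Statistic updated"),
            error => Debug.LogError(error.GenerateErrorReport()));
#else
        // Client build: no Server API or GSDK symbol is referenced, so the script
        // still compiles with "Enable Server API" unchecked.
        Debug.Log($"Match finished locally: {playFabId} scored {score}");
#endif
    }
}
```

The guards only remove the call sites from client builds; as the comment above states, the secret key is still exposed if Server API stays enabled with a title selected in the extension, so that setting has to be off when the client is built.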
