Tô Chí Thành asked

Is it safe to send a secret key by HTTP request from Cloud Script to a multiplayer server?

Hello all, I am planning to start an HTTP listener on the multiplayer server, and after that use CloudScript to send HTTP requests to that listener. Because I do not want other clients to be able to send requests, I am planning to verify a secret key before processing any request.

My CloudScript will send that secret key in the HTTP request URL (for example: http://10.123.123.11:3000/?key=xxxxxxxxx).

So my question is: Is it safe to send the secret key this way? Can a hacker catch my request from CloudScript to the PlayFab multiplayer server machine? If you have any better suggestions, please let me know.

Thank you a lot.

Tags: CloudScript, Custom Game Servers

1 Answer

Gosen Gao answered

Could you tell us what the scenario is? Cloud Script is aimed at providing server-side logic without manually hosting a server. Since you already have a game server, any actions you want to perform in the Cloud Script can be directly performed by the server build without any runtime limit. There is no need to add an additional HTTP listener in the server build for requests from Cloud Script.

3 comments

Tô Chí Thành commented

Hello, thank you for your reply.

My scenario is this: I use Photon Fusion to create a multiplayer game. After I request a multiplayer server, I need a way to communicate with that server to process some requests, like creating a room. Because I also do not want the client to communicate with the multiplayer server, that is why I use Cloud Script to verify whether the request from the client is valid or not; if it is valid, Cloud Script will send the request to the multiplayer server.

My solution is to implement a simple HTTP listener to handle requests from Cloud Script. The flow is:

- Client presses start game ==> sends to Cloud Script

- Cloud Script requests a multiplayer server and returns the server IP to the client.

- Client sends the room name and server IP to Cloud Script.

- Cloud Script uses an HTTP request (with the secret key) to ask the multiplayer server to create the room and return the result to Cloud Script

- Cloud Script gets the response from the multiplayer server and returns the result to the client

- If the room is created, the client calls the join room function to join the created room.

I do not want the client to catch the HTTP request from Cloud Script to the multiplayer server, get the secret key and communicate directly with the multiplayer server.

0 Likes

Gosen Gao commented, replying to Tô Chí Thành

CloudScript is a serverless service; its IP address is variable. And it is a black box for the client: the client cannot know that you are sending the HTTP request; they can only get what you want them to know. But CloudScript has a running time limit (10s if not triggered by actions); sending HTTP requests in it may be unstable. If an HTTP request fails to respond within the time limit, it may result in failure to execute subsequent code.

1 Like

Jeremy Rose commented, replying to Tô Chí Thành

I am currently working on something like this, and using an extra server secret in the auth header when making the HTTP calls to my servers. I would suggest using HTTPS. This should keep them from sniffing traffic if they are somehow able to get between the PlayFab server and your game server.

My reason for this is that I want to verify some things on the PlayFab servers (inventory, characters, login, etc.) and then pass on the data to my servers, keeping them hidden from the clients.

I may move some of the verification to my servers at some point to minimize time in the cloud code, but still keep the creation of the game in the database more protected. It wouldn't be hard to figure out the IP of my server. I may at some point try and see if it is possible to whitelist the incoming IP from the PlayFab side as well.

From my research, using a token type of system is basically how most security is being done. Or something like a JWT if you need to verify the contents as well.

And expect that you may have to change your secrets if they get compromised.

Oh, and a secret-key-based method is how PlayFab allows external REST calls to their restricted server APIs.

0 Likes
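The header-based secret check discussed in this thread, taken one step further as an added example (not code from any poster or from PlayFab): instead of placing the key in the URL, the caller sends an HMAC over the request plus a timestamp, so the secret itself never crosses the wire and a changed body fails verification. The header names, the `/rooms` path, the 30-second window and all sample values are assumptions made for illustration.

```javascript
// Added example: function names, header names and the window are hypothetical.
const crypto = require('crypto');

const MAX_SKEW_MS = 30 * 1000; // assumed freshness window for a request

// String covered by the MAC: method, path, timestamp and a hash of the body.
function canonical(method, path, timestamp, body) {
  const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
  return [method.toUpperCase(), path, String(timestamp), bodyHash].join('\n');
}

// Caller side: what the Cloud Script handler computes before the HTTP call.
function signRequest(secret, method, path, body, timestamp) {
  const mac = crypto.createHmac('sha256', secret)
    .update(canonical(method, path, timestamp, body)).digest('hex');
  return { 'x-timestamp': String(timestamp), 'x-signature': mac };
}

// Listener side (game server): true only for a fresh, untampered request.
function verifyRequest(secret, method, path, body, headers, nowMs) {
  const timestamp = Number(headers['x-timestamp']);
  const given = String(headers['x-signature'] || '');
  if (!Number.isFinite(timestamp)) return false;
  if (Math.abs(nowMs - timestamp) > MAX_SKEW_MS) return false;
  if (!/^[0-9a-f]{64}$/.test(given)) return false; // must be 32 bytes of hex
  const expected = crypto.createHmac('sha256', secret)
    .update(canonical(method, path, timestamp, body)).digest();
  // Constant-time comparison; both buffers are 32 bytes at this point.
  return crypto.timingSafeEqual(expected, Buffer.from(given, 'hex'));
}

// Constructed sample values, not taken from the thread.
const SECRET = 'constructed-demo-secret';
const BODY = JSON.stringify({ roomName: 'room-42' });
const T0 = 1700000000000;
const HEADERS = signRequest(SECRET, 'POST', '/rooms', BODY, T0);

function demo() {
  const check = (secret, body, now) =>
    verifyRequest(secret, 'POST', '/rooms', body, HEADERS, now);
  return {
    valid: check(SECRET, BODY, T0 + 1000),
    tamperedBody: check(SECRET, '{"roomName":"other"}', T0 + 1000),
    replayedLate: check(SECRET, BODY, T0 + 60000),
    wrongSecret: check('guess', BODY, T0 + 1000),
  };
}
console.log(demo());
```

A captured request is still accepted if replayed inside the window, so the listener would also need to remember a per-request nonce to reject duplicates; the body itself stays readable on the wire unless the call goes over HTTPS.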
