Currently I'm questioning myself and whether I am using the code APIs correctly. According to a tutorial I was watching, executing cloudscripts is supposed to be secure from hacking; however, I'm concerned that letting a client call ExecuteCloudScript on a cloud script that has an impact on things like progression is wrong. For example, I'm working on a quest system, and once a match is finished I update the quest progress with data from the match. Initially I was doing this with a client execute cloudscript, but then thought to myself: can't the client just call this whenever they want? Or am I overthinking that?
On the other hand, switching it to server confuses me as well, since I thought cloudscripts already ran on some form of server. Then my brain thinks: how can I test this without connecting to a server? Should I leave the client calls in the development builds so that I can make sure everything functions before trying to cook a server?
What about calling the client API from the authority?
Will that work, is that a way to secure that client call?
Does the server know about the client API?
What is the best practice on how to go about securing things in the game? This is coming from someone who is used to the Client/Server model in Unreal but trying to understand what is actually the secure route on the PlayFab side.
One game that ran into a lot of issues is Cycle The Frontier, where clients were able to add items and other game-changing things by themselves, and I want to try to avoid that since my game is progression-based.