The idea is that users who pay the game have access to playfab via Steam login allowing them access to official matchmaking and progression, while users who just get the free demo play in a sort of "offline mode" only connected to steam itself so they don't cause any cost to use when it comes to API calls, servers and such. But I have some questions:
-Does steam login actually require full legitimate ownership of the game in your account? Or just knowing the steam id of the game? I am asking just in case crackers can fake a steam login with the full game ID instead of the demo ID and cause playfab costs trough calling API or even maliciously spamming them. Can the Steam ticket string be faked?
-Is there any login method that can require ownership of certain DLC? In this case we could, instead of the demo router, go trough the DLC route for the full version and integrate everything in the same App.
-And at last: How could we go about handing a dedicated server to players that they can set up and make compatible with playfab (client API)? I read that servers use some sort of Anonymous steam login so there is no actual check for ownership going on, right? So in this case, if we enable playfab for dedicated servers we could again encounter hackers who did not buy the game causing costs in API calls.