kristupasstumbrys asked

Server authentication for Cloud Scripts and PlayStream events

I'm creating a separate server that uses PlayFab to authenticate users that are connecting from a client Unity app. I'm using AuthenticateSessionTicket to do it, and I need to provide the request headers with the server secret key. Everything works well until I want to update some statistics for leaderboards. My three approaches would be:

Use GetPlayerStatistics, bump up the values that I need and resubmit them with UpdatePlayerStatistics. This approach is cumbersome since I need an async request from PlayFab or to store data between multiple updates.

Use Cloud Scripts with an internal function that can do the same thing, but would be called for a pair of users: who won, who lost, etc...

Use PlayStream events that have a built-in increase leaderboard stat Action.

I would prefer to use the last option, but there is no way to differentiate if a user or a server is calling the event. My only solution would be to pass yet another, self-maintained secret as a parameter for either the cloud script handler or PlayStream Rule (condition).

This isn't suggested anywhere although I think this is the obvious solution, unless there is another way to block some events from being client called (which would be the best option in my opinion). Can anyone elaborate why it was set up this way? Conditions are not documented anywhere, which doesn't help either.


1 Answer

brendan answered

For statistics, we have multiple aggregation methods, so that you don't have to do the read-then-write pattern. For example, if you want to just add something to whatever their current value is, you could use "Sum" aggregation. Alternately, if you want to only have the player's highest score be the one that's kept, you could use "Max" aggregation. That would be my primary recommendation for most titles, unless you have more complex, custom aggregation needs.

For Cloud Script handlers which are triggered from PlayStream, there's a bit more info here, and we'll have a write-up available for this soon, but the short answer is that the event info is all in the context passed into the handler (context.playStreamEvent, specifically), allowing you to use that information.

We definitely recommend that you not turn on the Client statistics update API calls (or the Client VC update API calls), as that effectively guarantees cheating for any game with a non-trivial player base. You are correct that there's no difference between the statistic update event whether the call is from the client or the server, as it is the same operation.


kristupasstumbrys commented

Thank you for the answer.

Can you elaborate on how to invoke "Sum" or "Max" aggregation? Is it still called by UpdatePlayerStatistics? I can't find where it goes in the docs (the StatisticUpdate model has only 3 parameters). Please provide an example.

And of course I won't grant clients the ability to call statistics updates, since I'm trying to shift as much logic (that updates stats) to the server as possible :)

brendan commented (in reply to kristupasstumbrys)

You can define the aggregation type for any statistic in the Game Manager (via the Leaderboards tab), or by using the UpdatePlayerStatisticDefinition Admin API call.

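The setup described in the answer and its follow-up comment, as an added example that is not part of the original thread or PlayFab's own code: the aggregation method is set once on the statistic definition with the Admin API, after which the game server submits only a delta or candidate score with the Server API. The title ID `ABCD`, the player ID, the `PLAYFAB_SECRET_KEY` variable name and the `aggregate` helper (a local model of the aggregation methods, not a PlayFab call) are assumptions; the requests are built but not sent.

```python
import json
import os
import urllib.request

TITLE_ID = "ABCD"  # constructed placeholder; use your own title ID

def playfab_request(path, body, secret_key):
    """Build (not send) a POST to a PlayFab Admin/Server endpoint.

    X-SecretKey is the title secret key. Keep it on the game server only
    (environment or secret store), never in the Unity client build.
    """
    return urllib.request.Request(
        f"https://{TITLE_ID}.playfabapi.com/{path}",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json", "X-SecretKey": secret_key},
        method="POST",
    )

def define_statistic(name, aggregation, secret_key):
    # One-time setup (assumes the statistic already exists): aggregation is a
    # property of the definition, so StatisticUpdate has no field for it.
    return playfab_request(
        "Admin/UpdatePlayerStatisticDefinition",
        {"StatisticName": name, "AggregationMethod": aggregation},
        secret_key,
    )

def report_result(playfab_id, stats, secret_key):
    # Per match: send only the delta (Sum) or the candidate score (Max).
    updates = [{"StatisticName": n, "Value": v} for n, v in stats.items()]
    return playfab_request(
        "Server/UpdatePlayerStatistics",
        {"PlayFabId": playfab_id, "Statistics": updates},
        secret_key,
    )

def aggregate(method, current, submitted):
    # Local model of how the service combines the stored and submitted values,
    # showing why no GetPlayerStatistics round trip is needed.
    return {"Last": submitted, "Min": min(current, submitted),
            "Max": max(current, submitted), "Sum": current + submitted}[method]

if __name__ == "__main__":
    key = os.environ.get("PLAYFAB_SECRET_KEY", "unset")  # assumed variable name
    for req in (define_statistic("Wins", "Sum", key),
                report_result("PLAYER_ID_PLACEHOLDER", {"Wins": 1}, key)):
        # Pass req to urllib.request.urlopen() to actually send it.
        print(req.get_method(), req.full_url, req.data.decode("utf-8"))
```
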