I'm creating a separate server that uses Playfab to authenticate users that are connecting from client Unity app. I'm using AuthenticateSessionTicket to do it, and I need to provide the request headers with server secret key. Everything works well until I want to update some statistics for leaderboards, my three approaches would be:
Use GetPlayerStatistics, bump up the values that I need and resubmit them with UpdatePlayerStatistics. This apporach is cumbersome since I need an async request from Playfab or to store data between multiple updates.
Use Cloud Scripts with an internal function that can do the same thing, but would be called for a pair of users: who won, who lost, etc...
Use PlayStream events that have a built in increase leaderboard stat Action.
I would prefer to usse the last option, but there is no way to differentiate if a user or a server is calling the event. My only solution would be to pass yet another, self-maintained secret as a parameter for either the cloud script handler or PlayStream Rule (condition).
This isn't suggested anywhere although I think this is the obvious solution, unless there is another way to block some events from being client called (which would be the best option in my opinion). Can anyone elaborate why it was set up this way? Conditions are not documented anywhere, that doesn't help too.