nfactorial asked

Forward user location

Hey, very new to PlayFab but haven't found anything on this previously.

I have a server application that authenticates with Facebook, written in Node.js. Before looking at PlayFab, I would cross-authenticate the user with Cognito in AWS. Currently I'm investigating switching over to PlayFab, which is going quite nicely so far.

Because our users are authenticating with my Node server, I am passing their successful login state to the PlayFab API "/Client/LoginWithFacebook" whilst supplying the authenticated Facebook ID and access token (I couldn't find an equivalent for use from the server).

During this research stage, I am running my server via CloudFront/Elastic Beanstalk in Ireland.

This has the result that all my PlayFab users are appearing as though they signed in from Ireland, which makes complete sense as that's where the API call is coming from.

I wondered if:
a) There was some simple way of forwarding the user's actual location (perhaps from an X-Forwarded-For header).

b) I was going about it all wrong (entirely possible, I'm just modifying my server code at the moment).

It's all working at the moment, it would just be nice if I could get the correct location in there.

Cheers


1 Answer

brendan answered

Right now, we're not using X-Forwarded-For - just the actual IP Address for the origin of the call.

But you do have a few options, still. Since you're using Facebook, you could just have the client use LoginWithFacebook, sending up the access token. Alternately, you could pass back a Custom ID that you assign to the player consistently across logins, so that the client could use LoginWithCustomId. Finally, of course, we can work with you on a custom contract where we would add a custom authentication path for you which would take a token that you pass back to the client, and which we use in a call to your service to look up the user. We'll be providing more options in future updates, as well.

10 comments

nfactorial commented ·

Hi Brendan, thanks for the information. Those were the alternatives I could come up with too.

Something we are doing (amongst others) is posting leaderboard scores from the game server rather than from the client, so the score comes from an authoritative machine. It seems that if the client has access to both the PlayFabId and the session token, it would be relatively simple to send a fake request to the PlayFab server with an entirely made-up score using simple JavaScript (our game clients are in the browser at the moment). Is there some security measure I'm missing to protect against that?

I guess it is possible to add some validation via CloudScript in some form (off the top of my head, I haven't looked deeply into that yet).

0 Likes 0 ·
brendan commented (replying to nfactorial) ·

Yes, the ability for the client to submit statistics for leaderboards (as well as add or subtract virtual currencies) is turned off by default for all titles, as that should be coming from an authoritative server call for most titles. Otherwise, you're pretty much guaranteed to see cheating. And yes, Cloud Script is one way to do that - quite a few titles are using it that way, doing boundary and time checks to see if a score is valid, for example.

1 Like 1 ·
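The boundary and time checks mentioned in the reply above can be expressed as a pure function that an authoritative server or a Cloud Script handler runs before it writes a statistic. This is an added example, not code from the thread or from PlayFab; the limits, field names and reason strings are assumptions chosen for illustration.

```javascript
// Added example: plausibility checks applied before a score is accepted.
// Every limit below is an assumed value; tune them to the actual game.
const LIMITS = {
  maxScore: 1000000,       // absolute upper bound for a single run
  maxPointsPerSecond: 50,  // fastest legitimate scoring rate
  minRunSeconds: 10,       // shortest run that can produce a score
  maxRunSeconds: 3600,     // longest run the game allows
  maxClockSkewSeconds: 5   // tolerance between reported end and server clock
};

// run: { score, startedAt, endedAt }, times in epoch milliseconds.
// startedAt should be the value the server recorded when the run began,
// not a value supplied by the client. nowMs is the server clock.
function validateScore(run, nowMs, limits = LIMITS) {
  const reasons = [];
  const { score, startedAt, endedAt } = run;

  // Boundary check: integer score inside the allowed range.
  if (!Number.isInteger(score) || score < 0 || score > limits.maxScore) {
    reasons.push('score_out_of_bounds');
  }
  if (!Number.isFinite(startedAt) || !Number.isFinite(endedAt)) {
    reasons.push('bad_timestamps');
    return { ok: false, reasons };
  }
  // Time checks: run length, end time not in the future, scoring rate.
  const seconds = (endedAt - startedAt) / 1000;
  if (seconds < limits.minRunSeconds || seconds > limits.maxRunSeconds) {
    reasons.push('run_duration_out_of_bounds');
  }
  if (endedAt - nowMs > limits.maxClockSkewSeconds * 1000) {
    reasons.push('end_time_in_future');
  }
  if (seconds > 0 && Number.isFinite(score) &&
      score / seconds > limits.maxPointsPerSecond) {
    reasons.push('score_rate_too_high');
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample: 900000 points in a 60 second run is rejected.
console.log(validateScore({ score: 900000, startedAt: 0, endedAt: 60000 }, 60000));
```

Rejected submissions are worth logging with their reasons, since repeated failures from one account are a useful cheating signal.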
Steve Falzon commented ·

Hi, I wondered if there has been any change in our ability to use x-forwarded-for headers?

If not, though this answer says not to edit the IP, currently the Azure CDN location is being picked up which serves no useful purpose. Can it be edited, at our own risk?

The way I've set things up I can get round the problem without too much pain but it's extra work, maintenance and probably cost with more api calls required.

@Brendan mentions custom solution. Is that option linked to pricing tier?

I'm on the free tier while testing but will move to paid when live. I'm trying to make the game without breaking-the-bank :), live however, I'm happy to pay for the peace of mind so if custom solutions are available in paid tiers please let me know. Happy to give you more info about Azure and on premise architecture and how it integrates with PlayFab though anything detailed would have to be private.

Thanks for your time

Steve

0 Likes 0 ·
brendan commented (replying to Steve Falzon) ·

No, there has been no change to the handling of IP Addresses in headers. In terms of changing the IP Address, we use the IP Address of the packet routing info, so that's not really an option. If you want to maintain your own set of data for IP/location, you certainly should if that's something your title needs.

That said, can you please provide a link to where you're saying I mentioned a "custom solution"? The developer support engineer that answered the question you linked above mentioned that the developer could create a custom solution of their own, but there's no hidden functionality for changing IP/location of the user.

0 Likes 0 ·
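For a title that keeps its own IP/location data as suggested above, the Node server has to pick the client address out of X-Forwarded-For without trusting entries the client can write itself. This added example (not code from the thread or from PlayFab) counts back from the right of the header by the number of proxies the operator controls; `trustedHops` and the sample addresses are assumptions.

```javascript
const net = require('net');

// Added example. trustedHops is an assumed deployment fact: the number of
// proxies you operate in front of the app (for instance CDN + load balancer),
// each of which appends the address of whoever connected to it.
// Anything to the left of the selected entry was supplied by the client or
// by unknown intermediaries and is ignored.
function clientIpFromXff(xffHeader, socketAddr, trustedHops) {
  const claimed = xffHeader
    ? String(xffHeader).split(',').map(s => s.trim())
    : [];
  // Full hop chain as seen by the app: header entries, then the TCP peer.
  const chain = claimed.concat([socketAddr]);
  const idx = chain.length - 1 - trustedHops;
  if (idx < 0) return null; // request did not traverse the expected proxies
  // Node may report IPv4 peers as IPv4-mapped IPv6 addresses.
  const candidate = String(chain[idx]).replace(/^::ffff:/i, '');
  return net.isIP(candidate) ? candidate : null;
}

// Constructed sample: client 203.0.113.7 -> CDN edge 198.51.100.20 -> LB 10.0.0.5.
// The leading 1.2.3.4 is an entry injected by the client and is not selected.
console.log(clientIpFromXff(
  '1.2.3.4, 203.0.113.7, 198.51.100.20', '10.0.0.5', 2));
```

A `null` result means the request arrived by an unexpected path or carried a malformed entry, so record no location for it rather than falling back to the leftmost header value.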
Steve Falzon commented (replying to brendan) ·

Hi @Brendan, the best answer to the original question in this post...

"Finally, of course, we can work with you on a custom contract where we would add a custom authentication path for you which would take a token that you pass back to the client, and which we use in a call to your service to look up the user"

0 Likes 0 ·