Answered

Restrict the individual API calls

Hello, how can I restrict the API so that GameSparks only uses a couple of parameters I defined beforehand on requests? For example, if someone calls the CreateChallengeRequest, he can optionally pass all parameters:


{
  "@class": ".CreateChallengeRequest",
  "accessType": "",
  "autoStartJoinedChallengeOnMaxPlayers": false,
  "challengeMessage": "",
  "challengeShortCode": "",
  "currency1Wager": 0,
  "currency2Wager": 0,
  "currency3Wager": 0,
  "currency4Wager": 0,
  "currency5Wager": 0,
  "currency6Wager": 0,
  "eligibilityCriteria": {},
  "endTime": "2017-04-10T17:11Z",
  "expiryTime": "2017-04-10T17:11Z",
  "maxAttempts": 0,
  "maxPlayers": 0,
  "minPlayers": 0,
  "silent": false,
  "startTime": "2017-04-10T17:11Z",
  "usersToChallenge": [
    ""
  ]
}
Can I restrict the request server-side and just take something like challengeShortCode, endTime, usersToChallenge and ignore the rest? Because it is a security vulnerability if the client can send more stuff than I need.


It would be possible by using Cloud Code, but then I get some problems with calling LogEvents without authentication.


Best Answer

Hey David,

A lot of those attributes are not actually required for the request to run properly. You can check out what is needed in the API doc here.
If you want to completely remove those attributes, you could create your own custom request (LogEventRequest) and call the original CreateChallengeRequest from that event.

Something like this...

// Build the CreateChallengeRequest in Cloud Code, setting only the fields we need
var req = new SparkRequests.CreateChallengeRequest();
req.challengeShortCode = "xyz";
req.endTime = new Date();
req.usersToChallenge = [];
// Send the request on behalf of the player who triggered the event
var resp = req.SendAs(Spark.getPlayer().getPlayerId());

Let me know if that answers your question.
Thanks,
Sean
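As an added example (not the thread's or GameSparks' own code), here is how the custom event Sean describes can be made to accept only an allow-listed, validated subset of the client's data, so that extra attributes such as wagers or accessType are never forwarded. The validation rules and the Spark.getData / setScriptError / setScriptData wiring are my assumptions about how the event is set up.

```javascript
// Allow-list of client-controlled fields, each with a validator
// (rules are constructed for this example; adjust to the game's needs).
var ALLOWED_FIELDS = {
  challengeShortCode: function (v) {
    return typeof v === "string" && /^[A-Za-z0-9_-]{1,64}$/.test(v);
  },
  endTime: function (v) { // must parse as a date and lie in the future
    return typeof v === "string" && !isNaN(Date.parse(v)) && Date.parse(v) > Date.now();
  },
  usersToChallenge: function (v) {
    return Array.isArray(v) && v.length >= 1 && v.length <= 8 &&
      v.every(function (id) { return typeof id === "string" && id.length > 0; });
  }
};

// Returns { ok: true, params } holding only the allow-listed fields, or
// { ok: false, error: { field, reason } } for the first missing/invalid one.
// Fields not in the allow-list (currency wagers, accessType, ...) are dropped.
function buildChallengeParams(data) {
  if (!data || typeof data !== "object") return { ok: false, error: { field: null, reason: "no data" } };
  var params = {};
  var names = Object.keys(ALLOWED_FIELDS);
  for (var i = 0; i < names.length; i++) {
    var name = names[i];
    if (!(name in data)) return { ok: false, error: { field: name, reason: "missing" } };
    if (!ALLOWED_FIELDS[name](data[name])) return { ok: false, error: { field: name, reason: "invalid" } };
    params[name] = data[name];
  }
  return { ok: true, params: params };
}

// Cloud Code wiring: runs only inside GameSparks, where the Spark and SparkRequests
// globals exist (assumed attached to a custom event the client calls instead of
// the raw CreateChallengeRequest). The server builds the real request itself.
if (typeof Spark !== "undefined") {
  var result = buildChallengeParams(Spark.getData());
  if (!result.ok) {
    Spark.setScriptError("challenge", result.error);
  } else {
    var req = new SparkRequests.CreateChallengeRequest();
    req.challengeShortCode = result.params.challengeShortCode;
    req.endTime = result.params.endTime;
    req.usersToChallenge = result.params.usersToChallenge;
    Spark.setScriptData("challenge", req.SendAs(Spark.getPlayer().getPlayerId()));
  }
}
```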


Hi David,


This is not possible server-side, unfortunately; the request parameters can only be restricted by the client-side interface.


Yes, you could call a LogEvent that would embed the CreateChallengeRequest inside of it. This requires authentication; however, so too does the regular CreateChallengeRequest. Have you been having problems trying to do this?


-Pádraig

Hey Pádraig & Sean, yep, that's what I was thinking about. There was no problem restricting a CreateChallengeRequest with a LogEventRequest, but it is impossible to restrict something like a RegistrationRequest or a DeviceAuthenticationRequest with a LogEventRequest, right? Because I'm not able to call LogEventRequests when not authenticated. I think we will start to authenticate every player first through his device and then optionally through Google/FB; that should solve the problem.

Hey David,

Yes, this should work for you; a lot of our customers will perform a device-auth to get info before using social authentication.
Let us know if you have any more questions.

Sean
