I'm working on making a game and I'm wondering if GameSparks is right for me.
In my game I will need to have a table of items each with a unique ID, I need players to absolutely NOT be able see these IDs, if so they could brute force unlock them for themselves. When players scan a QR code on certain real life products my app will query the table and check if that is a legitimate item QR (corresponds to the ID). If so the item is unlocked for the user in their game and the item in the table is given a "Locked" state, this is to prevent others from being passed around the same code and unlocking it as well. However, I want users to be able to trade that QR when they want to, so they have to be able to remove the "lock", trade it, which will then "lock" it again to another person. The virtual item is then transfered to the other person and removed from the first person. So essentially a loot system tied to real life objects and tradable.
All of this is also tied into a turn based mutiplayer game, but I see that you're more than suitable for that part.
So my question is, with your combination of cloud code and NoSQL tables does a system like I described work? How secure would that table of items I described be, because if someone found all the IDs and scanned them then a lot of real-world products would lose value. Whats the best way to implement this?
I think a system like this would work pretty well with a combination of using NoSQL and Cloud Code.
I think using a documents unique id generated when a documents is created is the best way of guaranteeing unique items.
1. Players could query a collection of items via a LogEventRequest, and in the query, omit the unique _id from being returned to the player. This can be done with the second argument to find.
2. Another LogEvent can run that will take the code scanned from the QR code and do a findOne against this collection, querying the unique _id. If correct, add the playerId of the player who scanned the code as the "owner" of this item (it could also flag this item as the players own via setting scriptData against the player).
3. The trade functionality can then be done in a separate LogEvent that would verify both the trading players _id and the recipients eligibility to use that code.
In regards to securing your data, the only interface to the Database from your players would be the interfaces you expose to the database from your own LogEventRequest. The only other way to retrieve the data would be for a player to use the NOSQL REST API, which requires authorisation that they will not have access to.
I would play around with this method on your own config and see if it meets your needs. If you have any other questions please let us know, or log a ticket!