How to Secure Cloud Code Functions for Developer-Only Access in Unity UGS?

I am currently using the following module to upload custom data to Cloud Save, but the problem with this method is that it can be exploited and lacks security. How can I create code that only developers can use? Would the content at the following URL be relevant to this issue?

    [CloudCodeFunction(CloudCodeFunctions.SetGameData)]
    public async Task<SetItemResponse> SetGameData(IExecutionContext context, IGameApiClient gameApiClient, bool isPrivate, string customId, string key, object value)
    {
        if (isPrivate == true)
        {
            var response = await gameApiClient.CloudSaveData.SetPrivateCustomItemAsync(context, context.ServiceToken,
                context.ProjectId, customId, new SetItemBody(key, value));
            return response.Data;
        }
        else
        {
            var response = await gameApiClient.CloudSaveData.SetCustomItemAsync(context, context.ServiceToken,
                context.ProjectId, customId, new SetItemBody(key, value));
            return response.Data;
        }
    }

First and foremost by not embedding privileged calls in your published game! Instead create and use a developer-only servicing tool or frontend or webpage or just the cloud dashboard or the UGS CLI.

You should read the Access Control page and, further, the service account authentication page.

To secure your calls, or even to enable admin-only calls, you have to have a service account with the corresponding permissions created in the cloud dashboard. Being able to enter those credentials in your published app will enable attackers to try and authorize themselves.

At the very least this could be an issue for Unity where your app is generating loads of service account login attempts, potentially causing your account to get (temporarily) blocked - I'm just guessing here but it seems only logical to block apps which generate loads of failing login attempts as this would indicate hacking in progress.

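A sketch of the developer-only tool the answer describes, added here as an example and not part of the original thread or Unity's own code: the service account key is read from the operator's environment and the write goes to the Cloud Save admin API from a developer machine, so no credential ships in the game. The environment variable names are hypothetical, and the endpoint path is an assumption to check against the current Unity API reference.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Assumption: base path of the Cloud Save admin API; confirm in Unity's API reference.
ADMIN_BASE = "https://services.api.unity.com/cloud-save/v1/data"


def load_credentials(env=os.environ):
    """Read the service account key from the operator's environment.

    UGS_KEY_ID / UGS_SECRET_KEY are hypothetical names; the point is that the
    secret lives on the developer machine or CI secret store, never in a build.
    """
    key_id, secret = env.get("UGS_KEY_ID"), env.get("UGS_SECRET_KEY")
    if not key_id or not secret:
        raise RuntimeError("service account credentials are not set; refusing to run")
    return key_id, secret


def build_set_item_request(key_id, secret, project_id, environment_id, custom_id, key, value):
    """Build (without sending) the admin request that writes one custom item."""
    # Percent-encode every path segment so an ID cannot alter the request path.
    proj, env_id, cid = (urllib.parse.quote(s, safe="")
                         for s in (project_id, environment_id, custom_id))
    url = f"{ADMIN_BASE}/projects/{proj}/environments/{env_id}/custom/{cid}/items"
    # Service accounts authenticate with HTTP Basic: base64("keyId:secretKey").
    token = base64.b64encode(f"{key_id}:{secret}".encode()).decode()
    body = json.dumps({"key": key, "value": value}).encode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Basic {token}",
        "Content-Type": "application/json",
    })


def set_game_data(project_id, environment_id, custom_id, key, value, dry_run=True):
    """Developer-side counterpart of SetGameData; dry_run returns the URL only."""
    key_id, secret = load_credentials()
    req = build_set_item_request(key_id, secret, project_id, environment_id,
                                 custom_id, key, value)
    if dry_run:
        return req.full_url
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

Grant the service account only the Cloud Save role it needs for this write, and rotate the key if it ever appears in a repository or build artifact.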