The Unreal Engine Bootcamp Suggests Storing The Secret Key In The Game Files

Thanks @Brad-Hester !

First of all - from what you describe - you don't need to set forceCreate: true in your authentication call - because the account was already previously created via the S2S call.

Also - since you are creating the accounts via the S2S call, then yes - when you authenticate, newUser will come back as false - since they previously existing (via the S2S call).

That said - we'll have to look into the analytics of this a bit more. Certainly seems like a mismatch... maybe the "fix" would be to return newUser for any user account that had zero logins... and thus let the analytics take care of themselves based on that.

I'll put this to our devs. Thanks for raising it.

Oh - and for Q3 - certainly NOT pre-creating the accounts via S2S would make all this line up correctly.

Hi - we highly recommend that you use CachePurchasePayloadContext() in all cases. brainCloud will attempt to do a best effort reconstruction of the product and price - but if you start using appStore IAP ids across products than all bets are off. We strongly recommend you add the payload cache in all cases - even for your Apple case that seems to be working so far.

Question 1

Let me clarify how this is normally handled.

The client app gets a list of the available items for purchase by calling GetSalesInventory(). That call take into account who the user is, what segments they are in, etc. to determine which Cash Products to return in that call.

So if you want to use segments to determine who can purchase an item, you would normally:

• Set the item as "Not for Sale" as it's default price
• Then in the segmented Promotions, you set the sale (in this case "Regular") price.

In that way - people normally cannot buy the product - but it the user is in the segment covered by the promotion - it WILL appear at what you call the "regular price" for that user when they call GetSalesInventory().

Do you get how this does what you are asking for?

Question 2 - How is promotionId to be passed.

The promotion is automatically taken into account when calling GetSalesInventory(). The trick is to still know a promotion is involved when we are processing the purchase receipt. That is accomplished by caching the new "payload" field.

So the client should:

• Call GetSalesInventory() to determine what products to show to the user
• Bring up their store UI so the user can view things. Probably involves calling the platform's store APIs to get localized prices of everything.
• When the user selects an item to purchase, the client app world:
  • Call AppStore.CachePurchasePayloadContext() with the "payload" field that was associated with the item the user has chosen.
  • then call the platform's appstore api to initiate the purchase.

Then when brainCloud is processing the purchase it will retrieve the cached "payload" information - which includes information about the promotionId that was involved (if there was one).

So note - in this flow you don't really NEED to call GetEligiblePromotions() - though that can be handy if you need to use that to show some banners in your store or something.

---

Regarding counting of sandbox purchases - I don't think we include those in the stats. We record the purchase so that you can verify that it is happening end-to-end, but we now keep those totals out of the stats.

I hope that helps!

Hi - I'm probably missing the subtleties of your use case.

But in your scenario, what folks would normally do is:

• Set the product as NOT FOR SALE by default.
• Then have Promotion set it as AVAILABLE at the STANDARD price point.

Is there a reason that you don't set the product as NOT FOR SALE initially?

HI @greggoryaddison - maybe I can clarify some terms here:

brainCloud refers to hosted multiplayer servers as [Custom] Room Servers and Relay Servers.

Room Servers are custom software that you write that will implement the authoritative multiplayer session. It is generally implemented as a docker image - using any number of multiplayer technologies. After matchmaking, clients will directly connect to your Room Server to participate in the multiplayer experience.

Relay Servers use brainCloud own Relay Server tech (and Relay Protocol libraries) to implement peer-to-peer multiplayer. The off-the-shelf brainCloud Relay Server tech automatically "relays" the messages to the peer-to-peer host...

Relay Servers are generally hosted natively by brainCloud itself.

For Room Servers there are a number of options:

• Room Servers - native hosting on brainCloud's servers. This is the simplest to set up. Enter the name of the dockerhub-based image for brainCloud to pull and launch.
• EdgeGap integration - very similar - except the docker images are launched on EdgeGap's servers
• GameLift integration - brainCloud will trigger the launching of GameLift-based servers. You need to build Gamelift images, not docker images.
• i3d integration - integration with i3D's orchestrator for true AAA hosting of multiplayer services

Once a Room Server is launched (on any of these services) is communicates back with brainCloud via the S2S API.

We would very much suggest that the easiest path is to get your multiplayer working on brainCloud natively, and then migrate to one of the hosting integrations (if desired) once the basics are working.

Does that help?

Hi @greggoryaddison ,

Good question - and it points out some differences (and similarities) with PlayFab.

Playfab rationalized that they didn't need a client secret because:

• it wouldn't be secure anyway
• and they had separate CLIENT vs. SERVER APIs.

Well - brainCloud actually has the same API separation - in our CLIENT vs. S2S APIs -- but we figure security is all about layering - and so we still require the app secret in the client.

But note that this app secret is SEPARATE from the secrets that get use for privileged SERVER/S2S API calls. When you declare an external server interface a separate secret is generated just for that interface. And that secret you'd normally keep in a .env file on server... Our Builder API uses a similar concept (also with separate API keys).

The brainCloud CLIENT APIs are very sandboxed. You can only access info about your player -- you explicitely can't access information about other players. You can also use API Blocking to prevent even those sandboxed calls from being done from the client. And implement sensitive calculations and operations in cloud code scripts that run on the server.

So - the app secret isn't as sensitive as you'd think.

That said - there are some best practices to improve things:

• Store it in a configuration file (not the source itself). That makes it easier to swap builds across dev/staging/prod versions of your app. Add it to .gitignore to ensure it isn't store in your source repo directly.
• Ideally obfuscate the string in storage - so it's harder [though not impossible] for attackers to read

So - in summary - the app secret that our client uses is an additional layer of security that Playfab doesn't have. It is still separate from the secrets that the privileged S2S and Builder APIs use - so there's no compromise there.

I hope that helps to clarify things!

More info here - https://help.getbraincloud.com/en/articles/14855017-storing-your-app-secret-safely

Paul.

Hi @greggoryaddison ,

Send a message into our support chat with your appId and we'll check it out.

Numbers like these would tend to indicate a low DAU for the app (common in development) - with maybe some background processes that you are debugging. Normally the api counts for those processes would be absorbed across a bunch of Daily Active Users - but since your DAU is low, the API / DAU is going to look very high.

Anyway - send us you appId and we'll take a look.

Paul.

@moondory77 - why would you need/want to update a tournament in progress?

We consider the tournament to be a contract between the player and the game dev. You enter this tournament. You have <X> hours to compete. And you can win <Y> in prizes.

Changing the rules half-way through the tournament seems unfair? You are changing the duration? The prizes? These are both things that the player did not agree to.

Anyway - that was the assumption of the system - and it's why once a tournament is started any changes you make to the tournament get queued up for the NEXT tournament cycle, not the current one.

That said - divisions are even more complicated - as even if we wanted to there would be potentially thousands of records to update to make the change.

I need to better understand your use case to consider this request.

Paul.

@noah - the servers have been patched. You now have the option to exclude division set configs during deploy.