How can we ensure that users data (Entities, Global Entities, Leaderboards, Statistics etc) are *only* writable from cloud-scripts?
While working I thought of a potential vulnerability unless I'm misunderstanding something.
I'm working on a game in which no sensitive inputs could come from the client. As in, never trust the client.
Basically, my app will take non-sensitive inputs, calculate results in cloud scripts, and finally securely update relevant items from cloud-scripts.
But, as I was watching the bootcamp, I realized, what's stopping a bad-actor from doing the following:
- Identify the app runs on braincloud. This part isn't difficult, even email verification links will lead to a braincloud page.
- Once knowing the app is running on braincloud, watch the bootcamp series to learn of the various APIs.
- Authenticate from their machine.
- Start making POST requests to various operations (IE update global entity, update custom entity, update statistic) with their authenticated session.
How can I prevent this? Basically want to lock out all of these api's from outside of cloud-scripts-- its the only way I can see to maintain competitive integrity unless I've missed something.
@Paul-Winterhalder or anyone else, any ideas?