How can we ensure that users' data (Entities, Global Entities, Leaderboards, Statistics etc) are *only* writable from cloud-scripts?
-
Hi team,
While working I thought of a potential vulnerability unless I'm misunderstanding something.
I'm working on a game in which no sensitive inputs could come from the client. As in, never trust the client.
Basically, my app will take non-sensitive inputs, calculate results in cloud scripts, and finally securely update relevant items from cloud-scripts. But, as I was watching the bootcamp, I realized, what's stopping a bad-actor from doing the following:
- Identify the app runs on brainCloud. This part isn't difficult, even email verification links will lead to a brainCloud page.
- Once knowing the app is running on brainCloud, watch the bootcamp series to learn of the various APIs.
- Authenticate from their machine.
- Start making POST requests to various operations (i.e. update global entity, update custom entity, update statistic) with their authenticated session.
How can I prevent this? Basically want to lock out all of these APIs from outside of cloud-scripts; it's the only way I can see to maintain competitive integrity unless I've missed something.
@Paul-Winterhalder or anyone else, any ideas?
-
Use API blocking in the cloud code category to block all APIs from the client that write your user entities. Then clients can only write their entities using cloud-code, and there you have total control.
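
Blocking client writes only protects integrity if the cloud script itself recomputes results from the non-sensitive inputs instead of accepting a client-supplied value. The following is an added example, not part of the original thread and not brainCloud's API: `LEVELS`, `computeScore`, `submitRun` and the `Map`-backed store are hypothetical stand-ins for the game's rules and the platform's storage.

```javascript
// Hypothetical game rules held server-side. Maps avoid prototype-key lookups
// such as "__proto__" resolving to an inherited object.
const LEVELS = new Map([
  ["level-1", { minDurationMs: 20000, parMs: 60000,
                pickups: new Map([["coin", 10], ["gem", 50], ["key", 100]]) }],
]);

function computeScore(input) {
  // Only non-sensitive inputs are read; a client-supplied "score" is never consulted.
  const level = LEVELS.get(input && input.levelId);
  if (!level) return { ok: false, reason: "unknown level" };
  const { durationMs, pickups } = input;
  if (!Number.isInteger(durationMs) || durationMs < level.minDurationMs)
    return { ok: false, reason: "implausible duration" };
  if (!Array.isArray(pickups) || pickups.length > level.pickups.size)
    return { ok: false, reason: "bad pickups" };
  const seen = new Set();
  let score = 0;
  for (const id of pickups) {
    // Each pickup must exist in the level and can be collected once.
    if (!level.pickups.has(id) || seen.has(id))
      return { ok: false, reason: "bad pickups" };
    seen.add(id);
    score += level.pickups.get(id);
  }
  // Time bonus: 1 point per full second under par, never negative.
  score += Math.max(0, Math.floor((level.parMs - durationMs) / 1000));
  return { ok: true, score };
}

function submitRun(store, playerId, input) {
  // playerId must come from the authenticated session, not the request body.
  const result = computeScore(input);
  if (!result.ok) return result;
  const best = store.get(playerId) || 0;
  if (result.score > best) store.set(playerId, result.score);
  return { ok: true, score: result.score, best: Math.max(best, result.score) };
}

// Constructed sample requests; an in-memory Map stands in for platform storage.
const demoStore = new Map();
const honest = submitRun(demoStore, "player-a",
  { levelId: "level-1", durationMs: 45000, pickups: ["coin", "gem"] });
const forged = submitRun(demoStore, "player-a",
  { levelId: "level-1", durationMs: 500, pickups: ["key"], score: 999999 });
console.log(honest, forged, demoStore.get("player-a"));
```
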