• Categories
  • Recent
  • Tags
  • Popular
  • Solved
  • Unsolved
  • Users
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (Darkly)
  • No Skin
Collapse
brainCloud Forums

The Unreal Engine Bootcamp Suggests Storing The Secret Key In The Game Files

Scheduled Pinned Locked Moved Unsolved General
3 Posts 2 Posters 30 Views
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • G Offline
    G Offline
    greggoryaddison
    wrote last edited by
    #1

    I know it's just a tutorial to help us get started, but I'm wondering what is the recommended place to store the secret key so that the game can access it if needed but the client can't? What I was doing before with playfab never needed the secret key in the client code so I had it as an Environment Variable on my PC so I could call Admin API's without the need of keeping the secret string around in my code base.

    1 Reply Last reply
    0
  • Paul WinterhalderP Offline
    Paul WinterhalderP Offline
    Paul Winterhalder brainCloudAdmin
    wrote last edited by
    #2

    Hi @greggoryaddison ,

    Good question - and it points out some differences (and similarities) with PlayFab.

    Playfab rationalized that they didn't need a client secret because:

    • it wouldn't be secure anyway
    • and they had separate CLIENT vs. SERVER APIs.

    Well - brainCloud actually has the same API separation - in our CLIENT vs. S2S APIs -- but we figure security is all about layering - and so we still require the app secret in the client.

    But note that this app secret is SEPARATE from the secrets that get use for privileged SERVER/S2S API calls. When you declare an external server interface a separate secret is generated just for that interface. And that secret you'd normally keep in a .env file on server... Our Builder API uses a similar concept (also with separate API keys).

    The brainCloud CLIENT APIs are very sandboxed. You can only access info about your player -- you explicitely can't access information about other players. You can also use API Blocking to prevent even those sandboxed calls from being done from the client. And implement sensitive calculations and operations in cloud code scripts that run on the server.

    So - the app secret isn't as sensitive as you'd think.

    That said - there are some best practices to improve things:

    • Store it in a configuration file (not the source itself). That makes it easier to swap builds across dev/staging/prod versions of your app. Add it to .gitignore to ensure it isn't store in your source repo directly.
    • Ideally obfuscate the string in storage - so it's harder [though not impossible] for attackers to read

    So - in summary - the app secret that our client uses is an additional layer of security that Playfab doesn't have. It is still separate from the secrets that the privileged S2S and Builder APIs use - so there's no compromise there.

    I hope that helps to clarify things!

    More info here - https://help.getbraincloud.com/en/articles/14855017-storing-your-app-secret-safely

    Paul.

    G 1 Reply Last reply
    0
  • G Offline
    G Offline
    greggoryaddison
    replied to Paul Winterhalder last edited by
    #3

    @Paul-Winterhalder Thanks Paul! This clears up a lot. I appreciate it.

    1 Reply Last reply
    0

  • Login
  • Login or register to search.
  • First post
    Last post
0
  • Categories
  • Recent
  • Tags
  • Popular
  • Solved
  • Unsolved
  • Users