The following use-case:
- I have a function which performs some privileged operation on the Server endpoint (e.g. GrantItems).
- This function can be called either from a GameServer or directly from PlayFab (e.g. if a player enters a segment).
- I want to prohibit the client from calling this function.

However, I cannot differentiate between who is calling this function/what the origin is.
I tried using the passed-in TitleAuthenticationContext when calling GrantItems, hoping that the EntityToken would contain information about the origin and prohibit calls which come from the client, but to no avail.
Passing 'secret headers' which are only known to the server is also not an option, as I cannot set them when the call originates from PlayFab, and security through obscurity is a bad idea.
So what would be the correct way of detecting such a call?