Markus Henschel asked

Matchmaking Attributes and Security

Hello,

we are using matchmaking 2.0 with a match total rule that relaxes over time to decrease the number of players required if no match is found. We use basically the "Expansion of number of players over time" example from here:

https://docs.microsoft.com/en-us/gaming/playfab/features/multiplayer/matchmaking/config-examples

This works well so far in development but I'm a bit worried about the security aspect of this. It relies on the client supplying correct attributes. What if a malicious client modifies this and sets a really high number? Currently we are even using this for QA to be able to start matches quicker. I'm not really sure if this will be a problem in reality, but couldn't a hacked client then cause much smaller matches to be created than would happen otherwise?

There seems to be a way to use attributes from an entity, which would not suffer from this issue, I guess. But I didn't really understand from the documentation how to use this. Could you provide an example of how entity attributes in matchmaking are supposed to be used? Can I access title data or player data with this?

Thanks!

Markus

Matchmaking

1 Answer

Seth Du answered

You may consider migrating the creating ticket process to the Cloud Script/Azure function so that the attribute is unknown to the client side. Then the clients will handle the rest of the process of matchmaking with the returned ticket.

In addition, another workaround is to read the Entity Object as the attribute. In terms of this scenario, you may modify the Entity Global Title Policy to deny the players’ permission of editing a specific Object. For example, if you have an Object named “MatchmakingObj”, you may add the following policy on Game Manager:

{
    "Resource": "pfrn:data--*!*/Profile/Objects/MatchmakingObj",
    "Action": "Write",
    "Effect": "Deny",
    "Principal": "*",
    "Comment": "Only title can edit user MatchmakingObj Objects",
    "Condition": {
        "CallingEntityType": "title_player_account"
    }
},
{
    "Resource": "pfrn:data--*!*/Profile/Objects/MatchmakingObj",
    "Action": "Write",
    "Effect": "Deny",
    "Principal": "*",
    "Comment": "Only title can edit user MatchmakingObj Objects",
    "Condition": {
        "CallingEntityType": "character"
    }
},
{
    "Resource": "pfrn:data--*!*/Profile/Objects/MatchmakingObj",
    "Action": "Write",
    "Effect": "Deny",
    "Principal": "*",
    "Comment": "Only title can edit user MatchmakingObj Objects",
    "Condition": {
        "CallingEntityType": "master_player_account"
    }
},


Currently it is not supported to restrict entity API via Policy. Even though players won’t know how the matchmaking ticket is created on Cloud Script, malicious clients may still send that API (though I don’t think they will be matched since the attribute should be incorrect.)

3 comments

rima commented ·

Hi @SethDu

Since my question is related to this, I thought I'd just add a reply instead of a question.

We are planning to migrate our Create Matchmaking ticket to Cloud Script to have more authority over the attributes such as skill, etc.

But we are having an issue where the Cloud Script only has access to the "server api" and not the matchmaker API, so we are unable to create a matchmaking ticket.

We looked at the doc, but this API doc page also states that it only has access to the server API.

0 Likes 0 ·
Seth Du ♦ rima commented ·

You may use "multiplayer.xxxx" to call multiplayer related APIs, for example:

multiplayer.CreateServerMatchmakingTicket();

Please also note that Cloud Script doesn't support directly calling the CreateMatchmakingTicket API because it only allows a “title player account” entity to call it, while in Cloud Script, the context will hold a title-level entity token. Hence, CreateServerMatchmakingTicket is the only way. Azure Function won't have this issue via instance API.

1 Like 1 ·
rima Seth Du ♦ commented ·

Hey SethDu, that's great! Thanks a lot for the quick reply.

0 Likes 0 ·
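
The server-side ticket creation discussed in the answer and comments above, sketched as an added example that is not part of the original thread and is not PlayFab's own code. It builds a CreateServerMatchmakingTicket request in which client input is filtered through an allowlist and the server-owned attribute comes only from data the player cannot write; the queue name, the attribute names (`region`, `gameMode`, `matchWeight`), the 120-second timeout and the `buildTicketRequest` helper are all assumptions.

```javascript
// Added example. Queue name, attribute names and limits are hypothetical.
const ALLOWED_QUEUES = new Set(["ExampleQueue"]);
// Attributes a client may choose, each with a validator.
const CLIENT_SETTABLE = new Map([
  ["region", v => ["eu", "us", "asia"].includes(v)],
  ["gameMode", v => ["casual", "ranked"].includes(v)],
]);

// entityKey: the calling player's { Id, Type }.
// clientArgs: untrusted arguments sent by the game client.
// trusted: attributes the title read from storage the player cannot write,
//          for example the MatchmakingObj object protected by a deny policy.
function buildTicketRequest(entityKey, clientArgs, trusted) {
  if (!entityKey || entityKey.Type !== "title_player_account" || !entityKey.Id) {
    throw new Error("ticket member must be a title player account");
  }
  const args = clientArgs || {};
  if (!ALLOWED_QUEUES.has(args.queue)) throw new Error("unknown queue");

  const attributes = {};
  const dropped = [];
  for (const [name, value] of Object.entries(args.attributes || {})) {
    const isValid = CLIENT_SETTABLE.get(name);
    if (isValid && isValid(value)) attributes[name] = value;
    else dropped.push(name); // unknown name or bad value: log it, never forward it
  }
  // Trusted values are written last so a client key of the same name cannot win.
  Object.assign(attributes, trusted);

  return {
    dropped,
    request: {
      QueueName: args.queue,
      GiveUpAfterSeconds: 120,
      Members: [{
        Entity: { Id: entityKey.Id, Type: entityKey.Type },
        Attributes: { DataObject: attributes },
      }],
    },
  };
}

// Constructed sample: the client tries to set the server-owned attribute itself.
const sample = buildTicketRequest(
  { Id: "PLAYER_ENTITY_ID", Type: "title_player_account" },
  { queue: "ExampleQueue", attributes: { region: "eu", matchWeight: 9999 } },
  { matchWeight: 1 });
console.log(JSON.stringify(sample, null, 2));
// In Cloud Script the result would be passed on as
// multiplayer.CreateServerMatchmakingTicket(sample.request);
```

The `dropped` list is worth logging per player: repeated attempts to send a server-owned attribute are a useful signal of a modified client.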
