Question Players are able to modify their currency and inventory

Discussion in 'Economy' started by perrymok, Jun 29, 2023.

  1. perrymok

    I am new to using Unity Gaming Services and realized that players are able to modify their own balance and inventory using the REST API.

    If I didn't get it wrong, they can obtain their access token when logging in, then call the REST API endpoints like POST
    https://economy.services.api.unity.com/v2/projects/{projectId}/players/{playerId}/currencies/{currencyId} to change their balances.

    I am very confused and don't understand the meaning of this service anymore. Why can the players modify their own balances?
     
  2. TomTheMan59

    I don't know, but shouldn't you validate this on the server with cloud code? This seems like something that should be done with that.
     
  3. erickb_unity

    Unity Technologies
    Hello
    You can control if these operations can be called from the client by using Access Control.
    By enabling custom rules, you can ensure economy can only be called through cloud-code or your own backend.

    More information can be seen here: https://docs.unity.com/ugs-overview/en/manual/access-control
    This is so we can give developers full control over the security model for their game.

    Let me know if you have any questions.
     
  4. sergiusz308

    @erickb_unity Hi, where can I read about restricting access to the economy API to allow only my backend to call it?
    I'm looking for a proxy scenario, where my backend is an intermediary between the client and the UGS Economy.
    Thanks!
     
  5. erickb_unity

    Unity Technologies
    Hello

    You'll want to look at Access Control to block the player access and service account authentication to call the economy from your backend.

    Access Control:
    https://docs.unity.com/ugs-overview/en/manual/access-control

    Example of project policy to fully block economy from Player write operations:
    {
        "Sid": "deny-all-economy-access",
        "Effect": "Deny",
        "Action": ["*"],
        "Principal": "Player",
        "Resource": "urn:ugs:economy:*"
    },

    Service Account Authentication:
    https://services.docs.unity.com/docs/service-account-auth/

    You'll need to exchange your service account credentials for a stateless token before using it with the Economy API from your backend using this API: https://services.docs.unity.com/auth/v1/

    Let me know if you have any more questions
     
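
The proxy arrangement discussed in this thread, as an added example that is not part of any post and is not Unity's own code: request builders for a backend that holds the service account credentials and decides server-side what each grant is worth. The token-exchange path, the `/increment` suffix and the `{amount}` body are assumptions to confirm against the linked API references; the reward table and function names are hypothetical.

```javascript
// Added example: builds the two HTTP requests a proxy backend would send.
// Nothing is sent here, so it runs offline; pass the results to your HTTP client.
const ECONOMY = "https://economy.services.api.unity.com/v2"; // base of the URL quoted in the thread
const TOKEN_EXCHANGE = "https://services.api.unity.com/auth/v1/token-exchange"; // assumed path

// Rewards live on the server; the client only names one (constructed sample data).
const REWARDS = { DAILY_LOGIN: { currencyId: "GOLD", amount: 50 } };

// IDs are interpolated into the URL path, so restrict them to safe characters.
const ID = /^[A-Za-z0-9_-]{1,64}$/;

// Step 1: exchange service account credentials (kept in backend secrets,
// never shipped in the game client) for a stateless token.
function buildTokenExchange(keyId, secretKey, projectId, environmentId) {
  const basic = Buffer.from(`${keyId}:${secretKey}`).toString("base64");
  const qs = new URLSearchParams({ projectId, environmentId });
  return {
    method: "POST",
    url: `${TOKEN_EXCHANGE}?${qs}`,
    headers: { Authorization: `Basic ${basic}` },
  };
}

// Step 2: turn a client request into an Economy write.
// sessionPlayerId must come from the backend's own verified session, not from body.
function buildGrant(accessToken, projectId, sessionPlayerId, body) {
  if (!ID.test(projectId) || !ID.test(sessionPlayerId)) throw new Error("bad id");
  const known = Object.prototype.hasOwnProperty.call(REWARDS, body.rewardId);
  if (!known) throw new Error("unknown reward");
  const reward = REWARDS[body.rewardId];
  // body.amount, body.playerId and body.currencyId are deliberately ignored.
  return {
    method: "POST",
    url: `${ECONOMY}/projects/${projectId}/players/${sessionPlayerId}` +
         `/currencies/${reward.currencyId}/increment`, // "/increment" is an assumption
    headers: {
      Authorization: `Bearer ${accessToken}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ amount: reward.amount }),
  };
}
```

With the Deny policy from the post in place, a player token replayed against the same Economy URL is rejected, so the only write path left is this backend and the amounts it chooses.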