Search Unity

  1. Unity 6 Preview is now available. To find out what's new, have a look at our Unity 6 Preview blog post.
    Dismiss Notice
  2. Unity is excited to announce that we will be collaborating with TheXPlace for a summer game jam from June 13 - June 19. Learn more.
    Dismiss Notice

Protected client API and security

Discussion in 'Unity Cloud Content Delivery' started by hadrien23, Oct 28, 2020.

  1. hadrien23

    hadrien23

    Joined:
    Oct 9, 2019
    Posts:
    12
    Hi,
    What is the status regarding a protected client API, and is there any risks at the moment that a third party could access a bucket content using the public client API, or any other way?
    Regards.
     
  2. timtunity3d

    timtunity3d

    Unity Technologies

    Joined:
    Oct 1, 2015
    Posts:
    131
    At the moment all content is public. We are still gathering requirements around protected content. If you have specific requirements we'd love to hear them and I can pass them along to our product managers.
     
  3. ChristinaGuo

    ChristinaGuo

    Unity Technologies

    Joined:
    Feb 20, 2020
    Posts:
    48
    Hi @hadrien_n , I'm the product manager for CCD. We've finally gotten around to private content. We're brainstorming a few solutions and would love to get your thoughts:
    • Option 1 would be to provide bucket level access keys. Only users with the access keys would be able to retrieve content from CCD. We imagine this to be similar to how Github allows users to generate keys.
    • Option 2 would be to support an IP whitelist per bucket (screenshots below). Only IPs on the list would be able to access content from CCD. We imagine this solution would be in addition to Option 1.
    Would either of these solutions work for your needs? Is the bucket level the right level for security?

    image.png image (1).png image (2).png
     
  4. CineTek

    CineTek

    Joined:
    Jul 12, 2013
    Posts:
    98
    To jump into this conversation - we are using an account system (Playfab) for all players including internal developers. At the moment our login screen is the only "protection" from excessive or unauthorized access. For us it would be ideal to have a security layer before CCD that allowed e.g. Playab and other account systems to send an auth token to CCD first.
    Because the login screen is not enough, once a player has access to the CCD bucket links they can easily DDOS the whole system - or at the very least, create huge traffic.
     
  5. ChristinaGuo

    ChristinaGuo

    Unity Technologies

    Joined:
    Feb 20, 2020
    Posts:
    48
    Hi @CineTek, we're implementing bucket level access keys. It seems that this would fit your use case. You can generate an access token that protects a private bucket. You can easily re-generate and update your clients if it gets compromises.

    The only issue I can see is if you wanted to create an access token per user, which may not play well with our caching.

    Do you have a sense for how many access tokens you might need to generate?
     
  6. CineTek

    CineTek

    Joined:
    Jul 12, 2013
    Posts:
    98
    Well, connected to the account system a per-user token that is changing dynamically would be the "ideal" solution.
    My concern with your approach is that the access token is still visible inside the game client and/or can be intercepted from local network which does not stop a maliciuous party from attacking the network? Unless the key cannot be intercepted
     
  7. CineTek

    CineTek

    Joined:
    Jul 12, 2013
    Posts:
    98
    I guess, what we could do internally is figure out if we can forward/push traffic through an internal proxy which uses the playfab auth as a security step - therefore hiding the official CCD servers... .
     
  8. ChristinaGuo

    ChristinaGuo

    Unity Technologies

    Joined:
    Feb 20, 2020
    Posts:
    48
    Hi @CineTek, in case you missed the announcement on the main forum, we've launched Private Buckets! Private buckets protect read access to buckets with an access token, so that only those users with that access token can retrieve content from that bucket. Let us know if you have any feedback!
     
  9. hadrien23

    hadrien23

    Joined:
    Oct 9, 2019
    Posts:
    12
    @ChristinaGuo Login in after a while, sorry I missed your first question. Awesome news about the new private buckets, thanks for the update!
     
    ChristinaGuo likes this.