如何在服务器端验证 FBInstant.context.getID() 以确保它不是伪造的?
[英]How to verify FBInstant.context.getID() on the server side to ensure it is not faked?
问题描述
I have a multiplayer word game in "Facebook Web Games" format and would like to port it to "Instant Games".
我有一个“Facebook Web Games”格式的多人文字游戏,想将它移植到“Instant Games”。
The player id can be fetched by using FBInstant.player.getID();可以使用FBInstant.player.getID();获取玩家 ID FBInstant.player.getID(); and then I could call an URL on my game backend server as in:然后我可以在我的游戏后端服务器上调用一个 URL,如下所示:
FBInstant.startGameAsync()
.then(function() {
var playerName = FBInstant.player.getName();
var playerPic = FBInstant.player.getPhoto();
var playerId = FBInstant.player.getID();
$.post("/my/game/backend", { playerID: playerID });
});
But I don't understand, how to verify the player id at my backend server.但我不明白,如何在我的后端服务器上验证玩家 ID。
If I don't do that, someone else could just use curl to fetch the URL "/my/game/backend" and impersonate some other player.如果我不这样做,其他人就可以使用curl来获取 URL“/my/game/backend”并冒充其他玩家。
There must be some kind of signature or token, which could be passed to the game backend server for verification using a common secret, but I cannot find it in the Instant Games documentation yet.必须有某种签名或令牌,可以使用公共秘密将其传递给游戏后端服务器进行验证,但我在Instant Games 文档中还找不到它。
1 个解决方案
解决方案1
1 已采纳 2020-08-27 06:46:31
https://developers.facebook.com/docs/games/instant-games/sdk/fbinstant6.3#signedplayerinfo https://developers.facebook.com/docs/games/instant-games/sdk/fbinstant6.3#signedplayerinfo
SignedPlayerInfo
Represents information about the player along with a signature to verify that it indeed comes from Facebook.
You need to use getSignedPlayerInfoAsync , then you can get the signature from that, and send that value to your server to verify it there.您需要使用getSignedPlayerInfoAsync ,然后您可以从中获取签名,并将该值发送到您的服务器以在那里进行验证。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.