
How to verify FBInstant.context.getID() on the server side to ensure it is not faked?

I have a multiplayer word game in "Facebook Web Games" format and would like to port it to "Instant Games".

The player id can be fetched by using FBInstant.player.getID(); and then I could call a URL on my game backend server as in:

FBInstant.startGameAsync()
  .then(function() {
    var playerName = FBInstant.player.getName();
    var playerPic = FBInstant.player.getPhoto();
    var playerId = FBInstant.player.getID();

    // the posted value must use the variable declared above (was "playerID", which is undefined)
    $.post("/my/game/backend", { playerID: playerId });
  });

But I don't understand, how to verify the player id at my backend server.

If I don't do that, someone else could just use curl to fetch the URL "/my/game/backend" and impersonate some other player.

There must be some kind of signature or token, which could be passed to the game backend server for verification using a common secret, but I cannot find it in the Instant Games documentation yet.

https://developers.facebook.com/docs/games/instant-games/sdk/fbinstant6.3#signedplayerinfo

SignedPlayerInfo
Represents information about the player along with a signature to verify that it indeed comes from Facebook.

You need to use getSignedPlayerInfoAsync, then you can get the signature from that, and send that value to your server to verify it there.
