Prevent clients from creating rooms

Hello - I am wondering if there is a way to setup my app such that anonymous clients, which access photon using a website and the js sdk, can join rooms, but not create new rooms, and only the "server" for my game, using a custom authentication mechanism, can create rooms.

Because of how my game is intending to function, similar to jack box games, I can't think of a way for the clients to be able use an authentication method and I want to prevent unauthenticated users from being able to essentially hijack my photon app and create their own rooms and the like.

Is such a thing possible?

Comments

  • JohnTube
    JohnTube mod
    edited January 2021
    Hi @MarkZorn,

    Thank you for choosing Photon!

    This is not possible using client logic only.
    The proper way to do this is via custom server plugin which are available for self-hosted (on-premises) Photon Server or private Photon Enterprise Cloud.

    There is another way to do this using webhooks but it's hacky as it was not the intended purpose:
    Webhooks were meant to allow saving and loading room state.
    So if you want to use them to block room creation here is what you need:

    Idea:

    we are going to fake new room creation as old room state loading (via JoinOrCreateRoom).
    or when we want to prevent actual new room creation we do not return a response.

    Config:
    • BaseUrl = required
    • IsPersisent = true
    • AsyncJoin (do not add, keep default or set to true) = true
    • PathCreate = set to actual value that works (valid endpoint)
    • PathDestroy = set to a value, could be not working

    Implementation:

    Client:

    - prefer JoinOrCreateRoom over Create room to create rooms.

    Web Server:

    - in PathCreate handler, if args.Type == "Create" and you don't want this room to be created DO NOT RETURN ANY RESPONSE.
    - in PathCreate handler, if args.Type == "Load" and you don't want this room to be created, return response with ResultCode != 0.
    - in PathCreate handler, if args.Type == "Create" and you want this room to be created return a default success response (ResultCode = 0).
    - in PathCreate handler, if args.Type == "Load" and you want this room to be created return a success response (ResulceCode = 0, State = {}).
  • Hi @JohnTube

    I also finding solution to prevent user create room to avoid hack. My situation as follow:

    Our game using Fusion and has 2 builds.

    - 1 build as headless server -> only allow this build create room

    - 1 build will be shipped to player -> do not allow this build create room, just join room.

    Because I do not see the Webhooks section in dashboard. Do Fusion have another solution to prevent player from create room (only player has secret key can create room or some other solution)

    Thank you a lot.