Prevent guest users accessing the SDK methods via browser console

Hi Folks - I have a leaderboard table. Only guest users can post to it. However, through the console window it is possible to post to the leaderboard using Backendless.Data.of(TABLE_NAME).save({ email: email, nickname: nickname, score: score }). Users will be authenticated as guest users at this point, so they will have full access to read/write. I was thinking of adding some validation against the response to verify the score was posted through the legitimate method in the game; however, I'm struggling to think of a bulletproof way of doing this.

Any ideas appreciated!

Hi Dan,

take a look at our Security and Permissions API.

Stanislaw

Hi Stanislaw, thanks for replying. I have been through those docs looking for a solution, but the issue I have is that users who are posting fake scores have logged on as guestUser (and therefore have full permission to read/write/post for the duration of that session). They are adding fake scores to the DB via the SDK directly through the browser console after authentication has passed.

I do not quite understand the logic flow of your program. Why do users post to the table directly instead of the program calculating their score? If you gave them that opportunity, then it doesn't matter whether you forbid the use of the SDK, since there is still a REST route and with cURL you can simulate such requests. You need to forbid users from posting directly to the leaderboard table (using the Permissions API for the Guest User role), calculate their rating automatically, and give users only the result.

Apologies for not being clear. The program posts their score to the leaderboard and then the leaderboard returns the whole table so users can see where their score appears. The problem is users are bypassing the program flow and posting their fake scores directly.

I’m trying to make sense of the route you describe - if the user can’t post to the leaderboard directly how are you proposing their score is entered to the leaderboard? Am I missing the point?

You need to use Business Logic for this. Sending data from the client is the wrong approach, because in this case it is simply impossible to prevent cheating; it's not about how Backendless works. I don't know what exactly your program is (a game, I guess), but the flow should be something like this:

  1. The Score/Leaderboard table is closed for POST for all roles but BLUser;
  2. When the game starts, you put a flag in the database that the game has started for the specific user;
  3. During the game, the calculation of the intermediate result/score is done on the server in Business Logic;
  4. When the game ends, the client sends a request to complete the game, and the business logic computes the final result, stores it for the current user in the table and marks the game as completed;
  5. Thus, the user will not be able to post any data directly to the table, and the score will be counted and recorded not from the client but on the server, which makes cheating impossible.

Hope it gives you some ideas, but the main point is to use server code.
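The five steps above, modelled as an added example that is not part of the original thread and not Backendless code. The in-memory Maps stand in for the Game and Leaderboard tables, the explicit role check in writeLeaderboard stands in for what the Permissions API enforces in step 1, and the event names, point values, role names and MAX_EVENTS cap are all assumptions made for the example. In a real deployment the functions below would live in server code (Business Logic) and the client would only be able to call startGame, recordEvent and finishGame.

```javascript
// Added example: server-side scoring model for a leaderboard (not Backendless code).
// Assumptions: role names 'BLUser' / 'GuestUser', the POINTS table and MAX_EVENTS.

const POINTS = { hit: 10, combo: 25, finish_level: 100 }; // server-owned scoring rules
const MAX_EVENTS = 500;        // plausibility cap: the client still originates events
const SERVER_ROLE = 'BLUser';

const games = new Map();       // stands in for a "Game" table: gameId -> session record
const leaderboard = [];        // stands in for the Leaderboard table
let nextId = 1;

// Step 1: only server code may write to the leaderboard. Here the Permissions API
// rule "POST closed for every role but BLUser" is modelled as an explicit check.
function writeLeaderboard(entry, role) {
  if (role !== SERVER_ROLE) {
    throw new Error(`role ${role} may not POST to Leaderboard`);
  }
  leaderboard.push(entry);
  return entry;
}

// Step 2: the client only asks to start; the server creates the session record.
function startGame(userId) {
  const gameId = nextId++;
  games.set(gameId, { gameId, userId, score: 0, events: 0, completed: false });
  return gameId;
}

// Shared guard: the session must exist, belong to this user and still be open.
function getOpenGame(gameId, userId) {
  const game = games.get(gameId);
  if (!game || game.userId !== userId) throw new Error('no such game for this user');
  if (game.completed) throw new Error('game already completed');
  return game;
}

// Step 3: the client reports *what happened*, never a number. The server looks
// the event up in its own scoring table, rejects anything else, and caps the
// event count so a scripted flood of valid events is also refused.
function recordEvent(gameId, userId, eventType) {
  const game = getOpenGame(gameId, userId);
  if (!Object.prototype.hasOwnProperty.call(POINTS, eventType)) {
    throw new Error(`unknown event ${eventType}`);
  }
  if (game.events >= MAX_EVENTS) throw new Error('event cap exceeded');
  game.events += 1;
  game.score += POINTS[eventType];
  return game.score;
}

// Step 4: the finishing request carries no score; the server writes the one it
// computed and marks the session completed so it cannot be finished twice.
function finishGame(gameId, userId, nickname) {
  const game = getOpenGame(gameId, userId);
  game.completed = true;
  return writeLeaderboard({ userId, nickname, score: game.score }, SERVER_ROLE);
}

// What the client is allowed to read: the table sorted best-first.
function readLeaderboard() {
  return [...leaderboard].sort((a, b) => b.score - a.score);
}

// Demonstration: the legitimate flow next to the console/cURL bypass from the question.
function demo() {
  const gameId = startGame('user-1');
  recordEvent(gameId, 'user-1', 'hit');
  recordEvent(gameId, 'user-1', 'combo');
  finishGame(gameId, 'user-1', 'dan');

  // A cheater can still call save() from the console, but as GuestUser the write is refused.
  let bypassRefused = false;
  try {
    writeLeaderboard({ userId: 'guest', nickname: 'h4x', score: 999999 }, 'GuestUser');
  } catch (e) { bypassRefused = true; }

  // Replaying the finish request for an already completed game is refused too.
  let replayRefused = false;
  try { finishGame(gameId, 'user-1', 'dan'); } catch (e) { replayRefused = true; }

  return { top: readLeaderboard()[0], bypassRefused, replayRefused };
}

console.log(demo());
```

The point to keep in mind is that moving the arithmetic to the server only removes the client's ability to choose the number; the client is still the source of the events, so server code needs plausibility checks on that stream (caps, rates, timing against the start flag) as well as the permission rule on the table.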

Thanks for this - after wrangling with the problem most of today, I see the necessity of this approach.