
I have a multiplayer word game in "Facebook Web Games" format and would like to port it to "Instant Games".

The player id can be fetched by using `FBInstant.player.getID();` and then I could call a URL on my game backend server as in:

```javascript
FBInstant.startGameAsync()
  .then(function() {
    var playerName = FBInstant.player.getName();
    var playerPic = FBInstant.player.getPhoto();
    var playerId = FBInstant.player.getID();

    // Sends the bare, unsigned player id to the backend
    $.post("/my/game/backend", { playerID: playerId });
  });
```

But I don't understand how to verify the player id at my backend server.

If I don't do that, someone else could just use curl to fetch the URL "/my/game/backend" and impersonate some other player.

There must be some kind of signature or token, which could be passed to the game backend server for verification using a common secret, but I cannot find it in the Instant Games documentation yet.

Alexander Farber

1 Answer


https://developers.facebook.com/docs/games/instant-games/sdk/fbinstant6.3#signedplayerinfo

SignedPlayerInfo
Represents information about the player along with a signature to verify that it indeed comes from Facebook.

You need to use getSignedPlayerInfoAsync, then you can get the signature from that, and send that value to your server to verify it there.

CBroe
  • Thanks, when should I call `getSignedPlayerInfoAsync()`? Can it be done in `FBInstant.startGameAsync()`? – Alexander Farber Aug 27 '20 at 07:18
  • Don’t really know that, sorry. But I guess that should work, `FBInstant` already exists, and I would assume `FBInstant.player` as well at this point, don’t see the docs saying anything about that being available at a later point only. – CBroe Aug 27 '20 at 07:28
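
The server-side check the answer refers to, as an added example that is not part of the original answer or of Facebook's code. It assumes the signature format described in the linked SignedPlayerInfo documentation: two base64url parts joined by `.`, the first being the HMAC-SHA256 of the still-encoded second part, keyed with the app secret. The names `verifySignedPlayerInfo` and `makeSampleSignature`, the 300-second freshness window and the sample secret are assumptions of this example.

```javascript
// Added example: server-side verification in Node.js (not from the original post).
const { createHmac, timingSafeEqual } = require('node:crypto');

// Returns the decoded payload if the signature is valid and fresh, else null.
// Assumed format: base64url(HMAC-SHA256(encodedPayload, appSecret)) + "." + encodedPayload
function verifySignedPlayerInfo(signature, appSecret, opts = {}) {
  // maxAgeSeconds is this example's choice, not a Facebook-defined value.
  const { maxAgeSeconds = 300, now = Math.floor(Date.now() / 1000) } = opts;
  if (typeof signature !== 'string') return null;
  const parts = signature.split('.');
  if (parts.length !== 2) return null;
  const [encodedSig, encodedPayload] = parts;

  // The HMAC covers the payload exactly as received (still base64url-encoded).
  const expected = createHmac('sha256', appSecret).update(encodedPayload).digest();
  const given = Buffer.from(encodedSig, 'base64url');
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;

  let payload;
  try {
    payload = JSON.parse(Buffer.from(encodedPayload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (!payload || payload.algorithm !== 'HMAC-SHA256') return null;
  // Reject old signatures so a captured value cannot be replayed indefinitely.
  if (typeof payload.issued_at !== 'number' || now - payload.issued_at > maxAgeSeconds) return null;
  return payload; // trust payload.player_id, never an id sent separately by the client
}

// Constructed sample input: builds a signature in the assumed format for a test secret.
function makeSampleSignature(payload, appSecret) {
  const encodedPayload = Buffer.from(JSON.stringify(payload)).toString('base64url');
  const sig = createHmac('sha256', appSecret).update(encodedPayload).digest().toString('base64url');
  return sig + '.' + encodedPayload;
}

const SAMPLE_SECRET = 'constructed-app-secret'; // placeholder, not a real secret
const sample = makeSampleSignature(
  { algorithm: 'HMAC-SHA256', issued_at: 1700000000, player_id: '1234', request_payload: 'nonce-1' },
  SAMPLE_SECRET
);
console.log(verifySignedPlayerInfo(sample, SAMPLE_SECRET, { now: 1700000010 }));
console.log(verifySignedPlayerInfo(sample, 'wrong-secret', { now: 1700000010 }));
```

On the client, the value to post is the string returned by `getSignature()` on the object that `FBInstant.player.getSignedPlayerInfoAsync()` resolves to; the backend then takes the player id from the verified payload only.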