I'm working on a peer-to-peer multiplayer game built with Unity and I'm looking to implement stat tracking. I already have unique player identifiers and the types of stats I want to store, like damage and kills. My concern is how to securely call an API to a Lambda function that would save this data to an RDS instance. I've noticed that hardcoding the API endpoint into the code is not secure, especially since players can decompile games. Though I'm aware of AWS Cognito, it would require players to register, and I'm not sure how to manage the authentication token back to the game for API calls. Are there other solutions or best practices I should consider?
5 Answers
If your needs are straightforward, using DynamoDB with Lambda might be a perfect fit for your stats tracking requirement.
You might want to reconsider using RDS with Lambda. It could complicate things since you'd need a VPC setup, and that could lead to increased cold starts. Plus, managing connections with RDS is tricky unless you use RDS Proxy. Instead, consider using DynamoDB, which fits well with serverless architecture. For authentication, Cognito can handle that smoothly. If you're registering users, you can utilize a user pool for authentication, allowing your API to validate user access easily.
Cold starts with VPC attachment have improved recently, but overall, your points are solid!
In a P2P setup, trusting stats is challenging. Even with authentication layers, you can't be sure stats aren't tampered with unless the logic is run on a dedicated server. You could use the Steam Auth Ticket system for player authentication. Some ways to trust the stats could be: 1) Get all clients to send their data to a server where you can validate it collectively, or 2) Run bots that act as judges in each lobby to verify stats. Just remember, in a P2P environment, clients can often fake stats if they reverse-engineer the game.
Right, while you can authenticate players, validating that the stats sent are accurate is tough. I like the consensus-based method, but it depends on how critical the stats are.
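The consensus approach discussed in the answer above, sketched as server-side Python that a Lambda handler could call once every peer in a lobby has submitted its view of the match. This is an added example, not part of the original thread; `settle_match`, the report layout and the sample player IDs are assumptions, and reporter IDs are assumed to be authenticated (for instance with the Steam auth ticket mentioned above) before this code runs.

```python
from collections import Counter

STAT_KEYS = ("kills", "damage")


def settle_match(roster, reports):
    """roster: set of player IDs in the lobby. reports: list of
    (reporter_id, {player_id: {"kills": int, "damage": int}}), where
    reporter_id is assumed to be authenticated before this runs.
    Returns (accepted, disputed): stats a strict majority of the roster
    reported identically, and the player IDs with no such majority."""
    quorum = len(roster) // 2 + 1
    # One vote per roster member: ignore outsiders and repeat submissions.
    votes = {}
    for reporter, claims in reports:
        if reporter in roster and reporter not in votes:
            votes[reporter] = claims

    accepted, disputed = {}, []
    for player in sorted(roster):
        tally = Counter()
        for claims in votes.values():
            stats = claims.get(player) if isinstance(claims, dict) else None
            try:
                key = tuple(int(stats[k]) for k in STAT_KEYS)
            except (KeyError, TypeError, ValueError):
                continue  # missing or malformed claim counts as no vote
            if all(v >= 0 for v in key):
                tally[key] += 1
        winner = tally.most_common(1)
        if winner and winner[0][1] >= quorum:
            accepted[player] = dict(zip(STAT_KEYS, winner[0][0]))
        else:
            disputed.append(player)  # hold for review instead of saving
    return accepted, disputed


# Constructed sample: four-player lobby where "p4" inflates its own stats.
ROSTER = {"p1", "p2", "p3", "p4"}
HONEST = {"p1": {"kills": 2, "damage": 310}, "p2": {"kills": 1, "damage": 180},
          "p3": {"kills": 0, "damage": 95}, "p4": {"kills": 1, "damage": 140}}
FORGED = {**HONEST, "p4": {"kills": 50, "damage": 9999}}
SAMPLE_REPORTS = [("p1", HONEST), ("p2", HONEST), ("p3", HONEST),
                  ("p4", FORGED), ("p4", FORGED), ("outsider", FORGED)]
```

Only the `accepted` entries would be written to the stats table. A colluding majority of the lobby can still outvote honest peers, so this raises the cost of tampering without replacing server-run game logic.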
If you already have user accounts, consider using Cognito to provision them. You could set up API Gateway with Cognito to manage access to your metrics API. This way, you can streamline the authentication process without needing an elaborate user system.
But our players don’t need accounts. They use Steam IDs to play, so does that mean I should authenticate using the Steam ID directly? Just worried about the public nature of Steam IDs.
Remember, the real challenge is verifying the stats sent to your Lambda function. You'll need to brainstorm how to handle that accurately.
Thanks for the tip about DynamoDB! We'll definitely keep that in mind. We're not actually registering users directly but rather linking with Steam IDs, so I appreciate your insight!