I have a multiplayer word game in "Facebook Web Games" format and would like to port it to "Instant Games".
The player id can be fetched by using FBInstant.player.getID();
and then I could call a URL on my game backend server as in:

    FBInstant.startGameAsync()
        .then(function() {
            var playerName = FBInstant.player.getName();
            var playerPic = FBInstant.player.getPhoto();
            var playerId = FBInstant.player.getID();
            // The ID is posted as a plain value; the backend cannot check where it came from.
            $.post("/my/game/backend", { playerID: playerId });
        });

But I don't understand how to verify the player id at my backend server.
If I don't do that, someone else could just use curl to fetch the URL "/my/game/backend" and impersonate some other player.
There must be some kind of signature or token, which could be passed to the game backend server for verification using a common secret, but I cannot find it in the Instant Games documentation yet.
https://developers.facebook.com/docs/games/instant-games/sdk/fbinstant6.3#signedplayerinfo
SignedPlayerInfo
Represents information about the player along with a signature to verify that it indeed comes from Facebook.
You need to use getSignedPlayerInfoAsync, then you can get the signature from that, and send that value to your server to verify it there.
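
A server-side check (Node.js) for the signature obtained through getSignedPlayerInfoAsync, as an added example that is not part of the original answer or Facebook's own code. It assumes the format described in Facebook's SignedPlayerInfo documentation: two base64url parts joined by ".", the first being an HMAC-SHA256 of the second keyed with the app secret, the second a JSON payload with `algorithm`, `issued_at`, `player_id` and `request_payload`. The function names, the sample secret and the sample values are constructed.

```javascript
const crypto = require('node:crypto');

// Returns the verified payload object, or null if the signature must be rejected.
function verifySignedPlayerInfo(signature, appSecret, maxAgeSec = 300,
                                nowSec = Math.floor(Date.now() / 1000)) {
  if (typeof signature !== 'string') return null;
  const parts = signature.split('.');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const [encodedSig, encodedPayload] = parts;

  // The HMAC covers the still-encoded payload string, keyed with the app secret.
  const expected = crypto.createHmac('sha256', appSecret).update(encodedPayload).digest();
  const given = Buffer.from(encodedSig, 'base64url');
  // Constant-time comparison; lengths must match before timingSafeEqual is called.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;

  let payload;
  try {
    payload = JSON.parse(Buffer.from(encodedPayload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (payload === null || typeof payload !== 'object') return null;
  if (payload.algorithm !== 'HMAC-SHA256') return null;
  // Reject stale or future-dated tokens so a captured signature cannot be reused for long.
  if (typeof payload.issued_at !== 'number') return null;
  if (Math.abs(nowSec - payload.issued_at) > maxAgeSec) return null;
  if (typeof payload.player_id !== 'string' || payload.player_id === '') return null;
  return payload; // use payload.player_id, never a playerID posted alongside it
}

// Constructed sample standing in for a Facebook-issued signature (assumed format).
function makeSampleSignature(appSecret, payload) {
  const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
  const sig = crypto.createHmac('sha256', appSecret).update(body).digest('base64url');
  return `${sig}.${body}`;
}

const SAMPLE_SECRET = 'constructed-app-secret'; // placeholder, not a real secret
const NOW = 1700000000;                         // fixed clock for the demo
const sample = makeSampleSignature(SAMPLE_SECRET, {
  algorithm: 'HMAC-SHA256', issued_at: NOW - 10,
  player_id: '1234567890', request_payload: 'login',
});
console.log(verifySignedPlayerInfo(sample, SAMPLE_SECRET, 300, NOW));
```

The backend should take the player ID only from the returned payload, and the app secret must stay on the server and never ship in the game client.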