Technical devblog (GameSparks, PlayFab, Node, JS, mistakes, fixes and decisions) for you guys Thread

Hi, I'm Dylan/Xblade, founder of Imperium42 Game Studio and developer of the Throne of Lies: The Online Game of Lies and Deceit (whew, long name) project for PC, Mac and Linux with Unity/C#. While developing the website with BaaS integration, I learned a lot of things over the past few months, leading up to a 3-minute audio recording:

For those that prefer text, here are the highlights:

Usually our devblogs are much lighter, but this one is aimed towards my fellow indie devs!

I tried both PlayFab and GameSparks. In the end, I'm calling PlayFab the winner -- but barely!

1. GameSparks is more polished and has more flexibility, however PlayFab won by updating weekly (BIG updates, not just "misc fixes"), having an integrated password/email recovery system with 1 line of code, having fantastic recipes and demos, and having a **working** nodeJS SDK (more explained below)

2. (GameSparks techs are great -- except for this subject. It's unfortunate that they couldn't resolve even the basic setup about their own password hashing mechanics for Node. The docs didn't match the basic setup of "Vanilla" JS. I have a feeling their Node SDK was outsourced). Don't get me wrong, **both GS and PF are fantastic**, but if I can't get the basic setup working, the docs don't tell me, and the techs can't resolve it, how am I expected to resolve it

On your website, DON'T USE ANY JAVASCRIPT SDK WITH A SECRET - Use Node and Ajax to call it:

1. This was discovered too late, after I had already coded it. Not just already coded it, but I coded my own Ajax API, realized they had an SDK then replaced with SDK, then before releasing the version with the SDK I realized that the secret key was exposed (in both PlayFab and GameSparks -- this is normal, don't worry).

2. So to resolve it? Ditch the JS sdk and ONLY use Node. Send an Ajax call to the node PF/GS SDK, process it, and send back the response.

So.. What did I learn?

1. As soon as you start getting live customers, stick with your BaaS you chose and don't look into switching to save yourself headache (although it may be a good experience to know both -- if you can spare the time. I'd love to have my next game with the competitor for a learning experience). Both GS and PF are amazing, just choose your flavor and stick with it (like Chrome vs Firefox). If you can get Node working for GS - maybe later.

2. For pretty much ALL your API's, look into NodeJS SDK's instead and ditch your vanilla JS for security so your secret keys aren't exposed. Don't get hacked like everyone else out of laziness. I barely knew Node but I learned it in a few weeks (Google "node express minimal tutorial 2016". Express THEMSELVES have a great guide, believe it or not -- usually overdetailed, but it's really not).

3. Don't forget, anything you code on your website for your BaaS will have knowledge applied for your coding in Unity or other SDK. It's good practice, regardless

Edited by: Imperium42