
TMTimeVR/PlayFab-Login-System

PlayFab-Login-System

A login system for VR games made for an Oculus Quest.

Dependencies

DISCLAIMER:

Yes, AI (Claude) was used in this system. Claude was used as a second pair of eyes, not just something that generates code that I instantly put into this system. I have absolutely no idea if this is a safe and secure way to do authentication. This is an older version of the backend in Monkey Mall.

Credits:

I used large code snippets of SolarisDev09's AdvancedPlayFab and JokerJosh0's EasyPlayFab. I also used some random PlayFab login script from 2023. I think it was made by someone called "MONKI".

The APK hash verification code snippet (lines 901-930) was made by MaxNiftyNine. This guide was used.

Setup:

  1. Import the dependencies. Import the PlayFab Unity SDK, Photon PUN, Photon Voice, PhotonVR, the GCS Wardrobe System and the Meta XR All-in-One SDK. If you are prompted to import TextMeshPro, do so.

  2. Add the scripts. Place main/LoginPF.cs in your project (e.g. Assets/Scripts/). The creditsURL, motdURL, uURL, ltURL and woURL fields near the top of the script point to placeholder URLs (YOUR_USERNAME/YOUR_REPO) — change them to your own remote text files, or remove the features that use them if you don't need a MOTD / credits / version gate.

  3. Enable the PlayFab API features. In the PlayFab Game Manager, open Settings → API Features:

    Enable the options shown here:

  4. Set your Title ID. In Unity, click PlayFab → MakePlayFabSharedSettings at the top of the window and enter your Title ID:

  5. Upload the Cloud Script. LoginPF.cs relies on server-side handlers (VOI, GetPhotonAuth, AnnounceLogin, banPlayer, permBanPlayer, and more). In the Game Manager, go to Automation → Cloud Script, paste the contents of main/cloudscripts.js into a new revision, save it, and deploy it as the live revision.

  6. Configure your secrets in Internal Title Data. The Cloud Script reads every secret and endpoint from server-only Internal Title Data — never put these in client-readable Title Data or hard-code them in the scripts. In the Game Manager, open Content → Title Data → Internal Title Data and add the keys you need:

    | Key | Purpose |
    | --- | --- |
    | PUN | Photon Realtime AppId (base64-encoded) |
    | VOICE | Photon Voice AppId (base64-encoded) |
    | APP_ID | Meta/Oculus application ID |
    | APP_SECRET | Meta/Oculus application secret |
    | MODERATOR_IDS | JSON array of moderator PlayFab IDs, e.g. ["ABC123","DEF456"] |
    | WEBHOOK_BANS, WEBHOOK_VOICE, WEBHOOK_WARNINGS, WEBHOOK_REPORTS, WEBHOOK_LOGIN, WEBHOOK_LOBBY | Notification endpoints (optional; handlers degrade gracefully if a key is unset) |
    | META_HASH, IL2CPP_HASH | Expected build hashes for the optional binary-integrity check (optional) |

  7. Set up the GCS Wardrobe. Follow the GCS Wardrobe setup guide (made by The Tech Wizard).

  8. (Optional) Enable the APK signature check. LoginPF.cs has an EXPECTED_SIGNATURE_HASH constant. While it is left at 0 the check is disabled and the game runs normally. To enable it, set it to your release keystore signature's hashCode (see MaxNiftyNine's guide). This is a client-side check and only a speed bump — it can be patched out of a decompiled APK, so never rely on it as your only protection.

Security note: This is client code and cannot be trusted. Keep all secrets in Internal Title Data, and enforce anything that matters — identity validation, currency/purchase grants, bans — inside Cloud Script, never on the client.
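
The server-side enforcement described in step 6 and the security note, as an added example that is not taken from the repository's cloudscripts.js: a ban handler that reads MODERATOR_IDS from Internal Title Data and authorizes against the session's player ID rather than anything the client sends. The function names, the args shape, the 720-hour cap and the stub server are assumptions.

```javascript
// Added example: not the repository's cloudscripts.js. Function names, the
// args shape and the stub server are assumptions. ES5 style on purpose.

// Read MODERATOR_IDS from Internal Title Data. Fail closed: a missing or
// malformed value yields an empty list, so nobody is treated as a moderator.
function loadModeratorIds(server) {
  var res = server.GetTitleInternalData({ Keys: ["MODERATOR_IDS"] });
  var raw = res && res.Data ? res.Data.MODERATOR_IDS : undefined;
  if (typeof raw !== "string") return [];
  try {
    var ids = JSON.parse(raw);
    if (!Array.isArray(ids)) return [];
    return ids.filter(function (id) { return typeof id === "string" && id !== ""; });
  } catch (e) {
    return [];
  }
}

// callerId must be the id PlayFab attached to the authenticated session
// (currentPlayerId in Cloud Script), never a value taken from args.
function handleBan(server, callerId, args) {
  var mods = loadModeratorIds(server);
  if (typeof callerId !== "string" || mods.indexOf(callerId) === -1) {
    return { ok: false, error: "not_moderator" };
  }
  var target = args && args.targetId;
  if (typeof target !== "string" || target === "") {
    return { ok: false, error: "bad_target" };
  }
  var hours = args.hours; // assumed policy: whole hours, 1 to 720
  if (typeof hours !== "number" || hours % 1 !== 0 || hours < 1 || hours > 720) {
    return { ok: false, error: "bad_duration" };
  }
  server.BanUsers({ Bans: [{ PlayFabId: target, Reason: "moderator ban", DurationInHours: hours }] });
  return { ok: true, banned: target, hours: hours };
}

// Constructed stand-in for the Cloud Script `server` object, for offline runs.
function makeStubServer(internalData) {
  var stub = { banRequests: [] };
  stub.GetTitleInternalData = function () { return { Data: internalData }; };
  stub.BanUsers = function (req) { stub.banRequests.push(req); return {}; };
  return stub;
}

// Wiring inside PlayFab (skipped when run outside Cloud Script).
if (typeof handlers !== "undefined") {
  handlers.exampleBan = function (args) { return handleBan(server, currentPlayerId, args); };
}
```

A client that sends its own `callerId` or `isModerator` field in `args` gains nothing, because the handler never reads them.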

About

A login system containing all the necessary things to do authentication in Oculus Quest games.
