Security

Use as a backend service

                  ┌─ Server ────────────────────────────────────────┐
                  │                                                 │
┌──────────────┐  │   ┌─────────────────┐   ┌────────────────────┐  │
│              │  │   │                 │   │                    │  │
│   API User   ├──┼──►│ Backend Service ├──►│ REST Server (Unity)│  │
│              │  │   │                 │   │                    │  │
└──────────────┘  │   └─────────────────┘   └────────────────────┘  │
                  │                                                 │
                  └─────────────────────────────────────────────────┘

This architectural pattern adds an additional server outside Unity that handles all incoming calls and acts as the front end for the REST API user. This backend service takes care of all security-relevant aspects, such as sanitization and authentication. The backend service can also be used to abstract a low-level REST API from Unity into a higher, application-level interface. For example, the Unity REST server can provide low-level calls like SetPosition or MoveTo, while the backend service implements a higher-level animation interface like PlayAnimationX.
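The following example is added here and is not part of the package: it shows the request-handling core of such a backend service in Python, authenticating the caller, validating the body, and translating the high-level PlayAnimationX call into fixed low-level Unity calls. The token, loopback port, URL paths, JSON body shape and animation table are assumptions, not values from this page.

```python
import hmac
import json

# Assumptions (not from the page): token value, Unity port and URL paths,
# the JSON body shape and the animation table are all hypothetical.
API_TOKEN = "constructed-sample-token"
UNITY_BASE = "http://127.0.0.1:8080"  # Unity REST server stays on loopback
MAX_BODY = 1024  # bytes; reject oversized requests before parsing

# Allow-list: high-level animation name -> fixed low-level Unity calls.
ANIMATIONS = {
    "PlayAnimationX": [("/SetPosition", {"x": 0.0, "y": 0.0, "z": 0.0}),
                       ("/MoveTo", {"x": 5.0, "y": 0.0, "z": 0.0})],
}


def authenticate(headers):
    """Constant-time bearer token check (header names assumed normalized)."""
    supplied = headers.get("Authorization", "")
    expected = "Bearer " + API_TOKEN
    return hmac.compare_digest(supplied.encode(), expected.encode())


def plan_calls(headers, raw_body):
    """Return (status, calls). calls lists the low-level requests the
    backend would forward to Unity; it is empty unless status is 200."""
    if not authenticate(headers):
        return 401, []
    if len(raw_body) > MAX_BODY:
        return 413, []
    try:
        body = json.loads(raw_body)
    except (ValueError, RecursionError):  # malformed, bad encoding, too deep
        return 400, []
    name = body.get("animation") if isinstance(body, dict) else None
    if not isinstance(name, str) or name not in ANIMATIONS:
        return 400, []
    # Only server-defined paths and payloads reach Unity; nothing from the
    # client is copied into the forwarded request.
    return 200, [(UNITY_BASE + path, json.dumps(payload))
                 for path, payload in ANIMATIONS[name]]
```

An HTTP handler in the backend service would call plan_calls for each request and send the returned calls to the Unity REST server only when the status is 200.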

Bind to any IP and use in a secured network

┌─ Secured/Private Network ──────────────────────────┐
│                                                    │
│                    ┌─ Server ───────────────────┐  │
│                    │                            │  │
│  ┌──────────────┐  │   ┌────────────────────┐   │  │
│  │              │  │   │                    │   │  │
│  │   API User   ├──┼──►│ REST Server (Unity)│   │  │
│  │              │  │   │                    │   │  │
│  └──────────────┘  │   └────────────────────┘   │  │
│                    │                            │  │
│                    └────────────────────────────┘  │
│                                                    │
└────────────────────────────────────────────────────┘

It’s technically possible to expose the REST server on any interface/network. While this can be done in code, the network (or your implementation) should then take care of security. This architecture could be useful if you are using Unity inside a render farm that is protected from the outside.

The REST server can be bound to any interface with this example code:

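using System.Net; // IPAddress

public class MyServer : RestServer {
    public override void StartServer() {
        // Stop a previously started instance before rebinding.
        Server?.Stop();

        Server = new LowLevelHttpServer(
            EndpointCollection,
            IPAddress.Any /* Important change: listen on every interface */,
            port
        );
        Server.Start();
    }
}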

Bind to any Interface

It’s technically possible to expose the REST server on any interface/network. While this can be done, the network (or your implementation) should then take care of security. The REST server can be bound to any available IP via the property ListenAddress, like this:

void Start() {
    // Example address; it must belong to an interface of this machine.
    restServer.ListenAddress = new IPAddress(new byte[] {100, 100, 100, 100});
    restServer.StartServer();
}

Note that the IP must be available as an interface on the machine the REST server is running on.

Alternatively, and much easier, the listen interface can be changed in the inspector.

Change listening interface/address in the inspector