Anti-Tampering Implementation
Objective
Implement a robust anti-tampering system to prevent players (including the host) from manipulating the game state via malicious client-side emissions.
Changes
- Server (`src/server/managers/RoomManager.ts`):
  - Added `getPlayerBySocket(socketId)` to securely identify the player associated with a connection, eliminating reliance on client-provided IDs.
- Server (`src/server/index.ts`):
  - Refactored all major socket event listeners (`pick_card`, `game_action`, `start_draft`, `player_ready`) to use `roomManager.getPlayerBySocket(socket.id)`.
  - The server now ignores `playerId` and `roomId` sent in the payload (where applicable) and uses the trusted session context instead.
  - This ensures that a user can only perform actions for themselves in the room they are actually connected to.
- Server (`src/server/managers/GameManager.ts`):
  - Updated `handleAction` to accept an authentic `actorId`.
  - Added ownership/controller checks to sensitive actions:
    - `moveCard`: Only the controller can move a card.
    - `updateLife`: Only the player can update their own life.
    - `drawCard`, `createToken`, etc.: Validated against `actorId`.
- Frontend (`GameView.tsx`, `DraftView.tsx`, `DeckBuilderView.tsx`):
  - Cleaned up socket emissions to stop sending redundant `roomId` and `playerId` fields, aligning client behavior with the new secure server expectations (though the server would safely ignore them anyway).
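The identity lookup and ownership checks described above, as an added example that is not the project's own code: it models `getPlayerBySocket`, `handleAction` and the `game_action` handler against a minimal in-memory room. The Room/Player/Card shapes, the `Result` type, the field names and the sample players are assumptions made for the demo.

```typescript
// Added example, not the project's own code: the socket-id identity lookup and
// ownership checks described above. Room/Player/Card/Result shapes are assumed.
type Player = { id: string; life: number };
type Card = { id: string; controller: string };
type Room = { id: string; players: Player[]; cards: Card[]; sockets: Map<string, string> };
type Action = { type: "moveCard"; cardId: string } | { type: "updateLife"; playerId: string; delta: number };
type Result = { ok: boolean; reason?: string };
class RoomManager {
  private rooms: Room[];
  constructor(rooms: Room[]) { this.rooms = rooms; }
  // Identity comes from the connection (socket id -> player id), never from the payload.
  getPlayerBySocket(socketId: string): { room: Room; player: Player } | null {
    for (const room of this.rooms) {
      const player = room.players.find((p) => p.id === room.sockets.get(socketId));
      if (player) return { room, player };
    }
    return null;
  }
}
class GameManager {
  // actorId is the server-resolved identity; every ownership check is made against it.
  handleAction(room: Room, actorId: string, action: Action): Result {
    if (action.type === "moveCard") {
      const card = room.cards.find((c) => c.id === action.cardId);
      if (!card) return { ok: false, reason: "unknown card" };
      if (card.controller !== actorId) return { ok: false, reason: "not the controller" };
      return { ok: true };
    }
    // A payload naming another player's life total is rejected, not trusted.
    if (action.playerId !== actorId) return { ok: false, reason: "not your life total" };
    const me = room.players.find((p) => p.id === actorId);
    if (!me) return { ok: false, reason: "actor not in room" };
    me.life += action.delta;
    return { ok: true };
  }
}
// `game_action` handler: payload roomId/playerId may be present but are never consulted.
function onGameAction(rm: RoomManager, gm: GameManager, socketId: string,
  payload: { roomId?: string; playerId?: string; action: Action }): Result {
  const ctx = rm.getPlayerBySocket(socketId);
  if (!ctx) return { ok: false, reason: "socket is not a player in any room" };
  return gm.handleAction(ctx.room, ctx.player.id, payload.action);
}
// Constructed sample: alice (socket s1) and bob (socket s2) in room r1; alice controls card c1.
function sampleSetup() {
  const room: Room = { id: "r1", players: [{ id: "alice", life: 20 }, { id: "bob", life: 20 }],
    cards: [{ id: "c1", controller: "alice" }], sockets: new Map<string, string>([["s1", "alice"], ["s2", "bob"]]) };
  return { rm: new RoomManager([room]), gm: new GameManager(), room };
}
```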
Result
The system is now significantly more resistant to session hijacking or spoofing. Users cannot act as other players or manipulate game state objects they do not control, even if they manually emit socket events from the console.