Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

hu0603 # Take player id from connection #73

Open
muetsii opened this issue Oct 10, 2020 · 0 comments
Open

hu0603 # Take player id from connection #73

muetsii opened this issue Oct 10, 2020 · 0 comments
Labels
security user-story
Milestone
ms06: polish

Comments

@muetsii
Copy link
Owner

muetsii commented Oct 10, 2020

As a player I want the app to be secure and no one can impersonate me to disconnect me.

Background

There is a security issue with player ids. They are provided by the backend and remembered and used by the client.

The client could use the browser console to change the id to impersonate other players, for example to disconnect them from a room.

Acceptance criteria

  • The playerid is stored in the connection.

  • The id stored in connection is used in the backend for any operation needing a playerid.

  • The playerids are inserted into the method data in a before hook.

  • SHOULD: probably the room name should be managed at the same time.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security user-story
Projects
None yet
Milestone
ms06: polish
Development

No branches or pull requests
1 participant
@muetsii