What am I trying to do?
- I want to create a headless godot “super client” (host?) to handle physics and other game logic that would benefit from godot’s existing libraries.
- I want the “super client” to be the only client that can send updates to nakama about the match state for all players clients. For my game, there is only need for one, ever-persisting match (an open game world). So essentially, the player clients become interfaces, only sending requests to nakama, which are then validated through logic implemented in the godot headless client (“super client”).
What are my concerns/questions?
- The docs on session management say:
As long as the JWT has not expired and has not been tampered with, the server can securely validate the JWT. At the same time, the JWT is not encrypted, so your client code can inspect its contents too.
Sounds good for initiating a secure(ish) server-to-server connection, by just checking the user id (or absence thereof) to execute any server-specific requests. I say “ish” because I understand the JWT still needs to be sent along a network which can be stolen by a MITM (even local). But I’m not really concerned about this at the moment. So please let me know if I understand this correctly… the user id is decoded from the JWT when received by nakama… which means, no one can spoof server to server requests (by say modifying the context with a null/empty user id) without the “super client”'s JWT? Right? But wait a minute… how do I achieve a blank user id in the authentication process to begin with?
- By creating an authoritative match manually as shown here, does this mean any player client can still call functions such as “send_match_state_async” or “create_match_async”? (or in other words, does creating an authoritative match override ALL possibility of client relay functionality from the server’s end)? If not, what can be done about it?
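An added example, not from the original post, illustrating the JWT property quoted above: anyone holding the token can read its claims without a key, but rewriting the user id claim (or outliving the expiry) without the server's signing key fails verification. The claim name `uid`, the HS256 signing and the key value are assumptions here, not taken from the post or from Nakama's implementation.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Server side: sign the claims with HS256 (assumed algorithm)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def inspect_claims(token: str) -> dict:
    """Client side: the payload is only base64url-encoded, so no key is needed to read it."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Server side: accept the claims only if the signature matches and 'exp' is in the future."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None  # tampered payload or wrong key
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None  # expired
    return claims


def tamper_uid(token: str, new_uid: str) -> str:
    """A forged token: the 'uid' claim (assumed name) is rewritten but the old signature is kept."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["uid"] = new_uid
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{sig}"
```

Setting `uid` to an empty string in `tamper_uid` models the "blank user id" spoofing attempt from the question; the server rejects it because the signature no longer covers the modified payload.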