Hi guys,
I think the way we can write tournament records with the JavaScript client (at least) is very vulnerable and prone to abuse from players. This seems to be the cURL example from the docs:

    PUT /v2/tournament/<tournament_id>
    Host: 127.0.0.1:7350
    Accept: application/json
    Content-Type: application/json
    Authorization: Bearer <session token>

    {
      "score": 100,
      "subscore": 10,
      "metadata": "{\"weather_conditions\": \"sunny\", \"track_name\" : \"Silverstone\" }"
    }

This confirms that the score for a tournament can be written with a simple request which the player can make very easily from the browser’s developer tools.
Is there a reason why there isn’t an HMAC signature used for this kind of request where players write their scores?
Cheers
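
An added example, not part of the original post and not code from the project: a Node.js sketch of the kind of server-side HMAC check the question asks about, applied to the score body shown above. The function names, field layout, nonce/timestamp fields and key are all assumptions; the key is assumed to be held by a trusted signer, since a key shipped inside browser JavaScript is readable by the player.

```javascript
// Added example: HMAC-SHA256 over a tournament score write, verified server-side.
// All names here (signScore, verifyScore, the field layout) are hypothetical.
const crypto = require("node:crypto");

const MAX_SKEW_MS = 30_000;      // reject signatures older than 30 s
const seenNonces = new Set();    // replay cache (in-memory for the example)

// Length-prefix each field so "1"+"00" and "10"+"0" cannot collide.
function canonical(f) {
  return [f.userId, f.tournamentId, f.score, f.subscore, f.metadata, f.nonce, f.ts]
    .map((v) => { const s = String(v); return `${Buffer.byteLength(s)}:${s}`; })
    .join("|");
}

function signScore(key, f) {
  return crypto.createHmac("sha256", key).update(canonical(f)).digest("hex");
}

// Returns "ok" or the reason the write is rejected.
function verifyScore(key, f, sigHex, now = Date.now()) {
  const expected = Buffer.from(signScore(key, f), "hex");
  const given = Buffer.from(String(sigHex), "hex");
  // Constant-time compare; a length mismatch also covers malformed hex.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return "bad-signature";
  }
  if (Math.abs(now - f.ts) > MAX_SKEW_MS) return "stale";
  if (seenNonces.has(f.nonce)) return "replay";
  seenNonces.add(f.nonce);
  return "ok";
}

// Constructed sample mirroring the request body in the post.
const KEY = Buffer.from("constructed-demo-key-not-a-real-secret");
const sample = {
  userId: "user-1", tournamentId: "tournament-1", score: 100, subscore: 10,
  metadata: '{"weather_conditions": "sunny", "track_name" : "Silverstone" }',
  nonce: "n-0001", ts: 1_700_000_000_000,
};
const sampleSig = signScore(KEY, sample);
```

The signature binds the score to one user, one tournament and one nonce, so an edited body or a resent request is rejected; it does not make a score trustworthy if the player controls the signer.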