Writing tournament records, with JavaScript client

Hi guys,

I think the way we can write tournament records with the JavaScript client (at least) is very vulnerable and prone to abuse from players. This seems to be the cURL example from the docs:

PUT /v2/tournament/<tournament_id>
Host: 127.0.0.1:7350
Accept: application/json
Content-Type: application/json
Authorization: Bearer <session token>

{
  "score": 100,
  "subscore": 10,
  "metadata": "{\"weather_conditions\": \"sunny\", \"track_name\" : \"Silverstone\" }"
}

This confirms that the score for a tournament can be written with a simple request which the player can make very easily from the browser’s developer tools.

Is there a reason why there isn't an HMAC signature used for this kind of request where players write their scores?

Cheers

Any client-side security is a half-measure at best, and often only gives the illusion of secure submission of scores.

If you want total control and guaranteed security you can enable authoritative mode when the tournament is created. Score submissions will only be allowed from your own server runtime code - for example when a match ends you can update scores for match participants, or only accept submissions from clients via RPC functions that implement any security and validation you choose.

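As an added illustration of the server-side RPC approach described in the reply above (this is example code written for this page, not Nakama's own code or code from either poster): a score-submission RPC for the Nakama JavaScript server runtime that validates the client payload and writes the record for the authenticated session only. The runtime API names used (InitModule, initializer.registerRpc, nk.tournamentRecordWrite, ctx.userId, ctx.username) are assumed to follow the documented runtime; the RPC name "submit_score", the tournament id "weekly-laps", the score limits and the in-memory fake runtime are constructed for this example.

```javascript
// Added example: a validating score-submission RPC for a tournament created
// in authoritative mode. Not Nakama's code; runtime API names are assumed
// to match the documented JS runtime, everything else is constructed here.

// Tournament ids this RPC is willing to write to, with a plausible score
// ceiling for each. Anything else is rejected before touching storage.
const ALLOWED_TOURNAMENTS = {
  "weekly-laps": { maxScore: 100000 },
};

// Pure validation: takes the raw RPC payload string and returns either
// { ok: true, value } or { ok: false, error }. Kept free of runtime calls
// so it can be unit-tested outside the server.
function validateScoreSubmission(payload) {
  let body;
  try {
    body = JSON.parse(payload);
  } catch (e) {
    return { ok: false, error: "payload is not valid JSON" };
  }
  if (typeof body !== "object" || body === null) {
    return { ok: false, error: "payload must be a JSON object" };
  }
  const rules = ALLOWED_TOURNAMENTS[body.tournamentId];
  if (!rules) {
    return { ok: false, error: "unknown tournament" };
  }
  if (!Number.isInteger(body.score) || body.score < 0 || body.score > rules.maxScore) {
    return { ok: false, error: "score out of range" };
  }
  const subscore = body.subscore === undefined ? 0 : body.subscore;
  if (!Number.isInteger(subscore) || subscore < 0) {
    return { ok: false, error: "subscore out of range" };
  }
  // Deliberately not taken from the client: the owner id. The record is
  // always written for the authenticated session, never for a user named
  // in the payload.
  return { ok: true, value: { tournamentId: body.tournamentId, score: body.score, subscore } };
}

// RPC handler in the shape the Nakama JS runtime expects:
// (ctx, logger, nk, payload) => string. With the tournament in authoritative
// mode this server-side path is the only way a score gets written, so the
// checks above cannot be bypassed from the browser's developer tools.
function rpcSubmitScore(ctx, logger, nk, payload) {
  const result = validateScoreSubmission(payload);
  if (!result.ok) {
    logger.warn("rejected score from %s: %s", ctx.userId, result.error);
    throw new Error(result.error);
  }
  const v = result.value;
  nk.tournamentRecordWrite(v.tournamentId, ctx.userId, ctx.username, v.score, v.subscore, {
    source: "submit_score_rpc",
  });
  return JSON.stringify({ accepted: true });
}

// Module entry point used by the Nakama JS runtime (assumed signature).
function InitModule(ctx, logger, nk, initializer) {
  initializer.registerRpc("submit_score", rpcSubmitScore);
}

// Minimal in-memory stand-in for the parts of `nk` and `logger` the handler
// touches, so the flow can be exercised offline. Constructed for this example.
function makeFakeRuntime() {
  const written = [];
  return {
    written,
    logger: { warn: () => {}, info: () => {} },
    nk: {
      tournamentRecordWrite: (id, ownerId, username, score, subscore, metadata) =>
        written.push({ id, ownerId, username, score, subscore, metadata }),
    },
  };
}
```

The client then calls the "submit_score" RPC with its session token instead of PUTting to /v2/tournament/<tournament_id> directly; the server decides what is plausible and whose record is being written. Where the score can be derived from server-held match state rather than sent by the client at all, as the reply suggests for match ends, the validation step shrinks to checking that the caller was a participant.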