Writing tournament records, with JavaScript client

Hi guys,

I think the way we can write tournament records with the Javascript client (at least) is very vulnerable and prone to abuse from players. This seem to be the cURL example from the docs:

PUT /v2/tournament/<tournament_id>
Accept: application/json
Content-Type: application/json
Authorization: Bearer <session token>

  "score": 100,
  "subscore": 10,
  "metadata": "{\"weather_conditions\": \"sunny\", \"track_name\" : \"Silverstone\" }"

This confirms that the score for a tournament can be written with a simple request which the player can make very easily from the browser’s developer tools.

Is there a reason why isn’t there a HMAC signature used for this kind of requests where players write their scores?


Any client-side security is a half-measure at best, and often only gives the illusion of secure submission of scores.

If you want total control and guaranteed security you can enable authoritative mode when the tournament is created. Score submissions will only be allowed from your own server runtime code - for example when a match ends you can update scores for match participants, or only accept submissions from clients via RPC functions that implement any security and validation you choose.