Anonymous can't access their correspondence game

[m4po5]

Exact URL where the bug happened

• https://lishogi.org/yANcOtQW

Steps to reproduce the bug

• Play Correspondence with invite link, accepted by party without account.

What did you expect to happen?

• That the anonymous player could use the invite link in the future to access their own game.

What happened instead?

• After a week or so, the player using the link could only join as spectator.

Operating system and browser version

• Android, Telegram's Internal Browser.
  • Android 14, OneUi 6.1, Buildnr UP1A.231005.007.S928BXXU3AXH7
  • Telegram V11.1.3(5244) storebundled arm64-v8a

[WandererXII]

Thanks for reporting this. Hmm, the player is identified with a cookie and that cookie probably expired or if a different device/browser was used the cookie wasn't present. Possible solutions:

• Not allowing anon players to play correspondence (easiest)
• Show 'code' to anon players with which they can claim the game in case the cookie expires (not really user friendly)
• Storing the cookie for longer and informing the anon player that the can game can only be accessed from current device, maybe using local storage would be even better (game still not playable across devices or if the browser decides to clear cookies or local storage for some reason)

Ideally I would do it the way you suggest 'That the anonymous player could use the invite link in the future to access their own game', but invite link is just a game link after the challenge is accepted and since that link is visible on your profile anyone who would find that game on your profile could play it. I could rework the challenge link and add a 'key' to the invite link, but that would still mean that even players who didn't accept the challenge, but just got or saw the link could play, which would be confusing, although if it's mentioned somewhere that anyone with the link can play, it doesn't sound too bad...

[m4po5]

Sounds about as much the same as what I figured myself, and you are drawing the same conclusions I came to. Easiest would be to deny anon from playing correspondence, true. Special invite link that is different from spectate link also sounds nice, despite the security risk that anyone with the link can play for the invited party - which I think is a fair trade-off. Just give the "host" access to the original invite link, if anon player loses it or something.

If security remains an issue, one could generate a key/pass-code and ask the anon player to store it, but that impairs user-friendliness, in my opinion.

Both cases could also be solved with a "generate new invite link", for the host.

From what I gather of your logic, you seem to have a spectate link and the challenge link atm? Perhaps accepting challenge should generate a "player"-link which the accepting party then stores. Which only leads to the pit of hosts able to play themselves, if that's an issue for you. :smile:

I'd also like to point out we only got into this situation because my buddy couldn't solve the captcha puzzle. He's completely new to the game, so playing anon seemed the easiest solution for the time being.

[WandererXII]

The implementation is something like that the _challenge id turns into a game id, these are 8 characters long and this is the url. Each player also has unique 4 characters long id which is added at the end of the game_id, but these 4 characters at the end of the url are not used for verification. When anon user accepts the challenge, cookie gets stored that identifies them as the game player. If for some reason this cookie disappears they turn into a spectator.

If security remains an issue, one could generate a key/pass-code and ask the anon player to store it, but that impairs user-friendliness, in my opinion.

This would be easy to implement, but as you say, I don't think it's realistic to expect the anon players to keep track of some codes and which games they belong to. At that point it's much easier to create an account.

Both cases could also be solved with a "generate new invite link", for the host.

After the game is created both players are treated equally, so I would like to avoid allowing the host to give access to the game to someone else or even many players taking control from each other...

The issue is that the current implementation doesn't take into account anon players playing correspondence so the more I think about it the more I think I will just disallow correspondence for anon players. There is too many things that would need to be rewritten... Special links are also a viable option, but it would prob add a lot of complexity, which is probably not worth it.

I'd also like to point out we only got into this situation because my buddy couldn't solve the captcha puzzle. He's completely new to the game, so playing anon seemed the easiest solution for the time being.

I will make shogi captchas easier, but there shouldn't be a captcha for registration. Captchas should be used for forum posting, team creation/joining, reporting, account reopening, password resets and magic links? The captchas also have a link to the games they are taken from, so one can copy the move that was made in that game.

[ddugovic]

This is my first time reading this, and I agree that Lichess/Lishogi correspondence play isn't designed for anonymous players. Playing the maximum time control, or registering an account, should both be reliable.