cygni / paintbot

An alternative to Snakebot, inspired by Bomberman's paint mode
MIT License

Might wanna change this before the tourny #56

Open landeholt opened 3 years ago

landeholt commented 3 years ago

Hi cygni / maintainers of paintbot!

I am currently just going through the source code in order to automate some parts of my training model for my bot and I stumbled upon how you have implemented authorization. Cool, I first thought, I can use it to get the token to authorize some websocket calls. But then out of curiosity, I tried the user credentials on the live website as well, and yeah.. Bad news. I got authorized.

[Screenshot 2021-04-29 at 18.53.20]

I hope this can be changed before the tournament starts, because this will break the fairness of the game if someone outside of the organizers gets hold of an auth-token.

https://github.com/cygni/paintbot/blob/58c354692313ec597dda7331e65b152a30671425/app/src/main/java/se/cygni/paintbot/security/AuthenticationService.java#L14-L18

Just change the user credentials for the live server.

Thanks for hosting this, and I hope I will get a seat.

I am currently the 1st on the waiting list (According to Josefina, A.)
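The report above is about credentials that live in the repository and are also valid on the live server. As an added illustration (not the paintbot project's code, and not a reconstruction of its AuthenticationService), the class below shows the shape of a fix a maintainer would typically apply: the admin username plus a salted PBKDF2 hash of the password are loaded from environment variables at startup, the process refuses to start if they are missing instead of falling back to a built-in default, and the check uses constant-time comparison. The variable names `PAINTBOT_ADMIN_USER`, `PAINTBOT_ADMIN_SALT` and `PAINTBOT_ADMIN_HASH` and the class name are assumptions chosen for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical replacement for a hard-coded credential check (example code, not
// the paintbot project's own). The admin username, PBKDF2 salt and password hash
// come from the environment of the running server, so nothing secret is shared
// with the public repository and each deployment can use different values.
public final class EnvBackedAuthenticationService {

    private static final int ITERATIONS = 210_000;
    private static final int KEY_LENGTH_BITS = 256;

    private final String adminUser;
    private final byte[] salt;
    private final byte[] expectedHash;

    public EnvBackedAuthenticationService(String adminUser, byte[] salt, byte[] expectedHash) {
        this.adminUser = adminUser;
        this.salt = salt.clone();
        this.expectedHash = expectedHash.clone();
    }

    /** Builds the service from the (assumed) PAINTBOT_ADMIN_* environment variables. */
    public static EnvBackedAuthenticationService fromEnvironment() {
        String user = require("PAINTBOT_ADMIN_USER");
        byte[] salt = Base64.getDecoder().decode(require("PAINTBOT_ADMIN_SALT"));
        byte[] hash = Base64.getDecoder().decode(require("PAINTBOT_ADMIN_HASH"));
        return new EnvBackedAuthenticationService(user, salt, hash);
    }

    private static String require(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            // Fail closed: no default credentials are compiled into the server.
            throw new IllegalStateException("missing required environment variable " + name);
        }
        return value;
    }

    /** Returns true only when both the username and the password hash match. */
    public boolean authenticate(String user, char[] password) {
        byte[] candidate = hash(password, salt);
        // MessageDigest.isEqual is constant-time; evaluate both checks and combine
        // with '&' (not '&&') so the response time does not reveal which part failed.
        boolean userMatches = MessageDigest.isEqual(
                adminUser.getBytes(StandardCharsets.UTF_8), user.getBytes(StandardCharsets.UTF_8));
        boolean passwordMatches = MessageDigest.isEqual(expectedHash, candidate);
        return userMatches & passwordMatches;
    }

    /** PBKDF2-HMAC-SHA256 of the password under the given salt. */
    public static byte[] hash(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_LENGTH_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    /** One-off helper an operator runs to produce the salt/hash pair to put in the environment. */
    public static String[] enroll(char[] password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] hash = hash(password, salt);
        return new String[] {
            Base64.getEncoder().encodeToString(salt),
            Base64.getEncoder().encodeToString(hash)
        };
    }

    public static void main(String[] args) {
        // Constructed demo: enroll a throwaway password in memory, then check a good and a bad login.
        char[] demoPassword = "correct-horse-battery-staple".toCharArray();
        String[] enrolled = enroll(demoPassword);
        byte[] salt = Base64.getDecoder().decode(enrolled[0]);
        byte[] hash = Base64.getDecoder().decode(enrolled[1]);
        EnvBackedAuthenticationService svc = new EnvBackedAuthenticationService("admin", salt, hash);
        System.out.println("good login: " + svc.authenticate("admin", demoPassword));
        System.out.println("bad login:  " + svc.authenticate("admin", "guess".toCharArray()));
    }
}
```

The operator runs `enroll` once, exports the printed salt and hash together with the username on the live host, and the server calls `fromEnvironment()` at startup. Rotating the live credentials then means changing three environment variables and restarting, with no commit to the repository; anyone reading the source sees only the mechanism, not a working login.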

juiceit commented 3 years ago

Hi! I understand your concern, and thanks for raising possible security issues. This is not as bad as it may seem, though. The only thing you can do as a signed-in user is administer a tournament. Someone could start the tournament before everyone has joined or change the game settings before we start, but that's just rude behaviour that we don't expect from our participants. And we would just need to start over again to undo it.

With that being said, you're completely right that we should have this fixed. Authorisation just hasn't been a priority for us :)