Closed joshuaauerbachwatson closed 1 year ago
Since the server will no longer be involved in generating game tokens, there is a question of what happens when a new token arrives for the first time. I think the server should just go ahead and create the game, but that in turn means that all calls that could result in the commitment of resources must be protected by the app token. Otherwise, a DOS attack could be mounted be just generating arbitrary game tokens.
There are quite a few moving parts here. Will try this ordering:
/create
path and to protect every call with an app token (later to be replaced by an auth0 login in issue #13).It is worth writing down the new server protocol. I am not committing it to a separate document because it will change again under issue #5.
/create
and /delete
. We create on demand and delete by garbage collecting in the existing timer-based regimen./newstate
inputs are appToken, gameToken, player, state./poll
inputs are appToken, gameToken, player. In the gRPC revision this would be eliminated in favor of a push notification./withdraw
inputs are appToken, gameToken, player./reset
and /dump
require only the appToken.This means that for the moment, anyone who has exfiltrated the appToken from the app can do a dump or reset operation (the app itself provides no support for these but it's trivial to write a script to do them from a computer). That's not good, but I would argue that anyone who manages to exfiltrate the app token can mount a variety of attacks. What's needed is a more auditable system of personal identity tokens backed by a login, where these "ordinary" tokens do not confer the ability to use the administrative operations and can be revoked upon evidence of bad behavior.
Having changed the server protocol as indicated, I now see that it is easier to play the game even with the current not-quite-optimal dialogs. The group can just make up a token and use it. In fact, the local game table (which I thought was useless) is actually quite useful in remembering tokens for different games you might want to play. While it's true that the server state associated with a game is garbage collected quite aggressively now when the game goes idle, that is complimented by the fact that game state is entered into the server on demand (there is no longer a "create" operation). The idea of eliminating the min/max confusion, creating a "first to play" indicator, and consolidating the buttons and dialogs remains valid, though, and I will continue with that.
This is looking pretty good now. Will open point issues for any problems discovered later.
Proposed improvements: