osuAkatsuki / bancho.py

An osu! server for the generic public, optimized for maintainability in modern python
https://akatsuki.gg
MIT License
213 stars 127 forks

feat: support mcosu clients #641

Closed kiwec closed 6 months ago

kiwec commented 7 months ago

Describe your changes

Added some configuration options so server owners can easily tell McOsu clients how to behave.
Defaults match how the clients behave when a server doesn't signal anything: you can connect, but not submit scores.

Related Issues / Projects

https://mcosu.kiwec.net

I'm releasing the score submission build tomorrow - code is already available on the v34.02 branch.

Checklist

tsunyoku commented 7 months ago

before going into the debate of if we want to support this or not.

let's say we do. is the same header present on score submission? also, how can we assure that a user isn't going to just modify the source code to not pass these headers? i have a few concerns about allowing these clients to connect at all -- and regardless of if we agree to allowing them to be supported in the code, how are we going to enforce literally anything? it's an open source client without any real guarantees (lack of anticheat etc.) so we are kind of stuck in a rock between a hard place here

kiwec commented 7 months ago

> let's say we do. is the same header present on score submission?

No. The clients respect the x-mcosu-features header and don't submit scores. If they do, then they would be malicious and remove identifiable headers altogether.

If you really want to detect McOsu in score submission, it names the replay "mcosu-replay.osr".

> also, how can we assure that a user isn't going to just modify the source code to not pass these headers?

You can't. The point of this PR is to let the clients who do pass the headers respect the admin's wishes.

> i have a few concerns about allowing these clients to connect at all -- and regardless of if we agree to allowing them to be supported in the code, how are we going to enforce literally anything? it's an open source client without any real guarantees (lack of anticheat etc.) so we are kind of stuck in a rock between a hard place here

This is also an open source server, any anticheat features implemented here would be visible to all, which I wouldn't recommend. However, McOsu clients behave quite differently from stable in many ways, and you could detect that and ban them if necessary.

tsunyoku commented 7 months ago

yeah i understand, i'm just afraid that we're opening a bit of a can of worms here...

kiwec commented 7 months ago

fuck around to find out

minisbett commented 7 months ago

> You can't. The point of this PR is to let the clients who do pass the headers respect the admin's wishes.

Do you mean this as in that McOsu by default is capable of connecting to private servers, and this layer of control would provide the best it could in terms of controlling McOsu's behavior?

That sounds quite bad to me, I would not want such a thing to exist as it makes it viable for anyone to fairly easily tamper with the intended game experience, adding cheats and whatnot in comparison to the obfuscation etc. the normal osu client provides. I'd rather ask you to remove this functionality from McOsu because let's be real, I feel like this will be used for more bad than good long-term. I mean yeah, score submission is disabled by default, but nothing's probably easier than bypassing that.

And also, for the official osu! client we can be 100% sure that there won't be any game-altering or game-breaking issues, I'm not so sure I would want to rely on some 3rd party open-source software. What if McOsu has a bug that alters the game functionality and "bad" scores submit? That's stuff out of control, and stuff that feels like there's too little of an insurance things go as intended. For me as a private server owner the goal would be to try to block McOsu as much as possible, and I think most server owners, including the ones you advertise on your website, would probably go with that as well, rendering this functionality pretty useless.

I also feel like this drifts far off what McOsu is supposed to be, I don't really get the idea of trying to enter territory you shouldn't.

kiwec commented 7 months ago

> I would not want such a thing to exist as it makes it viable for anyone to fairly easily tamper with the intended game experience, adding cheats and whatnot in comparison to the obfuscation etc. the normal osu client provides.

osu!lazer is open source, osu!stable had its source code leaked also. I'm sure if the cheat apocalypse were to happen, it would've happened already. McOsu having open-source multiplayer is a net positive, when stable is frozen in time and lazer is heading into an unknown direction. It will give players the freedom to play the way they want, not the way peppy wants.

> I'd rather ask you to remove this functionality from McOsu because let's be real, I feel like this will be used for more bad than good long-term. I mean yeah, score submission is disabled by default, but nothing's probably easier than bypassing that.

Oh yeah, let me just erase 2 months of work because you want to. lol, no.

> And also, for the official osu! client we can be 100% sure that there won't be any game-altering or game-breaking issues, I'm not so sure I would want to rely on some 3rd party open-source software. What if McOsu has a bug that alters the game functionality and "bad" scores submit?

I would store the client version on each score (along with other anti-cheat-related data). That way you can easily hide these scores from the leaderboards if need be. Surely people don't run server software without adding any anti-cheat code? That would be insane.

> For me as a private server owner the goal would be to try to block McOsu as much as possible, and I think most server owners, including the ones you advertise on your website, would probably go with that as well, rendering this functionality pretty useless.

Prior to release, I've messaged the server owners, or else I wouldn't have listed them on the website. EZPPFarm was the only one to approve of score submission, but the others have approved the rest of multiplayer features (hence the default settings).

You have to understand that I'm doing this in the most open way possible. This PR is to give more options to server admins, in the default state where people naturally cooperate with each other. It's designed specifically for you so you can block McOsu clients easily. The other route was mimicking stable 1:1 and not asking any admins for their opinion.

> I also feel like this drifts far off what McOsu is supposed to be, I don't really get the idea of trying to enter territory you shouldn't.

McKay also doesn't want to deal with multiplayer. But this isn't "forbidden" territory. The game is open source.
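As an added example (not code from this PR, bancho.py or McOsu): one way to apply the suggestion above of storing client data on each score so scores can be hidden from leaderboards later, using the replay name mentioned earlier in the thread as the only signal. The table layout, function names, `client_version` values and sample rows are assumptions constructed for illustration.

```python
import sqlite3
from typing import Optional

MCOSU_REPLAY_NAME = "mcosu-replay.osr"  # replay name quoted in the thread

def classify_client(replay_filename: Optional[str]) -> str:
    # Self-reported signal only: a modified client can send any filename, so a
    # missing marker means "unidentified", never "verified stable".
    if replay_filename and replay_filename.strip().lower() == MCOSU_REPLAY_NAME:
        return "mcosu"
    return "unidentified"

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE scores (id INTEGER PRIMARY KEY, player TEXT NOT NULL,
            map_md5 TEXT NOT NULL, score INTEGER NOT NULL,
            client TEXT NOT NULL, client_version TEXT);
        -- a NULL client_version hides every build of that client
        CREATE TABLE hidden_builds (client TEXT NOT NULL, client_version TEXT);
    """)
    return db

def record_score(db, player, map_md5, score, replay_filename, client_version):
    # Tag at submission time; the label is stored, not used to reject.
    client = classify_client(replay_filename)
    db.execute("INSERT INTO scores (player, map_md5, score, client, client_version)"
               " VALUES (?, ?, ?, ?, ?)",
               (player, map_md5, score, client, client_version))
    return client

def hide_build(db, client, client_version=None):
    db.execute("INSERT INTO hidden_builds VALUES (?, ?)", (client, client_version))

def leaderboard(db, map_md5):
    # Hiding is a read-time filter: scores can be hidden or restored later
    # without deleting rows.
    return db.execute("""
        SELECT s.player, s.score FROM scores s
        WHERE s.map_md5 = ? AND NOT EXISTS (
            SELECT 1 FROM hidden_builds h
            WHERE h.client = s.client AND (h.client_version IS NULL
                                           OR h.client_version = s.client_version))
        ORDER BY s.score DESC""", (map_md5,)).fetchall()

if __name__ == "__main__":  # constructed sample rows
    db = open_db()
    record_score(db, "bob", "m1", 950, "mcosu-replay.osr", "build-a")
    hide_build(db, "mcosu", "build-a")
    print(leaderboard(db, "m1"))
```

Because the label comes from the client itself, it only covers cooperating clients; the "unidentified" bucket still needs whatever server-side checks the operator runs.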

minisbett commented 7 months ago

> It will give players the freedom to play the way they want, not the way peppy wants.

saying peppy decides the direction lazer goes is kinda crazy ngl

tsunyoku commented 7 months ago

> osu!lazer is open source, osu!stable had its source code leaked also

they also enforce a client-side anticheat. this is not a fair comparison

NiceAesth commented 7 months ago

As far as I am concerned, this is very low priority for review but I would have appreciated changes like this which introduce new behaviour to be discussed beforehand.

Keeping that in mind, I do believe that this does not fall under our responsibility and I very much disagree with the approach of introducing new client-specific checks.

Calemy commented 7 months ago

"EZPPFarm was the only one to approve of score submission, but the others have approved the rest of multiplayer features (hence the default settings)."

with all due respect to you and the owner of EZPPFarm, me and probably others are not really surprised that they agreed. They're i think the most outlying server out of all private servers since they already do custom clients and are overall not really a good orientation to what other servers think.

With this being said, while i really understand and appreciate the thought of making more clients accessible to the game and servers, i do not think it's a good fit for here because of the concerns raised during this discussion.

minisbett commented 7 months ago

Me and a maintainer briefly discussed this, and figured it might make more sense to implement this kind of support via an existing methodology, rather than dedicating the functionality in banchopy. It is supposed to be a pretty general osu! server implementation, without any special shenanigans for some custom clients.

IMO, consider using something like the lastfm.php endpoint, and send a flag for someone using McOsu with score-submission or similar in there so that it can be seamlessly blocked there, without adding a lot of fanfare. e.g.

if flags & (LastFMFlags.MCOSU_SCORE_SUB | LastFMFlags.MCOSU_MULTI): # or maybe even a general LastFMFlags.MCOSU
    player.logout()

To me personally that'd seem like an acceptable approach, and makes private servers capable of blocking McOsu easily. Maybe the maintainers can leave their opinion about this here.

kiwec commented 6 months ago

This clearly isn't getting merged, no need to keep this open.