From c8d7480a26ab46f130d2a217b7a392d00fa4f731 Mon Sep 17 00:00:00 2001 From: Joey Yakimowich-Payne Date: Mon, 20 Apr 2026 17:49:55 -0600 Subject: [PATCH] feat(server): host-only custom modifier registration (Q4.4) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Before this commit ANY authenticated player in the room could send custom-modifier.register and have the server accept + broadcast the descriptor — including an opponent mid-match. Fill the 10-slot per-room cap with hostile descriptors, or register a descriptor the host then applies and finds unexpected. Fix: Room gains a hostToken field set at room.create (the creator's token). The register handler gates on room.hostToken === ws.data.token. Non-host registrations are rejected with BAD_TOKEN and a message explaining the gate. Host permissions are stable across reconnects — the host's token is preserved in sessionStorage on the client, so closing + reopening the host's tab retains the permission. A later 'transfer host' flow can mutate hostToken; no such mutation exists today (lobbies have a single creator who remains host for the room's lifetime). New server test 'rejects non-host (opponent) registrations with BAD_TOKEN (Q4.4)' seeds a white+black room, has black try to register (rejected), then white succeeds (proving the gate doesn't leak across players). 1399 → 1400 tests. --- packages/server/src/broadcast.ts | 18 +++++++++++++ packages/server/src/rooms.ts | 13 ++++++++++ .../src/ws.custom-modifier-register.test.ts | 26 +++++++++++++++++++ 3 files changed, 57 insertions(+) diff --git a/packages/server/src/broadcast.ts b/packages/server/src/broadcast.ts index 014c17c..2955afd 100644 --- a/packages/server/src/broadcast.ts +++ b/packages/server/src/broadcast.ts @@ -1527,6 +1527,24 @@ function handleCustomModifierRegister( return; } + // T3 Q4.4 — host-only gate. Only the room creator's token may + // register custom descriptors. Without this an authenticated + // opponent could fill the 10-slot cap or ship a hostile + // descriptor that the host would then apply. The host's token + // is preserved across reconnects, so closing + reopening the + // host's tab doesn't revoke the permission. + if (room.hostToken !== token) { + sendTo( + ws, + errorMessage( + "BAD_TOKEN", + "only the room host can register custom modifiers", + false, + ), + ); + return; + } + // Lazily create the per-room custom registry. if (room.customModifiers === undefined) { room.customModifiers = new Map(); diff --git a/packages/server/src/rooms.ts b/packages/server/src/rooms.ts index 0b7655c..d7087c2 100644 --- a/packages/server/src/rooms.ts +++ b/packages/server/src/rooms.ts @@ -33,6 +33,18 @@ export interface Room { code: string; /** token → player. Using a Map keeps lookup O(1) and keyed on the secret. */ players: Map; + /** + * T3 Q4.4 — room host token. Set to the creator's token at + * room.create; used to gate host-only operations like + * `custom-modifier.register`. Without this check any authenticated + * player (including opponents mid-match) could fill the 10-slot + * custom-descriptor cap or register hostile descriptors. + * + * Stays stable across reconnects — the host's token is preserved + * in sessionStorage on the client, so a host who closes+reopens + * their tab retains host permissions. + */ + hostToken: string; /** Unix milliseconds the room was created — used for TTL/eviction later. */ createdAt: number; /** Rule presets activated for this game (from room.create payload). */ @@ -209,6 +221,7 @@ export class RoomRegistry { const room: Room = { code, players: new Map([[token, player]]), + hostToken: token, createdAt: Date.now(), // Defensive copy — callers shouldn't be able to mutate our state. rulesetIds: [...rulesetIds], diff --git a/packages/server/src/ws.custom-modifier-register.test.ts b/packages/server/src/ws.custom-modifier-register.test.ts index 86c2f02..9fe1af6 100644 --- a/packages/server/src/ws.custom-modifier-register.test.ts +++ b/packages/server/src/ws.custom-modifier-register.test.ts @@ -177,6 +177,32 @@ describe("custom-modifier.register WS handler (T24)", () => { ); }); + it("rejects non-host (opponent) registrations with BAD_TOKEN (Q4.4)", () => { + const { white, black, code } = setupRoom(); + + // Black (the non-host opponent) tries to register — rejected. + sendClient(black, "custom-modifier.register", { + roomCode: code, + descriptor: makeDescriptor("custom:opponent-sneak"), + }); + const err = nextMsgOfType(black, "error"); + expect(err.payload["code"]).toBe("BAD_TOKEN"); + expect(err.payload["message"]).toMatch(/host/i); + + // Nothing should have been stored. + const room = roomRegistry.getRoom(code); + expect(room?.customModifiers?.size ?? 0).toBe(0); + + // Host (white) can still register normally — the gate doesn't + // leak across players. + sendClient(white, "custom-modifier.register", { + roomCode: code, + descriptor: makeDescriptor("custom:host-allowed"), + }); + nextMsgOfType(white, "custom-modifier.registered"); + expect(room?.customModifiers?.has("custom:host-allowed")).toBe(true); + }); + it("re-register with same id replaces the stored descriptor", () => { const { white, black, code } = setupRoom(); const v1 = makeDescriptor("custom:t3-replace", { name: "v1" });