Before this commit ANY authenticated player in the room could send
custom-modifier.register and have the server accept + broadcast the
descriptor — including an opponent mid-match. Fill the 10-slot
per-room cap with hostile descriptors, or register a descriptor the
host then applies and finds unexpected.
Fix: Room gains a hostToken field set at room.create (the creator's
token). The register handler gates on room.hostToken === ws.data.token.
Non-host registrations are rejected with BAD_TOKEN and a message
explaining the gate.
Host permissions are stable across reconnects — the host's token is
preserved in sessionStorage on the client, so closing + reopening
the host's tab retains the permission. A later 'transfer host' flow
can mutate hostToken; no such mutation exists today (lobbies have a
single creator who remains host for the room's lifetime).
New server test 'rejects non-host (opponent) registrations with
BAD_TOKEN (Q4.4)' seeds a white+black room, has black try to
register (rejected), then white succeeds (proving the gate doesn't
leak across players).
1399 → 1400 tests.
Joey Yakimowich-Payne
c8d7480a26