#648 invalid race post request #723
base: main
Conversation
…so avoids replay attack
…thub.com/bkbCodes/code-racer into webdevcody#648-invalid-race-post-request
```ts
stamp = Math.random().toString(36).substring(2, 7);
signToken = Math.random().toString(36).substring(2, 22);
```

```ts
await prisma.$transaction(async (tx) => {
```
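Review bot: the `stamp` and `signToken` lines are built from `Math.random()`, which is not a cryptographically secure generator, so both values are predictable to anyone who can sample the PRNG; a token meant to stop forged submissions should come from `crypto.randomBytes` or `crypto.randomUUID()` on the server, e.g. `signToken = crypto.randomBytes(32).toString("hex");`. Note also that `Math.random().toString(36)` yields roughly 10 or 11 base-36 digits after the `0.` (a double has 53 bits of mantissa), so `.substring(2, 22)` does not produce a 20-character token; it produces whatever is left, about 11 characters with at most 53 bits of entropy.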
Why do we need a transaction in here?
This is needed for the data migration part: to introduce the new token field into the database, as well as to update the token every 7 days to strengthen the security.
```ts
accuracy: calculateAccuracy(code.length - 1, totalErrors),
snippetId: snippet.id,
```

```ts
getUserTokenAndStamp()
```
Don't you think it has to be called on the server? Otherwise I could get the result of it (tokenAndStamp) in the network tab and then make a call to saveUserResultAction with an invalid cpm amount.
@bkbCodes I'm not sure I understand what this is doing. Could you explain more how this helps prevent the exploits, so that it makes more sense as I read through the code?
@webdevcody @scape76 sure, here you go. Prior to this we directly posted the details of the race (cpm, accuracy, time taken, etc.). This allowed the exploit of re-sending the same request with updated values such as 10000 cpm and 100 accuracy; to make it work better, exploiters also used the newly generated raceID. Since all the details were now legitimate, this got accepted, marking the completion of the exploit. Now, instead of submitting it directly, we do the following:
Now at server side:
This is the main working. @scape76 this is the reason I used getUserTokenAndStamp()
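The two comments above turn on one question: what does the server learn from a hash the client computed? The example below is added here to make that concrete; it is not code from this PR or from code-racer, and every name in it is an assumption (`weakHash`/`weakServerAccepts` reconstruct the pattern scape76 describes, where the client fetches token and stamp and hashes its own numbers; `startRace`/`submitResult`, `SERVER_SECRET`, the in-memory `usedStamps` set standing in for the new DB token column, and the `MAX_HUMAN_CPM` ceiling are illustrative choices). The hardened half keeps the same shape the PR proposes, a stamp issued at race start and checked at submit, but the stamp is an HMAC under a secret the client never sees, it is single-use, and the server bounds the reported cpm by the wall-clock time it observed itself.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

type RaceResult = { raceId: string; cpm: number; accuracy: number; timeTakenMs: number };

// ---- Scheme A: the pattern the review comment warns about (reconstruction, not the PR's code) ----
// The client fetches token+stamp, hashes its own numbers with them and posts both. The server can
// only recompute the same hash, so it proves nothing about the numbers: anyone who saw token+stamp
// in the network tab can "sign" cpm = 10000 just as well as a real race result.
function weakHash(result: RaceResult, token: string, stamp: string): string {
  return createHash("sha256").update(JSON.stringify(result) + token + stamp).digest("hex");
}
function weakServerAccepts(result: RaceResult, hash: string, token: string, stamp: string): boolean {
  return weakHash(result, token, stamp) === hash;
}

// ---- Scheme B: server-issued, server-verified, single-use, time-bound stamp ----
const SERVER_SECRET = randomBytes(32); // assumption: lives only on the server (env/KMS), never sent to clients
const usedStamps = new Set<string>();  // assumption: a DB column checked inside the transaction in a real app
const MAX_HUMAN_CPM = 1500;            // assumption: plausibility ceiling for any submission

function sign(payload: string): string {
  return createHmac("sha256", SERVER_SECRET).update(payload).digest("hex");
}

// Called server-side when a race starts. The client receives an opaque stamp it cannot alter;
// the stamp records who started which race, on a snippet of what length, at what server time.
function startRace(userId: string, raceId: string, snippetLength: number, nowMs: number): string {
  const payload = `${userId}|${raceId}|${snippetLength}|${nowMs}`;
  return Buffer.from(payload).toString("hex") + "." + sign(payload);
}

// Called server-side on submit. Every check relies on state the client never controlled.
function submitResult(
  userId: string,
  stamp: string,
  result: RaceResult,
  nowMs: number,
): { ok: boolean; reason: string } {
  const dot = stamp.lastIndexOf(".");
  if (dot < 0) return { ok: false, reason: "malformed stamp" };
  const payload = Buffer.from(stamp.slice(0, dot), "hex").toString();
  const mac = stamp.slice(dot + 1);
  const expected = sign(payload);
  if (mac.length !== expected.length || !timingSafeEqual(Buffer.from(mac), Buffer.from(expected))) {
    return { ok: false, reason: "bad signature" };
  }
  const [stampUser, stampRace, lenStr, startStr] = payload.split("|");
  if (stampUser !== userId || stampRace !== result.raceId) {
    return { ok: false, reason: "stamp not for this user/race" };
  }
  if (usedStamps.has(stamp)) return { ok: false, reason: "replay" }; // one stamp finishes one race only
  const elapsedMs = Math.max(nowMs - Number(startStr), 1);
  // The fastest cpm the server can vouch for: the whole snippet typed in the time it observed.
  const ceilingCpm = (Number(lenStr) / elapsedMs) * 60000;
  if (result.cpm > ceilingCpm || result.cpm > MAX_HUMAN_CPM) return { ok: false, reason: "implausible cpm" };
  if (result.accuracy < 0 || result.accuracy > 100) return { ok: false, reason: "bad accuracy" };
  usedStamps.add(stamp);
  return { ok: true, reason: "accepted" };
}
```

In scheme A the attacker needs nothing the server did not already hand over, so `weakServerAccepts` happily takes a 10000 cpm result. In scheme B the attacker can still read the stamp in the network tab, but cannot mint one for another user or race, cannot reuse one, and cannot report more characters per minute than the server's own clock allows; the check that actually defeats the 9999 cpm replay is the server-side plausibility bound plus single use, not the hash by itself.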
Directly posting to API creates invalid races: #648
Discord Username: @.d_k5g_1am_go.
Description
Added data integrity with hashes to patch the stats boost exploit. This PR deals with 9999 average CPM cheat.
Related Tickets & Documents
[optional] Are there any post deployment tasks we need to perform?
Check DB schema update