    security: add auth checks to all game.php mutation handlers · 6f0df09e
    Mahmoud Aglan authored
    - handleGameMove: verify caller is a player in the match before allowing moves
    - handleResign: verify participant before allowing resignation
    - handleDraw: verify participant + use merge_game_state RPC (preserves heartbeat data)
    - handleComplete: verify participant + validate winners are actual match players (prevents coin exploit)
    - handleFindActiveMatch: restrict to own user only (prevents info disclosure)
    - Validate result enum values in handleComplete
    
    Fixes WTF #1-4, #46
    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
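The pattern the commit message describes (verify the caller is a participant before any mutation, validate the result enum, and check that declared winners are real match players) shown as an added, self-contained PHP example. This is not the project's game.php; the match array shape, the in-memory store, the handler signatures and the result values are assumptions made for illustration.

```php
<?php
// Added example, not code from the commit. The match layout, the $matches
// store, VALID_RESULTS and the handler signatures are all assumed.
declare(strict_types=1);

const VALID_RESULTS = ['win', 'draw', 'abandoned']; // assumed enum values

// Constructed in-memory store standing in for the database: one active match
// between users u1 and u2.
$matches = [
    'm1' => ['id' => 'm1', 'players' => ['u1', 'u2'], 'status' => 'active', 'moves' => []],
];

// Central check: every mutation handler calls this first.
function requireParticipant(array $match, string $callerId): void
{
    if (!in_array($callerId, $match['players'], true)) {
        throw new RuntimeException("user $callerId is not a participant in match {$match['id']}");
    }
}

function handleGameMove(array &$match, string $callerId, array $move): array
{
    requireParticipant($match, $callerId);
    $match['moves'][] = $move + ['by' => $callerId];
    return $match;
}

function handleResign(array &$match, string $callerId): array
{
    requireParticipant($match, $callerId);
    $match['status'] = 'complete';
    $match['result'] = 'win';
    // The opponent(s) win; derived from the match, never from the request.
    $match['winners'] = array_values(array_diff($match['players'], [$callerId]));
    return $match;
}

function handleComplete(array &$match, string $callerId, string $result, array $winners): array
{
    requireParticipant($match, $callerId);
    if (!in_array($result, VALID_RESULTS, true)) {
        throw new InvalidArgumentException("invalid result value: $result");
    }
    // A winner that is not a player would let a caller credit an arbitrary
    // account for a match that account never played.
    foreach ($winners as $winner) {
        if (!in_array($winner, $match['players'], true)) {
            throw new RuntimeException("winner $winner is not a player in this match");
        }
    }
    $match['status'] = 'complete';
    $match['result'] = $result;
    $match['winners'] = $winners;
    return $match;
}

// Lookup is restricted to the caller's own user id; asking about another
// user's active match is refused rather than answered.
function handleFindActiveMatch(array $matches, string $callerId, string $requestedUserId): ?array
{
    if ($callerId !== $requestedUserId) {
        throw new RuntimeException('may only look up your own active match');
    }
    foreach ($matches as $match) {
        if ($match['status'] === 'active' && in_array($callerId, $match['players'], true)) {
            return $match;
        }
    }
    return null;
}

// Drive the handlers with one legitimate call and several that must be refused.
$cases = [
    'u1 moves in own match'            => fn() => handleGameMove($matches['m1'], 'u1', ['x' => 0, 'y' => 1]),
    'u3 moves in match not theirs'     => fn() => handleGameMove($matches['m1'], 'u3', ['x' => 0, 'y' => 2]),
    'u3 resigns match not theirs'      => fn() => handleResign($matches['m1'], 'u3'),
    'u1 completes with bogus result'   => fn() => handleComplete($matches['m1'], 'u1', 'jackpot', ['u1']),
    'u1 completes naming u3 as winner' => fn() => handleComplete($matches['m1'], 'u1', 'win', ['u3']),
    'u1 queries u2 active match'       => fn() => handleFindActiveMatch($matches, 'u1', 'u2'),
    'u1 queries own active match'      => fn() => handleFindActiveMatch($matches, 'u1', 'u1'),
];

foreach ($cases as $label => $call) {
    try {
        $call();
        echo "ALLOWED  $label\n";
    } catch (Throwable $e) {
        echo "REFUSED  $label: {$e->getMessage()}\n";
    }
}
```

Running it with the PHP CLI prints one line per case; only the first and last are ALLOWED. The resignation handler derives the winners from the stored match rather than trusting any winner list in the request, which is the same property the winner validation in handleComplete enforces by a different route.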
game.php 19.9 KB