security: add auth checks to all game.php mutation handlers
- handleGameMove: verify caller is a player in the match before allowing moves
- handleResign: verify participant before allowing resignation
- handleDraw: verify participant + use merge_game_state RPC (preserves heartbeat data)
- handleComplete: verify participant + validate winners are actual match players (prevents coin exploit)
- handleFindActiveMatch: restrict to own user only (prevents info disclosure)
- Validate result enum values in handleComplete
Fixes WTF #1-4, #46
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
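As an added illustration of the guards this commit message describes (not code from the commit or the project), a PHP sketch of the participant check, the winner and result validation in handleComplete, and the own-user restriction in handleFindActiveMatch; every function, field and enum value below is hypothetical:

```php
<?php
// Added example, not the project's game.php. Names such as requireParticipant,
// validateCompletion, activeMatchFilter, player1_id/player2_id and the result
// values are assumptions for illustration only.
declare(strict_types=1);

final class AuthError extends RuntimeException {}

/** Hypothetical match row: id plus the user ids of its two players. */
function participants(array $match): array
{
    return [$match['player1_id'], $match['player2_id']];
}

/** Shared guard for move/resign/draw/complete: caller must be a player. */
function requireParticipant(array $match, string $callerId): void
{
    if (!in_array($callerId, participants($match), true)) {
        throw new AuthError('caller is not a participant of this match');
    }
}

/** handleComplete: result must be a known enum value, winners must be match players. */
function validateCompletion(array $match, string $result, array $winners): void
{
    $allowed = ['win', 'draw', 'abandoned']; // hypothetical result enum
    if (!in_array($result, $allowed, true)) {
        throw new InvalidArgumentException("unknown result: $result");
    }
    foreach ($winners as $w) {
        // Accepting a winner outside the match would pay coins to an arbitrary account.
        if (!in_array($w, participants($match), true)) {
            throw new AuthError("winner $w is not a player in match {$match['id']}");
        }
    }
}

/** handleFindActiveMatch: only ever resolve the caller's own user id. */
function activeMatchFilter(string $callerId, ?string $requestedUserId): string
{
    if ($requestedUserId !== null && $requestedUserId !== $callerId) {
        throw new AuthError('cannot query another user\'s active match');
    }
    return $callerId;
}

// Constructed sample: match m1 between u1 and u2; u3 is an outsider.
$match = ['id' => 'm1', 'player1_id' => 'u1', 'player2_id' => 'u2'];
requireParticipant($match, 'u1');            // passes
validateCompletion($match, 'win', ['u1']);   // passes
try { validateCompletion($match, 'win', ['u3']); } catch (AuthError $e) { echo $e->getMessage(), "\n"; }
```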