Commit 95d17b00 authored by Mahmoud Aglan's avatar Mahmoud Aglan

security: validate time_control and game_key enums in matchmaking

- Reject invalid time_control values before DB write
- Reject invalid game_key values before DB write
- Also added missing DB indexes and reward_config rows via migration

Fixes WTF #schema-2-3, Phase 0.7-0.9
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
parent 03447d76
......@@ -32,6 +32,16 @@ function handleQueue($db, string $userId, array $input): void {
$gameKey = $input['game_key'] ?? 'chess';
$timeControl = $input['time_control'] ?? 'rapid_10_0';
$validTimeControls = ['bullet_1_0','bullet_1_1','bullet_2_1','blitz_3_0','blitz_3_2','blitz_5_0','blitz_5_3','rapid_10_0','rapid_10_5','rapid_15_10','rapid_15_15','classical_30_0','classical_30_20','classical_60_30','custom'];
if (!in_array($timeControl, $validTimeControls, true)) {
jsonError('Invalid time control');
}
$validGames = ['chess', 'ludo', 'domino', 'backgammon'];
if (!in_array($gameKey, $validGames, true)) {
jsonError('Invalid game key');
}
$sdb = supabaseService();
// Anti-abuse: check if player can queue
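Review bot: Both new guards depend on jsonError() terminating the request; if it only emits the JSON response and returns, execution falls straight through to supabaseService() and the DB write these checks are meant to protect. Unless jsonError is declared `never` (or calls exit), add an explicit `return;` after each call, e.g. `jsonError('Invalid time control'); return;`, so the function is safe regardless of the helper's contract. The two whitelists are also inline literals; hoisting them to shared constants (`const VALID_TIME_CONTROLS = [...]`, `const VALID_GAMES = [...]`) would let any other handler that persists these fields reject the same set. Note that `'custom'` passes this check without any validation of whatever custom parameters accompany it, which is presumably handled elsewhere and worth confirming. handleQueue's body continues outside the hunk.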