Server does not enforce login #363
Comments
Could you provide the server log, too? I think this could be helpful because it would show how the server is treating this client, like what IDs and indexes are being given to it.
I reproduced the same thing as above, here is the relevant portion of the server log.
The client is assigned a new ID and treated as any other client, albeit with an empty name field.
This can indeed be a problem. It should definitely be fixed. There might be some message types in the future that may be allowed to be sent without logging in, but most should be forbidden. (I think the only message type that may be allowed is ServerQueryMessage)
After some discussion and rubberducking in chat: I would prefer using two separate methods: http://chat.stackexchange.com/transcript/message/23538713#23538713
Currently, a login message from the client is no more than a way to set their user name. It's possible to run any command on the server without first authenticating. Below is a proof of concept I made by connecting to the server with telnet and running a query and a start game command without any prior login. Tested on ed3a80b (current develop).
This is related to #347; I ran into it when trying to fix that issue. Closing the socket would raise socket IO exceptions because the server, immediately after sending an error back, would start to process any other messages received from that client.
The server should keep track of which clients are authenticated and limit most commands to only those clients. The only command that should be run by an unauthenticated client that I know of is the login command.
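The fix the issue proposes, tracking which clients have logged in and gating every other message on that state, sketched as an added Python example (not the project's own code or wire format; the command names, the Client/GateServer classes and the allowlist of pre-login commands are assumptions made for illustration):

```python
from dataclasses import dataclass

# Commands a client may send before logging in. The thread names login and,
# tentatively, the server query message; everything else is refused until
# the client has authenticated. (Constructed names, not the project's own.)
PRE_AUTH_ALLOWED = frozenset({"login", "query"})


@dataclass
class Client:
    client_id: int
    name: str = ""
    authenticated: bool = False


class GateServer:
    """Dispatches client messages, rejecting most until the client logs in."""

    def __init__(self) -> None:
        self.clients: dict[int, Client] = {}
        self.next_id = 1
        self.handlers = {"login": self.on_login, "query": self.on_query,
                         "startgame": self.on_startgame}

    def connect(self) -> int:
        cid, self.next_id = self.next_id, self.next_id + 1
        self.clients[cid] = Client(cid)
        return cid

    def handle(self, cid: int, msg: dict) -> dict:
        client = self.clients[cid]
        cmd = msg.get("command", "")
        # The gate: consult the client's login state before any dispatch,
        # so an unauthenticated socket cannot reach e.g. the start-game handler.
        if not client.authenticated and cmd not in PRE_AUTH_ALLOWED:
            return {"error": "not logged in", "command": cmd}
        handler = self.handlers.get(cmd)
        if handler is None:
            return {"error": "unknown command", "command": cmd}
        return handler(client, msg)

    def on_login(self, client: Client, msg: dict) -> dict:
        name = msg.get("username", "").strip()
        if not name:  # refuse the empty-name login seen in the server log
            return {"error": "username required"}
        client.name, client.authenticated = name, True
        return {"ok": True, "id": client.client_id}

    def on_query(self, client: Client, msg: dict) -> dict:
        return {"ok": True, "users": sum(c.authenticated for c in self.clients.values())}

    def on_startgame(self, client: Client, msg: dict) -> dict:
        return {"ok": True, "started_by": client.name}
```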