Fixes issue #115 (logging in with invalid character results in creating a new character) #132
Tried this out and it's working, though there is a security problem with the general approach that needs to be fixed before it's merged. With the four states:
In general good security practice, we shouldn't distinguish between "valid user but an incorrect password" and "non-existent user" when we communicate back to the user. So, if a user tries to log in with their account but gets the password wrong, we should issue an error message like "Unknown username / password combination". If a user tries with a non-existent user, they get the same response. It's done this way so evil hacker types can't send thousands/millions of different login messages to a server to "guess" a valid username, then when they get one they could brute force the password much easier. Does that make sense? If not, I can dig up references to pages that explain it much better.
…esent both cases as the same error (for security reasons).
…f launching the game This can happen if, for example, you hit enter more than once while logging in. The only visible impact seemed to be that the play button text (either "Login" or "Create") did not get restored properly (it stayed as "Loading"), but this has potential to cause other problems as well, and should be fixed.
I fixed it so we don't differentiate between invalid usernames and invalid passwords. I also noticed a couple other minor bugs along the way (respawn didn't work properly after some refactoring I did, and I also noticed funny things happen if you hit Enter multiple times at the login form when the game is already loading - it basically tries to start the game multiple times). I fixed these in the last two commits.
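The repeated-Enter bug described above is a classic double-submit problem. As an added illustration (not the actual fix in this PR, and not BrowserQuest code), the following guard drops any submit that arrives while a login or create attempt is already in flight, and restores the button label whether the attempt succeeds or fails, so it cannot stay stuck at "Loading". The `button` object and `startGame` callback are hypothetical stand-ins for the real DOM element and client-side game start, so the snippet runs under Node without a browser.

```javascript
// Added example, not BrowserQuest code: a submit guard for the login form.
// `button` is a plain object standing in for the DOM button, and `startGame`
// is a hypothetical function that reports completion through a callback.

function createLoginForm(button, startGame) {
  let inFlight = false;            // true while an attempt is running
  const idleLabel = button.text;   // "Login" or "Create", captured once
  let attempts = 0;                // how many real attempts were started

  // Runs on success and on error alike so the label never sticks at "Loading".
  function finish() {
    button.text = idleLabel;
    inFlight = false;
  }

  return {
    // Returns true if a new attempt was started, false if the press was
    // ignored because one is already in progress.
    submit(username, password) {
      if (inFlight) {
        return false;              // extra Enter while loading: dropped
      }
      inFlight = true;
      attempts += 1;
      button.text = 'Loading';
      startGame(username, password, function done(err) {
        finish();                  // restore state on both outcomes
        if (err) {
          // The error would be shown to the player here; the guard's only
          // job is to make sure the form is usable again.
        }
      });
      return true;
    },
    attempts: () => attempts,
    isLoading: () => inFlight,
  };
}

module.exports = { createLoginForm };
```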
7537e98 into browserquest:master
Excellent @sergkr. Just tried it out here, and that works well. This means our Login form now operates much more in line with other web apps, using a well known/familiar approach for people. Good stuff!
As a data point, I've just tagged this commit in git with "v1.4.0": https://github.com/browserquest/BrowserQuest/releases/tag/v1.4.0 I think this commit is where we first break backwards compatibility with the original BQ server codebase. From here onwards, we likely can't use our BQ client with the original Mozilla BQ server.
The HELLO message was replaced with two new message types, CREATE and LOGIN, which are now handled separately on the server. Quite a few changes, but fairly straightforward.
As of this pull request, there are at least four error conditions that could occur during the login / new character creation process:
Let me know if you can think of any other wonky cases we might not be handling at the moment.
There are two gray areas I wasn't too sure about:
If anyone is familiar with any of the above functionality and its current status, please let me know!