BreakEscape

cybersecurity/BreakEscape

Fork 0

mirror of https://github.com/cliffe/BreakEscape.git synced 2026-02-21 11:18:08 +00:00

Commit Graph

Author	SHA1	Message	Date
Z. Cliffe Schreuders	a945859730	Implement comprehensive server-side validation and data filtering for client actions Server-side changes: - Game model: Initialize starting items in player inventory from scenario - Game model: Add filter_requires_and_contents_recursive to hide solutions and locked contents - Game model: Fix filtered_room_data to preserve lockType while removing requires - GamesController: Add scenario_map endpoint for minimal layout metadata - GamesController: Update room endpoint with access control and NPC encounter tracking - GamesController: Add container endpoint for lazy-loading locked container contents - GamesController: Update inventory endpoint with comprehensive validation - Validates item exists in scenario - Checks item is takeable - Verifies container is unlocked if item is in container - Verifies room is unlocked if room is locked - Checks NPC is encountered if item held by NPC - GamesController: Update unlock endpoint with transaction safety - GamesController: Update sync_state to verify room accessibility - Routes: Add scenario_map and container routes Client-side changes: - inventory.js: Make addToInventory async and add server validation before local updates - container-minigame.js: Add lazy-loading of container contents from server - game.js: Update to use scenario_map endpoint for reduced initial payload - api-client.js: Add getScenarioMap method alongside getScenario Security improvements: - Prevents client-side cheating by validating all actions server-side - Hides solution fields (requires) from client responses - Hides locked container contents until unlocked - Enforces room and container access controls - Tracks NPC encounters automatically - All validation failures return clear error messages Implements plans from: - planning_notes/validate_client_actions/GOALS_AND_DECISIONS.md - planning_notes/validate_client_actions/IMPLEMENTATION_PLAN.md	2025-11-22 00:46:55 +00:00
Z. Cliffe Schreuders	09e0631b08	refactor: reorganize API routes and remove unused bootstrap endpoint	2025-11-21 15:27:54 +00:00
Z. Cliffe Schreuders	006ed4af3e	feat: Add client-side API integration layer - Add config.js for API configuration and CSRF token handling - Add api-client.js wrapper for server communication - Add state-sync.js for periodic state synchronization - Support multiple CSRF token sources (config object and meta tag) - Provide detailed error messages for configuration issues - Enable GET/POST/PUT requests with proper auth headers - Expose ApiClient globally for game code integration	2025-11-21 15:27:54 +00:00

Author

SHA1

Message

Date

Z. Cliffe Schreuders

a945859730

Implement comprehensive server-side validation and data filtering for client actions

Server-side changes:
- Game model: Initialize starting items in player inventory from scenario
- Game model: Add filter_requires_and_contents_recursive to hide solutions and locked contents
- Game model: Fix filtered_room_data to preserve lockType while removing requires
- GamesController: Add scenario_map endpoint for minimal layout metadata
- GamesController: Update room endpoint with access control and NPC encounter tracking
- GamesController: Add container endpoint for lazy-loading locked container contents
- GamesController: Update inventory endpoint with comprehensive validation
  - Validates item exists in scenario
  - Checks item is takeable
  - Verifies container is unlocked if item is in container
  - Verifies room is unlocked if room is locked
  - Checks NPC is encountered if item held by NPC
- GamesController: Update unlock endpoint with transaction safety
- GamesController: Update sync_state to verify room accessibility
- Routes: Add scenario_map and container routes

Client-side changes:
- inventory.js: Make addToInventory async and add server validation before local updates
- container-minigame.js: Add lazy-loading of container contents from server
- game.js: Update to use scenario_map endpoint for reduced initial payload
- api-client.js: Add getScenarioMap method alongside getScenario

Security improvements:
- Prevents client-side cheating by validating all actions server-side
- Hides solution fields (requires) from client responses
- Hides locked container contents until unlocked
- Enforces room and container access controls
- Tracks NPC encounters automatically
- All validation failures return clear error messages

Implements plans from:
- planning_notes/validate_client_actions/GOALS_AND_DECISIONS.md
- planning_notes/validate_client_actions/IMPLEMENTATION_PLAN.md

2025-11-22 00:46:55 +00:00

Z. Cliffe Schreuders

09e0631b08

refactor: reorganize API routes and remove unused bootstrap endpoint

2025-11-21 15:27:54 +00:00

Z. Cliffe Schreuders

006ed4af3e

feat: Add client-side API integration layer

- Add config.js for API configuration and CSRF token handling
- Add api-client.js wrapper for server communication
- Add state-sync.js for periodic state synchronization
- Support multiple CSRF token sources (config object and meta tag)
- Provide detailed error messages for configuration issues
- Enable GET/POST/PUT requests with proper auth headers
- Expose ApiClient globally for game code integration

2025-11-21 15:27:54 +00:00

3 Commits