BreakEscape/public
Z. Cliffe Schreuders 424f69186c SECURITY: Enforce server-side validation for all door/container access
Critical security fix: Removed client-side lock state checking that allowed
bypass of server validation. Clients can no longer manipulate lock states to
gain unauthorized access.

Previous vulnerability:
- Client checked props.locked (client-side data)
- If false, directly called notifyServerUnlock with method='unlocked'
- Server trusted this without validating its own scenario data
- Attacker could: set doorSprite.doorProperties.locked = false, then access

New secure flow:
- Client ALWAYS calls handleUnlock regardless of perceived lock state
- handleUnlock calls server with method='unlocked' for unlocked items
- Server ALWAYS validates against its own scenario_data
- Server only grants access if item is actually unlocked in server state
- Client state is never trusted for authorization decisions

Changes:
- doors.js: Removed client-side lock check, always call handleUnlock
- unlock-system.js: Handle unlocked items by verifying with server
- interactions.js: Removed client-side container lock check
- interactions.js: Removed notifyServerForUnlockedContainer helper

Security principle: Never trust the client. All authorization must be
server-side based on server state, not client-reported state.
2025-11-22 00:46:56 +00:00
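
The server-side check described in the commit message, sketched as an added example (not code from the BreakEscape repository). `authorizeUnlock`, the request fields, the session shape and the contents of `scenarioData` are assumptions made for illustration; only `locked`, `method='unlocked'` and the idea of server-held scenario data come from the message.

```javascript
// Added illustration, not BreakEscape code. All names except `locked` and
// the 'unlocked' method value are hypothetical.

// Constructed server-side scenario data: the only source of truth for locks.
const scenarioData = {
  office_door: { locked: true, lockType: 'key', requires: 'office_key' },
  lobby_door: { locked: false },
};

// Per-player state held on the server, never sent by the client.
function newSession() {
  return { unlocked: new Set(), inventory: new Set() };
}

function grant(session, targetId, reason) {
  session.unlocked.add(targetId);
  return { granted: true, reason };
}

// Decide access from server state only. Any lock state in the request
// (e.g. req.clientLocked) is ignored on purpose.
function authorizeUnlock(session, req) {
  const item = Object.hasOwn(scenarioData, req.targetId)
    ? scenarioData[req.targetId]
    : null;
  if (!item) return { granted: false, reason: 'unknown_target' };

  if (session.unlocked.has(req.targetId)) {
    return { granted: true, reason: 'already_unlocked' };
  }

  if (req.method === 'unlocked') {
    // The client claims the item was never locked: check the server's copy.
    return item.locked
      ? { granted: false, reason: 'server_state_locked' }
      : grant(session, req.targetId, 'unlocked_in_scenario');
  }

  // A real unlock attempt: the method must match the lock and the
  // required item must be in the server-side inventory.
  if (item.locked && req.method === item.lockType &&
      session.inventory.has(item.requires)) {
    return grant(session, req.targetId, 'requirement_met');
  }
  return { granted: false, reason: 'validation_failed' };
}
```

A request that reports `method: 'unlocked'` for `office_door` is refused with `server_state_locked` whatever lock state the client holds locally, which is the behaviour the "New secure flow" list calls for.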