Security, stability & performance quick wins#166
Open
Sparksx wants to merge 1 commit into
Open
Conversation
Security: - Enable Content Security Policy (CSP) via helmet with game-appropriate directives - Hash refresh tokens (SHA-256) before storing in DB to protect against DB compromise - Add PvP fight rate limit (20/min) to prevent Elo farming - Restrict usernames to alphanumeric + underscores/dots/dashes (prevent homoglyph spoofing) - Whitelist allowed settings keys to block arbitrary data injection Stability: - Fix expedition join race condition: count members inside transaction - Wrap clan leave + ownership transfer in a single transaction - Fix home screen event listener leak (CHAT_UPDATED accumulated on tab switches) - Remove dead shopState extraction from game state save endpoint Performance & DB: - Add missing index on User.updatedAt (used by PvP opponent search) - Add missing index on RefreshToken.expiresAt (used by cleanup job) Functionality: - Expand PvP leaderboard: pagination, total count, and caller's own rank - Add periodic chat message cleanup (prune messages older than 30 days) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01F16HznhBWwnw2J8unBvXr3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Comprehensive audit of the game across 4 axes (security, performance, stability, functionality) followed by implementation of the highest-priority quick wins — changes that are high-impact but low-risk.
Security
contentSecurityPolicy: falsereplaced with a game-appropriate directive set (scripts, styles, connect-src for OAuth/Stripe/WS)POST /api/pvp/fightto prevent Elo farming (was only covered by the global 100/min)[A-Za-z0-9_.-]on register and change-username to prevent homoglyph spoofingPUT /api/auth/settingsnow rejects unknown keys instead of merging arbitrary JSONStability
count()inside the interactive transaction instead of using a pre-loaded_countthat could be stale under concurrent joinsCHAT_UPDATEDhandler accumulated on every tab switch; now properly cleaned up inonHide()shopStateextraction removed from game state save endpointPerformance & DB
User.updatedAt— used by PvP opponent search (ORDER BY updatedAt DESC LIMIT 100); was a sequential scanRefreshToken.expiresAt— used by the daily cleanup jobFunctionality
?page=&limit=, returns total count and the caller's own rankTest plan
npm test)🤖 Generated with Claude Code
https://claude.ai/code/session_01F16HznhBWwnw2J8unBvXr3
Generated by Claude Code