Harden auth flow against timing and event-loop blocking
@@ -87,6 +87,10 @@ This is a behavior guide for packet semantics beyond raw schemas.
- Server is authoritative for all action validation and normalization.
- Server is authoritative for movement acceptance (bounds + rate/delta checks).
- Server persists account state (last nickname + last position) and restores spawn from that state on auth login/resume.
- Server applies auth hardening before accepting login/register/resume:
- login/register PBKDF2 work runs off the event loop in bounded worker concurrency
- repeated auth failures are rate-limited by IP and IP+identity windows
- auth failures include small randomized response jitter to reduce high-resolution probing
- Client validates incoming packet shapes and applies runtime behavior.
- Sound/media field normalization uses shared server policy helpers:
- `none/off` normalize to empty values
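Review bot: the three added sub-bullets under "Server applies auth hardening" document the intent but leave the operational details a reader of a behavior guide needs unspecified, so please extend them. For "bounded worker concurrency", state what happens when the worker pool is saturated (are further login/register attempts queued, or rejected with an explicit error?), since that is the observable behavior under load. For "rate-limited by IP and IP+identity windows", name the failure thresholds and window lengths, or at least where they are configured, and say what a rate-limited client receives so the client-side validation described in "Client validates incoming packet shapes" can handle it. For "small randomized response jitter to reduce high-resolution probing", make clear that jitter only blurs timing differences and does not remove them; the guide should state that credential and token comparison itself is performed in constant time (with jitter as defense in depth), otherwise readers may assume jitter alone closes the timing channel.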