Skip to content

Authenticate player identity against Steam; stable IPlayer.UniqueId + permission-check hook#148

Open
bdazzledev wants to merge 2 commits into
AMacro:betafrom
bdazzledev:feature/player-identity-permissions
Open

Authenticate player identity against Steam; stable IPlayer.UniqueId + permission-check hook#148
bdazzledev wants to merge 2 commits into
AMacro:betafrom
bdazzledev:feature/player-identity-permissions

Conversation

@bdazzledev

@bdazzledev bdazzledev commented Jul 10, 2026

Copy link
Copy Markdown

Summary

One step closer to being a dedicated server!

Adds a proven, stable player identity and a per-player permission-check hook, and authenticates that identity against Steam at login.

  • Stable IPlayer.UniqueId (Guid) surfaces the server-side ServerPlayer.Guid so API consumers have a key that survives reconnects/sessions instead of the reassignable PlayerId. Server-only; the client wrapper returns Guid.Empty.
  • Per-player permission-check hookIServer.RegisterPermissionCheck / UnregisterPermissionCheck. All registered checks must return true or the server-authoritative action (PermissionAction) is denied (any veto = deny; a throwing check fails closed). Wired at the control-authority grant; Rerail/Restore reserved for the same pattern.
  • Steam-backed authentication. The client mints a Steam auth ticket and sends it with its SteamID in the login packet; the server validates via SteamUser.BeginAuthSession and derives ServerPlayer.Guid from a deterministic name-based UUID of the SteamID (PlayerIdentity.FromSteamId). The client's self-asserted guid is ignored. Verification is asynchronous, so the peer is accepted but no ServerPlayer is created until Steam answers — an unverified peer can do nothing. IPlayer.IsAuthenticated reports whether ownership was proven.
  • Settings.RequireSteamAuth (default on) turns this off for LAN / non-Steam / Oculus / Steam-offline play, falling back to the self-asserted guid (IsAuthenticated false).
  • Bumps the MultiplayerAPI version to 1.3.0.0 for the new API surface.

Log line

On a successful authenticated login the host's player.log shows:

[Multiplayer] [Server] `PLAYER` logged in as `UUIDPART-`… (SteamID `STEAMID`)

(unauthenticated logins log (unauthenticated) instead of the SteamID.)

🤖 Generated with Claude Code - Created by me, the human!

bdazzledev and others added 2 commits July 10, 2026 15:24
Harden player identity and allow external mods to gate server-authoritative
actions on a per-player basis.

- IPlayer.UniqueId (Guid): stable identity surfaced from the server-side
  ServerPlayer.Guid, giving consumers a persistent key instead of the
  reassignable PlayerId. Server-only; the client wrapper returns Guid.Empty.
- IServer.RegisterPermissionCheck / UnregisterPermissionCheck + PermissionAction
  enum: registered checks are consulted before the server grants an authoritative
  action; all must allow or the action is denied (any veto denies, a throwing
  check fails closed). Consulted via NetworkServer.CheckPermission and wired at
  the control-authority grant in NetworkedTrainCar.Server_ReceiveAuthorityRequest.

API bumped 1.1.0.0 -> 1.2.0.0.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Previously the login packet carried a Guid the client read from its own
settings file, and the server checked only that the 16 bytes parsed. That
Guid was both the identifier and the sole evidence for it, while appearing
in host logs and in plaintext on every client. Anyone who learned another
player's Guid could log in as them and inherit their server-side save data,
which NetworkedSaveGameManager keys by ServerPlayer.Guid.

Identity is now derived from a platform account the player proves they own:

- ClientAuthTicket mints a Steam auth session ticket; the client sends it
  with its SteamID in ServerboundClientLoginPacket, and cancels it on stop.
- SteamSessionValidator verifies it via SteamUser.BeginAuthSession and
  Steam's OnValidateAuthTicketResponse, ends every session it starts, and
  expires sessions Steam never answers for.
- PlayerIdentity.FromSteamId maps the account to an RFC 4122 v5 UUID, so a
  player is the same Guid on every server but cannot claim one that is not
  theirs. The client's self-asserted Guid is ignored.

Verification is asynchronous while a ConnectionRequest must be answered
synchronously, so the peer is accepted and the ServerPlayer is withheld
until Steam answers: an unverified peer has no player object, so every
handler's TryGetServerPlayer fails and it can do nothing. Pending peers
occupy a MaxPlayers slot and time out.

Steam will not verify a ticket an account issued to itself, so the host's
local client is trusted on loopback plus a matching local SteamID.
NetworkLifecycle.IsHost is unusable here as it compares Client.PlayerId,
which is not assigned until after login.

Also fixes a latent NRE in OnPeerDisconnected, which dereferenced the
player immediately after logging that it was null. Peers that drop while
being verified now reach that path routinely.

Settings.RequireSteamAuth (default on) disables this for LAN or non-Steam
play, where identities are self-asserted and interchangeable.

IPlayer.IsAuthenticated exposes, per player, whether their UniqueId is a
proof or a claim, so API consumers keying sensitive state on identity can
fail closed. API bumped 1.2.0.0 -> 1.3.0.0.

Note: enabling authentication changes every player's Guid, orphaning
existing per-player save data. A migration keyed off the old self-asserted
Guid would reopen the hole this closes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant