Authenticate player identity against Steam; stable IPlayer.UniqueId + permission-check hook#148
Open
bdazzledev wants to merge 2 commits into
Open
Conversation
Harden player identity and allow external mods to gate server-authoritative actions on a per-player basis. - IPlayer.UniqueId (Guid): stable identity surfaced from the server-side ServerPlayer.Guid, giving consumers a persistent key instead of the reassignable PlayerId. Server-only; the client wrapper returns Guid.Empty. - IServer.RegisterPermissionCheck / UnregisterPermissionCheck + PermissionAction enum: registered checks are consulted before the server grants an authoritative action; all must allow or the action is denied (any veto denies, a throwing check fails closed). Consulted via NetworkServer.CheckPermission and wired at the control-authority grant in NetworkedTrainCar.Server_ReceiveAuthorityRequest. API bumped 1.1.0.0 -> 1.2.0.0. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Previously the login packet carried a Guid the client read from its own settings file, and the server checked only that the 16 bytes parsed. That Guid was both the identifier and the sole evidence for it, while appearing in host logs and in plaintext on every client. Anyone who learned another player's Guid could log in as them and inherit their server-side save data, which NetworkedSaveGameManager keys by ServerPlayer.Guid. Identity is now derived from a platform account the player proves they own: - ClientAuthTicket mints a Steam auth session ticket; the client sends it with its SteamID in ServerboundClientLoginPacket, and cancels it on stop. - SteamSessionValidator verifies it via SteamUser.BeginAuthSession and Steam's OnValidateAuthTicketResponse, ends every session it starts, and expires sessions Steam never answers for. - PlayerIdentity.FromSteamId maps the account to an RFC 4122 v5 UUID, so a player is the same Guid on every server but cannot claim one that is not theirs. The client's self-asserted Guid is ignored. Verification is asynchronous while a ConnectionRequest must be answered synchronously, so the peer is accepted and the ServerPlayer is withheld until Steam answers: an unverified peer has no player object, so every handler's TryGetServerPlayer fails and it can do nothing. Pending peers occupy a MaxPlayers slot and time out. Steam will not verify a ticket an account issued to itself, so the host's local client is trusted on loopback plus a matching local SteamID. NetworkLifecycle.IsHost is unusable here as it compares Client.PlayerId, which is not assigned until after login. Also fixes a latent NRE in OnPeerDisconnected, which dereferenced the player immediately after logging that it was null. Peers that drop while being verified now reach that path routinely. Settings.RequireSteamAuth (default on) disables this for LAN or non-Steam play, where identities are self-asserted and interchangeable. IPlayer.IsAuthenticated exposes, per player, whether their UniqueId is a proof or a claim, so API consumers keying sensitive state on identity can fail closed. API bumped 1.2.0.0 -> 1.3.0.0. Note: enabling authentication changes every player's Guid, orphaning existing per-player save data. A migration keyed off the old self-asserted Guid would reopen the hole this closes. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
One step closer to being a dedicated server!
Adds a proven, stable player identity and a per-player permission-check hook, and authenticates that identity against Steam at login.
IPlayer.UniqueId(Guid) surfaces the server-sideServerPlayer.Guidso API consumers have a key that survives reconnects/sessions instead of the reassignablePlayerId. Server-only; the client wrapper returnsGuid.Empty.IServer.RegisterPermissionCheck/UnregisterPermissionCheck. All registered checks must returntrueor the server-authoritative action (PermissionAction) is denied (any veto = deny; a throwing check fails closed). Wired at the control-authority grant;Rerail/Restorereserved for the same pattern.SteamUser.BeginAuthSessionand derivesServerPlayer.Guidfrom a deterministic name-based UUID of the SteamID (PlayerIdentity.FromSteamId). The client's self-asserted guid is ignored. Verification is asynchronous, so the peer is accepted but noServerPlayeris created until Steam answers — an unverified peer can do nothing.IPlayer.IsAuthenticatedreports whether ownership was proven.Settings.RequireSteamAuth(default on) turns this off for LAN / non-Steam / Oculus / Steam-offline play, falling back to the self-asserted guid (IsAuthenticatedfalse).Log line
On a successful authenticated login the host's
player.logshows:(unauthenticated logins log
(unauthenticated)instead of the SteamID.)🤖 Generated with Claude Code - Created by me, the human!