Am I understanding this correctly in that the client has to send its own ID to the server to invoke a function? The server doesn’t know what ID actually sent the message?
Basically means I can’t trust any command, as the client could provide another user’s ID.
Hey Berg, you are correct that this value is provided by the client and potentially open to a bad actor.
The good news is that the RS and our system as a whole has all the information in place to enforce the commands are identified by the actual sender based on connection info. This enforcement just has not found its way up to the public SDK yet - it’s on our roadmap though to make this enforcement available to your simulator. I don’t have a timeframe right now but it’s one of our top concerns!
Sharing my reply here too from Discord, otherwise it gets lost.
One thing that comes to my mind is:
When any client joins, the Simulator sends them a token (format is up to you) that they use as a sort of Private Client ID (let’s call it PCID). They can message the Client’s ClientConnection to do so.
The Simulator holds a map PCID ↔ Client ID (or ↔ Prefab they own).
The Client now has this PCID that they only use to sign NetworkCommands.
Upon receiving them, the Sim knows which character to direct
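The token scheme from the post above, sketched as an added example; it is not code from the thread or from the SDK. `PcidRegistry` and its methods are hypothetical names, client IDs are assumed to be `uint`, and delivering the token to the client and reading it back out of a command are left to whatever SDK calls you already use.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
// Hypothetical simulator-side registry (assumption, no SDK calls).
public sealed class PcidRegistry
{
    // PCID -> client ID the simulator itself observed at join time.
    private readonly Dictionary<string, uint> clientByPcid = new Dictionary<string, uint>();
    private readonly Dictionary<uint, string> pcidByClient = new Dictionary<uint, string>();

    // Call when a client joins; send the result only to that client's connection.
    public string Issue(uint clientId)
    {
        Revoke(clientId); // at most one live token per client
        byte[] raw = new byte[32]; // 256 bits from a CSPRNG, so it cannot be guessed
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string pcid = Convert.ToBase64String(raw);
        clientByPcid[pcid] = clientId;
        pcidByClient[clientId] = pcid;
        return pcid;
    }

    // Call when a client disconnects so an old token stops resolving.
    public void Revoke(uint clientId)
    {
        if (!pcidByClient.TryGetValue(clientId, out string old)) return;
        clientByPcid.Remove(old);
        pcidByClient.Remove(clientId);
    }

    // Resolve the sender from the token in the command; never from a client-supplied ID.
    public bool TryResolve(string pcid, out uint clientId)
    {
        clientId = 0;
        return pcid != null && clientByPcid.TryGetValue(pcid, out clientId);
    }
}
public static class Demo
{
    public static void Main()
    {
        var reg = new PcidRegistry();
        string a = reg.Issue(1), b = reg.Issue(2); // constructed client IDs
        Console.WriteLine(reg.TryResolve(a, out uint who) && who == 1);
        Console.WriteLine(reg.TryResolve(b, out who) && who == 2);
        Console.WriteLine(reg.TryResolve("guessed-token", out _));
        reg.Revoke(1); // client 1 disconnects
        Console.WriteLine(reg.TryResolve(a, out _));
    }
}
```

The token here is a bearer secret rather than a signature: anyone who learns it can act as that client until it is revoked, so it must only ever travel to its owner and to the simulator.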