Ember security, user modified properties concerns


#1

Hi. So I have some concerns regarding security in an Ember.js application. Let’s assume I’m building a game that has a “Remaining lives” count, stored in a “lives” property in the controller. By using the Ember Inspector, you can easily write something like $E.set("lives", 20) and instantly get 20 lives remaining.

This is a big problem and I wanted to know how I would address this issue. To go even further, at the end of the game, I send the score to the backend and store it for the current user. Again, the score could be modified by the user (not the average user, but still …).

Any help? Thanks!


#2

What you are describing is not an Emberism, but a JavaScript problem.

Here’s a link to some discussion on StackOverflow that describes some of the possible approaches and has some links. This post discusses more of a persistence perspective, so it helps specifically with some of your issue. It doesn’t help so much with the runtime aspect, but it’s a good start.

http://stackoverflow.com/questions/4733175/safest-way-to-update-game-score-from-client-to-server-database-javascript


#3

Yes, I agree. So I can only make it harder. How would that apply in an Ember Controller? Should I just change the name of the property from “Score” to “Whatever” … ?


#4

The only way to be confident that no malicious user is “hacking” the game is to also run the game logic server side and treat that as the canonical truth. With this approach it is also incredibly important to verify that user actions themselves are valid server side.

In practice you can do the replay server side after the fact, only to validate correctness. But this depends on the game.

On this note, although not totally ready, the following (now merged) PR https://github.com/emberjs/ember.js/pull/9941 begins the process of letting us run Ember apps server side.
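
Added example, not part of the original posts and not Ember code: a server-side replay check of the kind described in #4, in plain JavaScript. The lane game, its rules and the names LEVEL, replay and acceptSubmission are assumptions made for illustration; the submissions are constructed sample data.

```javascript
// Constructed rules for a hypothetical lane game: each turn the player picks
// a lane (0-3); the coin's lane per turn is level data the server already holds.
const LEVEL = [2, 0, 1, 3, 2, 1];
const LANES = 4;
const START_LIVES = 3;
const POINTS_PER_HIT = 10;

// Replays the submitted actions under the server's rules. The client's own
// "lives" and "score" values are never used as inputs.
function replay(actions) {
  if (!Array.isArray(actions) || actions.length > LEVEL.length) {
    return { ok: false, reason: "malformed action log" };
  }
  let lives = START_LIVES;
  let score = 0;
  for (let turn = 0; turn < actions.length; turn++) {
    const lane = actions[turn];
    if (!Number.isInteger(lane) || lane < 0 || lane >= LANES) {
      return { ok: false, reason: `illegal action at turn ${turn}` };
    }
    if (lives === 0) {
      // A client whose "lives" property was edited keeps playing past this point.
      return { ok: false, reason: `action after game over at turn ${turn}` };
    }
    if (lane === LEVEL[turn]) score += POINTS_PER_HIT;
    else lives -= 1;
  }
  return { ok: true, score, lives };
}

// Handles a score submission: only the replayed score is ever stored.
function acceptSubmission(submission) {
  const result = replay(submission?.actions);
  if (!result.ok) return { accepted: false, reason: result.reason };
  if (submission.claimedScore !== result.score) {
    return { accepted: false, reason: "claimed score does not match replay" };
  }
  return { accepted: true, storedScore: result.score };
}

// Constructed submissions: an honest run, an inflated score, and a run that
// continued after three misses (what an edited "lives" value would produce).
const honest = { actions: [2, 0, 3, 3, 2, 1], claimedScore: 50 };
const inflated = { actions: [2, 0, 3, 3, 2, 1], claimedScore: 9999 };
const extraLives = { actions: [0, 1, 0, 3, 2, 1], claimedScore: 30 };
for (const s of [honest, inflated, extraLives]) console.log(acceptSubmission(s));
```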


#5

Ok. Cool. Thank you. I guess I should also uglify the code, and maybe obfuscate? I am still reading about obfuscation.


#6

Don’t waste your time on obfuscation. It’s not going to work. You really need to validate this stuff server-side.