Server-side validation for priority-metatype-path consistency #253

@Jasrags

Problem

The server trusts client-sent selections without verifying they are valid for the chosen priority levels:

  1. Metatype vs priority: No server check that the selected metatype is available at the chosen metatype priority (e.g., Troll at Priority E)
  2. Magic path vs priority: No server check that the selected magic path is available at the chosen magic priority (e.g., Full Mage at Priority E)
  3. Priority uniqueness: No server check that each priority level (A-E) is used exactly once — the client-side canFinalize only counts to 5

The UI enforces these via option filtering and swap logic, but a crafted API request could bypass all of it.

Acceptance Criteria

  • New server-side validator checks metatype is valid for the metatype priority level
  • New server-side validator checks magic path is valid for the magic priority level
  • Server validates all 5 priority categories are assigned with unique A-E levels
  • Tests cover invalid combinations

Priority

P1 — Critical — Data integrity issue; bypasses core creation rules.

Files

  • lib/rules/validation/character-validator.ts (new validator)
  • data/editions/sr5/core-rulebook.json (priority table reference)
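
A sketch of the three server-side checks listed under Acceptance Criteria, as an added example that is not the project's code. The function names, the request shape, the category names other than metatype and magic, and both lookup tables are assumptions constructed for illustration; a real validator would read the tables from the edition data file.

```typescript
// Added example, not the project's validator. The two tables are a constructed
// stand-in for the priority data in data/editions/sr5/core-rulebook.json.
type Level = "A" | "B" | "C" | "D" | "E";
const LEVELS: string[] = ["A", "B", "C", "D", "E"];
// Category names other than metatype and magic are assumptions.
const CATEGORIES = ["metatype", "attributes", "magic", "skills", "resources"];
const METATYPES: Record<Level, string[]> = {
  A: ["human", "elf", "dwarf", "ork", "troll"],
  B: ["human", "elf", "dwarf", "ork", "troll"],
  C: ["human", "elf", "dwarf", "ork"],
  D: ["human", "elf"],
  E: ["human"],
};
const MAGIC_PATHS: Record<Level, string[]> = {
  A: ["full-mage", "mystic-adept"],
  B: ["full-mage", "mystic-adept", "adept"],
  C: ["full-mage", "adept"],
  D: ["adept"],
  E: ["mundane"],
};
interface CreationRequest { // every field is client-controlled
  priorities?: Record<string, unknown>;
  metatype?: unknown;
  magicPath?: unknown;
}
function isLevel(v: unknown): v is Level {
  return typeof v === "string" && LEVELS.indexOf(v) !== -1;
}
function checkOption(errors: string[], label: string, choice: unknown,
                     table: Record<Level, string[]>, level: unknown): void {
  if (!isLevel(level)) return; // a bad level is already reported by the caller
  if (typeof choice !== "string" || table[level].indexOf(choice) === -1) {
    errors.push(`${label} ${String(choice)} is not available at priority ${level}`);
  }
}
function validatePriorityConsistency(req: CreationRequest): string[] {
  const errors: string[] = [];
  const priorities = req.priorities ?? {};
  const usedBy: Partial<Record<Level, string>> = {};
  for (const category of CATEGORIES) { // five categories, each level at most once
    const level = priorities[category];
    if (!isLevel(level)) errors.push(`priority for ${category} is missing or not A-E`);
    else if (usedBy[level]) errors.push(`priority ${level} is used by both ${usedBy[level]} and ${category}`);
    else usedBy[level] = category;
  }
  checkOption(errors, "metatype", req.metatype, METATYPES, priorities["metatype"]);
  checkOption(errors, "magic path", req.magicPath, MAGIC_PATHS, priorities["magic"]);
  return errors;
}
```

An empty result means the request passed; the API handler would reject the request whenever the array is non-empty, regardless of what the UI allowed.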

Labels

  • creation
  • critical: Urgent - security vulnerability or blocking issue
  • enhancement: New feature or request
  • validation: Validation rules and error checking
