fix: check world password before spawning player (#227)

ferreira-tb · web-flow · commit cf6ed6f0fe33 · 2026-01-30T14:19:09.000-03:00
diff --git a/app/src/commands/player.ts b/app/src/commands/player.ts
@@ -121,9 +121,10 @@ export async function setPlayerStatus(status: PlayerStatus) {
   await invoke('set_player_status', { req });
 }
 
-export async function spawnPlayer(options: PlayerOptions) {
+export async function spawnPlayer(options: PlayerOptions, worldPassword: Option<string>) {
   const req: SpawnPlayerRequest = {
     world: NIL.world.getIdStrict(),
+    worldPassword: worldPassword ?? null,
     options,
   };
 
diff --git a/app/src/core/game.ts b/app/src/core/game.ts
@@ -9,6 +9,7 @@ import { exit } from '@tauri-apps/plugin-process';
 
 async function joinGame(options: {
   worldId: NonNullable<ClientOptions['worldId']>;
+  worldPassword: ClientOptions['worldPassword'];
   playerId: NonNullable<ClientOptions['playerId']>;
 }) {
   await NIL.world.setId(options.worldId);
@@ -22,7 +23,8 @@ async function joinGame(options: {
     }
   }
   else {
-    await commands.spawnPlayer({ id: playerId });
+    const playerOptions: PlayerOptions = { id: playerId };
+    await commands.spawnPlayer(playerOptions, options.worldPassword);
   }
 
   await NIL.player.setId(playerId);
@@ -48,6 +50,7 @@ export async function joinLocalGame(options: {
   if (options.worldId) {
     return joinGame({
       worldId: options.worldId,
+      worldPassword: null,
       playerId: options.playerId,
     });
   }
@@ -58,17 +61,23 @@ export async function joinLocalGame(options: {
 
 export async function joinRemoteGame(options: {
   worldId: NonNullable<ClientOptions['worldId']>;
+  worldPassword: ClientOptions['worldPassword'];
   authorizationToken: NonNullable<ClientOptions['authorizationToken']>;
 }) {
   const playerId = await commands.validateToken(options.authorizationToken);
   if (playerId) {
     await commands.updateClient({
       serverAddr: { kind: 'remote' },
       worldId: options.worldId,
+      worldPassword: options.worldPassword,
       authorizationToken: options.authorizationToken,
     });
 
-    return joinGame({ worldId: options.worldId, playerId });
+    return joinGame({
+      worldId: options.worldId,
+      worldPassword: options.worldPassword,
+      playerId,
+    });
   }
   else {
     throw new Error('Invalid token');
diff --git a/app/src/lib/request/player.ts b/app/src/lib/request/player.ts
@@ -57,5 +57,6 @@ export interface SetPlayerStatusRequest {
 
 export interface SpawnPlayerRequest {
   readonly world: WorldId;
+  readonly worldPassword: Option<string>;
   readonly options: PlayerOptions;
 }
diff --git a/app/src/scenes/online/join-remote-game/Box.vue b/app/src/scenes/online/join-remote-game/Box.vue
@@ -8,6 +8,6 @@ defineProps<{
 <template>
   <div class="flex h-16 flex-col items-center justify-center">
     <span class="text-muted-foreground text-xs md:text-sm break-all wrap-anywhere">{{ label }}</span>
-    <span class="text-base md:text-lg font-semibold break-all wrap-anywhere">{{ content }}</span>
+    <span class="text-sm md:text-base font-semibold break-all wrap-anywhere">{{ content }}</span>
   </div>
 </template>
diff --git a/app/src/scenes/online/join-remote-game/index.vue b/app/src/scenes/online/join-remote-game/index.vue
@@ -9,6 +9,7 @@ import { computed, ref } from 'vue';
 import { useMutex } from '@tb-dev/vue';
 import { useRouter } from 'vue-router';
 import { formatToday } from '@/lib/date';
+import { joinRemoteGame } from '@/core/game';
 import { useUserStore } from '@/stores/user';
 import Loading from '@/components/Loading.vue';
 import { isValidPassword } from '@/lib/schema';
@@ -34,19 +35,27 @@ const { authorizationToken } = storeToRefs(userStore);
 
 const { remoteWorld, loading } = useRemoteWorld(worldId);
 
-const password = ref<Option<string>>();
+const worldPassword = ref<Option<string>>();
 
 const { locked, lock } = useMutex();
 const canJoin = computed(() => {
   return (
     Boolean(remoteWorld.value) &&
     Boolean(authorizationToken.value) &&
-    (!remoteWorld.value?.hasPassword || isValidPassword(password.value))
+    (!remoteWorld.value?.hasPassword || isValidPassword(worldPassword.value))
   );
 });
 
 async function join() {
-  await lock(async () => {});
+  await lock(async () => {
+    if (remoteWorld.value && authorizationToken.value) {
+      await joinRemoteGame({
+        worldId: remoteWorld.value.id,
+        worldPassword: worldPassword.value,
+        authorizationToken: authorizationToken.value,
+      });
+    }
+  });
 }
 </script>
 
@@ -69,11 +78,8 @@ async function join() {
           <Box :label="t('updated-at')" :content="formatToday(remoteWorld.updatedAtDate)" />
         </div>
 
-        <div class="w-full flex justify-center items-center">
-          <span
-            v-if="remoteWorld.description"
-            class="md:max-w-6/8 break-all wrap-anywhere text-center text-muted-foreground"
-          >
+        <div v-if="remoteWorld.description" class="w-full flex justify-center items-center py-2">
+          <span class="md:max-w-6/8 text-sm md:text-base text-center text-muted-foreground break-all wrap-anywhere">
             {{ remoteWorld.description }}
           </span>
         </div>
@@ -82,7 +88,7 @@ async function join() {
       <CardFooter class="w-full flex flex-col gap-4!">
         <Input
           v-if="remoteWorld.hasPassword"
-          v-model="password"
+          v-model="worldPassword"
           type="password"
           :placeholder="t('password')"
           :disabled="locked"
diff --git a/app/src/types/player.d.ts b/app/src/types/player.d.ts
@@ -16,5 +16,4 @@ type PlayerStatus = 'active' | 'inactive';
 
 interface PlayerOptions {
   readonly id: PlayerId;
-  readonly password?: Option<string>;
 }
diff --git a/crates/nil-database/src/database/game.rs b/crates/nil-database/src/database/game.rs
@@ -9,6 +9,8 @@ use crate::sql_types::hashed_password::HashedPassword;
 use crate::sql_types::zoned::SqlZoned;
 use diesel::prelude::*;
 use diesel::result::Error as DieselError;
+use nil_util::password::Password;
+use nil_util::result::WrapOk;
 
 macro_rules! decl_get {
   ($fn_name:ident, $model:ident) => {
@@ -81,4 +83,19 @@ impl Database {
       .execute(&mut *self.conn())
       .map_err(Into::into)
   }
+
+  pub fn verify_game_password(
+    &self,
+    game_id: impl Into<GameId>,
+    password: Option<&Password>,
+  ) -> Result<bool> {
+    if let Some(hash) = self.get_game_password(game_id)? {
+      password
+        .filter(|it| !it.trim().is_empty())
+        .is_some_and(|it| hash.verify(it))
+        .wrap_ok()
+    } else {
+      Ok(true)
+    }
+  }
 }
diff --git a/crates/nil-payload/src/player.rs b/crates/nil-payload/src/player.rs
@@ -3,6 +3,7 @@
 
 use nil_core::player::{PlayerId, PlayerOptions, PlayerStatus};
 use nil_core::world::WorldId;
+use nil_util::password::Password;
 use serde::{Deserialize, Serialize};
 
 #[derive(Clone, Debug, Deserialize, Serialize)]
@@ -87,5 +88,7 @@ pub struct SetPlayerStatusRequest {
 #[serde(rename_all = "camelCase")]
 pub struct SpawnPlayerRequest {
   pub world: WorldId,
+  #[serde(default)]
+  pub world_password: Option<Password>,
   pub options: PlayerOptions,
 }
diff --git a/crates/nil-server/src/router/mod.rs b/crates/nil-server/src/router/mod.rs
@@ -219,18 +219,11 @@ async fn websocket(
   if app.server_kind().is_remote() {
     match app
       .database()
-      .get_game_password(query.world_id)
+      .verify_game_password(query.world_id, query.world_password.as_ref())
     {
-      Ok(Some(hash))
-        if query
-          .world_password
-          .filter(|it| !it.trim().is_empty())
-          .is_none_or(|it| !hash.verify(&it)) =>
-      {
-        return Error::IncorrectWorldCredentials(query.world_id).into();
-      }
+      Ok(true) => {}
+      Ok(false) => return Error::IncorrectWorldCredentials(query.world_id).into(),
       Err(err) => return from_database_err(err),
-      _ => {}
     }
   }
 
diff --git a/crates/nil-server/src/router/player.rs b/crates/nil-server/src/router/player.rs
@@ -2,9 +2,10 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 
 use crate::app::App;
+use crate::error::Error;
 use crate::middleware::authorization::CurrentPlayer;
 use crate::res;
-use crate::response::EitherExt;
+use crate::response::{EitherExt, from_database_err};
 use axum::extract::{Extension, Json, State};
 use axum::response::Response;
 use itertools::Itertools;
@@ -146,6 +147,17 @@ pub async fn set_status(
 }
 
 pub async fn spawn(State(app): State<App>, Json(req): Json<SpawnPlayerRequest>) -> Response {
+  if app.server_kind().is_remote() {
+    match app
+      .database()
+      .verify_game_password(req.world, req.world_password.as_ref())
+    {
+      Ok(true) => {}
+      Ok(false) => return Error::IncorrectWorldCredentials(req.world).into(),
+      Err(err) => return from_database_err(err),
+    }
+  }
+
   app
     .world_mut(req.world, |world| {
       world.spawn_player(Player::new(req.options))

Original file line number	Diff line number	Diff line change
`@@ -57,5 +57,6 @@ export interface SetPlayerStatusRequest {`
`57`	`57`
`58`	`58`	`export interface SpawnPlayerRequest {`
`59`	`59`	`readonly world: WorldId;`
	`60`	`+ readonly worldPassword: Option<string>;`
`60`	`61`	`readonly options: PlayerOptions;`
`61`	`62`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,5 +16,4 @@ type PlayerStatus = 'active' \| 'inactive';`
`16`	`16`
`17`	`17`	`interface PlayerOptions {`
`18`	`18`	`readonly id: PlayerId;`
`19`		`- readonly password?: Option<string>;`
`20`	`19`	`}`