angelsinhbfs asked

Negative virtual currency

During testing, a tester was able to continue purchasing after they had run out of virtual currency for quite a while.



dragonfoundry answered

Wait, what?? This is a big security hole - it allows a player who is a mildly competent coder to spend 100x their actual currency balance. This isn't the sort of thing that should be client authoritative!


brendan answered

No, it allows a hacked client to spend slightly over their current balance, after which they would have to wait for their balance to come back up to normal. Bear in mind that if the client hammers the service with many requests, it's going to get throttled. The currency balance is not client authoritative in this case, either. The client cannot, for example, add or subtract currency directly. What the client can do, potentially, is send too many purchase calls at once. Again, this will be made atomic with the inventory update we'll be rolling out in an upcoming release.

3 comments

brendan commented ·

And to be clear, yes, we very much agree that this isn't optimal currently. It would allow a hacked client to spend more VC than he has. That's specifically one of the reasons we are looking to update the inventory system.

0 Likes 0 ·
Hamza Lazaar (to brendan) commented ·

Any ETA? Next year?

0 Likes 0 ·
brendan (to Hamza Lazaar) commented ·

We're hoping to have this be a Q1 update, yes.

1 Like 1 ·
kamyker answered

Still a bug in 2019

1 comment

kamyker commented ·

Title FB3, player 712350AB0EEE5A19.

I had a similar issue using Firebase database for something else, but it was very easy to fix using their write timestamp:

1. Read value with its update timestamp
2. Set value and update timestamp only if timestamp is correct


Example with 2 calls A, B:
1A. Read value with timestamp
1B. Read value with timestamp
2A. Set value and update timestamp
2B. Error: can't set value as timestamp is different

0 Likes 0 ·
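
The read-then-conditional-write pattern from the comment above, replayed for the same A/B interleaving. This is an added example, not part of the original thread and not PlayFab or Firebase code. `BalanceStore`, `race_two_purchases` and the integer stamp (standing in for the write timestamp) are hypothetical, and the unguarded path assumes a balance check followed by an unconditional debit.

```python
import threading

class StaleWrite(Exception):
    """The record was written by someone else after we read it."""

class BalanceStore:
    """Constructed in-memory stand-in for one database record: (value, stamp)."""
    def __init__(self, balance):
        self._lock = threading.Lock()  # models the store applying each call atomically
        self._value, self._stamp = balance, 0

    def read(self):
        with self._lock:
            return self._value, self._stamp

    def debit(self, amount):
        # Unconditional debit: ignores whatever the caller read earlier.
        with self._lock:
            self._value -= amount
            self._stamp += 1

    def write_if_unchanged(self, value, expected_stamp):
        # Conditional write: compare and update happen as one atomic step.
        with self._lock:
            if self._stamp != expected_stamp:
                raise StaleWrite("stamp changed since read")
            self._value, self._stamp = value, self._stamp + 1

def race_two_purchases(store, price, guarded):
    """Replay the A/B interleaving: both calls read, then both try to write."""
    reads = {name: store.read() for name in ("A", "B")}   # steps 1A, 1B
    granted = []
    for name in ("A", "B"):                               # steps 2A, 2B
        balance, stamp = reads[name]
        if balance < price:
            continue                                      # insufficient funds
        try:
            if guarded:
                store.write_if_unchanged(balance - price, stamp)
            else:
                store.debit(price)
            granted.append(name)
        except StaleWrite:
            pass  # the loser must re-read and re-check the new balance
    return granted, store.read()[0]
```

With a starting balance of 100 and a price of 100, the unguarded replay grants both purchases and leaves the balance at -100, while the guarded replay grants only A and leaves it at 0.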
