Couch + desktop game?

[ash oakenfold <co...@gmail.com>]

Hi,

Learning CouchDB and very excited about it. Finally, a DB that makes sense!

As a 1st project, I thought I would try making a game (desktop only app). If
the player has a bunch of properties (cash, health, energy, etc) in a
document, and the server is running locally, what's to stop a player from
changing their player stats directly? I don't need super air-tight security
(if you're determined to cheat, go ahead) but it would be nice if only the
application (game logic) could update the user stats.

In my early tests, my app fires up curl in the background to create/update
documents. At this point, I'm not worried about end users having curl, or an
instance of CouchDB. I also know preventing users from editing documents
goes against the grain of Couch, but for a game it would be necessary to
restrict access only to the application as a "user". How would I do that?
Even if I create an admin account, how would I pass credentials along in
curl without it being plainly readable? It's all fuzzy to me right now.

Cheers,
Ash

Re: Couch + desktop game?

[Leszek Lach <le...@gmail.com>]

You can try to make it like an online game and instead - run it locally.
This way - the player won't be able to modify the data, directly.. Unless he
will know how the data is computed server-side and how it is stored in the
couchdb.

When it comes to the online games - the client can't send or put ANY
information that would trigger the updates server-side.
It should just send the INPUT information events (keyboard/mouse, etc). It
shouldnt be even able to know if the server has received it or not.
Its up to server-side software to parse the incoming data and to decide if
it's complete, correct (you need to check if the player hasn't changed the
packets), to recompute (for example) the position of the player on the map
based on these discrete values that have been received over time  and then -
to inform inform the client about his CHANGE in position, status
(hp/ammo/whatever), etc.

In short: client should only be able to GET the data from the server and
display it - thats all.
All the operation, math should be done server-side.

Pattern:
1. client is sending discrete values over the time and listening for server
data to update the visual representation
2. server is receiving the discrete values from the client (registered
events. for example - which buttons were pushed/un-pushed plus the time
stamps, etc and based on this information - it's doing all the math like
calculating the [x,y,z] position based on the last direction vector, etc).
Then - the server is sending the information to the client.
3. Client is changing the visual representation, based on the solution that
has been received from the server. And then - sending a new information
about events triggered by the user.. Again - back to the point 1.

-- 
Leszek Lach

Re: Couch + desktop game?

[Wordit Ltd <wo...@googlemail.com>]

On Sat, Feb 12, 2011 at 12:20 AM, ash oakenfold
<co...@gmail.com> wrote:
>
> for a game it would be necessary to
> restrict access only to the application as a "user". How would I do that?


I just released my first couchdb game and have been grappling with the
same question. Here are a few thoughts.

Client-side you can't stop anybody seeing the app's login data and
using curl to change their scores, posing as the app.
You can prevent revealing credentials server-side...BUT, then it would
be just as easy to send false score data to the server, using the same
method the app does.

The only way I can think of, is to not reveal the correct responses on
the client-side. The client only sends user responses and has no clue
of the answers, then server-side check the response, and update the
scores. But that means informing the app whether the response was
correct and waiting for the server response...slows down or stops game
flow.

Another way, if correct responses are concealed, is to store all
player responses, and then have a verification procedure to check that
scores were attained correctly. Maybe after each level.

I don't see any way of achieving it for a desktop app. Encrypting the
data means the key is visible in the code, and then it's easy to
decrypt.

IMO, it all depends on the type of game. If its sole purpose is social
competitiveness, then many players may look for cheats, which may hurt
the game's reputation. But if the main reason for playing is to test
one's own knowledge or skills, then the player has little gain in
cheating.

If anybody can think of another way please share it.

Marcus