Originally Posted by
Genesis
Modified thread.
Verification logic is still incorrect; you delete the player's items without verifying that their action (the API request) was actually successful.
Originally Posted by
Genesis
Code:
String[] args = playerCommand.split(" ");
if (args[0].equalsIgnoreCase("verify")) {
    // ::verify <id>
    if (args.length != 2) {
        c.sendMessage("Please use the command ::verify id");
        return;
    }
    String verificationId = args[1];
    try {
        final com.teamgames.gamepayments.PlayerStoreResponse usernameVerificationResponse = com.teamgames.gamepayments.PlayerStore
                .confirmUsername("API_KEY", c.playerName, verificationId);
        if (!usernameVerificationResponse.getMessage().equalsIgnoreCase("SUCCESS")) {
            c.sendMessage(usernameVerificationResponse.getExtendedMessage());
            return;
        }
        c.sendMessage(usernameVerificationResponse.getExtendedMessage());
    } catch (Exception e) {
        c.sendMessage("Api Services are currently offline. Please check back shortly");
        e.printStackTrace();
    }
}
if (args[0].equalsIgnoreCase("sellproduct")) {
    // ::sellproduct <id> <price> <quantity>
    if (args.length != 4) {
        c.sendMessage("Please use the command ::sellproduct id price quantity");
        return;
    }
    try {
        int productId = Integer.valueOf(args[1]);
        double price = Double.valueOf(args[2]);
        int quantity = Integer.valueOf(args[3]);
        if (!c.getItems().playerHasItem(productId, quantity)) {
            return;
        }
        // The items are removed here, before the store call below has returned.
        c.getItems().deleteItem(productId, quantity);
        final com.teamgames.gamepayments.PlayerStoreResponse sellProductResponse = com.teamgames.gamepayments.PlayerStore
                .sellProduct("API_KEY", c.playerName, productId, c.getItems().getItemName(productId), price,
                        quantity);
        if (!sellProductResponse.getMessage().equalsIgnoreCase("SUCCESS")) {
            c.sendMessage(sellProductResponse.getExtendedMessage());
            return;
        }
        c.sendMessage(sellProductResponse.getExtendedMessage());
    } catch (Exception e) {
        c.sendMessage("Api Services are currently offline. Please check back shortly");
        e.printStackTrace();
    }
}
Also once again, the code is not thread safe. What if the player has the items in their inventory, submits the request, logs out and then the request succeeds and the items are deleted from the now disconnected (and already serialized) player - the player will be able to log in having not lost their items.
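One way to handle both points raised above, the store's answer deciding whether the items are really gone and a logout in the middle of the request not letting the player keep them, as an added example that is not part of the original post and not the server's own code. Player, StoreClient, the two executors and the SALE_OUTCOMES table are hypothetical stand-ins; StoreClient.sellProduct stands in for the PlayerStore.sellProduct call in the quoted code, and the outcome table stands in for whatever persistent storage the server uses.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

public class SellProductExample {

    /** Hypothetical stand-in for the server's player class, not the real one. */
    static class Player {
        final String name;
        final Map<Integer, Integer> inventory = new HashMap<>();
        /** saleId -> {productId, quantity}; saved with the player so a logout cannot lose it. */
        final Map<Long, int[]> pendingSales = new HashMap<>();
        boolean online = true;
        Player(String name) { this.name = name; }
        boolean hasItem(int id, int qty) { return inventory.getOrDefault(id, 0) >= qty; }
        void deleteItem(int id, int qty) { inventory.merge(id, -qty, Integer::sum); }
        void addItem(int id, int qty) { inventory.merge(id, qty, Integer::sum); }
    }

    /** Stand-in for the remote store call (the quoted PlayerStore.sellProduct). */
    interface StoreClient {
        /** true only when the store reports SUCCESS; throws when the API is unreachable. */
        boolean sellProduct(String player, int productId, double price, int quantity) throws Exception;
    }

    static final ExecutorService GAME_THREAD = Executors.newSingleThreadExecutor();
    static final ExecutorService API_POOL = Executors.newFixedThreadPool(2);
    /** saleId -> succeeded; stands in for a persistent outcome table consulted at login. */
    static final Map<Long, Boolean> SALE_OUTCOMES = new ConcurrentHashMap<>();
    static long nextSaleId = 1;

    /** Game-thread entry point for "::sellproduct id price quantity". */
    static void handleSellProduct(Player c, String[] args, StoreClient store) {
        if (args.length != 4) {
            System.out.println("Please use the command ::sellproduct id price quantity");
            return;
        }
        final int productId, quantity;
        final double price;
        try {
            productId = Integer.parseInt(args[1]);
            price = Double.parseDouble(args[2]);
            quantity = Integer.parseInt(args[3]);
        } catch (NumberFormatException e) {
            System.out.println("id and quantity must be whole numbers, price a number");
            return;
        }
        if (quantity <= 0 || price <= 0 || !c.hasItem(productId, quantity)) {
            System.out.println("You do not have " + quantity + " of item " + productId);
            return;
        }
        // Escrow on the game thread: the items leave the inventory now and the sale is recorded
        // with the player, so whatever happens to the connection they cannot be both sold and kept.
        final long saleId = nextSaleId++;
        c.deleteItem(productId, quantity);
        c.pendingSales.put(saleId, new int[] {productId, quantity});

        API_POOL.submit(() -> {
            boolean ok;
            try {
                ok = store.sellProduct(c.name, productId, price, quantity);
            } catch (Exception e) {
                ok = false; // unreachable API is a failed sale: the items go back
            }
            SALE_OUTCOMES.put(saleId, ok);
            GAME_THREAD.submit(() -> settle(c, saleId)); // player state is only touched on the game thread
        });
    }

    /** Game thread only: apply a known outcome. Offline players are settled at their next login. */
    static void settle(Player c, long saleId) {
        if (!c.online) return;  // the serialized copy on disk still carries the pending sale
        Boolean ok = SALE_OUTCOMES.get(saleId);
        if (ok == null) return; // still in flight: leave the escrow in place
        int[] sale = c.pendingSales.remove(saleId);
        SALE_OUTCOMES.remove(saleId);
        if (sale != null && !ok) c.addItem(sale[0], sale[1]); // refund only when the store said no
    }

    /** Login hook: resolve every sale that finished while the player was away. */
    static void onLogin(Player c) {
        c.online = true;
        for (Long saleId : new ArrayList<>(c.pendingSales.keySet())) settle(c, saleId);
    }

    public static void main(String[] a) throws Exception {
        Player p = new Player("Genesis");
        p.addItem(995, 10);
        StoreClient rejecting = (n, id, price, q) -> { Thread.sleep(200); return false; };
        GAME_THREAD.submit(() -> handleSellProduct(p, "sellproduct 995 5.0 3".split(" "), rejecting)).get();
        GAME_THREAD.submit(() -> { p.online = false; }).get(); // logs out while the request is in flight
        API_POOL.shutdown();
        API_POOL.awaitTermination(5, TimeUnit.SECONDS);
        GAME_THREAD.shutdown();
        GAME_THREAD.awaitTermination(5, TimeUnit.SECONDS);
        System.out.println("after logout: " + p.inventory + " pending " + p.pendingSales.keySet());
        onLogin(p);
        System.out.println("after login:  " + p.inventory + " pending " + p.pendingSales.keySet());
    }
}
```

The items are still removed before the remote call, but as an escrow that is recorded with the player and refunded when the store rejects the sale or is unreachable. Deleting only after SUCCESS would reopen the race in the reply: the response arrives after the player has been serialized and the deletion lands on a dead object. With the pending-sale record saved alongside the inventory, a player who logs out mid-request comes back to either the refund or the completed sale, never to both the items and the sale.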
Originally Posted by
Genesis
Thanks for the replies, I rate limit on my end. I've also fixed the threading issue.
Doesn't matter - still presents a denial of service attack vector against the server using this code; wasn't worried about the rate limiting on your end (though you should also consider that too).
The rate limiting on the server side needs to prevent users from creating an unchecked, arbitrary amount of threads / outbound connections on the host server, and should ideally enqueue requests for execution in a manner that disallows a user from maliciously or unintentionally over-saturating the queue with requests, and reduces the load on the game server.
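The shape of that server-side limit, as an added example that is not the server's or the forum poster's code: a fixed worker count with a fixed-size queue bounds the threads and outbound connections any number of commands can create, one request in flight per player stops a single account filling the queue, and results are handed back to the game loop instead of being applied by the API thread. Names, capacities and the "SUCCESS" result are constructed for the demo.

```java
import java.util.Set;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.Callable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentLinkedQueue;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;

/** Bounded dispatcher for outbound store API calls (hypothetical, not the server's own class). */
public class StoreRequestDispatcher {
    private final ThreadPoolExecutor workers;
    /** Players with a request in flight: a second request from the same player is refused, not queued. */
    private final Set<String> inFlight = ConcurrentHashMap.newKeySet();
    /** Finished results wait here until the game loop drains them on its own thread. */
    private final ConcurrentLinkedQueue<Runnable> gameTick = new ConcurrentLinkedQueue<>();

    StoreRequestDispatcher(int threads, int queueCapacity) {
        // Fixed threads and a fixed-size queue: player commands can never create an unbounded
        // number of threads or sockets on the host, however fast they arrive.
        workers = new ThreadPoolExecutor(threads, threads, 0L, TimeUnit.MILLISECONDS,
                new ArrayBlockingQueue<>(queueCapacity), new ThreadPoolExecutor.AbortPolicy());
    }

    /**
     * Queues one remote call for a player. Returns false, and runs nothing, when the player
     * already has a call pending or the queue is full; the caller tells the player to retry later.
     */
    boolean submit(String player, Callable<String> remoteCall, Consumer<String> onResult) {
        if (!inFlight.add(player)) return false;
        try {
            workers.execute(() -> {
                String result;
                try {
                    result = remoteCall.call();
                } catch (Exception e) {
                    result = "Api Services are currently offline. Please check back shortly";
                }
                final String delivered = result;
                // Hand the result to the game loop; the API thread never touches player state.
                gameTick.add(() -> { inFlight.remove(player); onResult.accept(delivered); });
            });
            return true;
        } catch (RejectedExecutionException queueFull) {
            inFlight.remove(player);
            return false;
        }
    }

    /** Called once per game tick from the game thread. */
    void drain() {
        Runnable r;
        while ((r = gameTick.poll()) != null) r.run();
    }

    void shutdown() throws InterruptedException {
        workers.shutdown();
        workers.awaitTermination(5, TimeUnit.SECONDS);
    }

    public static void main(String[] args) throws Exception {
        // 1 worker plus 2 queued slots: at most 3 store calls outstanding for the whole server.
        StoreRequestDispatcher d = new StoreRequestDispatcher(1, 2);
        Callable<String> slowApi = () -> { Thread.sleep(100); return "SUCCESS"; };
        for (String p : new String[] {"alice", "bob", "carol", "dave", "alice"}) {
            boolean ok = d.submit(p, slowApi, msg -> System.out.println(p + ": " + msg));
            System.out.println(p + (ok ? " queued" : " refused: try again shortly"));
        }
        d.shutdown(); // waits for the accepted calls to finish
        d.drain();    // the game loop applies the results
    }
}
```

In the demo the fourth submission is refused because the queue is full and the fifth because alice already has a request pending; both players get an immediate "try again" instead of another thread or socket being opened on their behalf. The per-player check should sit in front of the pool, as here, so a flood from one account is turned away before it can occupy the shared queue.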