pagefaultgames / rogueserver

Game server backend and API for PokéRogue

Home Page: https://pokerogue.net

License: GNU Affero General Public License v3.0

Go 99.44% Dockerfile 0.56%
backend golang pokerogue server webserver

rogueserver's Issues

Commit f9cce330f6fa3292f85223b717fc7b464911acfc Breaks My Local Instance

Running this commit to rogueserver breaks my local PokeRogue instance.

Behavior:
Server loads, I can open a running Session, I can win that session and select a reward, it saves the session but then refuses to move to the next wave. Started a brand new run and this behavior repeated after completing Wave 1 of the new run (it hung on moving to Wave 2).

Screenshot of DEV console during issue:
image

Rolling back to previous rogueserver commit 656a935 restored functionality.

When I updated to last night's commit for rogueserver, I also had done the same for the web server. I've tried various web server commits released today with rogueserver commit f9cce33. Each one of them provided the same behavior (could not move to next wave).

Importing Data Fails due to "stored trainer or secret ID" not matching

How do I take my exported Data from Live PokeRogue, and change the Secret ID to match the user on my Privately Hosted when importing?

The Session Data comes over fine, lets me load a Save File, and the Trainer ID changes to my private user.

But when I import the "Data" I'm getting the following in Dev Tools:

image

Any ideas how to make exported data happy when importing?

Failed to Load Save, Login Failing & Account Creation Failing after latest git pull

I did a 'git pull' for both Pokerogue & Rogueserver this morning, and it seems accounts/saves have broken on my private instance.

After git pull, I restarted the services, and my pm2 was having a fit. So I then ran "npm install" in the Pokerogue directory, which resolved that issue. The game then loaded in my browser.

Once the game loaded, it was throwing "failed to load save data". There is no way to progress from that page, so I reset my local cookies for the site. I then was able to get to the Login/Register screen. At that point, when I tried to login with my 2 local accounts, it would just fail and return to the login screen (with no visible error).

When I try to login with the correct password, it returns to the login screen with login cleared:
image
image
Throwing an unauthorized error in the Dev Tools console.

So I tried to use the "wrong" password, and I get this:
image
image
This throws the "Internal Server Error" when using the wrong password, so I'm pretty sure it's checking the password and failing.

Also, I tried to make a new account, and it acts like the correct account failure. Returns to the login screen. When I look into the MariaDB, the new account is created under the "accounts" database - but with no "lastActivity" time, and no TrainerID or SecretID assigned.

Sorry for the dump of data... just stuck here now, unsure how to log into my accounts properly.

p.s. I take regular backups of the save data, so I haven't lost anything, but I am unsure how to rollback the git pull if needed.

Is it possible to import the exported data from Live Pokerogue into Private Pokerogue?

I am running exact git clone of live Pokerogue and Rogueserver, no adjustments to the codebase (except one environment variable in .env). I would love to bring my progress from the Live Pokerogue game into my Private Pokerogue. Is this possible at all?

Or if that's not easily feasible... is it possible to mark/edit the Pokemon I have caught in Live, and just enable them on my Private Pokerogue? I dug around in the MariaDB on my Private instance and can't find a place where to add/edit the list of "caught" Pokemon.

Any advice/direction would be great - thank you :)

Unable to Create Account on locally hosted

After closing my previous issue regarding how to switch from cookie to account login... which I was able to resolve by passing the proper env variable.

But now, I am unable to create an account on my locally hosted pokerogue/rogueserver install. I get the login pop, but when I enter any sort of account into to Register, it just throws the error sound and fails. Yes I'm entering the same password in each field. I've tried different passwords and different usernames, all the same.

PokeRogueAcctFail.mp4

I'm pretty sure the DB is connected to my MariaDB as the structure of the DB was setup (tables, etc).

Is there a way to watch a log where I could see failures?

NOTES: I am on Ubuntu 20, MariaDB for the DB. Not using Docker. Just installing into Ubuntu 20 VM.

cannot load slices: malformed module path "slices": missing dot in first path element

Hello! I'm a newb to building with Go, so sorry for my lack of understanding. I can usually follow a guide and hack my way around well enough. I think there are many assumptions in the guide that people building this will be Go experts... but I'm not, and I really want to run my own server for myself and my friends/family. So maybe it's not for me, but I was hoping I could pull it off.

Anyways. I'm trying to build this on an Ubuntu 22.04.3 server. I have the pre-reqs installed.

Go version go1.13.8 linux/amd64
Node v18.3.0
npm 8.11.0

Every time I try to build or test it, I get this error:

build github.com/pagefaultgames/rogueserver: cannot load slices: malformed module path "slices": missing dot in first path element

It seems to be referencing a call to slices in "account.go"

Any idea how to pass this error? Been banging my head against it for 3-4 hours now.

Regarding Anti-Cheat measures

Hey!

So far I haven't found the time to spin up a copy of this server, and I am also no expert in those fields in general, but I wanted to propose some ideas already and might spin up a copy locally over the coming days and try a bit as well.

Cheating is currently getting very rampant and beloved. They only cheat themselves, but since you seemed to start caring, here are some ideas:

JWT Token

Short-Lived JWT Tokens: These tokens can ensure that even if someone captures a token, it will expire quickly. The tokens are also generated and validated server-side, making it difficult to forge valid tokens. Ideally this secret is set to an environment variable.

Protection against injected javascript

  • Integrity Checks
    • Subresource Integrity & Strict CSP
  • More secure headers
    • X-Content-Type-Options: nosniff
    • X-Frame-Options: DENY
    • X-XSS-Protection: 1; mode=block

Nonce Token

Add another token to prevent replay attacks, basically editing and resending a payload, the dumb man's devtool option, so that each request can only be used once. This would add some extra data to the payload, and the token generation and validation would be server-sided.

We just need to ensure that even if you run the same generation code in, for example, JavaScript, the result is different if not run at the exact same time, and hide each secret, ideally with an environment variable.

Ideas regarding game-code itself

  • Move the saving mechanism to the start of each wave, and validate that the save got triggered by a transfer between waves. Reject any data that does not follow this rule.
  • Or keep it at the end and validate that the save can only be triggered by a pokemon's faint
  • At most there should be just minimal value increases.
    • Client-side validate minimum constraints; not more than 6x Pokemon at a time can change their data at once, etc.
      • Define thresholds client-sided for how much values can change over a given time; total HP can't increase by 500 in a second, neither can money or such unless tied to a state (saving)
  • Game State Validation; Implement logic to validate the game state, ensuring it adheres to expected progression of save data.

Most of those approaches would add onto the save data and just minimally raise the payload size and server load.
Nonce tokens would already protect against the usual "Edit and resend payload". Unsure how impactful JWT tokens are in this case.

```go
type Payload struct {
    Data            string `json:"data"` // placeholder for the already existing save data
    Nonce           string `json:"nonce"`
    JWTToken        string `json:"token"`
    ClientSessionId string `json:"sessionId"`
}
```
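
The single-use nonce proposed in the issue above, sketched as an added example (not rogueserver code and not part of the original post). The names `NonceStore`, `Issue`, `Consume` and the in-memory map are assumptions; the nonce is bound to the session it was issued for and is burned on the first validation attempt, so an edited and resent payload is rejected.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var ErrNonce = errors.New("nonce unknown, expired, already used, or bound to another session")

type entry struct {
	sessionID string
	expires   time.Time
}

// NonceStore (hypothetical name) tracks server-issued, single-use nonces.
type NonceStore struct {
	mu     sync.Mutex
	ttl    time.Duration
	issued map[string]entry
}

// Issue returns a fresh 128-bit random nonce bound to sessionID.
func (s *NonceStore) Issue(sessionID string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	n := hex.EncodeToString(b)
	s.issued[n] = entry{sessionID, time.Now().Add(s.ttl)}
	return n, nil
}

// Consume deletes the nonce before judging it, so any second use fails.
func (s *NonceStore) Consume(sessionID, nonce string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.issued[nonce]
	delete(s.issued, nonce)
	if !ok || e.sessionID != sessionID || time.Now().After(e.expires) {
		return ErrNonce
	}
	return nil
}

func main() {
	s := &NonceStore{ttl: 30 * time.Second, issued: map[string]entry{}}
	n, _ := s.Issue("session-a") // constructed session id
	fmt.Println(s.Consume("session-a", n), s.Consume("session-a", n))
}
```

Expired entries that are never presented stay in the map, and a multi-instance deployment would need a shared store in place of the map.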

How to switch to server-side saving for privately hosted?

After battling with this, I got it working privately hosted on my own server. (hooray!)

Working great so far! So how do I switch from cookie saves to the server-side save to the DB with user accounts?

Thanks!

EDIT: Resolution for anyone reading this later... you can read the long thread below, or just know you need to pass an environment variable to your OS or Docker VITE_BYPASS_LOGIN=-1 -- how you pass the variable will depend on your implementation.

MariaDB/mySQL: Failed to execute query: Error 1067 (42000): Invalid default value for 'lastLoggedIn'

Hello, I'm back with more trouble...

From my last issue I was able to continue after upgrading the version of Go. Now I've successfully built "rogueserver"

I then created a database in my mariadb called "pokeroguedb" and created a user called "pokerogue" with the same password. I then run:

./rogueserver --debug --dbuser pokrogue --dbpass pokerogue &

Which then spits out:

failed to execute query: Error 1067 (42000): Invalid default value for 'lastLoggedIn', query: CREATE TABLE IF NOT EXISTS accounts (uuid BINARY(16) NOT NULL PRIMARY KEY, username VARCHAR(16) UNIQUE NOT NULL, hash BINARY(32) NOT NULL, salt BINARY(16) NOT NULL, registered TIMESTAMP NOT NULL, lastLoggedIn TIMESTAMP DEFAULT NULL, lastActivity TIMESTAMP DEFAULT NULL, banned TINYINT(1) NOT NULL DEFAULT 0, trainerId SMALLINT(5) UNSIGNED DEFAULT 0, secretId SMALLINT(5) UNSIGNED DEFAULT 0)

So now I'm stuck here, unsure how to proceed.

Also, here is mysql / mariadb version below:

mysql Ver 15.1 Distrib 10.3.39-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Sorry for my newbie-ness with this... I'm determined to make this work.

Thank you so much!
