increased fake result security by hasing objects and checking duplicate timestamps

2025-10-09 23:25:53 +08:00 · 2021-08-27 21:00:11 +01:00 · 2021-08-27 21:00:11 +01:00 · 82a45bfb7d
commit 82a45bfb7d
parent ce0d7e1bac
3 changed files with 25 additions and 0 deletions
--- a/backend/api/controllers/result.js
+++ b/backend/api/controllers/result.js
@ -7,6 +7,7 @@ const {
  validateResult,
 } = require("../../handlers/validation");
 const { stdDev, roundTo2 } = require("../../handlers/misc");
+const objecthash = require("object-hash");

 class ResultController {
  static async getResults(req, res, next) {
@ -92,6 +93,21 @@ class ResultController {
          .json({ message: "Result data doesn't make sense" });
      }

+      let resulthash = result.hash;
+      delete result.hash;
+      const serverhash = objecthash(result);
+      if (serverhash !== resulthash) {
+        return res.status(400).json({ message: "Incorrect result hash" });
+      }
+
+      let timestampres = await ResultDAO.getResultByTimestamp(
+        uid,
+        result.timestamp
+      );
+      if (timestampres) {
+        return res.status(400).json({ message: "Duplicate result" });
+      }
+
      try {
        result.keySpacingStats = {
          average:
--- a/backend/dao/result.js
+++ b/backend/dao/result.js
@ -47,6 +47,10 @@ class ResultDAO {
    return result;
  }

+  static async getResultByTimestamp(uid, timestamp) {
+    return await mongoDB().collection("results").findOne({ uid, timestamp });
+  }
+
  static async getResults(uid, start, end) {
    start = start ?? 0;
    end = end ?? 1000;
--- a/src/js/test/test-logic.js
+++ b/src/js/test/test-logic.js
@ -37,6 +37,8 @@ import * as Wordset from "./wordset";
 import * as ChallengeContoller from "./challenge-controller";
 import * as RateQuotePopup from "./rate-quote-popup";

+const objecthash = require("object-hash");
+
 let glarsesMode = false;

 export function toggleGlarses() {
@ -1781,6 +1783,9 @@ export async function finish(difficultyFailed = false) {
              completedEvent.challenge = ChallengeContoller.verify(
                completedEvent
              );
+              console.time("hash");
+              completedEvent.hash = objecthash(completedEvent);
+              console.timeEnd("hash");
              axiosInstance
                .post("/results/add", {
                  result: completedEvent,