From 68e298fe270030dfce880cde8b8e39544a67d4c3 Mon Sep 17 00:00:00 2001
From: xxu
Date: Tue, 17 Feb 2026 01:38:45 +0900
Subject: [PATCH] fix: restrict WebSocket message routing to prevent non-host room disruption

Non-host players could broadcast arbitrary messages (e.g. empty gamestate) to all other players via the server's default and direct message handlers, effectively allowing them to dissolve the room. Apply the same host-check pattern already used for ping messages to both handlers, ensuring player messages only reach the host and never other players.

Co-Authored-By: Claude Opus 4.6
---
 server/index.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/server/index.js b/server/index.js
index 334a1aa..9b864f1 100644
--- a/server/index.js
+++ b/server/index.js
@@ -185,6 +185,7 @@ wss.on("connection", function connection(ws, req) {
       if (
         client !== ws &&
         client.readyState === WebSocket.OPEN &&
+        (ws.playerId === "host" || client.playerId === "host") &&
         dataToPlayer[client.playerId]
       ) {
         client.send(JSON.stringify(dataToPlayer[client.playerId]));
@@ -205,7 +206,11 @@ wss.on("connection", function connection(ws, req) {
      data
    );
    channels[ws.channel].forEach(function each(client) {
-      if (client !== ws && client.readyState === WebSocket.OPEN) {
+      if (
+        client !== ws &&
+        client.readyState === WebSocket.OPEN &&
+        (ws.playerId === "host" || client.playerId === "host")
+      ) {
        client.send(data);
        metrics.messages_outgoing.inc();
      }
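Review bot: The added guard `(ws.playerId === "host" || client.playerId === "host") &&` is only as strong as the provenance of `ws.playerId`, which is assigned outside this hunk; if that id is copied from a client-supplied join payload or query parameter rather than fixed by the server when the room is created, a non-host socket can present itself as `"host"` and the restriction in this hunk and in the second hunk (the default handler) no longer holds. Worth confirming that the server assigns `"host"` itself and refuses a client-chosen `"host"` id, and recording that in a comment such as `// playerId is server-assigned on join; "host" is never accepted from the client`. Separately, the `dataToPlayer[client.playerId]` truthiness test on the next line would pass for inherited keys such as `constructor` if dataToPlayer is a plain object, so `Object.hasOwn(dataToPlayer, client.playerId)` is the safer guard. The enclosing connection handler begins and ends outside the hunk.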
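Review bot: The routing rule `ws.playerId === "host" || client.playerId === "host"` is now spelled out in this hunk, in the first hunk, and (per the commit message) in the ping handler, so any change to how the host is identified has to be made in three places. A single helper such as `const mayRoute = (from, to) => from.playerId === "host" || to.playerId === "host";` declared near the handlers, with each condition reduced to `mayRoute(ws, client)`, keeps the policy in one spot and names the reason non-host-to-non-host traffic is dropped. Messages rejected by the new condition also leave no trace, since `metrics.messages_outgoing.inc()` runs only on the send path; a dropped-message counter or debug log on the rejected branch would make a client that keeps attempting broadcasts visible to operators. The forEach callback and the enclosing connection handler both end outside the hunk.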