Skip to content

認証・認可ロジックの強化と結果操作APIの不正リクエスト防止#127

Merged
tknkaa merged 3 commits intomainfrom
copilot/fix-69282268-844863754-4e1c5f65-d707-44a4-b602-d4816228b76a
Apr 14, 2026
Merged

認証・認可ロジックの強化と結果操作APIの不正リクエスト防止#127
tknkaa merged 3 commits intomainfrom
copilot/fix-69282268-844863754-4e1c5f65-d707-44a4-b602-d4816228b76a

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 13, 2026
edited
Loading

各ページ/APIの認証・認可ロジックを点検し、ゲーム結果を確定するエンドポイントでクライアント由来値を信頼していた箇所を是正しました。あわせて、状態変更系APIに対する不正/不適切なリクエストをサーバー側で拒否するようにしています。

  • 和了確定 (/api/agari) のサーバー側認可を強化

    • クライアント送信の junme 採用を廃止し、DB上の現在状態を唯一のソースに統一
    • 手牌+ツモ牌をサーバーで再判定し、和了形でない場合は結果確定を拒否
    • ツモ牌が存在しない状態での和了確定を拒否

  • 流局確定 (/api/ryukyoku) の状態遷移制約を明確化

    • remainTsumo > 0 の間は流局確定不可に変更
    • 早期POSTでの不正な局終了を防止

  • 打牌API (/api/tedashi) の入力検証を厳格化

    • indexint かつ >= 0 に制約し、異常値入力を早期拒否

  • シードAPI (/api/seed) のメソッド境界を明確化

    • GET での状態変更を廃止し、POST のみに限定(405 Method Not Allowed
const tsumohai = gameStateRecord.tsumohai[0];
if (!tsumohai) {
  return new Response("No tile drawn - cannot declare win", { status: 400 });
}
const canAgari = judgeAgari(sortTehai([...gameStateRecord.tehai, tsumohai]));
if (!canAgari) {
  return new Response("Hand does not form a valid winning combination", { status: 400 });
}

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • sparrow.cloudflare.com
    • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node --no-warnings --experimental-vm-modules /home/REDACTED/work/hitori-mahjong/hitori-mahjong/node_modules/wrangler/wrangler-dist/cli.js types (dns block)
    • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node --no-warnings --experimental-vm-modules /home/REDACTED/work/hitori-mahjong/hitori-mahjong/node_modules/wrangler/wrangler-dist/cli.js types _ _ _ _ _ --print-diagnostics-summary --print-metrics-summary conf�� get --global t http.https://gitrm (dns block)
  • workers.cloudflare.com
    • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node --no-warnings --experimental-vm-modules /home/REDACTED/work/hitori-mahjong/hitori-mahjong/node_modules/wrangler/wrangler-dist/cli.js types (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI linked an issue Apr 13, 2026 that may be closed by this pull request
認証・認可のロジックが不安 #122
Closed
Copilot AI changed the title [WIP] Copilot Request 認証・認可ロジックの強化と結果操作APIの不正リクエスト防止 Apr 13, 2026
Copilot AI requested a review from tknkaa April 13, 2026 14:38
@tknkaa tknkaa marked this pull request as ready for review April 14, 2026 00:42
@tknkaa tknkaa merged commit c129022 into main Apr 14, 2026
@tknkaa tknkaa deleted the copilot/fix-69282268-844863754-4e1c5f65-d707-44a4-b602-d4816228b76a branch April 14, 2026 00:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tknkaa tknkaa Awaiting requested review from tknkaa

Assignees

@tknkaa tknkaa

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

認証・認可のロジックが不安

2 participants

@tknkaa