Infrastructure Audit: Zone Tokens & Tick Sync

Zone Token TTL

Status: ✅ SECURE
The TransferToken implementation in logic-core/src/zone_manager.rs enforces Time-To-Live (TTL) correctly.

Mechanism

  • Tokens are created with a timestamp (the issue time).
  • TOKEN_EXPIRY_SECONDS is set to 60 seconds.
  • validate() explicitly checks the token's age against that limit:
    if now - self.timestamp > Self::TOKEN_EXPIRY_SECONDS {
        anyhow::bail!("Transfer token expired");
    }
  • Redis is used for anti-replay: a token is deleted after its first use, so a captured token cannot be presented a second time.
  • Redis keys are written with SETEX, so unused tokens also expire on their own instead of accumulating.
  • Conditions this verdict rests on: the Redis lookup and delete must be a single atomic operation (GETDEL, or a Lua script), not a GET followed by a DEL, otherwise two concurrent requests carrying the same token can both pass the check; and the SETEX TTL should be at least TOKEN_EXPIRY_SECONDS, so a token that validate() still accepts has not already vanished from Redis.
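As an added illustration of the mechanism above, not code from logic-core: a stand-alone Rust version of the TTL check with an in-memory stand-in for the Redis anti-replay store. Only the 60-second TOKEN_EXPIRY_SECONDS and the age comparison come from the audit; the token fields, the TokenError enum and the ReplayGuard type are hypothetical. `now` is passed in as a parameter so the expiry boundary and the replay case can be exercised without sleeping, and the one input the plain subtraction does not address, a timestamp later than `now`, is handled explicitly.

```rust
use std::collections::HashMap;
use std::time::{SystemTime, UNIX_EPOCH};

/// Stand-in for the audited TransferToken (hypothetical fields; only
/// `timestamp` and TOKEN_EXPIRY_SECONDS are taken from the audit text).
#[derive(Debug, Clone)]
pub struct TransferToken {
    pub id: String,
    pub player_id: u64,
    pub target_zone: u32,
    /// Seconds since the Unix epoch at issue time.
    pub timestamp: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum TokenError {
    Expired,
    /// Timestamp later than `now`: clock skew or a tampered token.
    FromTheFuture,
    /// Token already consumed (or never issued).
    Replayed,
}

impl TransferToken {
    pub const TOKEN_EXPIRY_SECONDS: u64 = 60;

    pub fn new(id: &str, player_id: u64, target_zone: u32, now: u64) -> Self {
        Self { id: id.to_string(), player_id, target_zone, timestamp: now }
    }

    /// The TTL check from the audit, with `now` injected for testability.
    /// `checked_sub` makes the future-timestamp case explicit: a plain
    /// `now - self.timestamp` on u64 panics in debug builds and wraps to a
    /// huge age in release, while on a signed type a negative age would pass
    /// the `> 60` comparison as fresh.
    pub fn validate(&self, now: u64) -> Result<(), TokenError> {
        let age = now.checked_sub(self.timestamp).ok_or(TokenError::FromTheFuture)?;
        if age > Self::TOKEN_EXPIRY_SECONDS {
            return Err(TokenError::Expired);
        }
        Ok(())
    }
}

/// In-memory stand-in for the Redis anti-replay store (token id -> issue time).
/// In production the lookup-and-delete must be one atomic Redis operation
/// (GETDEL, or a Lua script) so two concurrent transfers cannot both win.
#[derive(Default)]
pub struct ReplayGuard {
    live: HashMap<String, u64>,
}

impl ReplayGuard {
    pub fn new() -> Self {
        Self::default()
    }

    /// SETEX equivalent: record the token; `sweep` plays the role of key expiry.
    pub fn issue(&mut self, token: &TransferToken) {
        self.live.insert(token.id.clone(), token.timestamp);
    }

    /// Burn the token first, then check its age: whatever the outcome, the
    /// same token can never be presented successfully a second time.
    pub fn consume(&mut self, token: &TransferToken, now: u64) -> Result<(), TokenError> {
        if self.live.remove(&token.id).is_none() {
            return Err(TokenError::Replayed);
        }
        token.validate(now)
    }

    /// Drop tokens that validate() would reject anyway (the SETEX TTL).
    pub fn sweep(&mut self, now: u64) {
        let ttl = TransferToken::TOKEN_EXPIRY_SECONDS;
        self.live.retain(|_, issued| now.saturating_sub(*issued) <= ttl);
    }

    pub fn live_count(&self) -> usize {
        self.live.len()
    }
}

fn unix_now() -> u64 {
    SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0)
}

fn main() {
    let mut guard = ReplayGuard::new();
    let now = unix_now();
    let token = TransferToken::new("tok-1", 7, 3, now);
    guard.issue(&token);
    println!("first use:   {:?}", guard.consume(&token, now + 30)); // Ok(())
    println!("replay:      {:?}", guard.consume(&token, now + 31)); // Err(Replayed)
    let old = TransferToken::new("tok-2", 7, 3, now);
    println!("too old:     {:?}", old.validate(now + 61)); // Err(Expired)
    guard.issue(&old);
    guard.sweep(now + 61);
    println!("after sweep: {} live", guard.live_count()); // 0
}
```

Burning the token before checking its age means an expired token presented once is also gone for good, and a replayed token is reported as a replay even when it has expired, which is the more useful signal in logs.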

Client Tick Drift

Status: ⚠️ KNOWN ISSUE

Problem

The client and server run independent game loops.
  • Server runs strict 600ms ticks.
  • Client attempts to run at 600ms but relies on requestAnimationFrame or setTimeout, which are subject to browser throttling (for example in background tabs) and lag.
  • Over time, or during lag spikes, the client's tick count drifts away from the server's.

Consequences

  • Animations may play out of sync.
  • Prediction logic (where the client predicts movement) is corrected by server "snaps" (rubber-banding).
  • Timers on the client (e.g., potion duration) may drift from server reality; the server's tick remains the reference for when an effect actually ends.

Proposed Fix

Implement a server-authoritative tick sync packet:
  1. Server includes server_tick in every GamePacket.
  2. Client compares server_tick with its local client_tick; if the drift exceeds 1 tick it sets client_tick = server_tick (hard snap).
  3. For smaller drift, client speeds up or slows down its loop to catch up smoothly (tick rate adjustment) instead of jumping.
  4. Client ignores a packet whose server_tick is lower than one it has already processed (reordered or late delivery), so a stale packet cannot pull it backwards.
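The procedure above as an added example, not code from the project: the reconciliation logic written in Rust (the page's server language) as pure state with no timer, which a browser client would port to its own loop. TickSync, Adjustment and the 10% rate adjustment are assumptions; the 600 ms tick and the 1-tick snap threshold come from the text. The game loop calls on_server_packet() for every GamePacket, on_local_tick() each time it ticks, and next_interval_ms() to schedule its next setTimeout.

```rust
/// Server tick length from the audit.
pub const TICK_MS: u64 = 600;
/// Drift beyond this many ticks is corrected with a hard snap (the "> 1 tick" rule).
pub const SNAP_THRESHOLD_TICKS: i64 = 1;
/// Smooth correction runs the loop this much faster or slower (assumed value).
pub const RATE_ADJUST_PERCENT: u64 = 10;
/// Safety cap: at 10% per tick, one tick of drift is absorbed in this many local ticks.
pub const TICKS_PER_CORRECTION: i32 = (100 / RATE_ADJUST_PERCENT) as i32;

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Adjustment {
    InSync,
    /// Small drift: loop speeds up (+1) or slows down (-1) instead of jumping.
    Nudge(i64),
    /// Large drift: client_tick rewritten to the server's value.
    Snap { from: u64, to: u64 },
    /// Packet carries a tick older than one already processed (reordered or
    /// late delivery); it is no longer authoritative and is ignored.
    Stale,
}

/// Client-side reconciliation state. The game loop owns the timer
/// (requestAnimationFrame/setTimeout in the browser) and asks
/// next_interval_ms() how long to wait before the next tick.
pub struct TickSync {
    pub client_tick: u64,
    last_server_tick: u64,
    /// Local ticks still to run fast (> 0) or slow (< 0).
    correction: i32,
}

impl TickSync {
    pub fn new(start_tick: u64) -> Self {
        Self { client_tick: start_tick, last_server_tick: start_tick, correction: 0 }
    }

    /// Called with server_tick from every GamePacket. The drift read here
    /// includes the one-way delivery delay; with 600 ms ticks and latency
    /// well below that (assumed), it shows up as 0 or 1 tick, which is why
    /// small drift is nudged rather than snapped.
    pub fn on_server_packet(&mut self, server_tick: u64) -> Adjustment {
        if server_tick < self.last_server_tick {
            return Adjustment::Stale;
        }
        self.last_server_tick = server_tick;
        let drift = server_tick as i64 - self.client_tick as i64;
        if drift == 0 {
            // Aligned: stop any correction in flight so it cannot overshoot.
            self.correction = 0;
            return Adjustment::InSync;
        }
        if drift.abs() > SNAP_THRESHOLD_TICKS {
            let from = self.client_tick;
            self.client_tick = server_tick;
            self.correction = 0;
            return Adjustment::Snap { from, to: server_tick };
        }
        // Refreshed on every packet while drift persists; the countdown only
        // matters if packets stop arriving, so the loop cannot run fast forever.
        self.correction = drift.signum() as i32 * TICKS_PER_CORRECTION;
        Adjustment::Nudge(drift)
    }

    /// Delay until the next local tick: shorter while catching up, longer
    /// while the client is ahead, 600 ms otherwise.
    pub fn next_interval_ms(&self) -> u64 {
        let step = TICK_MS * RATE_ADJUST_PERCENT / 100;
        match self.correction.signum() {
            1 => TICK_MS - step,
            -1 => TICK_MS + step,
            _ => TICK_MS,
        }
    }

    /// Called by the game loop once per local tick.
    pub fn on_local_tick(&mut self) {
        self.client_tick += 1;
        self.correction -= self.correction.signum();
    }
}

fn main() {
    let mut sync = TickSync::new(100);
    // Constructed packet stream: in sync, one tick behind, a lag spike that
    // leaves the client several ticks behind, then a reordered old packet.
    for server_tick in [100u64, 101, 113, 112] {
        let adj = sync.on_server_packet(server_tick);
        println!(
            "server_tick={server_tick:>3} client_tick={:>3} {:?} next={}ms",
            sync.client_tick, adj, sync.next_interval_ms()
        );
        sync.on_local_tick();
    }
}
```

The stale-packet check is what keeps the server authoritative in practice: without it, a delayed packet could drag client_tick backwards and trigger a second snap forward when the next fresh packet arrives.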