Reputation: 7181
So say I was to implement a Scrabble game, and I wanted it to be 100 percent client-side, i.e. Backbone handles all game logic. Is it possible to protect such a solution so that users weren't able to spoof game moves?
Is this possible?
Upvotes: 3
Views: 654
Reputation: 45725
I think that several things must stay on the server side, even in an (almost) all-client solution
I know that solutions like Firebase handle #1 very well, but I'm not sure they handle #2
Therefore, in this case, Sébastien's answer is a great solution: instead of server validation, you have the peers validate that what they get from other peers is a valid move according to their representation of the game. However, how do you know who is right? The majority wins? I don't see a way to avoid having some sort of server-side state, which is the "master" and validates that each move is a "valid" move.
One way of doing it is to have your server side running on Node.js; this way you can avoid rewriting your validation logic in two different places. You don't need to run the entire logic on the server side, just the validation part.
There are also ways to run your entire Backbone app on the server side (e.g. this approach), but I'm not sure this is needed here.
A few other reasons you need server-side validation: how do you know what the user is saving? E.g. if you don't have a size limit, what stops them from storing their entire pirated ebook database in your app? If you have no validation on the server side, anyone with a console can theoretically push anything.
Upvotes: 3
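The shared-validation idea from the answer above, as an added example that is not part of any post on this page: one validation module that the browser can load for instant feedback and that Node.js runs against the master state before accepting a move. The state layout and all function names are assumptions, and only a subset of rules is checked (turn order, rack ownership, placement, move size); dictionary and adjacency checks are left out.

```javascript
// Shared move validation. In the browser its result is only a hint;
// on the Node.js server it decides whether the master state changes.
// State layout and names are assumptions made for this example.
const BOARD_SIZE = 15;
const MAX_TILES_PER_MOVE = 7; // also bounds how much data one move can carry

function validateMove(state, playerId, move) {
  if (state.players[state.turn] !== playerId) return { ok: false, reason: 'not your turn' };
  const tiles = move && move.tiles;
  if (!Array.isArray(tiles) || tiles.length === 0 || tiles.length > MAX_TILES_PER_MOVE)
    return { ok: false, reason: 'bad tile count' };
  const rack = state.racks[playerId].slice(); // server's copy, never the client's claim
  const seen = new Set();
  for (const t of tiles) {
    if (!t || !Number.isInteger(t.row) || !Number.isInteger(t.col) ||
        t.row < 0 || t.row >= BOARD_SIZE || t.col < 0 || t.col >= BOARD_SIZE)
      return { ok: false, reason: 'off board' };
    const key = t.row + ',' + t.col;
    if (state.board[key] !== undefined || seen.has(key))
      return { ok: false, reason: 'square occupied' };
    seen.add(key);
    const i = rack.indexOf(t.letter);
    if (i === -1) return { ok: false, reason: 'tile not in rack' };
    rack.splice(i, 1); // each rack tile can be played once
  }
  const sameRow = tiles.every(t => t.row === tiles[0].row);
  const sameCol = tiles.every(t => t.col === tiles[0].col);
  if (!sameRow && !sameCol) return { ok: false, reason: 'tiles not in one line' };
  return { ok: true, rack };
}

// Server side: mutate the master state only after validation passes.
function applyMove(state, playerId, move) {
  const result = validateMove(state, playerId, move);
  if (!result.ok) return result;
  for (const t of move.tiles) state.board[t.row + ',' + t.col] = t.letter;
  state.racks[playerId] = result.rack;
  state.turn = (state.turn + 1) % state.players.length;
  return { ok: true };
}

// Constructed sample state for the example.
function newSampleState() {
  return { players: ['alice', 'bob'], turn: 0, board: {},
           racks: { alice: ['C', 'A', 'T', 'S', 'E', 'R', 'O'],
                    bob: ['D', 'O', 'G', 'I', 'N', 'U', 'L'] } };
}
```

A rejected move leaves the master state untouched, so a client that skips or patches its local copy of `validateMove` gains nothing.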
Reputation: 19662
This is not possible unless you also build in a way for one client to tell the other client to stop cheating, or in other words, to locally validate every move. This has the reverse problem of allowing cheaters to block every move by their adversary, however.
You could extend this by having a third person with the client "indirectly observe" the game, and provide a third point of view on the moves. If two people out of three deem a move legal, it goes through. This only breaks down if you get a significant number of cheaters/people modifying the script.
I think this will be one of your only solutions, as, if the app is entirely client-side, you can deem nothing in the code to be safe or unbreakable. You'll need to rely on peer validation more than building checks in the code, I think.
Upvotes: 2