From 3a01f4637d2081c66fe37c7f8cfee229442ec744 Mon Sep 17 00:00:00 2001 From: Thomas Hallock Date: Thu, 9 Oct 2025 08:20:18 -0500 Subject: [PATCH] fix: convert guestId to internal userId for player ownership check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The authorization check was failing because it was comparing two different ID types: - Player ownership map uses internal database userId (e.g., 'xlk...') - Validation context was receiving guestId from cookie (e.g., 'ac9d...') Solution: - Call getUserIdFromGuestId() to convert guestId to internal userId - Pass the internal userId to validator for room-based games - Add logging to show which internal userId is being used - Return error if user not found during conversion This fixes the "You can only move your own players" error that was incorrectly blocking legitimate moves from local players. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- apps/web/src/lib/arcade/session-manager.ts | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/apps/web/src/lib/arcade/session-manager.ts b/apps/web/src/lib/arcade/session-manager.ts index eeba0e94..2bca98cb 100644 --- a/apps/web/src/lib/arcade/session-manager.ts +++ b/apps/web/src/lib/arcade/session-manager.ts @@ -161,8 +161,19 @@ export async function applyGameMove(userId: string, move: GameMove): Promise | undefined + let internalUserId: string | undefined if (session.roomId) { try { + // Convert guestId to internal userId for ownership comparison + internalUserId = await getUserIdFromGuestId(userId) + if (!internalUserId) { + console.error('[SessionManager] Failed to convert guestId to userId:', userId) + return { + success: false, + error: 'User not found', + } + } + const players = await db.query.players.findMany({ columns: { id: true, 
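Review bot: The added `console.error('[SessionManager] Failed to convert guestId to userId:', userId)` writes the raw guestId to the server log, and the commit message says this value comes from the cookie. If the guestId is what identifies a guest session, anyone with log access could reuse it, so log a truncated or hashed form or drop the value, e.g. `console.error('[SessionManager] No user found for guest session')`. The `console.log` of `internalUserId` added in the second hunk has the same exposure and runs on every room move, next to the full ownership map. The parameter is still named `userId` although it carries a guestId, so a comment such as `// userId here is the guest cookie id, not the database user id` would help prevent a repeat of this mix-up. The body of applyGameMove starts and ends outside this hunk.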
@@ -171,14 +182,15 @@ export async function applyGameMove(userId: string, move: GameMove): Promise [p.id, p.userId])) console.log('[SessionManager] Player ownership map:', playerOwnership) + console.log('[SessionManager] Internal userId for authorization:', internalUserId) } catch (error) { console.error('[SessionManager] Failed to fetch player ownership:', error) } } - // Validate the move with authorization context + // Validate the move with authorization context (use internal userId, not guestId) const validationResult = validator.validateMove(session.gameState, move, { - userId, + userId: internalUserId || userId, // Use internal userId for room-based games playerOwnership, })
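Review bot: `userId: internalUserId || userId` silently falls back to the cookie guestId whenever `internalUserId` is unset, and for a room session that happens when `getUserIdFromGuestId` or `findMany` throws. The `catch` above only logs, so `validateMove` then runs with an ID of the wrong type and with `playerOwnership` undefined. How the validator treats a missing ownership map is not visible here, but a move whose authorization inputs could not be loaded should be denied rather than validated on partial data. Return from the catch, e.g. `return { success: false, error: 'Authorization check failed' }`, and keep the guestId fallback only for sessions without a `roomId`. applyGameMove continues outside this hunk.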