fix: enforce playerId must be explicitly provided in arcade moves

Player IDs (database avatar IDs) must never be conflated with or fall back to user/guest IDs. This commit makes playerId a required field in all game moves and throws an error if missing. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-06 13:26:49 -05:00
parent 22541df99f
commit d5a8a2a14c
1 changed files with 7 additions and 2 deletions
--- a/apps/web/src/hooks/useArcadeSession.ts
+++ b/apps/web/src/hooks/useArcadeSession.ts
@@ -126,10 +126,15 @@ export function useArcadeSession<TState>(
  }, [connected, autoJoin, userId, joinSession])

  // Send move with optimistic update
-  const sendMove = useCallback((move: Omit<GameMove, 'playerId' | 'timestamp'>) => {
+  const sendMove = useCallback((move: Omit<GameMove, 'timestamp'>) => {
+    // IMPORTANT: playerId must always be explicitly provided by caller
+    // playerId is the database player ID (avatar), never the userId/viewerId
+    if (!('playerId' in move) || !move.playerId) {
+      throw new Error('playerId is required in all moves and must be a valid player ID')
+    }
+
    const fullMove: GameMove = {
      ...move,
-      playerId: userId,
      timestamp: Date.now(),
    } as GameMove