chore(release): 2.10.2 [skip ci]

## [2.10.2](https://github.com/antialias/soroban-abacus-flashcards/compare/v2.10.1...v2.10.2) (2025-10-09) ### Bug Fixes * convert guestId to internal userId for player ownership check ([3a01f46](3a01f4637d))
fix: convert guestId to internal userId for player ownership check
2025-10-09 13:21:14 +00:00 · 2025-10-09 08:20:18 -05:00 · 2025-10-09 08:18:17 -05:00 · 2025-10-09 13:09:10 +00:00 · 2025-10-09 08:08:15 -05:00
7 changed files with 156 additions and 16 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,17 @@
+## [2.10.2](https://github.com/antialias/soroban-abacus-flashcards/compare/v2.10.1...v2.10.2) (2025-10-09)
+
+
+### Bug Fixes
+
+* convert guestId to internal userId for player ownership check ([3a01f46](https://github.com/antialias/soroban-abacus-flashcards/commit/3a01f4637d2081c66fe37c7f8cfee229442ec744))
+
+## [2.10.1](https://github.com/antialias/soroban-abacus-flashcards/compare/v2.10.0...v2.10.1) (2025-10-09)
+
+
+### Bug Fixes
+
+* enforce player ownership authorization for multiplayer games ([71b0aac](https://github.com/antialias/soroban-abacus-flashcards/commit/71b0aac13c970c03fe8d296d41e9472ad72a00fa))
+
 ## [2.10.0](https://github.com/antialias/soroban-abacus-flashcards/compare/v2.9.0...v2.10.0) (2025-10-09)


--- a/apps/web/src/app/arcade/matching/components/PlayerStatusBar.tsx
+++ b/apps/web/src/app/arcade/matching/components/PlayerStatusBar.tsx
@@ -26,8 +26,13 @@ export function PlayerStatusBar({ className }: PlayerStatusBarProps) {
    displayEmoji: player.emoji,
    score: state.scores[player.id] || 0,
    consecutiveMatches: state.consecutiveMatches?.[player.id] || 0,
+    isLocalPlayer: player.isLocal !== false, // Local if not explicitly marked as remote
  }))

+  // Check if current player is local (your turn) or remote (waiting)
+  const currentPlayer = activePlayers.find((p) => p.id === state.currentPlayer)
+  const isYourTurn = currentPlayer?.isLocalPlayer === true
+
  // Get celebration level based on consecutive matches
  const getCelebrationLevel = (consecutiveMatches: number) => {
    if (consecutiveMatches >= 5) return 'legendary'
@@ -250,14 +255,16 @@ export function PlayerStatusBar({ className }: PlayerStatusBarProps) {
                  {isCurrentPlayer && (
                    <span
                      className={css({
-                        color: 'red.600',
+                        color: player.isLocalPlayer ? 'red.600' : 'blue.600',
                        fontWeight: 'black',
                        fontSize: isCurrentPlayer ? { base: 'sm', md: 'lg' } : 'inherit',
-                        animation: 'none',
-                        textShadow: '0 0 15px currentColor',
+                        animation: player.isLocalPlayer
+                          ? 'none'
+                          : 'gentle-pulse 2s ease-in-out infinite',
+                        textShadow: player.isLocalPlayer ? '0 0 15px currentColor' : 'none',
                      })}
                    >
-                      {' • Your turn'}
+                      {player.isLocalPlayer ? ' • Your turn' : ' • Their turn'}
                    </span>
                  )}
                  {player.consecutiveMatches > 1 && (
--- a/apps/web/src/app/arcade/matching/context/ArcadeMemoryPairsContext.tsx
+++ b/apps/web/src/app/arcade/matching/context/ArcadeMemoryPairsContext.tsx
@@ -146,22 +146,77 @@ export function ArcadeMemoryPairsProvider({ children }: { children: ReactNode })
  // Computed values
  const isGameActive = state.gamePhase === 'playing'

+  const { players } = useGameMode()
+
  const canFlipCard = useCallback(
    (cardId: string): boolean => {
-      if (!isGameActive || state.isProcessingMove) return false
+      console.log('[canFlipCard] Checking card:', {
+        cardId,
+        isGameActive,
+        isProcessingMove: state.isProcessingMove,
+        currentPlayer: state.currentPlayer,
+        hasRoomData: !!roomData,
+        flippedCardsCount: state.flippedCards.length,
+      })
+
+      if (!isGameActive || state.isProcessingMove) {
+        console.log('[canFlipCard] Blocked: game not active or processing')
+        return false
+      }

      const card = state.gameCards.find((c) => c.id === cardId)
-      if (!card || card.matched) return false
+      if (!card || card.matched) {
+        console.log('[canFlipCard] Blocked: card not found or already matched')
+        return false
+      }

      // Can't flip if already flipped
-      if (state.flippedCards.some((c) => c.id === cardId)) return false
+      if (state.flippedCards.some((c) => c.id === cardId)) {
+        console.log('[canFlipCard] Blocked: card already flipped')
+        return false
+      }

      // Can't flip more than 2 cards
-      if (state.flippedCards.length >= 2) return false
+      if (state.flippedCards.length >= 2) {
+        console.log('[canFlipCard] Blocked: 2 cards already flipped')
+        return false
+      }

+      // Authorization check: Only allow flipping if it's your player's turn
+      if (roomData && state.currentPlayer) {
+        const currentPlayerData = players.get(state.currentPlayer)
+        console.log('[canFlipCard] Authorization check:', {
+          currentPlayerId: state.currentPlayer,
+          currentPlayerFound: !!currentPlayerData,
+          currentPlayerIsLocal: currentPlayerData?.isLocal,
+        })
+
+        // Block if current player is explicitly marked as remote (isLocal === false)
+        if (currentPlayerData && currentPlayerData.isLocal === false) {
+          console.log('[canFlipCard] BLOCKED: Current player is remote (not your turn)')
+          return false
+        }
+
+        // If player data not found in map, this might be an issue - allow for now but warn
+        if (!currentPlayerData) {
+          console.warn(
+            '[canFlipCard] WARNING: Current player not found in players map, allowing move'
+          )
+        }
+      }
+
+      console.log('[canFlipCard] ALLOWED: All checks passed')
      return true
    },
-    [isGameActive, state.isProcessingMove, state.gameCards, state.flippedCards]
+    [
+      isGameActive,
+      state.isProcessingMove,
+      state.gameCards,
+      state.flippedCards,
+      state.currentPlayer,
+      roomData,
+      players,
+    ]
  )

  const currentGameStatistics: GameStatistics = useMemo(
--- a/apps/web/src/lib/arcade/session-manager.ts
+++ b/apps/web/src/lib/arcade/session-manager.ts
@@ -159,8 +159,40 @@ export async function applyGameMove(userId: string, move: GameMove): Promise<Ses
    gameStatePhase: (session.gameState as any)?.gamePhase,
  })

-  // Validate the move
-  const validationResult = validator.validateMove(session.gameState, move)
+  // Fetch player ownership for authorization checks (room-based games)
+  let playerOwnership: Record<string, string> | undefined
+  let internalUserId: string | undefined
+  if (session.roomId) {
+    try {
+      // Convert guestId to internal userId for ownership comparison
+      internalUserId = await getUserIdFromGuestId(userId)
+      if (!internalUserId) {
+        console.error('[SessionManager] Failed to convert guestId to userId:', userId)
+        return {
+          success: false,
+          error: 'User not found',
+        }
+      }
+
+      const players = await db.query.players.findMany({
+        columns: {
+          id: true,
+          userId: true,
+        },
+      })
+      playerOwnership = Object.fromEntries(players.map((p) => [p.id, p.userId]))
+      console.log('[SessionManager] Player ownership map:', playerOwnership)
+      console.log('[SessionManager] Internal userId for authorization:', internalUserId)
+    } catch (error) {
+      console.error('[SessionManager] Failed to fetch player ownership:', error)
+    }
+  }
+
+  // Validate the move with authorization context (use internal userId, not guestId)
+  const validationResult = validator.validateMove(session.gameState, move, {
+    userId: internalUserId || userId, // Use internal userId for room-based games
+    playerOwnership,
+  })

  console.log('[SessionManager] Validation result:', {
    valid: validationResult.valid,
--- a/apps/web/src/lib/arcade/validation/MatchingGameValidator.ts
+++ b/apps/web/src/lib/arcade/validation/MatchingGameValidator.ts
@@ -15,10 +15,14 @@ import { canFlipCard, validateMatch } from '@/app/games/matching/utils/matchVali
 import type { GameValidator, MatchingGameMove, ValidationResult } from './types'

 export class MatchingGameValidator implements GameValidator<MemoryPairsState, MatchingGameMove> {
-  validateMove(state: MemoryPairsState, move: MatchingGameMove): ValidationResult {
+  validateMove(
+    state: MemoryPairsState,
+    move: MatchingGameMove,
+    context?: { userId?: string; playerOwnership?: Record<string, string> }
+  ): ValidationResult {
    switch (move.type) {
      case 'FLIP_CARD':
-        return this.validateFlipCard(state, move.data.cardId, move.playerId)
+        return this.validateFlipCard(state, move.data.cardId, move.playerId, context)

      case 'START_GAME':
        return this.validateStartGame(state, move.data.activePlayers, move.data.cards)
@@ -37,7 +41,8 @@ export class MatchingGameValidator implements GameValidator<MemoryPairsState, Ma
  private validateFlipCard(
    state: MemoryPairsState,
    cardId: string,
-    playerId: string
+    playerId: string,
+    context?: { userId?: string; playerOwnership?: Record<string, string> }
  ): ValidationResult {
    // Game must be in playing phase
    if (state.gamePhase !== 'playing') {
@@ -63,6 +68,22 @@ export class MatchingGameValidator implements GameValidator<MemoryPairsState, Ma
      }
    }

+    // Check player ownership authorization (if context provided)
+    if (context?.userId && context?.playerOwnership) {
+      const playerOwner = context.playerOwnership[playerId]
+      if (playerOwner && playerOwner !== context.userId) {
+        console.log('[Validator] Player ownership check failed:', {
+          playerId,
+          playerOwner,
+          requestingUserId: context.userId,
+        })
+        return {
+          valid: false,
+          error: 'You can only move your own players',
+        }
+      }
+    }
+
    // Find the card
    const card = state.gameCards.find((c) => c.id === cardId)
    if (!card) {
--- a/apps/web/src/lib/arcade/validation/types.ts
+++ b/apps/web/src/lib/arcade/validation/types.ts
@@ -49,14 +49,25 @@ export type MatchingGameMove =
 // Generic game state union
 export type GameState = MemoryPairsState // Add other game states as union later

+/**
+ * Validation context for authorization checks
+ */
+export interface ValidationContext {
+  userId?: string
+  playerOwnership?: Record<string, string> // playerId -> userId mapping
+}
+
 /**
 * Base validator interface that all games must implement
 */
 export interface GameValidator<TState = unknown, TMove extends GameMove = GameMove> {
  /**
   * Validate a game move and return the new state if valid
+   * @param state Current game state
+   * @param move The move to validate
+   * @param context Optional validation context for authorization checks
   */
-  validateMove(state: TState, move: TMove): ValidationResult
+  validateMove(state: TState, move: TMove, context?: ValidationContext): ValidationResult

  /**
   * Check if the game is in a terminal state (completed)
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "soroban-monorepo",
-  "version": "2.10.0",
+  "version": "2.10.2",
  "private": true,
  "description": "Beautiful Soroban Flashcard Generator - Monorepo",
  "workspaces": [
Author	SHA1	Message	Date
semantic-release-bot	963d9ec618	chore(release): 2.10.2 [skip ci] ## [2.10.2](https://github.com/antialias/soroban-abacus-flashcards/compare/v2.10.1...v2.10.2) (2025-10-09) ### Bug Fixes * convert guestId to internal userId for player ownership check ([`3a01f46`](`3a01f4637d`))	2025-10-09 13:21:14 +00:00
Thomas Hallock	3a01f4637d	fix: convert guestId to internal userId for player ownership check The authorization check was failing because it was comparing two different ID types: - Player ownership map uses internal database userId (e.g., 'xlk...') - Validation context was receiving guestId from cookie (e.g., 'ac9d...') Solution: - Call getUserIdFromGuestId() to convert guestId to internal userId - Pass the internal userId to validator for room-based games - Add logging to show which internal userId is being used - Return error if user not found during conversion This fixes the "You can only move your own players" error that was incorrectly blocking legitimate moves from local players. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-09 08:20:18 -05:00
Thomas Hallock	97378b70b7	debug: add extensive logging to canFlipCard authorization check Add detailed console logging to diagnose why tile clicks aren't working: - Log all card flip attempts with game state details - Show authorization check results (player found, isLocal value) - Warn if current player not found in players map - Log exact reason for each blocked attempt This will help identify if the issue is: - Game state (not active, processing, etc.) - Card state (already flipped, matched, etc.) - Authorization logic (player ownership check) - Missing player data in the map 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-09 08:18:17 -05:00
semantic-release-bot	3158addda1	chore(release): 2.10.1 [skip ci] ## [2.10.1](https://github.com/antialias/soroban-abacus-flashcards/compare/v2.10.0...v2.10.1) (2025-10-09) ### Bug Fixes * enforce player ownership authorization for multiplayer games ([`71b0aac`](`71b0aac13c`))	2025-10-09 13:09:10 +00:00
Thomas Hallock	71b0aac13c	fix: enforce player ownership authorization for multiplayer games Add comprehensive authorization checks to prevent room members from moving opponents' players in multiplayer games like matching pairs. Server-side validation: - Add ValidationContext interface with userId and playerOwnership map - Update GameValidator interface to accept optional context parameter - Modify MatchingGameValidator.validateFlipCard to check player ownership - Update session-manager.applyGameMove to fetch player ownership from DB and pass it to validator - Reject moves with error "You can only move your own players" if user tries to move opponent's player Client-side authorization: - Update ArcadeMemoryPairsContext.canFlipCard to check if current player is local (owned by current user) - Prevent clicking/flipping cards when it's a network player's turn - Log helpful console messages when authorization fails UI improvements: - Update PlayerStatusBar to distinguish local vs network players - Show "Your turn" (red, glowing) when it's your player's turn - Show "Their turn" (blue, pulsing) when it's opponent's player's turn - Add isLocalPlayer property to player display data This fixes the security issue where any room member could move for any player, regardless of ownership. Now moves are properly authorized at both client and server levels, and the UI clearly indicates whose turn it is. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-09 08:08:15 -05:00