| moss:initial_notes_for_v0.1 [2026/06/26 10:13] – appledog | moss:initial_notes_for_v0.1 [2026/06/26 10:21] (current) – appledog |
|---|
| |
| The bridge is a one-time **ticket**: | The bridge is a one-time **ticket**: |
| # You log in on the web → a normal PHP session marks you as authenticated. | # You log in on the web and the PHP session marks you as authenticated. |
| # When the game page (''index.php'') loads, it checks that session. No session → you are redirected to the sign-in page (**there are no guests**). | # When the game page (''index.php'') loads, it checks that session. If there is no session you are redirected to the sign-in page (//"there are no guests"//). |
| # If you //are// logged in, the page mints a random **ticket**, stores it in a ''tickets'' table (your uid + a timestamp), and embeds it in the page. | # If you //are// logged in, the page mints a random **ticket**, stores it in a ''tickets'' table (your uid + a timestamp), and embeds it in the page. |
| # The browser opens the WebSocket and **its very first message is** ''auth <ticket>''. | # The browser opens the WebSocket and **its very first message is** ''auth <ticket>''. |
| == Deployment Protocol | == Deployment Protocol |
| * ''deploy.sh'' pushes the whole tree to the live server in **one rsync** over SSH (fast, delta-only), skipping editor/tooling files. | * ''deploy.sh'' pushes the whole tree to the live server in **one rsync** over SSH (fast, delta-only), skipping editor/tooling files. |
| * The daemon runs unprivileged on ''127.0.0.1:2346'' speaking plain ''ws:/\/''. **Apache** sits in front, terminates TLS using the real certificate, and proxies ''wss://helloneo.ca/mossworld/ws'' through to the local daemon. This way the daemon needs no privileges and never touches the private key. | * The daemon runs unprivileged on ''127.0.0.1:2346'' speaking plain ''ws:%%//%%''. **Apache** sits in front, terminates TLS using the real certificate, and proxies ''wss:%%//%%helloneo.ca/mossworld/ws'' through to the local daemon. This way the daemon needs no privileges and never touches the private key. |
| * ''server/moss-ctl.sh'' starts/stops/restarts the daemon. A **restart is required after changing daemon code.** | * ''server/moss-ctl.sh'' starts/stops/restarts the daemon. A **restart is required after changing daemon code.** |
| |
| * ''chrome.php'' -- a slim Bootstrap-5 (dark) page header/nav/footer used **only** by the web pages (login, admin). The game does not use Bootstrap. | * ''chrome.php'' -- a slim Bootstrap-5 (dark) page header/nav/footer used **only** by the web pages (login, admin). The game does not use Bootstrap. |
| * ''sign-in.php'' / ''login.php'' -- the login **form** and its **handler**. | * ''sign-in.php'' / ''login.php'' -- the login **form** and its **handler**. |
| * ''new-user-form.php'' / ''create-new-user.php'' -- the signup **form** and its | * ''new-user-form.php'' / ''create-new-user.php'' -- the signup **form** and its **handler** (CSRF-checked; on success you're logged in and sent to the game). |
| **handler** (CSRF-checked; on success you're logged in and sent to the game). | |
| * ''logout.php'' -- clears the session and remember-me key. | * ''logout.php'' -- clears the session and remember-me key. |
| * ''bootstrap.php'', ''doing.php'', ''new.php'', ''settings.php'' -- legacy nelsonacademy auth scaffolding, unused (kept for future forums/ticketing). | * ''bootstrap.php'', ''doing.php'', ''new.php'', ''settings.php'' -- legacy nelsonacademy auth scaffolding, unused (kept for future forums/ticketing). |
| * Vendored **Bootstrap 5** (CSS/JS) and a couple of jQuery helpers, used only by the web pages. Static assets. | * Vendored **Bootstrap 5** (CSS/JS) and a couple of jQuery helpers, used only by the web pages. Static assets. |
| |
| === Known gaps and next steps | === Immediate improvements |
| * No brute-force rate-limiting on login/signup yet. | v0.1 is a proof-of-concept / prototype. It's the basis for the whole system; the structural bones of it all. So there is naturally a lot of room for improvement. |
| | * No rate-limiting on login/signup or on game commands. |
| | * No filters on chat. |
| * The WebSocket ticket is reusable within a short TTL (convenient for reconnects; could be hardened to strictly one-time). | * The WebSocket ticket is reusable within a short TTL (convenient for reconnects; could be hardened to strictly one-time). |
| * Half-open sockets aren't actively reaped yet (a heartbeat/ping would do it). | * Half-open sockets aren't actively reaped yet (a heartbeat/ping would do it). |
| * The world is a 4-room placeholder; the object model (objects, properties, verbs, containment) is the real next chapter. | |
| * Legacy files noted above are candidates to remove or adapt. | Lots of other little things are sure to come out under analysis. But as milestones go, v0.1 is a big one. |
| | |
| | <blockquote>"When in doubt, just start coding."</blockquote> |