authorNathanael Sensfelder <SpamShield0@MultiAgentSystems.org>2017-11-28 22:19:38 +0100
committerNathanael Sensfelder <SpamShield0@MultiAgentSystems.org>2017-11-28 22:19:38 +0100
commit02da4adf9ae6b477376bb27a092feec06a3f2b91 (patch)
treec679a019547f69f0593f2563373a373ce12f1d82 /src/query
parent2273ff20faa24a0daba4e4b43ace250716a39172 (diff)
Fixes timed caches.
Allowing a refresh of the timer opened the door to exploits.
Diffstat (limited to 'src/query')
-rw-r--r--src/query/character_turn.erl6
-rw-r--r--src/query/load_state.erl6
2 files changed, 8 insertions, 4 deletions
diff --git a/src/query/character_turn.erl b/src/query/character_turn.erl
index 392f632..f406efd 100644
--- a/src/query/character_turn.erl
+++ b/src/query/character_turn.erl
@@ -44,10 +44,12 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
parse_input (Req) ->
JSONReqMap = jiffy:decode(Req, [return_maps]),
+ PlayerID = maps:get(<<"player_id">>, JSONReqMap),
+ SessionToken = maps:get(<<"session_token">>, JSONReqMap),
+ database_shim:assert_session_is_valid(PlayerID, SessionToken),
#input
{
- session_token = maps:get(<<"session_token">>, JSONReqMap),
- player_id = maps:get(<<"player_id">>, JSONReqMap),
+ player_id = PlayerID,
battlemap_id = maps:get(<<"battlemap_id">>, JSONReqMap),
instance_id = maps:get(<<"instance_id">>, JSONReqMap),
char_id = maps:get(<<"char_id">>, JSONReqMap),
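Review bot: The result of `database_shim:assert_session_is_valid(PlayerID, SessionToken)` is discarded in `parse_input`, so the check only protects the request if that function raises on a bad token, and its body is not visible in this diff. If it returns `ok` on success, binding the result makes the failure mode explicit: `ok = database_shim:assert_session_is_valid(PlayerID, SessionToken),`. The same call appears in the `load_state.erl` hunk. Both values come straight from the decoded request JSON and may be non-binary terms (a number, `null`, a nested map), so it is worth confirming that the shim rejects those rather than comparing them. The `#input` record expression continues past the end of this hunk.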
diff --git a/src/query/load_state.erl b/src/query/load_state.erl
index 1ffbbf8..9c28d2f 100644
--- a/src/query/load_state.erl
+++ b/src/query/load_state.erl
@@ -26,10 +26,12 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
parse_input (Req) ->
JSONReqMap = jiffy:decode(Req, [return_maps]),
+ PlayerID = maps:get(<<"player_id">>, JSONReqMap),
+ SessionToken = maps:get(<<"session_token">>, JSONReqMap),
+ database_shim:assert_session_is_valid(PlayerID, SessionToken),
#input
{
- session_token = maps:get(<<"session_token">>, JSONReqMap),
- player_id = maps:get(<<"player_id">>, JSONReqMap),
+ player_id = PlayerID,
battlemap_id = maps:get(<<"battlemap_id">>, JSONReqMap),
instance_id = maps:get(<<"instance_id">>, JSONReqMap)
}.
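Review bot: The three-line session preamble in `parse_input` is duplicated verbatim between this module and `character_turn.erl`, so authentication becomes something each query handler has to remember to copy. A single helper called by both modules, taking `JSONReqMap` and returning the validated `PlayerID`, would keep the check in one place and make a handler that skips it easier to spot in review. At minimum, add a comment above the call, e.g. `%% Must run before any request field is trusted; aborts the request on an invalid session.` That wording assumes the shim crashes on failure, which this diff does not show.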