From e427351a6d767f6dc5fd8cb76072d37cae7f8d4a Mon Sep 17 00:00:00 2001
From: Henry Sanger
Date: Wed, 16 Oct 2024 22:55:12 -0400
Subject: [PATCH] fix: exploit allowing joining a game at any point
---
 server/src/game.ts | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/server/src/game.ts b/server/src/game.ts
index 64c9fafe4..928055a21 100644
--- a/server/src/game.ts
+++ b/server/src/game.ts
@@ -267,8 +267,8 @@ export class Game implements GameData {
 const { simultaneousConnections, joinAttempts } = This;
 if (
- (simultaneousConnections[ip] >= (maxSimultaneousConnections ?? Infinity))
- || (joinAttempts[ip] >= (maxJoinAttempts?.count ?? Infinity))
+ simultaneousConnections[ip] >= (maxSimultaneousConnections ?? Infinity)
+ || joinAttempts[ip] >= (maxJoinAttempts?.count ?? Infinity)
 ) {
 Logger.log(`Game ${This.id} | Rate limited: ${ip}`);
 forbidden(res);
@@ -285,16 +285,16 @@ export class Game implements GameData {
 }
 }
- const searchParams = new URLSearchParams(req.getQuery());
-
 //
 // Ensure IP is allowed
 //
- if ((This.allowedIPs.get(ip) ?? Infinity) < This.now) {
+ if ((This.allowedIPs.get(ip) ?? 0) < This.now) {
 forbidden(res);
 return;
 }
+ const searchParams = new URLSearchParams(req.getQuery());
+
 //
 // Validate and parse role and name color
 //
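Review bot: The `forbidden(res); return;` branch under "Ensure IP is allowed" rejects silently, whereas the rate-limit branch in the first hunk logs `Rate limited: ${ip}`, so join attempts from addresses without a valid allow-list entry leave no trace for operators. A `Logger.log` call before `forbidden(res)` in the same format as the rate-limit message, for example with the text `Game ${This.id} | Join rejected, IP not allowed: ${ip}`, would make them visible. The `?? 0` default is what makes this check fail closed for addresses missing from `allowedIPs`, and it deserves a comment so it is not changed back to `Infinity`: `// No entry => 0 (already expired), so unknown IPs are rejected`. The grant is keyed on `ip` alone, so clients sharing an address would presumably share it, and how `ip` is derived is not visible here. The enclosing handler starts and ends outside the hunk.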