Improve rules for userGames

eltoder · eltoder · commit 98b66d244ce7 · 2026-01-10T19:27:44.000-05:00
Also, don't calculate unfinished games when starting a private game.
diff --git a/database.rules.json b/database.rules.json
@@ -13,7 +13,7 @@
         },
         "users": {
           "$userId": {
-            ".write": "auth != null && auth.uid == $userId && data.parent().parent().child('status').val() == 'waiting' && !(root.hasChild('users/' + auth.uid + '/banned') && now < root.child('users/' + auth.uid + '/banned').val())",
+            ".write": "auth != null && auth.uid == $userId && data.parent().parent().child('status').val() == 'waiting' && newData.parent().parent().parent().parent().hasChild('userGames/' + $userId + '/' + $gameId) == newData.exists() && !(root.hasChild('users/' + auth.uid + '/banned') && now < root.child('users/' + auth.uid + '/banned').val())",
             ".validate": "newData.isNumber() && newData.val() == now"
           }
         },
@@ -117,7 +117,7 @@
         ".read": "auth != null",
         ".indexOn": ".value",
         "$gameId": {
-          ".write": "auth != null && auth.uid == $userId",
+          ".write": "auth != null && auth.uid == $userId && newData.parent().parent().parent().hasChild('games/' + $gameId + '/users/' + $userId) == newData.exists()",
           ".validate": "newData.isNumber() && newData.val() == root.child('games/' + $gameId + '/createdAt').val()"
         }
       }
diff --git a/functions/src/index.ts b/functions/src/index.ts
@@ -258,58 +258,56 @@ export const createGame = functions.https.onCall(async (data, context) => {
       "The function must be called while authenticated."
     );
   }
-
   const userId = context.auth.uid;
-  const oneHourAgo = Date.now() - 3600000;
-  const recentGameIds = await admin
-    .database()
-    .ref(`userGames/${userId}`)
-    .orderByValue()
-    .startAt(oneHourAgo)
-    .once("value");
 
-  const recentGames = await Promise.all(
-    Object.keys(recentGameIds.val() || {}).map((recentGameId) =>
-      admin.database().ref(`games/${recentGameId}`).once("value")
-    )
-  );
+  if (access === "public") {
+    const oneHourAgo = Date.now() - 3600000;
+    const recentGameIds = await admin
+      .database()
+      .ref(`userGames/${userId}`)
+      .orderByValue()
+      .startAt(oneHourAgo)
+      .once("value");
 
-  let unfinishedGames = 0;
-  for (const snap of recentGames) {
-    if (
-      snap.child("host").val() === userId &&
-      snap.child("status").val() !== "done" &&
-      snap.child("access").val() === "public"
-    ) {
-      ++unfinishedGames;
+    const recentGames = await Promise.all(
+      Object.keys(recentGameIds.val() || {}).map((recentGameId) =>
+        admin.database().ref(`games/${recentGameId}`).once("value")
+      )
+    );
+
+    let unfinishedGames = 0;
+    for (const snap of recentGames) {
+      if (
+        snap.child("access").val() === "public" &&
+        snap.child("status").val() !== "done" &&
+        snap.child("host").val() === userId
+      ) {
+        ++unfinishedGames;
+      }
+    }
+    if (unfinishedGames >= MAX_UNFINISHED_GAMES_PER_HOUR) {
+      throw new functions.https.HttpsError(
+        "resource-exhausted",
+        "Too many unfinished public games were recently created."
+      );
     }
   }
 
   const { committed, snapshot } = await admin
     .database()
     .ref(`games/${gameId}`)
     .transaction((currentData) => {
-      if (currentData === null) {
-        if (
-          unfinishedGames >= MAX_UNFINISHED_GAMES_PER_HOUR &&
-          access === "public"
-        ) {
-          throw new functions.https.HttpsError(
-            "resource-exhausted",
-            "Too many unfinished public games were recently created."
-          );
-        }
-        return {
-          host: userId,
-          createdAt: admin.database.ServerValue.TIMESTAMP,
-          status: "waiting",
-          access,
-          mode,
-          enableHint,
-        };
-      } else {
-        return;
+      if (currentData !== null) {
+        return; // the game already exists, bail out
       }
+      return {
+        host: userId,
+        createdAt: admin.database.ServerValue.TIMESTAMP,
+        status: "waiting",
+        access,
+        mode,
+        enableHint,
+      };
     });
   if (!committed) {
     throw new functions.https.HttpsError(
diff --git a/src/pages/RoomPage.js b/src/pages/RoomPage.js
@@ -61,8 +61,7 @@ function RoomPage({ match, location }) {
   useEffect(() => {
     if (
       !leaving &&
-      game &&
-      game.status === "waiting" &&
+      game?.status === "waiting" &&
       (!game.users || !(user.id in game.users))
     ) {
       const updates = {

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@`
`13`	`13`	`},`
`14`	`14`	`"users": {`
`15`	`15`	`"$userId": {`
`16`		`- ".write": "auth != null && auth.uid == $userId && data.parent().parent().child('status').val() == 'waiting' && !(root.hasChild('users/' + auth.uid + '/banned') && now < root.child('users/' + auth.uid + '/banned').val())",`
	`16`	`+ ".write": "auth != null && auth.uid == $userId && data.parent().parent().child('status').val() == 'waiting' && newData.parent().parent().parent().parent().hasChild('userGames/' + $userId + '/' + $gameId) == newData.exists() && !(root.hasChild('users/' + auth.uid + '/banned') && now < root.child('users/' + auth.uid + '/banned').val())",`
`17`	`17`	`".validate": "newData.isNumber() && newData.val() == now"`
`18`	`18`	`}`
`19`	`19`	`},`
`@@ -117,7 +117,7 @@`
`117`	`117`	`".read": "auth != null",`
`118`	`118`	`".indexOn": ".value",`
`119`	`119`	`"$gameId": {`
`120`		`- ".write": "auth != null && auth.uid == $userId",`
	`120`	`+ ".write": "auth != null && auth.uid == $userId && newData.parent().parent().parent().hasChild('games/' + $gameId + '/users/' + $userId) == newData.exists()",`
`121`	`121`	`".validate": "newData.isNumber() && newData.val() == root.child('games/' + $gameId + '/createdAt').val()"`
`122`	`122`	`}`
`123`	`123`	`}`