I read something that says that V8 doesn't optimize any code inside
try-blocks. I hope this means that this change will lead to better-
performing code, but I suspect the difference will be relatively
small.
Now, when a user logs into a registered username that was previously
locked/banned, that user is also locked/banned.
The main reason this matters is because users who log in under an
autoconfirmed username are permanently autoconfirmed, even if they
log out and in to a new username. So when they're banned, they can
switch IP and regain autoconfirmed status. This change bans the
username that was autoconfirmed as well, so attempting to use it
to regain autoconfirmed status will result in an automatic re-ban.
Teams are now sent using our new packTeam/unpackTeam code, rather
than JSON. This compresses teams from an average of 2000 bytes to
an average of 500 bytes.
The main process no longer does any JSON parsing/stringifying of
teams. The communication protocol with validator processes has
been changed from JSON to a string protocol delimited by pipes.
A variety of more minor optimizations have also been done.
Now that we're using proxy processes, this heavily optimizes the
communication between the main process and the proxy processes
by sending broadcasted messages once, instead of once per user.
Instead of handling all connections in the master process, we now
use Node's cluster module to push them to worker processes. These
worker processes are pretty lightweight and do nothing but proxy
connections so far.
This introduces a new file cidr.js, which handles matching CIDR IP
blocks. It replaces our dependency on node-ip.
The old proxy IP system is also moved to cidr.js.
The PM blocking tool is available for all regular users and admins.
Regular users can use it as a global ignore rule, allowing them to
avoid harassers that are able to ban, mute, or ignore evade and PM
spam them.
Administrators are often bombarded with PMs and often they don't have
the time nor the means to entertain them, so this tool allows them
to work or just use the simulator in peace. Generally, administrators
are not required to be available to all PMs as the rest of the members
of staff, whom are not allowed to use this tool, are.
This fixes a bug that allows any user with `forcerenameto` permission
(which by default includes the entire ~ group) to escalate to console
permissions, which is much more powerful.
Suppose user "Jasmine" has the ~ group, but not console permissions and
suppose user "Zarel" is on the console list on config.js. Jasmine could
escalate to console permissions with these commands:
/frt Jasmine, Zarel
/trn Zarel
The use of the /trn command sets her User object's `forceRenamed`
property to false, allowing the console userid check to pass.
This bug meant that the attack surface area to completely take over the
sim server was as large as the ~ group, not just the list of console
users. This commit fixes the bug by correctly propagating the
`forceRenamed` property when using /trn.
Implemented some changes from #306.
The bans are checked now on User.prototype.joinRoom.
Redirect command now does not override room bans.
Commands now control if the room is designed for room bans.
Several small style improvements.
Now, most rooms inherit auth from global auth. In other words, if
you're a global driver but a room leader, you'll be a leader
in that room, but if you're a global driver but have no room
auth, you'll be a room driver.
The exception is private rooms with private auth: These don't
inherit, and in general are not bound by chat rules, so /warn
doesn't work in these rooms at all.
The function getNextGroupSymbol now takes an extra parameter to exclude room only ranks, which are defined in config.
The function will try to find the closest non room only rank with a safeguard against maliciously or badly crafted config.js to crash the server.
If no rank is found regardless of room only or not status, the first or last rank are returned accordingly.
This refactor allows getNextGroupSymbol's name to keep true to its functionality, while also providing a way to exclude crafted ranks for rooms or otherwise from the global demote/promote scheme.
Previously, /cmd was exempt from the throttler. This allowed an
amplification attack by sending a lot of /cmd's in one message,
which was responsible for the recent DoS attacks.
/cmd is now throttled normally, except for userdetails, which
happens instantly but is limited to once/message, so it can't
be used for anywhere near as much amplification.
Per-room auth is now less hardcoded. Promotion/demotion is still
done manually in commands.js, but at least users.js doesn't have
as much hardcoded.
A result of this is that /roomvoice is now possible.
- if room.auth exists, the room will have its own authority instead
of global authority
- # is room owner, % is room moderator, admins are still there, and
every other auth becomes voice
- % can mute/unmute/announce
- # can additionally roommod/deroommod/declare/modchat
- modchat is now per-room
- Rooms now stay in existence through restarts
- Room data is stored in config/chatrooms.json
- By default, there's a staff room autojoined by staff and joinable
only by staff
