From 2b3ee604b5b89ad660c643b8fc920ba4e0fd62af Mon Sep 17 00:00:00 2001
From: Thibault Duplessis
Date: Sun, 20 May 2012 22:50:00 +0200
Subject: [PATCH] Don't trust the client username for websockets, use auth instead
---
 app/controllers/Main.scala | 2 +-
 app/controllers/Round.scala | 4 ++--
 public/javascripts/ctrl.js | 3 ---
 public/javascripts/hook.js | 3 +--
 4 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/app/controllers/Main.scala b/app/controllers/Main.scala
index 29ac00bfed228..f7b242c7a6054 100644
--- a/app/controllers/Main.scala
+++ b/app/controllers/Main.scala
@@ -13,6 +13,6 @@ object Main extends LilaController {
 implicit val ctx = reqToCtx(req)
 env.site.socket.join(
 uidOption = get("uid"),
- username = get("username"))
+ username = ctx.me map (_.username))
 }
 }
diff --git a/app/controllers/Round.scala b/app/controllers/Round.scala
index 485c2a29fc92f..1367b36c7074e 100644
--- a/app/controllers/Round.scala
+++ b/app/controllers/Round.scala
@@ -25,14 +25,14 @@ object Round extends LilaController {
 def websocketWatcher(gameId: String, color: String) = WebSocket.async[JsValue] { req ⇒
 implicit val ctx = reqToCtx(req)
 socket.joinWatcher(
- gameId, color, getInt("version"), get("uid"), get("username")
+ gameId, color, getInt("version"), get("uid"), ctx.me map (_.username)
 ).unsafePerformIO
 }
 def websocketPlayer(fullId: String) = WebSocket.async[JsValue] { req ⇒
 implicit val ctx = reqToCtx(req)
 socket.joinPlayer(
- fullId, getInt("version"), get("uid"), get("username")
+ fullId, getInt("version"), get("uid"), ctx.me map (_.username)
 ).unsafePerformIO
 }
diff --git a/public/javascripts/ctrl.js b/public/javascripts/ctrl.js
index ad891ecb39fd9..74c4c6f8a58d1 100644
--- a/public/javascripts/ctrl.js
+++ b/public/javascripts/ctrl.js
@@ -8,9 +8,6 @@ var lichess_translations = [];
 var lichess = {
 socket: null,
 socketDefaults: {
- params: {
- username: $('#username_tag').text()
- },
 events: {
 n: function(e) {
 var $tag = $('#nb_connected_players');
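Review bot: `uidOption = get("uid")` in Main.scala's `env.site.socket.join(...)` call is still read from the request query string, and so is `get("uid")` in both `socket.joinWatcher(...)` and `socket.joinPlayer(...)` in Round.scala, so this change moves only the username onto the authenticated context. If the socket hubs key members by uid (not visible in this diff), confirm that a uid supplied by one client cannot replace or shadow another member's entry, or bind the uid to the session on the server. A short comment at each call site would record the trust split, e.g. `// username comes from the authenticated session; uid is client-chosen and must not be treated as identity`. The enclosing action in Main.scala starts outside the hunk.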
diff --git a/public/javascripts/hook.js b/public/javascripts/hook.js
index 515d1085f99cd..fd368b1505779 100644
--- a/public/javascripts/hook.js
+++ b/public/javascripts/hook.js
@@ -18,7 +18,6 @@ $(function() {
 var $userTag = $('#user_tag');
 var isRegistered = $userTag.length > 0
 var myElo = isRegistered ? parseInt($userTag.data('elo')) : null;
- var username = isRegistered ? $('#username_tag').text() : "Anonymous";
 var hookOwnerId = $hooks.data('my-hook');
 if (chatExists) {
@@ -38,7 +37,7 @@ $(function() {
 return false;
 }
 $input.val('');
- lichess.socket.send('talk', { u: username, txt: text });
+ lichess.socket.send('talk', { txt: text });
 return false;
 });
 $chat.find('a.send').click(function() { $input.trigger('click'); $form.submit(); });
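Review bot: Dropping `u` from the `talk` payload in the second hunk is only safe if the server-side handler stops reading that field, and the handler is not part of this diff. Confirm that the lobby socket takes the author from the username bound at join time (`ctx.me map (_.username)`), supplies the anonymous label itself now that the client-side `"Anonymous"` default is gone, and ignores any `u` field that an older cached script or a hand-built message still sends. A comment at the send site, e.g. `// author is set server-side from the authenticated socket member`, would keep the field from being reintroduced later. The submit handler around this line starts outside the hunk.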