rP18140 made it so that the Server identifies the "host" (able to kick...) by listening to clients telling it they're the host. Yes, this is as secure as it sounds.
elexis rightfully raised a concern with it, suggesting that client and server should instead share a secret that the client uses to authenticate itself.
I agree, and in the short term the simplest secret is "I'm in the same process as you are". #3953 was concerned with data races, but this is safe.
Here's the breakdown of things:
- The client handshakes.
- The server generates a GUID and sends it to the client (handshake response).
- The client receives that response, sets m_GUID, then sends an Authenticate request to the server.
- The server receives the authenticate request, compares the GUID with that of g_NetClient, and assigns host-ness.
It is thus rather obvious that the server cannot read from m_GUID while it is being written to, nor before it is written to.
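The sequence above, as an added sketch rather than 0 A.D.'s own code: the only names taken from the text are m_GUID and g_NetClient; NetServer, Handshake, Authenticate and IsHost are hypothetical stand-ins, and the GUID generator is a fixed-seed placeholder. Host-ness is granted only when the GUID echoed back in Authenticate equals the one held by the in-process client; a client in another process can never satisfy that comparison, whatever it claims.

```cpp
#include <algorithm>
#include <random>
#include <string>
#include <utility>
#include <vector>

// Client side: m_GUID is filled in from the handshake response (as on the page).
struct NetClient {
    std::string m_GUID;
};

// The client living in the same process as the server, if any (name from the page).
NetClient* g_NetClient = nullptr;

// Hypothetical server sketch, not the project's real NetServer.
struct NetServer {
    std::mt19937_64 rng{12345};          // fixed seed: constructed, reproducible GUIDs
    std::vector<std::string> issued;     // GUIDs handed out in handshake responses
    std::string hostGUID;                // GUID of whoever was recognised as host

    // Handshake response: generate a fresh GUID for the connecting client.
    std::string Handshake() {
        static const char hex[] = "0123456789abcdef";
        std::uniform_int_distribution<int> d(0, 15);
        std::string guid;
        for (int i = 0; i < 32; ++i) guid += hex[d(rng)];
        issued.push_back(guid);
        return guid;
    }

    // Authenticate request: reject GUIDs we never issued; grant host-ness only
    // if the GUID matches the in-process client's m_GUID. No client flag is consulted.
    bool Authenticate(const std::string& guid) {
        if (std::find(issued.begin(), issued.end(), guid) == issued.end()) return false;
        if (g_NetClient && g_NetClient->m_GUID == guid) hostGUID = guid;
        return true;
    }

    bool IsHost(const std::string& guid) const { return !hostGUID.empty() && hostGUID == guid; }
};

// Walks the page's sequence for a local and a remote client.
// Returns {local recognised as host, remote recognised as host}.
std::pair<bool, bool> RunScenario() {
    NetServer server;
    NetClient local, remote;
    g_NetClient = &local;
    local.m_GUID = server.Handshake();   // m_GUID is written before Authenticate is sent
    server.Authenticate(local.m_GUID);   // so the server only ever reads a completed value
    remote.m_GUID = server.Handshake();  // other process: its GUID can never equal g_NetClient's
    server.Authenticate(remote.m_GUID);
    std::pair<bool, bool> r{server.IsHost(local.m_GUID), server.IsHost(remote.m_GUID)};
    g_NetClient = nullptr;
    return r;
}
```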
---
One might wonder how this interacts with dedicated servers (#3556). It doesn't. For one thing, dedicated servers don't start a client, so the point is somewhat moot, and dedicated servers don't really need a host able to ban players so much as players being able to vote or something.
_Should_ we want a dedicated server's host to be able to start a "host" client, we probably should go the whole way to an actual 'i am host' secret, but this is unnecessary for now.