Search code examples
javascriptrubyclojureclojurescript

Online Betting Games and Security: How to?


I've developed a betting game (using bitcoins). This is how it is set up:

Using javascript, clojurescript, ruby on sinatra.

Initial Way (Plan A)

  • Client side: JavaScript is evaluated. This includes all game logic and requests to server. Yes, all of the game is evaluated on the client-side.

  • Server side: Handles requests from client side, such as update user balance in database on win. Note that the JavaScript on client's side handles game logic, including evaluation of victory conditions.

I am currently under the impression that I have made an astronomically grave error and I seek guidance so that I may put myself on the right track.

My New Way? (Plan B)

  • Client side: Places bets via GET or PUT along with betsize and perhaps other initial parameters that follow each bet.

  • Server side: Server receives requests and uses the information as arguments to the program which will sit on the server precompiled and run for each request. The program output will then be sent to the client side where the relevant JavaScript will know what to do (animations and displaying of results).

Thanks

p.s. Plan B is going to put the onus on my server. I suppose I need to consider many new things now. Suggestions on taking care of performance matters will also be appreciated.


Solution

  • Your Plan A is impossible to secure easily, because client-side results are generally not trustable.

    Your Plan B is a good plan.

    You are correct this puts the onus on your server.

    Server performance is a huge topic.

    Some tools you may want to look at as you grow:

    • Memcache - a simple key-value memory cache
    • Varnish - a reverse-proxy cache
    • Redis - a key-value store, especially good for game stats such as leaderboards
    • Ruby memoist gem - cache a method's params and return result
    • Any database with a good cache, such as Postgres with materialized views

    Aim for two kinds of requests:

    • read-only requests - typically HTTP GET
    • write-only requests - typically HTTP PUT, PATCH, DELETE