
Firebase 404 - ca98am79
https://www.firebase.com/404.html
======
jaredsohn
The 404 page now shows MMO Asteroids. After the game came out last year, I
forked it to create MMO Spacewar
([http://www.mmospacewar.com](http://www.mmospacewar.com)) where the rules
were adjusted to be more like the iconic game (user now has a single life but
also an energy bar, new warp command, and movement, shooting and getting hit
costs energy but you regain energy over time) and additional improvements were
made (you cannot get killed right after spawning, fixed sound effects, and
users can choose the instance via a hashtag URL.)

The fork also lets you create asteroids and spaceships (added back from the
original one-player version of the game), although at the moment they are not
shared among clients so other players may be confused at what you're shooting
at or is killing you.

One interesting aspect of this is that while developing I originally had my
client playing on the MMO Asteroids Firebase table which in effect made this a
cheat client (it can warp, not instantly killed). But it is a slightly more
ethical cheat client in that the player still can be killed, the total amount
of mobility is limited, and you only get one ship so instead of pure cheating
it is like adding another spaceship class to MMO Asteroids.

Edit: I didn't have a lot of people to playtest with, so I'm not sure how much
fun this actually is. My early observation is that it might be too hard to
kill people and that you tend to have the best luck if your opponent moves
around a bunch to deplete their energy.

~~~
AsymetricCom
The leaderboard is already hacked.

~~~
Rhapso
Yup. You can set your score to a string and it just puts the latest as
highest. You can also manually rename yourself. Are all firebase apps this
vulnerable?

edit* I left a message in the high score box for anybody looking for something
proofy

~~~
Kiro
I love Firebase but these kind of security holes make me hesitant to use it
for anything serious. Is it even possible to prevent without adding an extra
server layer?

~~~
Rhapso
well, you are exposing the database at the javascript level. If it is
javascript then you can mess with it in your browser via the developer
console. So if you are using firebase via javascript your application is
fundamentally insecure. You cannot even put serverside sanity checks like
"this person should not ask for this value" or "nobody should have a string
for a score" because of firebase's limitations.

~~~
mikelehen
There was a time when that was true, but these days you can easily do those
sorts of things using Firebase security rules:
[https://www.firebase.com/docs/security/security-
rules.html](https://www.firebase.com/docs/security/security-rules.html)

~~~
Kiro
I still don't see how setting security rules would prevent cheating. I would
love to know how to fix this issue as I'm making a similar MMO game with
Firebase.

------
Oculus
I love the Ehh messages:

 _It 's not working on my browser! A patch by Bill Gates is imminent. In the
meantime, use telnet as your browser._

------
ngoel36
It's probably not a good thing that your 404 page features _multiple other_
users that are also experiencing some sort of error at the exact same time

~~~
emiliobumachar
It's probably fellow HN'ers following the link.

~~~
CaveTech
Whoosh? Yes, in this context. But in the wild having several users viewing 404
pages at the same time probably means you're handling your URL's wrong.

~~~
autotravis
But it sure does sooth my 404-induced anger.

------
mischanix
I may have sorta kinda broke it completely.

    
    
      Game.score = [];
      for (var i = 0; i < 10000; ++i) {   
        Game.score.push(String.fromCharCode(Math.floor(Math.random() * 65536)));
      }
      Game.score = Game.score.join('');
    

One of those random characters needs to be escaped in the javascript returned
by firebase, but isn't.

------
fidz
For me this is bad UX. Look at the small 404 message above. For some non-
techie people, they won't read the top 404 message and they think "Oh this is
the page i am looking for. But, my friend said that i would see a cat; why now
i am seeing this multiplayer game?"

------
philfreo
See also: [http://kickassapp.com/](http://kickassapp.com/)

------
nine_k
Is the game powered by FireBase somehow?

~~~
vikrum
Yep—we took the single player HTML5 game and added Firebase to make it
multiplayer; here's the diff between single & multiplayer:
[https://github.com/firebase/HTML5-Asteroids/commit/f42ae8b9f...](https://github.com/firebase/HTML5-Asteroids/commit/f42ae8b9f88f927f2532b234b70b5606cc38c849)

------
nawitus
I was at 3600 with many lives but the game froze :/.

------
msutherl
Hi score! I'm Guest8124 with 7400. Challenge me.

------
critium
LOL! Its full of HN'ers!

