Looks like a good improvement but still some things:
You really have to consider all the situations from a perspective where both MP and you (BB) want to cheat the player and how they could possibly do that
You are sending now the next clientseed to "the gambling site" (from player perspective MP+BB could be colluding and the same) before the player gets the next serverseed hash. I adjusted a previous example slightly, but still almost the same is possible:
TBH with the "per roll" implementation, I think it's fine to only save the clientseed locally and not on the server/profile. This would actually make things easier for you too, I think?
Each bet just has a clientseed (loaded from localStorage or generated in browser) and sent to server only upon making a bet (so after user got serverhash for that bet.) After a successful bet, a new clientseed will be generated in the browser (and saved.) This new clientseed is shown to user, unknown to server, adjustable locally and again sent upon betting.
Also showing every bet as list might be too much. I personally think just showing the last bet (and current/net info) is fine.
Very nice
You only check the roll number though (indeed properly in browser.) You should also check: if the hash that you got before the bet is the same as "SHA256(server_roll+'|'+server_salt)". Because now if MP changes the hash, you will still say it's verified. The whole idea of the hash is to ensure that MP generated the server_roll before they knew your clientseed and therefor couldn't influence to a preferable outcome. That only works when you verify the hash that you got before the bet though.
Ideally you could check if wager is same as loss (in case of loss) or the expected bet return is same as actual profit of that bet. I don't do that on my verifier because I don't have access to it. But since this is all on your site, it makes perfect sense to verify that info too.
Small detail: personally I would probably add a JS alert when something goes wrong, rather than only coloring that column red.
Personally I would do something like this:
So:
1. Clearly show the clientseed and hash for next.
2. Allow player to change clientseed right there (no need to click "Save" button either, like previously mentioned: just save in localStorage upon change or focusout.)
3. Only show last 1 bet. In theory it's better that you show multiple last bets, but I think that might be too much for user. Up to you though
4. I renamed "ServerSeed" to "ServerHash". My previous post was probably not very clear about that either, but I think that makes more sense to call it hash.
5. You could make the salt/hash to a disable input box, so there is no overlay problem but still easy to copy-paste.
Almost there
When a bet is placed, a new client seed is generated and sent along with the bet data and then saved to the user profile in the DB.
Yeh, you shouldn't do that You really have to consider all the situations from a perspective where both MP and you (BB) want to cheat the player and how they could possibly do that You are sending now the next clientseed to "the gambling site" (from player perspective MP+BB could be colluding and the same) before the player gets the next serverseed hash. I adjusted a previous example slightly, but still almost the same is possible:
If I make 10 low bets and my next clientseed will be "1,523,456,648" - MP can just give results between 602,552,164 - 2,771,510,647 and it would be a high result. Of course this would also allow a player to cheat if he tricks MP and makes a high bet instead of the "expected low bet". So it is not likely at all that casinos (in this case MP) cheat in situations like this ("based on previous plays".) Still it is a flaw in the implementation and should be fixed.
I understand that you don't actually send the next clientseed to MP, so MP has no idea what the next clientseed will be, but there is no way for the player to verify that you really don't send this information.TBH with the "per roll" implementation, I think it's fine to only save the clientseed locally and not on the server/profile. This would actually make things easier for you too, I think?
Each bet just has a clientseed (loaded from localStorage or generated in browser) and sent to server only upon making a bet (so after user got serverhash for that bet.) After a successful bet, a new clientseed will be generated in the browser (and saved.) This new clientseed is shown to user, unknown to server, adjustable locally and again sent upon betting.
I've added a box on the side where upon placement of the bet, the locally available info (client seed + server seed) are displayed right away.
Looks good, but for the first bet, the serverseed hash is still not shown. This way a player cannot verify if the first bet was generated fairly (unless checking in source/requests.)Also showing every bet as list might be too much. I personally think just showing the last bet (and current/net info) is fine.
Using this info, the system then re-calculates the bet result (on the client using a JS function) and displays this as "Verified result".
Very nice
You only check the roll number though (indeed properly in browser.) You should also check: if the hash that you got before the bet is the same as "SHA256(server_roll+'|'+server_salt)". Because now if MP changes the hash, you will still say it's verified. The whole idea of the hash is to ensure that MP generated the server_roll before they knew your clientseed and therefor couldn't influence to a preferable outcome. That only works when you verify the hash that you got before the bet though.
Ideally you could check if wager is same as loss (in case of loss) or the expected bet return is same as actual profit of that bet. I don't do that on my verifier because I don't have access to it. But since this is all on your site, it makes perfect sense to verify that info too.
Small detail: personally I would probably add a JS alert when something goes wrong, rather than only coloring that column red.
Done. Player can set client seed and then the previously discussed local client seed generation resumes.
Yeh, I am not sure if it really makes sense in the account settings though. I understand it from your technical perspective, but for the user it doesn't make much sense. Also it seems like it doesn't really use the clientseed I choose even after I click save?Personally I would do something like this:
So:
1. Clearly show the clientseed and hash for next.
2. Allow player to change clientseed right there (no need to click "Save" button either, like previously mentioned: just save in localStorage upon change or focusout.)
3. Only show last 1 bet. In theory it's better that you show multiple last bets, but I think that might be too much for user. Up to you though
4. I renamed "ServerSeed" to "ServerHash". My previous post was probably not very clear about that either, but I think that makes more sense to call it hash.
5. You could make the salt/hash to a disable input box, so there is no overlay problem but still easy to copy-paste.
EDIT3: One of our users has reported a "Server Seed mismatch" error the first time he visits the site after this update. I can't reproduce it so far but I'll try to figure out why.
I had this too. I am guessing that loading the demo site makes an empty serverseed (which isn't null). I would probably change:Code:
if (_serverSeed === null) {
localStorage.setItem("serverSeed", serverSeed);
} else if (serverSeed != _serverSeed) {
alert ('ServerSeed mismatch detected! If you previously used a bot to do API betting, you can ignore this error. Otherwise please report this to our staff');
}
to:localStorage.setItem("serverSeed", serverSeed);
} else if (serverSeed != _serverSeed) {
alert ('ServerSeed mismatch detected! If you previously used a bot to do API betting, you can ignore this error. Otherwise please report this to our staff');
}
Code:
if (serverSeed !== null && serverSeed != '') {
if (_serverSeed === null || _serverSeed == '') {
localStorage.setItem("serverSeed", serverSeed);
} else if (serverSeed != _serverSeed) {
alert ('ServerSeed mismatch detected! If you previously used a bot to do API betting, you can ignore this error. Otherwise please report this to our staff');
}
}
if (_serverSeed === null || _serverSeed == '') {
localStorage.setItem("serverSeed", serverSeed);
} else if (serverSeed != _serverSeed) {
alert ('ServerSeed mismatch detected! If you previously used a bot to do API betting, you can ignore this error. Otherwise please report this to our staff');
}
}
Almost there
Once again, thanks for your feedback. I'll be implementing these sometime this week, but I've got a ton of customer work I have to take care of right now, because if I don't, I (or rather my company) will be in trouble.
I'll report back when I have an update.