UWorld and UPendingNetGame have a login procedure involving NMT_Challenge/NMT_Login messages. But UPendingNetGame’s login response is hardcoded to TEXT(“0”). It does not expose any delegates or virtual functions and we have no way to override this behavior. In the other hand, UWorld does not verify the response either. So this login procedure does nothing and is not very useful.
(btw UWorld does not produce a secure nonce. The challenge should be a random nonce, not exactly the current time. But the whole login procedure is doing nothing so it doesn’t matter.)
So our dedicated server cannot verify that the client’s UniqueId truly belongs to the (human) player. It can’t even in a platform (e.g. steam) where connections are made through platform servers, because UniqueId is sent by client and not tested against anything in the online session system.
I’m thinking about how to fix this.
UPendingNetGame does send URL and UniqueId, so maybe we should pack the actual response into URL or UniqueId. URL is obtained via LocalPlayer->GetGameLoginOptions(), which has no knowledge of the server sent challenge. Maybe we can get world get net driver get server connection and get challenge, I’m not sure.
Another way is to override NotifyControlMessage and implement a totally new login procedure. But I think inheriting UWorld is somewhat overkill.
Maybe the best way is to modify the engine code a little bit and add calls to gamemode or onlinesession to generate/verify login responses. Is it legally permitted for me to do so? Or can I submit a pull request?