I have an RPC sent to the player that notifies them that they have been hurt. It plays a staggered animation and blocks movement.
As a small test, I had a player 3 call player 2 via an RPC (with a send to owner modifier). To my surprise, it worked.
I can imagine a griefer would be able to exploit calling this client RPC over and over again.
How do I solve this?
Best case scenario is to check if the RPC is sent by the server, but I can’t think of a way that is tamper proof.
Please post the code you used.
Note that if you program the RPC to do a specific thing, then that thing will of course happen if it is legally allowed within the RPC system. This does not indicate that the same thing is possible when the client executable has been modified.
If you used SendTo.Owner attribute parameter for instance, then the message is routed through the server. If that attribute was modified in the client, the Server side RPC will not relay it to the owner but the original target (or perhaps throw an error due to mismatching targets).
Hey hey, many thanks. I’ve managed to find a solution.
Originally, I was looking in Rpc Attributes, the solution is to use RpcParams. I did a quick test to inject RpcParams and the injection got overwritten with the real values.
The below is an example solution that uses rpcParams to check if the sender is the server
[Rpc(SendTo.Owner)]
private void HurtOwnerRPC(RpcParams rpcParams = default)
{
// if the sender is not the server, ignore
if (rpcParams.Receive.SenderClientId != 0)
{
return;
}
IsStaggered = true;
Debug.Log(rpcParams.Receive.SenderClientId);
}