aether-security
Anti-cheat, authentication, encryption, and rate limiting
The aether-security crate provides server-side security for Aether, including anti-cheat validation (movement, teleport, hit), JWT authentication, OAuth providers, encryption policies, action rate limiting, interest management, and WASM sandboxing.
Overview
Security is enforced server-side to prevent cheating and unauthorized access. The crate covers:
- Movement validation that detects impossible speeds and accelerations.
- Teleport detection that flags unauthorized position changes.
- Hit validation that verifies combat interactions against server state.
- JWT authentication with configurable claims and token pair rotation.
- OAuth integration with Google and Discord providers.
- Action rate limiting to prevent spam and abuse.
- Interest management that controls entity visibility per player.
- WASM sandboxing policies for script execution.
Key Types
AuthService
Handles user registration and login with password hashing and JWT issuance.
use aether_security::{AuthService, UserStore, LoginResult};
let auth = AuthService::new(user_store);
let result: LoginResult = auth.login("user@example.com", "password")?;
JwtProvider
Issues and validates JWT tokens with configurable claims.
use aether_security::{JwtProvider, JwtConfig, Claims, TokenPair};
let provider = JwtProvider::new(JwtConfig {
secret: jwt_secret,
issuer: "aether".into(),
access_ttl_seconds: 3600,
refresh_ttl_seconds: 86400,
});
let pair: TokenPair = provider.issue(&claims)?;
let validated: Claims = provider.validate(&pair.access_token)?;
validate_movement
Checks whether a player's reported movement is physically plausible.
use aether_security::{validate_movement, MovementConfig, MovementResult, Vec3};
let config = MovementConfig {
max_speed: 10.0,
max_acceleration: 50.0,
};
let result: MovementResult = validate_movement(
&config,
&previous_position,
¤t_position,
dt,
);
TeleportDetector
Detects unauthorized teleportation by comparing position deltas against thresholds.
use aether_security::{TeleportDetector, TeleportConfig, TeleportResult};
let detector = TeleportDetector::new(TeleportConfig {
max_distance_per_tick: 15.0,
grace_ticks: 2,
});
let result: TeleportResult = detector.check(&old_pos, &new_pos);
validate_hit
Verifies that a reported combat hit is consistent with server-side state.
use aether_security::{validate_hit, HitClaim, HitValidationConfig, HitResult};
let config = HitValidationConfig {
max_range: 50.0,
max_angle_degrees: 45.0,
position_tolerance: 1.0,
};
let result: HitResult = validate_hit(&config, &claim, &server_state);
InterestManager
Controls which entities are visible to each player based on distance and relevance.
use aether_security::{InterestManager, InterestConfig, Visibility};
let manager = InterestManager::new(InterestConfig {
max_visible_entities: 200,
relevance_radius: 100.0,
});
let visible = manager.compute_visibility(player_id, &entities);
ActionRateLimiter
Rate limits player actions (e.g., chat messages, item uses) to prevent abuse.
use aether_security::{ActionRateLimiter, ActionRateConfig, RateLimitResult};
let limiter = ActionRateLimiter::new(ActionRateConfig {
max_actions_per_second: 5,
burst_allowance: 3,
});
let result: RateLimitResult = limiter.check(player_id, "chat_message");
Usage Examples
OAuth Login
use aether_security::{GoogleOAuthProvider, OAuthConfig, OAuthUserInfo};
let provider = GoogleOAuthProvider::new(OAuthConfig {
client_id: google_client_id,
client_secret: google_client_secret,
redirect_uri: "https://auth.example.com/callback".into(),
});
let user_info: OAuthUserInfo = provider.exchange(auth_code).await?;
WASM Sandboxing
use aether_security::{ScriptSandboxPolicy, SandboxCapability};
let policy = ScriptSandboxPolicy {
allowed: vec![
SandboxCapability::ReadEntities,
SandboxCapability::SpawnEntities,
],
denied: vec![SandboxCapability::NetworkAccess],
};