PaimaStudios · robkorn · Jun 30, 2023 · Jun 28, 2023 · Jun 28, 2023 · Jun 28, 2023
diff --git a/paima-concise/src/consumer.ts b/paima-concise/src/consumer.ts
@@ -9,6 +9,7 @@ import { EncodingVersion } from './types.js';
 import { isHexString } from './utils.js';
 import { separator } from './v1/consts.js';
 import { toConciseValue } from './v1/utils.js';
+import { checkSecurityPrefix, stripSecuirtyPrefix } from './security.js';
 
 const initializeSpecific = (input: string, version: EncodingVersion): ConciseConsumer => {
   const { conciseValues, concisePrefix, conciseInput } = preParse(input, version);
@@ -62,6 +63,12 @@ const preParse = (input: string, version: EncodingVersion): ConciseConsumerInter
       return getEmptyInternals();
     }
 
+    if (!checkSecurityPrefix(conciseInput)) {
+      // Invalid input, discard entire message.
+      return getEmptyInternals();
+    }
+    conciseInput = stripSecuirtyPrefix(conciseInput);
+
     const [inputPrefix, ...stringValues] = conciseInput.split(separator);
     const hasImplicitUser = inputPrefix.match(/^@(\w+)/);
     if (hasImplicitUser) {

diff --git a/paima-concise/src/index.ts b/paima-concise/src/index.ts
@@ -1,4 +1,4 @@
 export { builder } from './builder.js';
 export { consumer } from './consumer.js';
-
+export { checkSecurityPrefix, stripSecuirtyPrefix } from './security.js';
 export * from './types';
diff --git a/paima-concise/src/security.ts b/paima-concise/src/security.ts
@@ -0,0 +1,25 @@
+import { ENV } from '@paima/utils';
+import { separator } from './v1/consts';
+
+// For security, we add the .env CONCISE_GAME_NAME to the string.
+export const getSecurityPrefix = (): string => {
+  return ENV.CONCISE_GAME_NAME
+    ? `${separator}${ENV.CONCISE_GAME_NAME}${separator}`
+    : '';
+};
+
+export const checkSecurityPrefix = (conciseInput: string): boolean => {
+  const securityPrefix = getSecurityPrefix();
+  if (securityPrefix) {
+    return conciseInput.startsWith(securityPrefix);
+  }
+  return true;
+};
+
+export const stripSecuirtyPrefix = (conciseInput: string): string => {
+  const securityPrefix = getSecurityPrefix();
+  if (securityPrefix) {
+    return conciseInput.slice(securityPrefix.length);
+  }
+  return conciseInput;
+};
diff --git a/paima-concise/src/v1/builder.ts b/paima-concise/src/v1/builder.ts
@@ -1,5 +1,6 @@
 import type { ConciseValue, UTF8String } from '../types.js';
 import { separator, stateIdentifier } from './consts.js';
+import { getSecurityPrefix } from '../security.js';
 
 const toString = (val: ConciseValue): string => {
   return val.isStateIdentifier ? `${stateIdentifier}${val.value}` : val.value;
@@ -9,9 +10,9 @@ const build = (concisePrefix: string, conciseValues: ConciseValue[]): UTF8String
   if (!concisePrefix) {
     throw new Error(`Missing prefix value in concise builder for input: ${conciseValues}`);
   }
-
+  const securityPrefix = getSecurityPrefix();
   const conciseValueInput = conciseValues.map(toString).join(separator);
-  const conciseInput = `${concisePrefix}${separator}${conciseValueInput}`;
+  const conciseInput = `${securityPrefix}${concisePrefix}${separator}${conciseValueInput}`;
 
   return conciseInput;
 };

diff --git a/paima-sm/src/index.ts b/paima-sm/src/index.ts
@@ -28,6 +28,7 @@ import Prando from '@paima/prando';
 
 import { randomnessRouter } from './randomness.js';
 import { cdeTransitionFunction, getProcessedCdeDatumCount } from './cde-processing.js';
+import { checkSecurityPrefix, stripSecuirtyPrefix } from '@paima/concise';
 
 const SM: GameStateMachineInitializer = {
   initialize: (
@@ -214,7 +215,10 @@ async function processScheduledData(
   for (const data of scheduledData) {
     const inputData: SubmittedData = {
       userAddress: SCHEDULED_DATA_ADDRESS,
-      inputData: data.input_data,
+      // security prefix is optional in scheduled data.
+      inputData: checkSecurityPrefix(data.input_data)
+        ? stripSecuirtyPrefix(data.input_data)
+        : data.input_data,
       inputNonce: '',
       suppliedValue: '0',
       scheduled: true,
@@ -261,10 +265,17 @@ async function processUserInputs(
       doLog(`Skipping inputData with duplicate nonce: ${inputData}`);
       continue;
     }
+    if (!checkSecurityPrefix(inputData.inputData)) {
+      doLog(`Skipping inputData with invalid security prefix: ${inputData}`);
+      continue;
+    }
 
     // Trigger STF
     const sqlQueries = await gameStateTransition(
-      inputData,
+      {
+        ...inputData,
+        inputData: stripSecuirtyPrefix(inputData.inputData),
+      },
       latestChainData.blockNumber,
       randomnessGenerator,
       readonlyDBConn

diff --git a/paima-utils/src/config.ts b/paima-utils/src/config.ts
@@ -83,6 +83,13 @@ export class ENV {
   static get ENABLE_DRY_RUN(): boolean {
     return process.env.ENABLE_DRY_RUN === 'true';
   }
+  static get CONCISE_GAME_NAME(): string {
+    const prefix = process.env.CONCISE_GAME_NAME || '';
+    if (prefix && prefix.match(/\|/)) {
+      throw new Error('Concise security prefix cannot contain the pipe character.');
+    }
+    return prefix;
+  }
 
   // Middleware config:
   static get BACKEND_URI(): string {