# Is (!IsServer) Check Passable?
Hackers can potentially modify just about any code that’s on their client application. So if you’re checking IsServer on the client, assume it could be modified.
In newer versions of NGO you can use RpcInvokePermission to prevent clients from calling certain RPCs. From a security standpoint it’s pretty sound.
In general you just need to make things server authoritative and do server validation where needed. At a high level this just means that for any sensitive action that needs to be performed the client makes a request to the server. The server then checks if that request makes sense and is okay to carry out. If it is, usually the result is sent back for the client to use to update their game world.
In the backend stuff (updating user score, getting profile instances, etc.), I used a server-authoritative system.
But in-game, players just call a ServerRpc. In the ServerRpc, there is an internal method that has an (!IsServer) check; after that check, the server checks whether the request sounds reasonable or not.
My concern is, if hackers pass that request, they could do as they will.
```cs
private void PasClicked()
{
    PasServerRpc();
}

[ServerRpc(RequireOwnership = false)]
private void PasServerRpc(ServerRpcParams rpcParams = default)
{
    if (!IsServer) return;

    ulong senderClientId = rpcParams.Receive.SenderClientId;
    PlayerData senderPlayerData = GetPlayerDataByClientId(senderClientId);
    if (senderPlayerData == null)
    {
        Debug.LogWarning($"[PAS] Could not find PlayerData for ClientId: {senderClientId}");
        return;
    }

    if (currentPlayerIndex.Value != senderPlayerData.PlayerIndex.Value)
    {
        Debug.LogWarning($"[PAS] Wrong turn! Current: {currentPlayerIndex.Value}, Sender: {senderPlayerData.PlayerIndex.Value}");
        return;
    }

    Debug.Log($"[PAS] Player {senderPlayerData.PlayerIndex.Value} passed their turn");
    EndTurn();
}
```
This is an example.
What would you suggest doing?
You'll need to use [RPC] with InvokePermission.Server
https://docs.unity3d.com/Packages/com.unity.netcode.gameobjects@2.8/manual/advanced-topics/message-system/rpc.html#rpcattribute-parameters
I will definitely look into that. Btw, I've come up with a solution. Everything in the server is synced with the client, so if I leave the body of the ServerRpc blank in the client build and leave it as it is in the server build, the client cannot reach inside the code.
Is this okay?
Sounded pretty logical
Yea. That is the other option. You can use compiler defines to strip out code that shouldn't be on the clients. As long as the RPC signature remains the same it will work. I'll need to check if InvokePermission is doing that for you.
Thanks man, I appreciate it.