fix: prevent client from bypassing random spawn selection 🛡️

[FloPinguin]

Description:

When random spawn mode is active, players are supposed to receive randomly chosen spawns rather than choosing their own. However, SpawnExecution.getSpawn() checks center !== undefined first, which means if a player manually injects coordinates into the spawn intent (bypassing the client-side UI guard), the random selection logic is completely bypassed and the player gets their chosen coordinates.

This was fully exploitable in singleplayer (where no pre-created SpawnExecution objects exist) and was a defense-in-depth gap in multiplayer (relying on execution order of pre-created spawns to block it via the hasSpawned() guard).

The fix forces center to undefined in getSpawn() when random spawns are enabled, ensuring the random selection code path is always taken regardless of what the client sends.

Changes:

• src/core/execution/SpawnExecution.ts: Pass undefined to getSpawn() when isRandomSpawn() is true, ignoring any client-specified tile
• tests/core/execution/SpawnExecution.test.ts: Added test verifying that a client-specified tile is ignored when random spawn is enabled

Please complete the following:

• I have added screenshots for all UI updates
• I process any text displayed to the user through translateText() and I've added it to the en.json file
• I have added relevant tests to the test directory

Please put your Discord username so you can be contacted if a bug or regression is found:

FloPinguin

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3c6b42fd-73b3-40ae-ac92-1ded3825a09f

📥 Commits

Reviewing files that changed from the base of the PR and between 95171fd and 0761607.

📒 Files selected for processing (2)

• src/core/execution/SpawnExecution.ts
• tests/core/execution/SpawnExecution.test.ts

---

Walkthrough

SpawnExecution.tick() now checks config().isRandomSpawn() and passes undefined to getSpawn when true, letting the server pick a random center. When false, it passes this.tile as before. A new test confirms a malicious client-specified tile is ignored under randomSpawn: true.

Changes

Random Spawn Fix

Layer / File(s)	Summary
Random spawn logic and test src/core/execution/SpawnExecution.ts, tests/core/execution/SpawnExecution.test.ts	tick() passes undefined to getSpawn when isRandomSpawn() is true; new test checks the player lands on a different, valid land tile when a malicious tile is given.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🎲 The client said "spawn here, right there!"
But the server just laughed in the air.
With undefined passed,
The cheat couldn't last —
A random safe tile, fair and square! 🗺️

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: blocking clients from overriding random spawn selection.
Description check	✅ Passed	The description matches the code changes and test coverage for random spawn selection.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}