Pull request overview
This PR hardens the card-play flow to prevent invalid “play card” requests from breaking gameplay, by adding frontend drag/drop validation and backend request validation with clearer error responses.
Changes:
- Frontend: restrict drag/drop to valid hand cards and block requests missing required identifiers.
- Frontend: attempt UI recovery when the API call fails.
- Backend: return explicit 400 JSON errors for missing/invalid `play_card` params, plus add test coverage for missing `dealt_card_id`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| copi.owasp.org/assets/js/app.js | Tightens Dragula drag/drop validation and adds client-side blocking/recovery around the play-card API call. |
| copi.owasp.org/lib/copi_web/controllers/api_controller.ex | Adds 400 Bad Request handling for missing/invalid play_card parameters. |
| copi.owasp.org/test/copi_web/controllers/api_controller_test.exs | Adds a controller test to ensure missing dealt_card_id returns 400 with an explicit error message. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
cw-owasp previously approved these changes (Jun 26, 2026)
Collaborator
Author
The dragging got broken. I needed to change the hook to resolve to the nearest draggable card container that has data-* attributes before validating the drag and sending the card request.
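One way to implement the client-side guard that the review summary and the author's comment describe, as an added example (not the project's app.js; the data-* attribute names and the node layout are assumptions):

```javascript
// Added example, not the project's app.js. Catches missing identifiers on the
// client instead of letting them reach the server as the string "undefined".
// Assumption: card containers carry data-game-id, data-player-id and
// data-dealt-card-id; inner elements (icons, text) carry no data-* attributes.
const REQUIRED = ["gameId", "playerId", "dealtCardId"];

// Fragile version: reads data-* from whatever node was dropped. When that is
// an inner <span>, every id is undefined and the template literal stringifies
// it straight into the URL, which is what the PR's server logs show.
function naivePlayCardUrl(node) {
  const ds = node.dataset || {};
  return `/api/games/${ds.gameId}/players/${ds.playerId}/card`;
}

// Hardened: walk up to the nearest ancestor carrying all required ids. Works
// on real DOM Elements (dataset/parentElement) and on the stand-ins below.
function resolveCardContainer(node) {
  for (let el = node; el; el = el.parentElement) {
    const ds = el.dataset || {};
    if (REQUIRED.every((k) => typeof ds[k] === "string" && ds[k] !== "")) {
      return el;
    }
  }
  return null;
}

// Returns the request to send, or { ok: false } so the caller cancels the
// drop and puts the card back in the hand instead of firing a doomed request.
function buildPlayCardRequest(node) {
  const container = resolveCardContainer(node);
  if (!container) {
    return { ok: false, reason: "missing game/player/card id; request blocked" };
  }
  const { gameId, playerId, dealtCardId } = container.dataset;
  const url = `/api/games/${encodeURIComponent(gameId)}/players/${encodeURIComponent(playerId)}/card`;
  return { ok: true, method: "PUT", url, body: { dealt_card_id: dealtCardId } };
}

// Constructed stand-ins for DOM nodes: a card <div> with ids and an inner
// <span> (the actual drop target) that carries nothing of its own.
const card = { dataset: { gameId: "game-123", playerId: "player-7", dealtCardId: "card-42" }, parentElement: null };
const innerSpan = { dataset: {}, parentElement: card };
const orphan = { dataset: { gameId: "game-123" }, parentElement: null };
```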
cw-owasp approved these changes (Jun 26, 2026)
Description
These changes fix the “players get kicked out / stuck after game start” issue by preventing bad card-play requests and handling them safely when they still happen.
Net effect: fewer broken turns, clearer errors, and players are much less likely to feel like their session vanished.
AI Tool Disclosure
Github CoPilot GPT-5.5

Some players have reported that they get thrown out of the game after the game is started. I am getting the following logs:
2026-06-22 19:52:00.146
17:52:00.145 request_id=GLt4o0J868KdTy8AABDx [info] Sent 400 in 211µs
2026-06-22 19:52:00.146
17:52:00.145 request_id=GLt4o0J868KdTy8AABDx [info] PUT /api/games/undefined/players/undefined/card
2026-06-22 19:51:54.562
17:51:54.561 request_id=GLt4ofWkFgsgozoAABDh [info] Sent 400 in 231µs
2026-06-22 19:51:54.561
17:51:54.561 request_id=GLt4ofWkFgsgozoAABDh [info] PUT /api/games/undefined/players/undefined/card
2026-06-22 19:51:44.003
17:51:44.002 request_id=GLt4n4BIXYzZfroAABDR [info] Sent 400 in 323µs
2026-06-22 19:51:44.003
17:51:44.002 request_id=GLt4n4BIXYzZfroAABDR [info] PUT /api/games/undefined/players/undefined/card
2026-06-22 19:49:41.832
17:49:41.832 request_id=GLt4gw5dwwZuZc4AABBR [info] GET /health
2026-06-22 19:48:41.829
17:48:41.828 request_id=GLt4dQzC4OPTtmcAABAx [info] Sent 200 in 152ms
2026-06-22 19:48:41.676
17:48:41.675 request_id=GLt4dQzC4OPTtmcAABAx [info] GET /health
2026-06-22 19:47:47.312
Parameters: %{"_csrf_token" => "[FILTERED]", "_live_referer" => "undefined", "_mount_attempts" => "0", "_mounts" => "0", "_track_static" => %{"0" => "https://copi.owasp.org/assets/css/app-d56dac94ce4c782a69486e9e3dfdef37.css?vsn=d", "1" => "https://copi.owasp.org/assets/css/cards-2f94d8ab8082cc6adf2fb73420415aee.css?vsn=d", "2" => "https://copi.owasp.org/assets/js/app-a4190763c05732670d116af312cfacbf.js?vsn=d"}, "vsn" => "2.0.0"}
2026-06-22 19:47:47.312
Serializer: Phoenix.Socket.V2.JSONSerializer
2026-06-22 19:47:47.312
Transport: :websocket
2026-06-22 19:47:47.312
17:47:47.311 [info] CONNECTED TO Phoenix.LiveView.Socket in 35µs
2026-06-22 19:47:46.807
17:47:46.806 request_id=GLt4aCoyPRv4FvMAAA-x [info] Sent 200 in 472ms
2026-06-22 19:47:46.774
Parameters: %{"_csrf_token" => "[FILTERED]", "_live_referer" => "undefined", "_mount_attempts" => "0", "_mounts" => "0", "_track_static" => %{"0" => "https://copi.owasp.org/assets/css/app-d56dac94ce4c782a69486e9e3dfdef37.css?vsn=d", "1" => "https://copi.owasp.org/assets/css/cards-2f94d8ab8082cc6adf2fb73420415aee.css?vsn=d", "2" => "https://copi.owasp.org/assets/js/app-a4190763c05732670d116af312cfacbf.js?vsn=d"}, "vsn" => "2.0.0"}
2026-06-22 19:47:46.774
Serializer: Phoenix.Socket.V2.JSONSerializer
2026-06-22 19:47:46.774
Transport: :websocket
2026-06-22 19:47:46.774
17:47:46.773 [info] CONNECTED TO Phoenix.LiveView.Socket in 36µs
2026-06-22 19:47:46.405
17:47:46.404 request_id=GLt4aBcP8XHScKUAAA-R [info] Sent 200 in 390ms
2026-06-22 19:47:46.335
17:47:46.334 request_id=GLt4aCoyPRv4FvMAAA-x [info] GET /games/01KVR609VVH2FE19P3WBR63A09/players/new
2026-06-22 19:47:46.014
17:47:46.013 request_id=GLt4aBcP8XHScKUAAA-R [info] GET /games/01KVR609VVH2FE19P3WBR63A09/players/new
2026-06-22 19:47:45.977
17:47:45.976 [warning] navigate event to "https://copi.owasp.org/games/01KVR609VVH2FE19P3WBR63A09/players/new" failed because you are redirecting across live_sessions. A full page reload will be performed instead
2026-06-22 19:47:45.818
17:47:45.817 [warning] navigate event to "https://copi.owasp.org/games/01KVR609VVH2FE19P3WBR63A09/players/new" failed because you are redirecting across live_sessions. A full page reload will be performed instead
2026-06-22 19:47:42.025
17:47:42.024 request_id=GLt4ZxIo7Y4escAAAA8R [info] Sent 200 in 387ms
2026-06-22 19:47:41.672
17:47:41.671 request_id=GLt4ZwreLt6KMnAAAA8B [info] Sent 200 in 157ms
2026-06-22 19:47:41.637
17:47:41.636 request_id=GLt4ZxIo7Y4escAAAA8R [info] GET /games/01KVR609VVH2FE19P3WBR63A09
The call `PUT /api/games/undefined/players/undefined/card` seems to indicate that something has gone wrong for the player, but what?