Skip to content

Comments

Enforce FriendsOnly lobby privacy during handshake#10022

Open
trende2001 wants to merge 1 commit intoFacepunch:masterfrom
trende2001:enforce-friendsonly-privacy
Open

Enforce FriendsOnly lobby privacy during handshake#10022
trende2001 wants to merge 1 commit intoFacepunch:masterfrom
trende2001:enforce-friendsonly-privacy

Conversation

@trende2001
Copy link
Contributor

@trende2001 trende2001 commented Feb 13, 2026

Summary

Adds server-side enforcement for LobbyPrivacy.FriendsOnly lobbies during the handshake phase. When a lobby is set to FriendsOnly, the host now validates the joining player's SteamId against its own Steam friend list and kicks non-friends with the message "This lobby is Friends Only."

Previously, non-friends could connect and remain in the lobby.

Motivation & Context

Players expect that setting their lobby to "Friends Only" actually prevents non-friends from joining. This change closes that gap at the engine level so game code doesn't need to reimplement it.

Implementation Details

  • The check runs in On_Handshake_ClientInfo after the SteamId is resolved from the trusted SteamLobbyConnection, using Friend.IsFriend against the host's local friend list.
  • The host always bypasses the check. Steam API failures fail closed (deny access).

Screenshots / Videos (if applicable)

Checklist

  • Code follows existing style and conventions
  • No unnecessary formatting or unrelated changes
  • Public APIs are documented (if applicable)
  • Unit tests added where applicable and all passing
  • I’m okay with this PR being rejected or requested to change 🙂

Copilot AI review requested due to automatic review settings February 13, 2026 13:07
Copilot AI reviewed Feb 13, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds server-side enforcement for FriendsOnly lobby privacy during the handshake phase. When a lobby is configured with LobbyPrivacy.FriendsOnly, the host now validates the joining player's SteamId against its Steam friend list and kicks non-friends before they can fully connect.

Changes:

  • Adds FriendsOnly validation in the On_Handshake_ClientInfo method after SteamId resolution
  • Implements fail-closed error handling for Steam API failures
  • Adds clear logging for both allowed and rejected connection attempts

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Kaydax
Copy link
Contributor

Kaydax commented Feb 13, 2026

LGTM

handsomematt
handsomematt requested changes Feb 18, 2026
View reviewed changes
Copy link
Member

@handsomematt handsomematt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is there a huge try catch around isFriend = joiningFriend.IsFriend;?

This is a good place to do this friend check, but your implementation can be a lot tighter.

@trende2001
Enforce FriendsOnly lobby privacy during handshake
9623d7f 
Adds host-side enforcement for LobbyPrivacy.FriendsOnly lobbies. Previously, non-friends could still connect and remain in the lobby, which is now fixed.
@trende2001 trende2001 force-pushed the enforce-friendsonly-privacy branch from 5bcf20d to 9623d7f Compare February 21, 2026 16:43
@trende2001
Copy link
Contributor Author

trende2001 commented Feb 21, 2026

Why is there a huge try catch around isFriend = joiningFriend.IsFriend;?

This is a good place to do this friend check, but your implementation can be a lot tighter.

I made the implementation a lot more tighter without over defensive checks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@handsomematt handsomematt Awaiting requested review from handsomematt

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@trende2001 @Kaydax @handsomematt