Mint game ids on the server, randomly route create-game across workers (#4393)

## What

Game creation no longer requires the caller to pick the `gameID` or
compute its owning worker. The client POSTs to a prefix-less
`/api/create_game`; **nginx (prod) and the vite dev proxy randomly route
it to a worker**, which **mints an id that hashes back to itself** and
returns it along with its `workerIndex`.

## Why it stays correct

The minted id still hashes to the creating worker (via the existing
`generateGameIdForWorker`), so everything downstream that derives the
worker from the gameID — websocket connect, share URL, join flow — keeps
working unchanged. The only thing that moved is *who picks the id and
worker*.

## Changes

- **`src/server/Worker.ts`** — factor create into a shared
`createGameForId`; add `POST /api/create_game` (no id) that mints a
self-owned id and returns `gameInfo` + `workerIndex`/`workerPath`. The
existing `POST /api/create_game/:id` stays.
- **`nginx.conf`** — `location = /api/create_game` proxies to a `random`
worker upstream.
- **`generate-nginx-upstream.sh` + `Dockerfile`** — the entrypoint
generates that upstream from `NUM_WORKERS` at container **start** time.
`NUM_WORKERS` isn't known at image build time (the image is built once
and deployed with different env), so it can't be baked into `nginx.conf`
— hence runtime generation of exactly the live worker ports (no
dead-server padding).
- **`vite.config.ts`** — dev-only middleware forwards `POST
/api/create_game` to a random worker. Vite's `http-proxy` can't pick a
per-request random target, so this is a small middleware plugin (same
pattern as the existing `serveProprietaryDir`), registered before the
`/api` proxy.
- **`src/client/HostLobbyModal.ts`** — stop generating the id
client-side; use the server's.

## Behavior change to note

The host's share link used to be copied **instantly** from a
client-generated id. Now the id comes from the server, so the copy waits
one create round-trip — I moved the URL build/copy into the create
`.then` (and kept the failure path that clears the clipboard). Brief
empty-link state in the modal until create resolves.

## Verification

- tsc + eslint clean; full suite green (1543 tests).
- nginx additions validated with `nginx -t` in isolation (the full file
references container-only paths like `/etc/nginx/mime.types`); upstream
+ `proxy_pass` resolve.
- `generate-nginx-upstream.sh` tested with `NUM_WORKERS` set and unset
(defaults to 1).

Not yet exercised live end-to-end (needs a dev-server restart —
`vite.config.ts` + `Worker.ts` changes aren't hot-reloaded).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

src/client/HostLobbyModal.ts

@@ -24,7 +24,6 @@ import {
   TeamCountConfig,
   isValidGameID,
 } from "../core/Schemas";
-import { generateID } from "../core/Util";
 import { getPlayToken } from "./Auth";
 import "./components/baseComponents/Modal";
 import { BaseModal } from "./components/BaseModal";
@@ -487,26 +486,24 @@ export class HostLobbyModal extends BaseModal {
 
   protected onOpen(): void {
     this.startLobbyUpdates();
-    this.lobbyId = generateID();
-    // Note: clientID will be assigned by server when we join the lobby
-    // lobbyCreatorClientID stays empty until then
-
-    // Copy immediately so the host can share the link without waiting for the
-    // server. If lobby creation fails, clear the clipboard to avoid a dead link.
-    void this.constructUrl().then(async (url) => {
-      this.updateLobbyHistory(url);
-      await this.updateComplete;
-      void (this.querySelector("copy-button") as CopyButton)?.handleCopy();
-    });
+    // The server mints the game id, so we don't know it until createLobby
+    // resolves. clientID is assigned by the server when we join the lobby.
 
     // Pass auth token for creator identification (server extracts persistentID from it)
-    createLobby(this.lobbyId)
+    createLobby()
       .then(async (lobby) => {
         this.lobbyId = lobby.gameID;
         if (!isValidGameID(this.lobbyId)) {
           throw new Error(`Invalid lobby ID format: ${this.lobbyId}`);
         }
         crazyGamesSDK.showInviteButton(this.lobbyId);
+
+        // Now that we have the id, build and copy the share link. If lobby
+        // creation fails, the catch below clears the clipboard.
+        const url = await this.constructUrl();
+        this.updateLobbyHistory(url);
+        await this.updateComplete;
+        void (this.querySelector("copy-button") as CopyButton)?.handleCopy();
       })
       .then(() => {
         this.dispatchEvent(
@@ -1149,21 +1146,20 @@ export class HostLobbyModal extends BaseModal {
   }
 }
 
-async function createLobby(gameID: string): Promise<GameInfo> {
+async function createLobby(): Promise<GameInfo> {
   // Send JWT token for creator identification - server extracts persistentID from it
   // persistentID should never be exposed to other clients
   const token = await getPlayToken();
   try {
-    const response = await fetch(
-      `/${ClientEnv.workerPath(gameID)}/api/create_game/${gameID}`,
-      {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${token}`,
-        },
+    // No worker prefix and no id: nginx (prod) / the vite dev proxy randomly
+    // routes to a worker, which mints a self-owned id and returns it.
+    const response = await fetch(`/api/create_game`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${token}`,
       },
-    );
+    });
 
     if (!response.ok) {
       const errorText = await response.text();

src/server/Master.ts

@@ -82,10 +82,6 @@ export async function startMaster() {
 
   lobbyService = new MasterLobbyService(playlist, log);
 
-  // Generate admin token for worker authentication
-  const ADMIN_TOKEN = crypto.randomBytes(16).toString("hex");
-  process.env.ADMIN_TOKEN = ADMIN_TOKEN;
-
   const INSTANCE_ID =
     ServerEnv.env() === GameEnv.Dev
       ? "DEV_ID"
@@ -98,7 +94,6 @@ export async function startMaster() {
   for (let i = 0; i < ServerEnv.numWorkers(); i++) {
     const worker = cluster.fork({
       WORKER_ID: i,
-      ADMIN_TOKEN,
       INSTANCE_ID,
     });
 
@@ -125,7 +120,6 @@ export async function startMaster() {
     // Restart the worker with the same ID
     const newWorker = cluster.fork({
       WORKER_ID: workerId,
-      ADMIN_TOKEN,
       INSTANCE_ID,
     });
 

src/server/ServerEnv.ts

@@ -156,16 +156,6 @@ export class ServerEnv {
   static apiKey(): string {
     return process.env.API_KEY ?? "";
   }
-  static adminHeader(): string {
-    return "x-admin-key";
-  }
-  static adminToken(): string {
-    const token = process.env.ADMIN_TOKEN;
-    if (!token) {
-      throw new Error("ADMIN_TOKEN not set");
-    }
-    return token;
-  }
   static allowedFlares(): string[] | undefined {
     const raw = process.env.ALLOWED_FLARES;
     if (!raw) return undefined;

src/server/Worker.ts

@@ -139,73 +139,60 @@ export async function startWorker() {
     next();
   });
 
-  app.post("/api/create_game/:id", async (req, res) => {
-    const id = req.params.id;
-
-    // Extract persistentID from Authorization header token
-    // Never accept persistentID directly from client
-    let creatorPersistentID: string | undefined;
+  // Create a new private game. The worker mints an id that belongs to itself
+  // and returns it, so callers don't need to know the sharding. nginx (and the
+  // vite dev proxy) randomly route here to spread new games across workers.
+  app.post("/api/create_game", async (req, res) => {
+    // Identify the creator from their token. Never accept persistentID directly.
     const authHeader = req.headers.authorization;
-    if (authHeader?.startsWith("Bearer ")) {
-      const token = authHeader.substring("Bearer ".length);
-      const result = await verifyClientToken(token);
-      if (result.type === "success") {
-        creatorPersistentID = result.persistentId;
-      } else {
-        log.warn(`Invalid creator token: ${result.message}`);
-        return res.status(401).json({ error: "Invalid creator token" });
-      }
-    } else if (
-      !req.headers[ServerEnv.adminHeader()] // Public games use admin token instead
-    ) {
+    if (!authHeader?.startsWith("Bearer ")) {
       return res
         .status(400)
         .json({ error: "Authorization header required to create a game" });
     }
-
-    if (!id) {
-      log.warn(`cannot create game, id not found`);
-      return res.status(400).json({ error: "Game ID is required" });
+    const auth = await verifyClientToken(
+      authHeader.substring("Bearer ".length),
+    );
+    if (auth.type !== "success") {
+      log.warn(`Invalid creator token: ${auth.message}`);
+      return res.status(401).json({ error: "Invalid creator token" });
     }
-    // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing
-    const clientIP = req.ip || req.socket.remoteAddress || "unknown";
-    const result = CreateGameInputSchema.safeParse(req.body);
-    if (!result.success) {
-      const error = z.prettifyError(result.error);
-      return res.status(400).json({ error });
+    const creatorPersistentID = auth.persistentId;
+
+    const parsed = CreateGameInputSchema.safeParse(req.body);
+    if (!parsed.success) {
+      return res.status(400).json({ error: z.prettifyError(parsed.error) });
+    }
+    const gc = parsed.data;
+    // Public games are scheduled by the master over IPC, never created here.
+    if (gc?.gameType === GameType.Public) {
+      return res
+        .status(400)
+        .json({ error: "Cannot create public games via this endpoint" });
     }
 
-    const gc = result.data;
-    if (
-      gc?.gameType === GameType.Public &&
-      req.headers[ServerEnv.adminHeader()] !== ServerEnv.adminToken()
-    ) {
-      log.warn(
-        `cannot create public game ${id}, ip ${ipAnonymize(clientIP)} incorrect admin token`,
-      );
-      return res.status(401).send("Unauthorized");
+    const id = generateGameIdForWorker();
+    if (id === null) {
+      log.warn(`Failed to mint game id on worker ${workerId}`);
+      return res.status(500).json({ error: "Could not allocate game id" });
     }
 
-    // Double-check this worker should host this game
-    const expectedWorkerId = ServerEnv.workerIndex(id);
-    if (expectedWorkerId !== workerId) {
-      log.warn(
-        `This game ${id} should be on worker ${expectedWorkerId}, but this is worker ${workerId}`,
-      );
-      return res.status(400).json({ error: "Worker, game id mismatch" });
-    }
-
-    // Pass creatorPersistentID to createGame
     const game = gm.createGame(id, gc, creatorPersistentID);
     if (game === null) {
       log.warn(`cannot create game, id ${id} already exists`);
       return res.status(409).json({ error: "Game ID already exists" });
     }
 
+    // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing
+    const clientIP = req.ip || req.socket.remoteAddress || "unknown";
     log.info(
-      `Worker ${workerId}: IP ${ipAnonymize(clientIP)} creating ${game.isPublic() ? GameType.Public : GameType.Private}${gc?.gameMode ? ` ${gc.gameMode}` : ""} game with id ${id}${creatorPersistentID ? `, creator: ${creatorPersistentID.substring(0, 8)}...` : ""}`,
+      `Worker ${workerId}: IP ${ipAnonymize(clientIP)} creating private${gc?.gameMode ? ` ${gc.gameMode}` : ""} game with id ${id}, creator: ${creatorPersistentID.substring(0, 8)}...`,
     );
-    res.json(game.gameInfo());
+    res.json({
+      ...game.gameInfo(),
+      workerIndex: workerId,
+      workerPath: ServerEnv.workerPath(id),
+    });
   });
 
   app.get("/api/game/:id/exists", async (req, res) => {