Evan 0a44f4d3db feat(crazygames): backend login + surface the signed-in user (#4542)
Client-side CrazyGames login: exchange the SDK user token for our
session, then surface that identity in the UI. Implements the client
side of the [CrazyGames login handoff
guide](https://docs.crazygames.com/sdk/user/).

On CrazyGames we exchange the SDK's user token for our own session via
`POST /auth/crazygames`, instead of the cookie-based `/auth/refresh`
(the refresh cookie is `SameSite=Lax` and unusable from the CrazyGames
iframe).

- **`CrazyGamesSDK.ts`** — `getUserToken()` wrapper (awaits `ready()`,
gates on `isUserAccountAvailable`, returns `null` on throw / no
signed-in user).
- **`Auth.ts`** — `doRefreshJwt()` routes to `doCrazyGamesLogin()` when
on CrazyGames with a signed-in account; a `null` token (guest / no
account) falls through to the existing `/auth/refresh` flow.
`reauthAfterCrazyGamesChange()` drops the cached session on a
mid-session sign-in.
- **`Main.ts`** — `addAuthListener` re-runs auth + `getUserMe()` when
the player signs into CrazyGames mid-session.

Everything funnels through the existing `userAuth()` → `refreshJwt()`
path, so **startup login and the 15-min re-exchange on expiry come for
free** — no new expiry/polling code.

- **Account button** shows the CrazyGames avatar + username when signed
in (clicking opens the account modal), or a **"Sign in"** that opens
CrazyGames' own `showAuthPrompt()` when a guest. Wired across every
entry point: the desktop nav pill, the mobile hamburger item (un-hidden
on CrazyGames by dropping `.no-crazygames`), and — since CrazyGames
renders below the `lg` breakpoint where the desktop nav is hidden — a
new button in the **homepage top bar's** right slot.
- **AccountModal** treats the CrazyGames user as logged-in: "Connected
as" avatar + username, currency/subscription, and stats/games/friends.
**No Discord/Google/email login+link buttons and no logout** (CrazyGames
owns the account). A guest who reaches the modal gets a CrazyGames
sign-in button, never Discord/Google.
- **`CrazyGamesSDK.ts`** — `getUserProfile()` + `showAuthPrompt()`
wrappers; `profilePictureUrl` added to the user type.

Identity comes from the SDK (`getUser()`), not `/users/@me`, which
doesn't surface CrazyGames identity yet.

- **Signed-in CrazyGames account** → real backend session; avatar +
username in the top bar; CrazyGames-only account modal.
- **CrazyGames guest / not signed in** → silent fallback to guest; "Sign
in" button opens `showAuthPrompt()`; auto-logged-in the moment they sign
in (via `addAuthListener`).
- **Not on CrazyGames** → completely unchanged.

- `npx tsc --noEmit` — clean
- `npx eslint` on changed files — clean
- No new i18n keys (reuses `main.sign_in`, `account_modal.*`).
- No unit tests: this repo tests core sim only, and CrazyGames only
initializes inside a crazygames.com iframe, so the CG paths can't run
locally (the localhost SDK mock returns unsigned tokens the backend
rejects). **Needs a manual pass on the CrazyGames game page (gameId
`64178`)** covering: signed-in avatar/username + account modal, guest
"Sign in" → prompt, and mid-session sign-in.

1. The `/auth/crazygames` JWT carries the same `iss` (`getApiBase()`)
and `aud` (`getAudience()`) as normal openfront.io tokens and satisfies
`TokenPayloadSchema` (incl. base64url `sub`) — otherwise `userAuth()`
will `logOut()`.
2. CrazyGames iframes our own origin (so `getApiBase()` →
`https://api.openfront.io`), consistent with the existing integration.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-09 09:53:32 -07:00

OpenFrontIO Logo

OpenFront.io is an online real-time strategy game focused on territorial control and alliance building. Players compete to expand their territory, build structures, and form strategic alliances in various maps based on real-world geography.

This is a fork/rewrite of WarFront.io. Credit to https://github.com/WarFrontIO.

CI Crowdin CLA assistant License: AGPL v3 Assets: CC BY-SA 4.0

License

OpenFront source code is licensed under the GNU Affero General Public License v3.0

Current copyright notices appear in:

  • Footer: "© OpenFront and Contributors"
  • Loading screen: "© OpenFront and Contributors"

Modified versions must preserve these notices in reasonably visible locations.

See the LICENSE for complete requirements.

For asset licensing, see LICENSE-ASSETS.
For license history, see LICENSING.md.

🌟 Features

  • Real-time Strategy Gameplay: Expand your territory and engage in strategic battles
  • Alliance System: Form alliances with other players for mutual defense
  • Multiple Maps: Play across various geographical regions including Europe, Asia, Africa, and more
  • Resource Management: Balance your expansion with defensive capabilities
  • Cross-platform: Play in any modern web browser

📋 Prerequisites

  • npm (v10.9.2 or higher)
  • A modern web browser (Chrome, Firefox, Edge, etc.)

🚀 Installation

  1. Clone the repository

    git clone https://github.com/openfrontio/OpenFrontIO.git
    cd OpenFrontIO
    
  2. Install dependencies

    npm run inst
    

    Do NOT use npm install nor npm i but instead use our npm run inst. It runs the safer npm ci --ignore-scripts to install dependencies exactly according to the versions in package-lock.json and doesn't run scripts. This can prevent being hit by a supply chain attack.

🎮 Running the Game

Development Mode

Run both the client and server in development mode with live reloading:

npm run dev

This will:

  • Start the webpack dev server for the client
  • Launch the game server with development settings
  • Open the game in your default browser (to disable this behavior, set SKIP_BROWSER_OPEN=true in your environment)

Client Only

To run just the client with hot reloading:

npm run start:client

Server Only

To run just the server with development settings:

npm run start:server-dev

Connecting to staging or production backends

Sometimes it's useful to connect to production servers when replaying a game, testing user profiles, purchases, or login flow.

To replay a production game, make sure you're on the same commit that the game you want to replay was executed on, you can find the gitCommit value via https://api.openfront.io/game/[gameId]. Unfinished games cannot be replayed on localhost.

To connect to staging api servers:

npm run dev:staging

To connect to production api servers:

npm run dev:prod

🛠️ Development Tools

  • Format code:

    npm run format
    
  • Lint code:

    npm run lint
    
  • Lint and fix code:

    npm run lint:fix
    
  • Testing

    npm test
    

🏗️ Project Structure

  • /src/client - Frontend game client
  • /src/core - Deterministic game simulation
  • /src/server - Backend game server
  • /resources - Static assets (images, maps, etc.)

🤝 Contributing

Contributions and translations are welcome! See CONTRIBUTING.md for the workflow, the approved-issue process, project governance, and translation info.

S
Description
Languages
TypeScript 91.4%
GLSL 2.5%
JavaScript 2%
HTML 1.5%
Go 1%
Other 1.5%