Understand Authority

What about Authority?

Authoritative Server design is standard today, and any weakness in your code can easily be exploited by an interested individual. Rather effective hacking can be performed by any script kiddie with tools downloaded from the internet. With this in mind, it is critical that clients have extremely limited ability to actually change anything on the server, and that the server always operates on its own data as the final authority on all matters.

If you're building on the Host concept, where one Client also operates as the Server, then that Host's side may as well be considered compromised: the hosting player has direct access to the authoritative data. You can of course make an effort to detect mismatches in client runtime and try to deny connections between mismatched clients, but Vault does not solve that problem for you.

With these problems in view, what does Vault do?

Vault assumes the Clients are peasant criminals.

Here the Clients never say "Hey, I picked up this Item, ok thanks". Instead they say "I would like to perform an operation between these two slots in these two inventories", and then the Server does the actual work: checking whether this peasant Client even has the authority to request the change, checking what content is there, what actions should be taken, what values result, which slots change and who should receive updates on that data. Only then does the Server execute the change and update clients where necessary. If the request is invalid, the Server might do something that makes sense, or do nothing at all. Thus any client-side exploitation results in nothing, and there is no built-in function through which a client could suggest that it be given an absurd result.

Advanced packet manipulation is the only exploit I am currently aware of that could succeed in giving a user unexpected results.

Clients cannot suggest the results

In general, clients can only request basic actions; those actions are checked for validity on the server, then executed, and finally clients are updated where appropriate. In the demo example, notice how the Advanced Chest is handled. The Server handles everything of importance: the trigger check, assigning authority over the chest, and so on. The Client just moves around the world and drags UI items around, which triggers requests for action on the Server.
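To make the request/validate/execute flow from the two passages above concrete, here is an added, self-contained model of a server-authoritative inventory move. It is illustrative code written for this page, not Vault's own API: the `MoveRequest`, `AuthoritativeServer`, `MAX_STACK` and the inventory names are all assumptions. The request type carries only slot references and a count, never a resulting value; authority over the chest is granted by server-side code (standing in for the trigger check) and never by the client; and every rejected request leaves the data untouched.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_STACK = 64  # assumed stack limit for this example; not a Vault setting


@dataclass
class Stack:
    item: str
    count: int


@dataclass
class Inventory:
    name: str
    size: int
    slots: List[Optional[Stack]] = field(init=False)

    def __post_init__(self) -> None:
        self.slots = [None] * self.size


@dataclass(frozen=True)
class MoveRequest:
    """All a client may send: which two slots to operate on and how many items.
    There is deliberately no field for the resulting contents or counts."""
    client_id: str
    src_inv: str
    src_slot: int
    dst_inv: str
    dst_slot: int
    count: int


class AuthoritativeServer:
    def __init__(self) -> None:
        self.inventories: Dict[str, Inventory] = {}
        # client -> inventories it may currently operate on. Only server-side
        # code (spawn, a chest trigger evaluated on the server) adds entries.
        self.authority: Dict[str, Set[str]] = {}

    def add_inventory(self, inv: Inventory) -> None:
        self.inventories[inv.name] = inv

    def grant_authority(self, client_id: str, inv_name: str) -> None:
        self.authority.setdefault(client_id, set()).add(inv_name)

    def revoke_authority(self, client_id: str, inv_name: str) -> None:
        self.authority.get(client_id, set()).discard(inv_name)

    def _clients_watching(self, *inv_names: str) -> List[str]:
        """Everyone holding authority over an affected inventory gets the update."""
        return sorted(c for c, invs in self.authority.items() if invs & set(inv_names))

    def handle_move(self, req: MoveRequest) -> Tuple[bool, str, List[str]]:
        """Validate, then execute against server-owned data only.
        Returns (accepted, reason, clients_to_update); on rejection nothing changes."""
        src = self.inventories.get(req.src_inv)
        dst = self.inventories.get(req.dst_inv)
        if src is None or dst is None:
            return False, "unknown inventory", []
        allowed = self.authority.get(req.client_id, set())
        if req.src_inv not in allowed or req.dst_inv not in allowed:
            return False, "no authority over inventory", []
        if not (0 <= req.src_slot < src.size and 0 <= req.dst_slot < dst.size):
            return False, "slot out of range", []
        if req.count <= 0:
            return False, "count must be positive", []
        if req.src_inv == req.dst_inv and req.src_slot == req.dst_slot:
            return False, "source and destination are the same slot", []
        moving = src.slots[req.src_slot]
        if moving is None or moving.count < req.count:
            return False, "source slot lacks the requested items", []
        target = dst.slots[req.dst_slot]
        watchers = self._clients_watching(req.src_inv, req.dst_inv)

        if target is not None and target.item != moving.item:
            # Different items: only a whole-stack swap makes sense.
            if req.count != moving.count:
                return False, "partial swap of different items is not allowed", []
            src.slots[req.src_slot], dst.slots[req.dst_slot] = target, moving
            return True, "swapped", watchers
        if target is None:
            moved = req.count
            dst.slots[req.dst_slot] = Stack(moving.item, moved)
            reason = "moved"
        else:
            # Same item: merge only what fits; the server decides the total.
            room = MAX_STACK - target.count
            if room <= 0:
                return False, "destination stack is full", []
            moved = min(req.count, room)
            target.count += moved
            reason = f"merged {moved}"
        moving.count -= moved
        if moving.count == 0:
            src.slots[req.src_slot] = None
        return True, reason, watchers


def demo() -> Dict[str, object]:
    """Constructed scenario: a player bag and an Advanced Chest, one honest and one forged client."""
    server = AuthoritativeServer()
    bag, chest = Inventory("alice_bag", 4), Inventory("advanced_chest", 4)
    bag.slots[1] = Stack("arrow", 50)
    chest.slots[0] = Stack("arrow", 40)
    server.add_inventory(bag)
    server.add_inventory(chest)
    server.grant_authority("alice", "alice_bag")  # players own their own bag
    # 1. Alice asks for the chest before the server's trigger has granted it.
    early = server.handle_move(MoveRequest("alice", "advanced_chest", 0, "alice_bag", 0, 40))
    # 2. The server-side trigger fires; the identical request is now valid.
    server.grant_authority("alice", "advanced_chest")
    pull = server.handle_move(MoveRequest("alice", "advanced_chest", 0, "alice_bag", 0, 40))
    # 3. Mallory forges a request naming Alice's bag.
    forged = server.handle_move(MoveRequest("mallory", "alice_bag", 0, "alice_bag", 2, 40))
    # 4. Alice merges onto a near-full stack; only what fits is moved.
    merge = server.handle_move(MoveRequest("alice", "alice_bag", 0, "alice_bag", 1, 40))
    snapshot = lambda inv: [(s.item, s.count) if s else None for s in inv.slots]
    return {"early_rejected": not early[0], "pull": pull, "forged_rejected": not forged[0],
            "merge": merge, "bag": snapshot(bag), "chest": snapshot(chest)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The shape worth copying is that `handle_move` returns early, with no state change, on every failed check, and that the only way a client's authority set grows is through `grant_authority`, which a real server would call from its own trigger logic rather than from anything a client sends.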
