The seat token is the authority

2026-05-08

The first live-room reconnect path in Bichess had the right user goal and the wrong authority model.

Bichess is a Fog of War chess site, which makes reconnect behavior more sensitive than a normal chess board. A reconnecting player should recover their seat and their private view. A spectator should not be able to copy some browser-visible identifier and inherit that private view. The hidden-information contract applies during reconnect, not only during moves.

The tempting shortcut was clientId. It already represented a browser session, and it was useful for continuity. But it was not a secret. It could appear in local storage, logs, URLs, or copied tabs. Letting it reclaim White or Black would make display identity double as authority.

The fix split the jobs. clientId remains a browser/session label. A room-scoped seatToken is now the authority to act as White or Black. The server issues it only to a seated client, stores only the hash, accepts it back through the WebSocket subprotocol, and uses a valid token to reclaim the seat while displacing the older socket. The token is not sent in snapshots, replay APIs, or spectator payloads.

The tests describe the contract better than the implementation diff does: seated clients receive tokens only in the hello payload; a valid token reclaims a seat; a copied client id without a token cannot reclaim a private PvP seat; a wrong token cannot reclaim either. Separate privacy smokes also cover PvE redaction so the human side receives the human perspective, not the engine’s truth.

That turned reconnect from a convenience feature into an authorization boundary. The UI still says “Trying to restore your room state and seat,” but the server is asking a narrower question: does this socket possess the room-scoped credential for this color?

Identifiers that make screens stable are not automatically identifiers that grant power. When a reconnect path restores privileged state, the credential has to be scoped to the privilege, not borrowed from the label that made the session easy to recognize.