Authoritatively kicking users

Hi, I’m just checking to make sure Normcore allows us to kick a user from a room even if they have a hacked/uncooperative client. Ideally we’d assign moderation authority to a player - the in-game ‘host’ or creator of the room should have this by default.

Ideally some code somewhere, whether that’s the moderator player or a private authoritative server, would have access to a list of connections and be able to drop/refuse them. But I don’t see that in the documentation.

If we’re talking about a workaround, the main issue is that a kicked player shouldn’t be perceived by the other players or affect the world in any way, but it’s also good if they’re not able to get any data from the room - for example they shouldn’t be able to hear an in-game voice chat session. Any suggestions?

Normcore doesn’t have a permissions / host system built for you, but the datastore APIs will allow you to build this yourself. You can create a custom RealtimeComponent in the scene that is owned by the host and you can have other clients follow along with changes to that component in order to signal that a client has been kicked and should disconnect from the room.


But doesn’t this assume we control the client code? If I understand it correctly, a hacked client could just ignore the request to kick itself - right?

That’s correct, but in theory, a hacked client could also claim to be the host as the servers have no way to authenticate any of the clients. It’s worth mentioning that Normcore Private does support Webhooks that can talk to your backend service to determine if clients are allowed to be in a room, but this is not a feature that’s possible to use on the public infrastructure.


Ok, Normcore Private is an answer to this question.

About a client claiming to be a host - isn’t ownership in Normcore first come first serve? So if the real host takes ownership of the host model when the room first starts, even a hacked client shouldn’t be able to claim to be the host later on, right?

That’s correct. You can use the preventOwnershipTakeover setting to prevent other clients from stealing ownership.
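The trust boundary discussed in this thread, as an added example that is not part of the original posts and is not Normcore code: a toy Python model comparing a kick signalled through a host-owned component with a server-side join check of the kind the Normcore Private webhooks are described as enabling. Every class, method and field name is hypothetical, and the join check assumes your backend can identify the connecting client.

```python
# Toy model of the thread's trust boundary. NOT Normcore's API: all names are hypothetical.
class Room:
    def __init__(self, admission_check=None):
        self.clients, self.kicked = {}, set()
        self.owner, self.locked = None, False
        self.admission_check = admission_check   # server-side join hook (assumed shape)

    def connect(self, client):
        if self.admission_check and not self.admission_check(client.cid):
            return False                         # refused before joining the room
        self.clients[client.cid] = client
        return True

    def request_ownership(self, cid, prevent_takeover=False):
        if self.owner is None:                   # first come, first served
            self.owner, self.locked = cid, prevent_takeover
        elif not self.locked:                    # takeover allowed unless locked
            self.owner = cid
        return self.owner == cid

    def kick(self, sender, target):
        if sender != self.owner:                 # only the owner can write the kick list
            return False
        self.kicked.add(target)
        for c in list(self.clients.values()):    # the change reaches every client
            c.on_kick_list_changed(self)
        return True

class Client:
    def __init__(self, cid):
        self.cid = cid
    def on_kick_list_changed(self, room):        # cooperative: disconnects itself
        if self.cid in room.kicked:
            room.clients.pop(self.cid, None)

class ModifiedClient(Client):
    def on_kick_list_changed(self, room):        # ignores the kick signal
        pass

def run_scenario(server_enforced):
    banned = set()                               # ban list held by your backend
    room = Room((lambda cid: cid not in banned) if server_enforced else None)
    host, player, modified = Client(1), Client(2), ModifiedClient(3)
    for c in (host, player, modified):
        room.connect(c)
    room.request_ownership(host.cid, prevent_takeover=True)
    takeover = room.request_ownership(modified.cid)
    room.kick(host.cid, player.cid)
    room.kick(host.cid, modified.cid)
    banned |= room.kicked
    still_present = modified.cid in room.clients
    room.clients.pop(modified.cid, None)         # connection drops for any reason
    return takeover, still_present, room.connect(modified)
```

`run_scenario` returns `(takeover_succeeded, still_present_after_kick, rejoin_allowed)`. In both modes the ownership lock holds and the modified client stays in the room after the kick signal; only the server-side check refuses its next join.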