Back from the Backend - GK - Aug. 28th 2025

Hello, my name is Garrett. I am part of the Syntax Error Studios team, working to bring you Hypertrack.

This marks the conclusion of the prototype phase! We're so incredibly happy and proud of what we've accomplished these past three weeks. I'll continue providing weekly updates for Hypertrack as we progress further into production.

Now, you may be thinking, "What was my problem this week?" Well, this week I was focused on building the backend and client implementation for the Leaderboard system. The portion I'll be talking about today is its security. Unfortunately, due to it being backend code that should stay private, I can't share as many images as I would like, but I still have some to share at the end.

Problem: Securing and Restricting Access to the Leaderboard API

Building the leaderboard API in TypeScript with MongoDB wasn’t difficult on the data side. Storing player scores, sorting them, and returning results was fairly straightforward. The real challenge came from security. I needed to make sure the API was only usable by Hypertrack’s Unreal clients and not exposed to the outside world. Without proper protection, anyone could try to spoof requests, post fake scores, or scrape player data. On top of that, I wanted a lightweight but reliable authentication method that wouldn’t slow down development or add unnecessary complexity. (This is a portfolio project for college, mind you.)

The Solution: JWT Authentication and Unreal-Only Access

The fix was to implement JWT (JSON Web Token) authentication for all leaderboard requests. The Unreal client receives a valid token when connecting, and every API call must include this token to be processed. On the backend, each request is validated to ensure the token is authentic and hasn’t expired. Beyond that, I restricted access so only Unreal clients could communicate with the API, blocking outside connections and preventing misuse. Together, this system ensures that only legitimate game sessions can submit or retrieve leaderboard data, keeping the integrity of the scores intact while still being fast and efficient for the players.
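
The server-side check described above, written out as an added example (not Hypertrack's backend code): it filters on the User-Agent header, then verifies an HS256 token's signature, algorithm and expiry with Node's built-in crypto module. The HS256 choice, the secret, the `HypertrackClient/` prefix, the claim names and the function names are all assumptions made for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed values for this example; a real secret lives in server-side config.
const SECRET = "example-only-secret";
const AGENT_PREFIX = "HypertrackClient/"; // hypothetical User-Agent prefix

const enc = (obj: object): string => Buffer.from(JSON.stringify(obj)).toString("base64url");
const dec = (part: string) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
const mac = (input: string): Buffer => createHmac("sha256", SECRET).update(input).digest();

// Issue an HS256 token; exp is in seconds since the epoch.
function signToken(sub: string, exp: number): string {
  const signed = `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ sub, exp })}`;
  return `${signed}.${mac(signed).toString("base64url")}`;
}

interface Verdict { ok: boolean; sub?: string; reason?: string }

// Gate one request: User-Agent filter, then signature, pinned algorithm, expiry.
function checkRequest(userAgent: string | undefined, auth: string | undefined, now: number): Verdict {
  // The header is client-supplied, so this is a coarse filter; the token is the real check.
  if (!userAgent || !userAgent.startsWith(AGENT_PREFIX)) return { ok: false, reason: "user-agent" };
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(auth ?? "");
  if (!m) return { ok: false, reason: "malformed" };
  const [, head, body, sig] = m;
  // Constant-time comparison; timingSafeEqual throws on unequal lengths, so check first.
  const expected = mac(`${head}.${body}`);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "signature" };
  }
  try {
    // Parse only after the signature verified; never let the header choose the algorithm.
    if (dec(head).alg !== "HS256") return { ok: false, reason: "algorithm" };
    const claims = dec(body);
    if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "expired" };
    if (typeof claims.sub !== "string") return { ok: false, reason: "claims" };
    return { ok: true, sub: claims.sub };
  } catch {
    return { ok: false, reason: "malformed" };
  }
}
```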

User Agent Validation:

Submit Score client code to show part of the auth:
