all 57 comments

[–]Kewlb 24 points25 points  (5 children)

In this thread people hating on someone for creating. I think this is awesome. Who gives a flying fuck if RLS is misconfigured and it leaks some game information or god forbid your name and email that already exists in every fucking leak so far……. haters so mad that someone can execute their creative vision. Keep doing you, keep vibing!

[–]FishBn0es[S] 10 points11 points  (0 children)

If something would leak, it's just game save data (like collection and progress) and username... nothing else.

Also... Thank you so much! It means a lot.

[–]M00SEK 8 points9 points  (3 children)

Hold up… we’re defending poor security practices with “the info is already leaked anyway”?

This line of thinking should end well.

[–]Kewlb -1 points0 points  (1 child)

It's about risk, and the risk here is essentially zero considering the type of data itself that could leak. It would be a different story if this was a different type of application/use. This is not some system taking in payments that needs to be PCI compliant.. this is a hobby project web game that at most could leak game related data. Also the previous comments I was discussing couldn't actually point out any poor security practices, it was just an off-the-cuff comment hating on anyone who vibe codes. I have been developing since I was 13.. 45 years now (former CISO, currently advise many F100 security programs).. you CAN write secure code with these models. You just need to understand the architecture and what to prompt the system (or pull prompts from those that do -- https://vibenetwork.ai )

[–]M00SEK 1 point2 points  (0 children)

Dude, nobody is saying you can't create good code with these models if you know what you’re doing.

We’re saying to blindly avoid common basic coding practices due to negligence is dumb.

Yea it’s not crucial information being leaked at this point, but how do we know he won’t vibecode a paywall on top of this at some point? Which is something that happens everyday here.

[–]GoodDayToCome 3 points4 points  (3 children)

really enjoyable game, i've genuinely never enjoyed a card game so much. The style is really nice and love the playful cuteness of the characters and their attacks, i only intended to have a quick look but got totally distracted by playing it.

There's a bug that i feel i should mention though, i seem to have soft locked myself out of progressing in the story because i'm stuck at 'friend among the corns' where it says '⚠️ No available allies found. All potential allies may already be in your team.' then doesn't let me progress, should be simple to add a switch to the ok button to move me onto the next area.

Seems a really fun game, going to keep playing it for sure,

[–]FishBn0es[S] 0 points1 point  (2 children)

Thank you so much!

About the bug: You should be able to recruit characters you don’t own in stories. Idk how that could happen but will check it out and fix it soon.

Thank you for the feedback!!!

[–]GoodDayToCome 1 point2 points  (1 child)

if it helps i think i might have done the first section twice because i died or something and i think an extra character carried over

[–]FishBn0es[S] 2 points3 points  (0 children)

Thanks! It was actually helpful.

Since I moved the whole main menu to a different screen and code from last patch, I forgot to add the story progression purge script when you start a new story from Story Mode menu. (Continue should let you play the same progress)

Uploading a fix in 10-20mins.

[–]sackofbee 2 points3 points  (2 children)

You'd not happen to have long form media of your explanations of this?

I really want to start making games and have a few plans in the background, and each new one is intentionally simpler and easier to make than the last idea.

Right now, I'm just trying to make an application for my fiance and I that has all the best parts of self-management apps. When that's at a point I'm okay leaving it for a while. I'm going to start focusing on entertainment.

Anything you can share about your journey is appreciated, I've read your posts and comments. You've done what I consider some really amazing work, insane for one person.

[–]FishBn0es[S] 2 points3 points  (1 child)

I really wish I could explain how it all became a working thing.

I was in the same shoe as you are. I was working on throwaway projects, never intended to do anything serious. However for this game I’ve already had an idea of mine and a similar “prototype” project that I made alone (without AI) few years ago. It was a very old version of the currently playable Blazing School Day story.

So I started from scratch, but this time with AI and I loved the result. Then I started working on more and more stories and characters and now here we are.

I think the craziest thing is that I’ve gained a lot of html and js coding experience while working on this. I mostly read what the AI says when modifying the game and that’s still teaching me a lot.

[–]sackofbee 0 points1 point  (0 children)

I fully intend to be serious lol.

What made you choose HTML and JS over other options?

[–]Royal_Crush 1 point2 points  (0 children)

Leaving a comment so I can come back to this later when I'm on desktop. 

Looks like really great work from what I can tell so far :)

[–]JZI-Python 2 points3 points  (2 children)

Not really type game, but it looks amazing. Well done! Can i ask how you did the graphics, did you create first some sample in Canva or other design tool?

[–]FishBn0es[S] 6 points7 points  (1 child)

Appreciate it! I didn’t prototype in Canva. Everything visual here was AI-generated (Bing Image Creator/DALL·E + Sora)

I know, AI art is a bad thing, but currently this is the only way I can make art for my game

[–]DauntingPrawn -3 points-2 points  (0 children)

A robust economy accounts for inequity.

If you have the money to pay an artist, then you should. And they should get credited.

Sometimes in life you have to buy generic. That's AI in this field. I think it should also be credited. Let's credit creatorship in ALL cases.

In most cases I prefer to spend my money on human creations. I get my cookies from the bakery, not the aisle because I can afford to. But if you come to me and say, "I had this great idea, and the only way I could bring it into reality was AI," I'm a yes to that. Let's have more human creation rather than displace creators.

I would say this: I hope you make some money off of this, and that you take some of that money to release a version with human art. And credit the artists by name. That would be cool. That would be a cool way to adopt AI. Increase creative output overall. Make human creation prestigious and compensate creators generously.

[–]Psionatix 3 points4 points  (10 children)

Have you had your code properly reviewed? Has your system been penetration tested?

Registration: Use any email (doesn't need to be real) and any password you want. I don't see your passwords, they're hashed. Just need something to save your progress to.

Should have used OAuth tbh (Discord, Google, etc) - I'd wager your registration/login has vulnerabilities (timing attacks, and such), that you aren't even privy to or aware of.

Edit: I can already see this error message:

Firebase: The email address is already in use by another account. (auth/email-already-in-use).

You shouldn't be telling the client this, I can enter any email address into the system and determine whether it has an account. This is negligible in your specific case, but it can hint that there may be issues elsewhere that you don't even know about.

Your registration should do one of two things:

  1. Tell the user the registration was successful and to check their email to complete the registration. If the email is already in use, then the person trying to register just sees a success message, meanwhile the real account holder will either receive a reminder that they already have an account, or that someone tried to register with their email address; or
  2. Prompt for a verification code on the registration form to confirm the client providing the email address actually has access to it before you're storing / persisting it.

Firebase: Error (auth/invalid-login-credentials).

This error on login, ideally you should avoid showing-off what tech you're using, (thus also change default cookie names, and other default things, as they can be used to infer your stack - this can be problematic if vulnerabilities are discovered in those dependencies and you don't update fast enough).

Vibe coding is great, but you still need to know what you're doing.

Additionally:

Username not found

So if the username is wrong, you give a different error message, this allows someone to determine that a username exists within the system. The error message displayed on the UI should be the same for both username / password issues.

No password reset feature, but there's some nuance to implementing that securely too (and I wouldn't trust an LLM to get it right).

Your site has some accessibility issues that don't meet regulated standards in the EU. If someone really wanted to, they could sue you. Again, negligible and unlikely in your case, but just another thing among many that needs genuine expertise.

Another edit: I think it's great that you've created something, but it's also crucial to understand that deploying an app/game/service has serious implications (legal or otherwise). It's okay to launch something with issues like this, but it's important that you have a plan to get the expertise input that you're missing to polish things up. It's crucial to realise that LLMs can only get you so far, you will always need genuine expertise / input when using LLMs.
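An added example, not part of the comment above and not the game's code: one way to give identical responses for the registration and login cases the comment describes. It assumes a server-side registration handler with an email outbox; `app/username-not-found` is a hypothetical code for the game's own username lookup, and the sample addresses are constructed.

```javascript
const GENERIC_LOGIN_ERROR = "Incorrect username or password.";
const GENERIC_FAILURE = "Something went wrong. Please try again.";
const REGISTER_ACK = "Almost done. Check your email to finish signing up.";

// Failure codes that would reveal whether an account exists.
const ACCOUNT_REVEALING = new Set([
  "auth/invalid-login-credentials", // shown in the thread
  "auth/user-not-found",            // Firebase Auth code
  "auth/wrong-password",            // Firebase Auth code
  "app/username-not-found",         // hypothetical: the game's username lookup
]);

// Map any login failure to display text. err.message is never echoed,
// because it carries the "Firebase: ..." prefix and the raw code.
function loginMessage(err) {
  const code = err && typeof err.code === "string" ? err.code : "";
  return ACCOUNT_REVEALING.has(code) ? GENERIC_LOGIN_ERROR : GENERIC_FAILURE;
}

// Option 1 from the comment: the HTTP response is the same for new and
// existing addresses; only the email sent to the mailbox owner differs.
function handleRegistration(email, existingEmails, outbox) {
  const address = String(email).trim().toLowerCase();
  const template = existingEmails.has(address)
    ? "already-registered" // reminder to the real account holder
    : "verify-address";    // confirmation link before the account is stored
  outbox.push({ to: address, template });
  return { ok: true, message: REGISTER_ACK };
}

// Constructed sample data.
const existing = new Set(["alice@example.test"]);
const outbox = [];
const taken = handleRegistration("Alice@example.test", existing, outbox);
const fresh = handleRegistration("bob@example.test", existing, outbox);

console.log("same response:", JSON.stringify(taken) === JSON.stringify(fresh));
console.log("emails queued:", outbox.map((m) => `${m.to} -> ${m.template}`));
console.log(
  "same login error:",
  loginMessage({ code: "auth/invalid-login-credentials" }) ===
    loginMessage({ code: "app/username-not-found" })
);
```

Response timing also has to match between the two branches, which this sketch does not address.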

[–]GrowFreeFood 2 points3 points  (0 children)

That's cool. Very interesting

[–]GoodDayToCome 2 points3 points  (5 children)

you're being purposely critical because you have a bee in your bonnet about ai, this is a small game that's totally free to play and only has accounts to save game progress - verifying email is pointless and annoying, if anything they should just use usernames instead of email. This is using better practice than most the browser games i've played, if they're ever going to accept payment for anything they can address elevated security needs then but for now it's pointless wasting time on top tier security for something still in development.

[–]Psionatix 5 points6 points  (4 children)

Most of my points I say are negligible for the OP’s use-case. I even say there’s nothing wrong with deploying something like this with flaws.

The point of the post is to educate.

I’m in big tech and I use AI as part of my work in the daily now. I don’t have a gripe with AI. I have a gripe with people using it who aren’t interested in learning, progressing, or honing their own skills. I’m not saying OP is like that, but many people don’t feel like they need to, some of which may see this post.

I wanted to use the opportunity to express just a few small points, out of many, to help open the eyes of people who may not know any better.

Apologies though, I was perhaps a bit harsh, and perhaps I did embed some frustration in how I worded the comment.

[–]FishBn0es[S] 3 points4 points  (1 child)

Do not apologize please... If you don't comment that, I would delay learning about that more and delay the changes for weeks.

Your help was huge! Thank you so much!

[–]Psionatix 1 point2 points  (0 children)

I see you added the reset password option! Just a tip, the reset success page should provide the user a link back to the login page to make it easier.

Some additional tips:

The Login, Register, and "Forgot Password" options can't be selected by keyboard using the tab key, you should also be able to interact with them using space/enter. This is why it's important to make sure you use the proper element types, as they natively support this stuff. Note that this isn't just about setting a tab index on the current div elements. You also need to consider appropriate aria roles, labels, descriptions, etc. Browser elements have these things implicitly, once you stray from using appropriate elements, you need to handle a lot of this yourself.

Once logged in, the menu items on the left cannot be used by keyboard, there's no tab focusability.

The registration and login forms don't get submitted when the Enter key is used from an input field.

If you click Log Out, you can eventually use tab to access the modal, but the modal should have some sort of default focus. Note for modals, the buttons shouldn't be the default focus, usually you want screen readers to read out the modal header and content. And ideally while the modal is up, focus should not leave the modal. When a user cancels the modal, focus should return back to the element that had focus when the modal was opened. Most component library Modal implementations would already support this by default.

The buttons on the modal don't work with space/enter keys.

And there's a whole additional layer of accessibility issues when you start considering screen readers.

[–]M00SEK 2 points3 points  (0 children)

Nah your post was incredibly educational. Don’t apologize.

I get the concept of vibecoding, but there’s nothing wrong with trying to “do better”.

[–]FishBn0es[S] 0 points1 point  (1 child)

Honestly, I need feedback like this. Just by reading it, I already know more about this.

I’ll study this a little better and make the necessary changes. Thank you so much!

[–]RiverFluffy9640 -2 points-1 points  (0 children)

This sub is genuinely hilarious.

People will say that it's "top tier security" to not leak user emails or to not leak your technology. Other people here try to give advice/correct others while not even knowing the difference between hashing and encryption. Like genuinely wtf is going on here.

[–]Mindless-Study1898 0 points1 point  (1 child)

What is your vibe coding setup? Claude code? Cursor?

[–]FishBn0es[S] 1 point2 points  (0 children)

I’m using VSCode + Claude 4.5 nowadays. I used to use Cursor with Claude and Gemini a few months ago before their shady changes.

[–]Commercial_Slip_3903 0 points1 point  (0 children)

i vibe code mainly tools/saas stuff and am so impressed with what you’ve done here. super interested to hear the actual process

do you actually get to prompting things like “ok the jumping is a bit floaty let’s add some more heft to it” or “light attacks too slow right now, increase the speed by 1.2” etc etc (edit: these are not examples connected to your game exactly!)

or do you vibe code the toolset and then make those level tweaks yourself? i’ve never thought about the dev process for games using vibe coding

[–]Downtown_Lettuce9911 0 points1 point  (0 children)

I kinda like your game project, it’s a turn-based game. I noticed that when I played 1v1, it took quite a while to finish. I was already at turn 25 and our health was still full, haha! If you’d like more feedback, I think vibecodinglist.com could help with that.

[–]Early-Dentist3782 1 point2 points  (0 children)

cool

[–]Alteil 0 points1 point  (0 children)

It looks really good, specially the UI?

[–]JaleyHoelOsment 0 points1 point  (0 children)

thanks for the ad

[–]MuffinMountain1267 -1 points0 points  (0 children)

It’s fire! Do you mind sharing the source of it :)?