Skip to content

feat(avatars): persist player avatars beyond room sleep + website ava…#51

Merged
lallaria merged 1 commit into
mainfrom
feat/persistent-avatars
Jun 17, 2026
Merged

feat(avatars): persist player avatars beyond room sleep + website ava…#51
lallaria merged 1 commit into
mainfrom
feat/persistent-avatars

Conversation

@lallaria

Copy link
Copy Markdown
Contributor

…tars

Avatars previously lived only on live client connections (profile_data over the socket) and were never rendered on the web, so they went useless once a room slept. This makes the avatar a durable, web-session-linked attribute that survives until the room is pruned, settable from the website, and able to flow into the desktop client. Four logical parts:

  1. Website avatar (per web session): new SessionAvatar table + cookie-authed /me/avatar upload/remove, reusing the avatar.py pipeline via a per-session AvatarToken (no schema change to the existing avatar tables). Nav avatar wired through a context processor.

  2. Tracker rendering: new SlotAvatar table + per-slot resolution (explicit web-set > client-set profile_data, honored only when HTTPS on the trusted-host allowlist > the slot's lobby player's session avatar). /api/tracker gains player_avatars; the multitracker and per-player tracker render avatars; a rate-limited, non-exclusive "set avatar" control lives on the per-player tracker. This is what makes avatars visible on the web and persist through sleep.

  3. Live-server bridge: customserver seeds profile_data from web-set SlotAvatars at boot (denormalized avatar_url, best-effort) so connected desktop clients render them too.

  4. mwgg:// deep-link: MultiWorld.py now accepts the protocol URL (the flags-only parser previously rejected it) and persists last_server_hostname/port/username + the gated avatar before the GUI starts, so the launcher opens pre-filled with the room and the player's website avatar. macros.html carries &avatar=; CommonClient gains parse_connect_url and safe_avatar_source.

Web and client render both honor the same trusted-host allowlist (multiworld.gg, mw.prismativerse.com), mirroring mwgg_gui.safe_avatar_source.

Tests: test/webhost/test_session_avatar.py, test_slot_avatar.py, test/general/test_connect_url.py; full webhost suite green.

Please format your title with what portion of the project this pull request is
targeting and what it's changing.

…tars

Avatars previously lived only on live client connections (profile_data over the
socket) and were never rendered on the web, so they went useless once a room
slept. This makes the avatar a durable, web-session-linked attribute that
survives until the room is pruned, settable from the website, and able to flow
into the desktop client. Four logical parts:

1. Website avatar (per web session): new SessionAvatar table + cookie-authed
   /me/avatar upload/remove, reusing the avatar.py pipeline via a per-session
   AvatarToken (no schema change to the existing avatar tables). Nav avatar
   wired through a context processor.

2. Tracker rendering: new SlotAvatar table + per-slot resolution (explicit
   web-set > client-set profile_data, honored only when HTTPS on the
   trusted-host allowlist > the slot's lobby player's session avatar).
   /api/tracker gains player_avatars; the multitracker and per-player tracker
   render avatars; a rate-limited, non-exclusive "set avatar" control lives on
   the per-player tracker. This is what makes avatars visible on the web and
   persist through sleep.

3. Live-server bridge: customserver seeds profile_data from web-set
   SlotAvatars at boot (denormalized avatar_url, best-effort) so connected
   desktop clients render them too.

4. mwgg:// deep-link: MultiWorld.py now accepts the protocol URL (the
   flags-only parser previously rejected it) and persists
   last_server_hostname/port/username + the gated avatar before the GUI starts,
   so the launcher opens pre-filled with the room and the player's website
   avatar. macros.html carries &avatar=; CommonClient gains parse_connect_url
   and safe_avatar_source.

Web and client render both honor the same trusted-host allowlist
(multiworld.gg, mw.prismativerse.com), mirroring mwgg_gui.safe_avatar_source.

Tests: test/webhost/test_session_avatar.py, test_slot_avatar.py,
test/general/test_connect_url.py; full webhost suite green.
@lallaria lallaria merged commit 16de7d6 into main Jun 17, 2026
35 checks passed
@lallaria lallaria deleted the feat/persistent-avatars branch June 17, 2026 12:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant