Code Room
Vibe codingHardvc-g367
Subject Ai code reviewLevel Senior–Staff~20 minCommon in Security interviewsIndustries Computer games, Software development

Question

An AI assistant wrote this server endpoint (Go) for an online RPG's loot pickup. It validates the request shape and exists on the server, so it looks safe — but players are duping legendary items and granting themselves gold. Review the handler and explain why server-side ≠ authoritative here.

go
func HandlePickup(w http.ResponseWriter, r *http.Request) {    var req struct {        PlayerID string `json:"player_id"`        ItemID   string `json:"item_id"`        Rarity   string `json:"rarity"`        Gold     int    `json:"gold"`    }    json.NewDecoder(r.Body).Decode(&req)    player := LoadPlayer(req.PlayerID)    player.Inventory = append(player.Inventory, Item{req.ItemID, req.Rarity})    player.Gold += req.Gold    SavePlayer(player)    w.WriteHeader(200)}
What a strong answer looks like

Treat the AI’s output as a draft to verify, not an answer to trust. Name the specific flaw and the input that triggers it, say how you’d catch it — tests, edge cases, reading critically — and how you’d re-prompt or decompose to get it right.

Describe your solution

Vibe coding: describe the solution in plain language (or narrate it) and the coach grades your approach. Generating runnable code from your description is coming next.

Run or narrate your approach, then ask the coach.