Netskrafl

Netskrafl - an Icelandic crossword game website

English summary

This repository contains the implementation of an Icelandic crossword game in the genre of SCRABBLE®. The game, which is free-to-play, is accessible on the web at https://malstadur.mideind.is/netskrafl.

The game backend is implemented in Python 3.11 for the Google App Engine Standard Environment.

The frontend is a tablet- and smartphone-friendly web client in HTML5 and JavaScript connecting via Ajax to a Flask-based web server on the backend.

The game contains a robot crossword player written in Python. The algorithm is based on Appel & Jacobson's classic paper "The World's Fastest Scrabble Program". At maximum strength level, the robot always plays the highest-scoring move possible but additional and alternative strategies can be plugged in relatively easily. At the lowest strength level, the robot is limited to a set of common words, about a quarter of the size of the entire word database.

The software has a range of features such as immediate tile-by-tile feedback on word validity and score, real-time synchronized games with clocks, Elo scoring of players, an online chat window, and the ability to view player track records.

The game uses a word database encoded in a Directed Acyclic Word Graph (DAWG). For Icelandic, the graph contains 2.4 million word forms. Further information about the DAWG implementation can be found in README.md in the Skrafl repository on GitHub.

The source code for the game server is located in the src/ directory. The main source files are as follows:

The main entry point for the Flask web server is in main.py.

The game mechanics are mostly found in skraflmechanics.py.

The robot player is implemented in skraflplayer.py.

The DAWG navigation code is in dawgdictionary.py.

Language-specific tile sets, bags and vocabularies are handled in languages.py.

The Game and User classes are found in skraflgame.py and skrafluser.py, respectively.

The persistence layer, using the schemaless App Engine NDB database, is in skrafldb.py.

The various Flask HTML templates are found in templates/*.html.

The DAWG-compressed vocabularies are stored in resources/*.bin.dawg.

Client Authentication

The Netskrafl server supports three types of clients, each with its own authentication mechanism:

1. Direct Web Access (Same-Origin)

The classic Netskrafl web interface served directly from the server. Users authenticate via OAuth2 (Google, Facebook, or Apple), and the server maintains session state using secure HTTP-only cookies with SameSite=Lax.

• Auth mechanism: Flask session cookies
• Login endpoints: /login (initiates OAuth2 flow), /oauth2callback
• Session lifetime: 90 days

2. Explo Mobile App (React Native)

The Explo mobile app (iOS/Android) uses the same OAuth2 providers but through native mobile SDKs. After initial authentication, the server issues an Explo JWT token that can be used for subsequent logins without repeating the OAuth2 flow.

• Auth mechanism: Session cookies (stored in native HTTP client)
• Login endpoints: /oauth_google, /oauth_apple, /oauth_fb, /oauth_explo
• Token lifetime: 30 days (configurable)

3. Cross-Origin Web Clients (e.g., Málstaður)

Third-party web applications that embed Netskrafl functionality cannot use cookies due to browser SameSite restrictions on cross-origin requests. Instead, these clients authenticate using Bearer tokens in the Authorization header.

• Auth mechanism: JWT Bearer token (Authorization: Bearer <token>)
• Login endpoint: /login_malstadur (returns JWT token in response)
• Token lifetime: 30 days (configurable)

Authentication flow for cross-origin clients:

1. Client calls POST /login_malstadur with user credentials, a signed JWT from the parent application, and bearer_auth: true to opt in to Bearer token authentication
2. Server validates the JWT, finds or creates the user, and returns a response containing an Explo token
3. Client stores the token and includes it in subsequent API requests as Authorization: Bearer <token>
4. Server validates the token on each request via the session_user() function

The bearer_auth flag controls whether the server sets a session cookie:

• bearer_auth: true - No session cookie is set; client must use Bearer token for subsequent requests
• bearer_auth: false or omitted - Session cookie is set for backwards compatibility with legacy clients

The CORS configuration allows all origins with the Authorization header permitted, enabling cross-origin clients to authenticate without cookies.

To build and run locally

Follow these steps:

0. Install Python 3.11, preferably in a virtualenv.

1. Download the Google App Engine SDK (GAE) for Python and follow the installation instructions.

2. git clone https://github.com/mideind/Netskrafl to your GAE application directory.

3. Run pip install -r requirements.txt in your virtualenv to install required Python packages so that they are accessible to GAE. To run locally you will also need to install the icegrams package pip install icegrams

4. Run python utils/dawgbuilder.py all to generate the DAWG *.bin.dawg files. This may take a couple of minutes.

5. You will need a secret session key for Flask. The secret session key is stored in Google Cloud secret manager. For information on Flask sessions see Flask Session documentation. For further details on secrets stored and used at runtime, see the Google Cloud Secret Manager documentation, and the source file src/secret_manager.py.

6. Install Node.js if you haven't already. Run npm install to install Node dependencies. Run npm install grunt -g grunt-cli to install Grunt and its command line interface globally.

7. In a separate terminal window, but in the Netskrafl directory, run grunt make. Then run grunt to start watching changes of js and css files.

8. Run either runserver.bat or ./runserver.sh.

Or, alternatively:

Run ./setup-dev.sh (tested on Debian based Linux and OS X).

Deploying to Google App Engine

The project has multiple deployment targets, each with its own deploy script and App Engine configuration file. All deployments use the --no-promote flag, meaning the new version is deployed but does not receive traffic until manually promoted via the Google Cloud Console.

Prerequisites:

• Google Cloud SDK installed and configured
• Appropriate credentials in the resources/ directory
• Run tests before deploying (see CLAUDE.md for test configuration)

Deployment commands:

| Target | Script | Project | Description | |--------|--------|---------|-------------| | Netskrafl | ./deploy-netskrafl.sh default <version> | netskrafl | Production Icelandic web game | | Netskrafl Demo | ./deploy-demo.sh default <version> | netskrafl | Demo/staging environment | | Explo Dev | ./deploy-explo.sh default <version> | explo-dev | Explo development/testing | | Explo Live | ./deploy-explo-live.sh default <version> | explo-live | Explo production |

Each script:

1. Builds frontend assets via grunt make
2. Deploys to Google App Engine with the specified version
3. For Netskrafl, optionally updates the update_online_status Cloud Scheduler job

Example:

# Deploy version "v42" to Netskrafl production
./deploy-netskrafl.sh default v42

# Deploy to Explo development
./deploy-explo.sh default v42

After deployment, promote the new version to receive traffic in the Google Cloud Console.

Generating a new vocabulary file

A new vocabulary file can be fetched from the Icelandic BÍN database (read the licensing information!) by executing the following steps:

$ wget -O SHsnid.csv.zip https://bin.arnastofnun.is/django/api/nidurhal/?file=SHsnid.csv.zip
$ unzip SHsnid.csv.zip
$ rm SHsnid.csv.sha256sum

The following instructions assume a PostgreSQL database. Our vocabulary database table is named sigrunarsnid, has the is_IS collation locale and contains the columns stofn, utg, ordfl, fl, ordmynd, and beyging (all CHARACTER VARYING except utg which can be INTEGER).

The following psql command copies the downloaded vocabulary data into it:

begin transaction read write;
\copy sigrunarsnid(stofn, utg, ordfl, fl, ordmynd, beyging) from 'SHsnid.csv' with (format csv, delimiter ';');
commit;

To generate a new vocabulary file (ordalisti.full.sorted.txt), first use the following psql command to create a view:

begin transaction read write;
create or replace view skrafl as
   select stofn, utg, ordfl, fl, ordmynd, beyging from sigrunarsnid
   where ordmynd ~ '^[aábdðeéfghiíjklmnoóprstuúvxyýþæö]{3,15}$'
   and fl <> 'bibl'
   and not ((beyging like 'SP-%-FT') or (beyging like '