Fighting game Inputs

My projects seem to be leaning towards this big one, A Fighting game that uses inputs akin to Street Fighters famous “QC” or Quarter-Circle movement.

The process is simple, I have a UserInputService check what button was pressed in correlation to a command-layout, so WSAD = UP/DOWN/LEFT/RIGHT and IOP = Weak, Medium, and Strong,

I use a string value to check what the buffer is at, and then run through each move to see what the most accurate move would be, so if you correctly do a Quarter Circle, then move Forward and hit Light, you’ll do a generic fireball, or if you’re a big FGC fan like me, you go 2-3-6-Weak

(If you’re curious on my buffer system, go check out a good article on QCF+Punch: Implementing Street Fighter-style Input | Game Dev Without a Cause)

My Question is: Is the buffer safe to hide on the client? Or is that risk of the player being able to one button spam Fireballs too great? I’d assume since it’s only a string they just have to figure out the context and alter it as they see fit. But having a smooth input with little delay is the key to a Fighting game.

If I’m understanding what you want to do correctly, both solutions are just as unsafe. Both methods read user input, something that can very easily be faked and will be faked given the opportunity. There aren’t really any good methods (that I know of) that will prevent people from faking any kind of user input, at least, not without entering CAPTCHA territory, and even that isn’t secure. I would personally just hold the buffer on the client. No reason to over complicate it.

Alright, so that’ll do!

EDIT: for clarity sake, I was checking if the Input Buffer should be tracked Clientside as either way the client can spoof userinput

Yeah, we are on the same page then. You don’t really gain anything by storing it server-side versus client side since it is user input related. You are just putting a layer of latency on top of every input.