

feat: do not reuse the Engine.IO id
In previous versions, the Socket#id attribute was equal (or derived,
for a non-default namespace) to the underlying Engine.IO id, which is
used as a means to authenticate the user throughout the Engine.IO
session and thus is sensitive information that should be kept secret.

The problem with reusing the Engine.IO id is that users could be
tempted to transmit this id to other clients, in order to implement
private messaging for example.

So we'll now generate a new random id for each new socket.

Please note that this id will now be different from the one found in
the query parameters of the HTTP requests.
darrachequesne committed Oct 13, 2020
1 parent 3289f7e commit 2875d2c
Showing 3 changed files with 7 additions and 4 deletions.
5 changes: 3 additions & 2 deletions dist/socket.js
@@ -9,6 +9,7 @@ const socket_io_parser_1 = require("socket.io-parser");
const has_binary2_1 = __importDefault(require("has-binary2"));
const url_1 = __importDefault(require("url"));
const debug_1 = __importDefault(require("debug"));
const base64id_1 = __importDefault(require("base64id"));
const debug = debug_1.default("socket.io:socket");
/**
* Blacklisted events.
@@ -40,7 +41,7 @@ class Socket extends events_1.EventEmitter {
this._rooms = new Set();
this.server = nsp.server;
this.adapter = this.nsp.adapter;
this.id = nsp.name !== "/" ? nsp.name + "#" + client.id : client.id;
this.id = base64id_1.default.generateId(); // don't reuse the Engine.IO id because it's sensitive information
this.connected = true;
this.disconnected = false;
this.handshake = this.buildHandshake(auth);
@@ -206,7 +207,7 @@ class Socket extends events_1.EventEmitter {
debug("socket connected - writing packet");
this.nsp.connected.set(this.id, this);
this.join(this.id);
this.packet({ type: socket_io_parser_1.PacketType.CONNECT });
this.packet({ type: socket_io_parser_1.PacketType.CONNECT, data: { sid: this.id } });
}
/**
* Called with each packet. Called by `Client`.
5 changes: 3 additions & 2 deletions lib/socket.ts
@@ -6,6 +6,7 @@ import debugModule from "debug";
import { Client, Namespace, Server } from "./index";
import { IncomingMessage } from "http";
import { Adapter, BroadcastFlags, Room, SocketId } from "socket.io-adapter";
import base64id from "base64id";

const debug = debugModule("socket.io:socket");

@@ -100,7 +101,7 @@ export class Socket extends EventEmitter {
super();
this.server = nsp.server;
this.adapter = this.nsp.adapter;
this.id = nsp.name !== "/" ? nsp.name + "#" + client.id : client.id;
this.id = base64id.generateId(); // don't reuse the Engine.IO id because it's sensitive information
this.connected = true;
this.disconnected = false;
this.handshake = this.buildHandshake(auth);
@@ -288,7 +289,7 @@ export class Socket extends EventEmitter {
debug("socket connected - writing packet");
this.nsp.connected.set(this.id, this);
this.join(this.id);
this.packet({ type: PacketType.CONNECT });
this.packet({ type: PacketType.CONNECT, data: { sid: this.id } });
}

/**
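Review bot: The new meaning of `id` is stated only in the commit message; the field's declaration and its doc comment (outside this hunk) should say that the id is now a fresh random value per socket and is no longer derived from the Engine.IO id, and the trailing comment on the `this.id = base64id.generateId()` line reads better on its own line above the assignment, e.g. `// A fresh random id per socket: the Engine.IO id authenticates the session and must stay private.` The second hunk now sends `sid: this.id` in the CONNECT packet, which appears to be a wire-format change that clients and the protocol documentation need to account for; a short comment there, `// the client learns its socket id from the CONNECT payload`, would make that intent visible. Both hunks sit inside methods (the constructor and the connect routine) whose bodies start and end outside the hunk. The same two edits are mirrored in dist/socket.js, which is build output.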
1 change: 1 addition & 0 deletions package.json
@@ -27,6 +27,7 @@
"format:fix": "prettier --write 'lib/**/*.ts' 'test/**/*.ts'"
},
"dependencies": {
"base64id": "~2.0.0",
"debug": "~4.1.0",
"engine.io": "~4.0.0",
"has-binary2": "~1.0.2",
