feat: do not reuse the Engine.IO id

darrachequesne · darrachequesne · commit 2875d2cfdfa4 · 2020-10-13T23:02:07.000+02:00
In previous versions, the Socket#id attribute was equal (or derived,
for a non-default namespace) to the underlying Engine.IO id, which is
used as a mean to authenticate the user throughout the Engine.IO
session and thus is sensitive information that should be kept secret.

The problem with reusing the Engine.IO id is that users could be
tempted to transmit this id to other clients, in order to implement
private messaging for example.

So we'll now generate a new random id for each new socket.

Please note that this id will now be different from the one found in
the query parameters of the HTTP requests.
diff --git a/dist/socket.js b/dist/socket.js
@@ -9,6 +9,7 @@ const socket_io_parser_1 = require("socket.io-parser");
 const has_binary2_1 = __importDefault(require("has-binary2"));
 const url_1 = __importDefault(require("url"));
 const debug_1 = __importDefault(require("debug"));
+const base64id_1 = __importDefault(require("base64id"));
 const debug = debug_1.default("socket.io:socket");
 /**
  * Blacklisted events.
@@ -40,7 +41,7 @@ class Socket extends events_1.EventEmitter {
         this._rooms = new Set();
         this.server = nsp.server;
         this.adapter = this.nsp.adapter;
-        this.id = nsp.name !== "/" ? nsp.name + "#" + client.id : client.id;
+        this.id = base64id_1.default.generateId(); // don't reuse the Engine.IO id because it's sensitive information
         this.connected = true;
         this.disconnected = false;
         this.handshake = this.buildHandshake(auth);
@@ -206,7 +207,7 @@ class Socket extends events_1.EventEmitter {
         debug("socket connected - writing packet");
         this.nsp.connected.set(this.id, this);
         this.join(this.id);
-        this.packet({ type: socket_io_parser_1.PacketType.CONNECT });
+        this.packet({ type: socket_io_parser_1.PacketType.CONNECT, data: { sid: this.id } });
     }
     /**
      * Called with each packet. Called by `Client`.
diff --git a/lib/socket.ts b/lib/socket.ts
@@ -6,6 +6,7 @@ import debugModule from "debug";
 import { Client, Namespace, Server } from "./index";
 import { IncomingMessage } from "http";
 import { Adapter, BroadcastFlags, Room, SocketId } from "socket.io-adapter";
+import base64id from "base64id";
 
 const debug = debugModule("socket.io:socket");
 
@@ -100,7 +101,7 @@ export class Socket extends EventEmitter {
     super();
     this.server = nsp.server;
     this.adapter = this.nsp.adapter;
-    this.id = nsp.name !== "/" ? nsp.name + "#" + client.id : client.id;
+    this.id = base64id.generateId(); // don't reuse the Engine.IO id because it's sensitive information
     this.connected = true;
     this.disconnected = false;
     this.handshake = this.buildHandshake(auth);
@@ -288,7 +289,7 @@ export class Socket extends EventEmitter {
     debug("socket connected - writing packet");
     this.nsp.connected.set(this.id, this);
     this.join(this.id);
-    this.packet({ type: PacketType.CONNECT });
+    this.packet({ type: PacketType.CONNECT, data: { sid: this.id } });
   }
 
   /**
diff --git a/package.json b/package.json
@@ -27,6 +27,7 @@
     "format:fix": "prettier --write 'lib/**/*.ts' 'test/**/*.ts'"
   },
   "dependencies": {
+    "base64id": "~2.0.0",
     "debug": "~4.1.0",
     "engine.io": "~4.0.0",
     "has-binary2": "~1.0.2",
