feat: do not reuse the Engine.IO id
In previous versions, the Socket#id attribute was equal (or derived,
for a non-default namespace) to the underlying Engine.IO id, which is
used as a means to authenticate the user throughout the Engine.IO
session and thus is sensitive information that should be kept secret.

The problem with reusing the Engine.IO id is that users could be
tempted to transmit this id to other clients, in order to implement
private messaging for example.

So we'll now generate a new random id for each new socket.

Please note that this id will now be different from the one found in
the query parameters of the HTTP requests.
darrachequesne committed Oct 13, 2020
1 parent 3289f7e commit 2875d2c
Showing 3 changed files with 7 additions and 4 deletions.
5 changes: 3 additions & 2 deletions dist/socket.js
Expand Up @@ -9,6 +9,7 @@ const socket_io_parser_1 = require("socket.io-parser");
const has_binary2_1 = __importDefault(require("has-binary2"));
const url_1 = __importDefault(require("url"));
const debug_1 = __importDefault(require("debug"));
const base64id_1 = __importDefault(require("base64id"));
const debug = debug_1.default("socket.io:socket");
/**
* Blacklisted events.
Expand Down Expand Up @@ -40,7 +41,7 @@ class Socket extends events_1.EventEmitter {
this._rooms = new Set();
this.server = nsp.server;
this.adapter = this.nsp.adapter;
this.id = nsp.name !== "/" ? nsp.name + "#" + client.id : client.id;
this.id = base64id_1.default.generateId(); // don't reuse the Engine.IO id because it's sensitive information
this.connected = true;
this.disconnected = false;
this.handshake = this.buildHandshake(auth);
Expand Down Expand Up @@ -206,7 +207,7 @@ class Socket extends events_1.EventEmitter {
debug("socket connected - writing packet");
this.nsp.connected.set(this.id, this);
this.join(this.id);
this.packet({ type: socket_io_parser_1.PacketType.CONNECT });
this.packet({ type: socket_io_parser_1.PacketType.CONNECT, data: { sid: this.id } });
}
/**
* Called with each packet. Called by `Client`.
5 changes: 3 additions & 2 deletions lib/socket.ts
Expand Up @@ -6,6 +6,7 @@ import debugModule from "debug";
import { Client, Namespace, Server } from "./index";
import { IncomingMessage } from "http";
import { Adapter, BroadcastFlags, Room, SocketId } from "socket.io-adapter";
import base64id from "base64id";

const debug = debugModule("socket.io:socket");

Expand Down Expand Up @@ -100,7 +101,7 @@ export class Socket extends EventEmitter {
super();
this.server = nsp.server;
this.adapter = this.nsp.adapter;
this.id = nsp.name !== "/" ? nsp.name + "#" + client.id : client.id;
this.id = base64id.generateId(); // don't reuse the Engine.IO id because it's sensitive information
this.connected = true;
this.disconnected = false;
this.handshake = this.buildHandshake(auth);
Expand Down Expand Up @@ -288,7 +289,7 @@ export class Socket extends EventEmitter {
debug("socket connected - writing packet");
this.nsp.connected.set(this.id, this);
this.join(this.id);
this.packet({ type: PacketType.CONNECT });
this.packet({ type: PacketType.CONNECT, data: { sid: this.id } });
}

/**
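Review bot: The unguessability of the new Socket#id now rests entirely on `base64id.generateId()` in the constructor assignment (the constructor's signature is outside this hunk), and the inline comment only says why the Engine.IO id is no longer reused, not what the replacement must guarantee. I'd extend it so a later change cannot quietly swap in a weaker generator: `// fresh random id, decoupled from the Engine.IO id (which authenticates the transport session); must stay unpredictable because it is sent to the client as \`sid\` and doubles as this socket's room name`. Because the id is no longer prefixed with the namespace name, uniqueness of the `this.nsp.connected.set(this.id, this)` key and of the `this.join(this.id)` room is now probabilistic rather than structural; presumably the generator's entropy makes a collision negligible, but that assumption is worth stating next to the `connected.set` call in the second hunk (whose enclosing method starts outside the hunk). The compiled copy in dist/socket.js carries the same comment and would need the same wording.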
1 change: 1 addition & 0 deletions package.json
Expand Up @@ -27,6 +27,7 @@
"format:fix": "prettier --write 'lib/**/*.ts' 'test/**/*.ts'"
},
"dependencies": {
"base64id": "~2.0.0",
"debug": "~4.1.0",
"engine.io": "~4.0.0",
"has-binary2": "~1.0.2",
