Fix critical socket authorization issues#170
Merged
Merged
Conversation
Prevent the session secret from becoming an Engine.IO cookie name, authorize deletion against the target room, and use the Socket.IO 4 eviction API for kicks and bans.
Reject events from kicked or banned room members and safely contain malformed socket handlers so hostile payloads cannot terminate the process.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
remoteLeavecalls with Socket.IO 4socketsLeaveinRoomis false or the user is bannedRoot Cause
The Socket.IO configuration reused
AUTH_SECRETas an Engine.IO cookie name. Room deletion checked authority on the caller's current room while deleting an arbitrary client-supplied room ID. The Socket.IO 4 adapter no longer implementsremoteLeave.Replacing
remoteLeavealone was insufficient: it removed adapter room membership but leftsocket.roomIdintact, so a hostile client could ignore the kick/ban notification and keep sending mutations. Async Socket.IO listeners were also registered directly, allowing malformed payloads or missing acknowledgement callbacks to escape as unhandled rejections under Node 22.Security Behavior
Room event middleware now reloads persisted room state and requires authenticated users to remain present and unbanned. Kick and ban operations save that state before notifying and removing sockets from adapter rooms. A shared handler wrapper catches synchronous and asynchronous failures and returns a generic error without exposing internal details.
Validation
yarn workspace letscube-server lintyarn workspace letscube-server test --runInBand— 4 suites, 10 testsyarn lint && yarn test— client and server checks passed