From 2875d2cfdfa463e64cb520099749f543bbc4eb15 Mon Sep 17 00:00:00 2001
From: Damien Arrachequesne
Date: Thu, 8 Oct 2020 02:51:25 +0200
Subject: [PATCH] feat: do not reuse the Engine.IO id

In previous versions, the Socket#id attribute was equal (or derived, for a non-default namespace) to the underlying Engine.IO id, which is used as a mean to authenticate the user throughout the Engine.IO session and thus is sensitive information that should be kept secret. The problem with reusing the Engine.IO id is that users could be tempted to transmit this id to other clients, in order to implement private messaging for example. So we'll now generate a new random id for each new socket. Please note that this id will now be different from the one found in the query parameters of the HTTP requests.
---
 dist/socket.js | 5 +++--
 lib/socket.ts | 5 +++--
 package.json | 1 +
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/dist/socket.js b/dist/socket.js
index 3ce0ab7201..a4ef75cac7 100644
--- a/dist/socket.js
+++ b/dist/socket.js
@@ -9,6 +9,7 @@ const socket_io_parser_1 = require("socket.io-parser");
 const has_binary2_1 = __importDefault(require("has-binary2"));
 const url_1 = __importDefault(require("url"));
 const debug_1 = __importDefault(require("debug"));
+const base64id_1 = __importDefault(require("base64id"));
 const debug = debug_1.default("socket.io:socket");
 /**
 * Blacklisted events.
@@ -40,7 +41,7 @@ class Socket extends events_1.EventEmitter {
 this._rooms = new Set();
 this.server = nsp.server;
 this.adapter = this.nsp.adapter;
-this.id = nsp.name !== "/" ? nsp.name + "#" + client.id : client.id;
+this.id = base64id_1.default.generateId(); // don't reuse the Engine.IO id because it's sensitive information
 this.connected = true;
 this.disconnected = false;
 this.handshake = this.buildHandshake(auth);
@@ -206,7 +207,7 @@ class Socket extends events_1.EventEmitter {
 debug("socket connected - writing packet");
 this.nsp.connected.set(this.id, this);
 this.join(this.id);
-this.packet({ type: socket_io_parser_1.PacketType.CONNECT });
+this.packet({ type: socket_io_parser_1.PacketType.CONNECT, data: { sid: this.id } });
 }
 /**
 * Called with each packet. Called by `Client`.
diff --git a/lib/socket.ts b/lib/socket.ts
index 3735deebcf..fcfc456bb7 100644
--- a/lib/socket.ts
+++ b/lib/socket.ts
@@ -6,6 +6,7 @@ import debugModule from "debug";
 import { Client, Namespace, Server } from "./index";
 import { IncomingMessage } from "http";
 import { Adapter, BroadcastFlags, Room, SocketId } from "socket.io-adapter";
+import base64id from "base64id";
 const debug = debugModule("socket.io:socket");
@@ -100,7 +101,7 @@ export class Socket extends EventEmitter {
 super();
 this.server = nsp.server;
 this.adapter = this.nsp.adapter;
-this.id = nsp.name !== "/" ? nsp.name + "#" + client.id : client.id;
+this.id = base64id.generateId(); // don't reuse the Engine.IO id because it's sensitive information
 this.connected = true;
 this.disconnected = false;
 this.handshake = this.buildHandshake(auth);
@@ -288,7 +289,7 @@ export class Socket extends EventEmitter {
 debug("socket connected - writing packet");
 this.nsp.connected.set(this.id, this);
 this.join(this.id);
-this.packet({ type: PacketType.CONNECT });
+this.packet({ type: PacketType.CONNECT, data: { sid: this.id } });
 }
 /**
diff --git a/package.json b/package.json
index cb86b9b2ae..6b14335bfa 100644
--- a/package.json
+++ b/package.json
@@ -27,6 +27,7 @@
 "format:fix": "prettier --write 'lib/**/*.ts' 'test/**/*.ts'"
 },
 "dependencies": {
+"base64id": "~2.0.0",
 "debug": "~4.1.0",
 "engine.io": "~4.0.0",
 "has-binary2": "~1.0.2",
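Review bot: The new `this.id = base64id.generateId()` in the lib/socket.ts constructor is stored without any uniqueness check in `this.nsp.connected` and (per the later hunk) becomes the socket's private room name, so the property the commit message claims — that the id can be handed to other clients without handing them the session — rests entirely on the generator being unpredictable, and neither the hunk nor its comment says so. I would extend the inline comment to `// Fresh random id per socket, not derived from the Engine.IO sid (which authenticates the transport); must come from a CSPRNG since it also names the socket's private room`, and if base64id is not backed by crypto.randomBytes (not determinable from here) use `crypto.randomBytes(15).toString("base64")` instead. The Engine.IO sid is presumably still reachable from application code if `buildHandshake(auth)` copies the request query into `socket.handshake.query`, as the commit message hints; a sentence in the Socket docs warning not to forward `handshake.query.sid` would close that second leak path. Dropping the `nsp.name + "#"` prefix also means ids no longer encode their namespace, which any adapter or user code parsing that prefix would notice. The constructor begins before this hunk.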
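Review bot: The CONNECT packet in lib/socket.ts now carries `data: { sid: this.id }`, which is a wire-protocol change: a client that ignores the CONNECT payload and keeps assuming the socket id equals the Engine.IO sid (true before this commit) will silently hold the wrong id, so this deserves a protocol-version note in the Socket docs alongside the presumably matching client change. The payload key `sid` is also the name Engine.IO uses for its transport session id in the request query, which is exactly the value this commit stops exposing; a comment on the `this.packet(...)` line, `// sid is the Socket.IO socket id sent to the client; deliberately distinct from the Engine.IO sid in the transport's query string`, would keep the two from being confused by the next maintainer. Since `this.join(this.id)` runs before the packet is written, the private room exists by the time the client learns its id, which is the right ordering. The enclosing method starts before this hunk.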