On my website, I am using Socket.io to create chat rooms where two users can join and chat. To make the rooms secure, I create a random room ID with crypto:
const crypto = require("crypto");
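/**
 * Generates a random room identifier for a chat room.
 *
 * The ID is 8 bytes from crypto.randomBytes, hex-encoded into a
 * 16-character string. Nothing is encrypted here: the value is only an
 * identifier that is hard to guess.
 *
 * NOTE(review): an unguessable ID works like a bearer secret - whoever
 * learns it can present it. It does not replace a server-side check of
 * who is allowed into the room at join time.
 *
 * @returns {Promise<string>} Resolves with the hex room ID; rejects with
 *   an Error if the random bytes could not be generated.
 */
module.exports = function () {
  // Number of random bytes in the ID (64 bits of randomness).
  // NOTE(review): 16 bytes is a more common size for identifiers that act
  // as secrets; left at 8 because a longer ID changes the format that is
  // stored and exchanged elsewhere.
  const roomIdBytes = 8;

  return new Promise(function (resolve, reject) {
    crypto.randomBytes(roomIdBytes, function (err, data) {
      if (err) {
        // On failure `data` is undefined; calling toString() on it would
        // throw an uncaught TypeError inside this callback and the
        // promise would never settle.
        reject(err);
        return;
      }

      const roomID = data.toString("hex");
      if (!roomID) {
        reject(new Error("Failed to generate room ID"));
        return;
      }
      resolve(roomID);
    });
  });
};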
This room ID is only visible to the two users who will potentially be joining the room. The code for joining the room lives on the server and is the following:
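tech.on("connection", (socket) => {
  // Per-socket state; both stay undefined until a well-formed "join"
  // has been accepted.
  let room_temp;
  let user_temp;

  // Announce in the room that the user joined.
  socket.on("join", (data) => {
    // Everything in `data` comes from the client. Ignore payloads that are
    // not { room: string, displayed_name: string } rather than throwing on
    // them inside the event handler.
    if (
      !data ||
      typeof data.room !== "string" ||
      data.room === "" ||
      typeof data.displayed_name !== "string"
    ) {
      return;
    }

    // NOTE(review): nothing here verifies that this connection belongs to
    // one of the two users the room was created for - any client that
    // presents a room ID is joined, and displayed_name is taken on trust.
    // The server-side record of who may enter a room is not shown on this
    // page; that membership check belongs here, before socket.join().

    // Only one room is tracked per socket, so leave the previous one;
    // otherwise the socket keeps receiving that room's messages.
    if (room_temp !== undefined && room_temp !== data.room) {
      socket.leave(room_temp);
    }

    room_temp = data.room;
    user_temp = data.displayed_name;
    socket.join(room_temp);
    tech.in(room_temp).emit("display", user_temp + ` Joined ${room_temp} Room!`);
  });

  // Relay a chat message to the room this socket joined.
  socket.on("message", (msg) => {
    // No accepted join yet: there is no room to relay to.
    if (room_temp === undefined) {
      return;
    }
    // The room ID is deliberately not logged: it is the secret that guards
    // the room, and log files are usually readable by more people than the
    // two participants.
    // NOTE(review): msg and user_temp are relayed verbatim; the receiving
    // page should insert them as text, not as HTML (client code not shown).
    tech.in(room_temp).emit("display", `${user_temp}: ${msg}`);
  });

  socket.on("disconnect", () => {
    // A socket that never joined has nothing to announce.
    if (room_temp === undefined) {
      return;
    }
    tech.in(room_temp).emit("display", `${user_temp} disconnected`);
  });
});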
I am not sure whether users outside of the room will be able to obtain this room ID and join the room, since all users share the same namespace. Can users who have joined a namespace view all the room IDs inside that namespace? In my database, the room ID is only visible to the two users who will potentially join the room. But on the Socket.io side, should I do something differently to prevent unauthorized users from entering the room and to protect the security of the messages?