Making ID generation securely random

Author: martinthomson

lib/manager.js

@@ -11,6 +11,7 @@
 var fs = require('fs')
   , url = require('url')
   , tty = require('tty')
+  , crypto = require('crypto')
   , util = require('./util')
   , store = require('./store')
   , client = require('socket.io-client')
@@ -139,6 +140,8 @@ function Manager (server, options) {
     self.emit('connection', conn);
   });
 
+  this.sequenceNumber = Date.now() | 0;
+ 
   this.log.info('socket.io started');
 };
 
@@ -702,9 +705,12 @@ Manager.prototype.handleClient = function (data, req) {
  * @api private
  */
 
-Manager.prototype.generateId = function () {
-  return Math.abs(Math.random() * Math.random() * Date.now() | 0).toString()
-    + Math.abs(Math.random() * Math.random() * Date.now() | 0).toString();
+Manager.prototype.generateId = function (data) {
+  var rand = new Buffer(15); // multiple of 3 for base64
+  this.sequenceNumber = (this.sequenceNumber + 1) | 0;
+  rand.writeInt32BE(this.sequenceNumber, 11);
+  crypto.randomBytes(12).copy(rand);
+  return rand.toString('base64').replace(/\//g, '_').replace(/\+/g, '-');
 };
 
 /**
@@ -752,7 +758,7 @@ Manager.prototype.handleHandshake = function (data, req, res) {
     if (err) return error(err);
 
     if (authorized) {
-      var id = self.generateId()
+      var id = self.generateId(newData || handshakeData)
         , hs = [
               id
             , self.enabled('heartbeats') ? self.get('heartbeat timeout') || '' : ''
@@ -872,9 +878,9 @@ Manager.prototype.authorize = function (data, fn) {
   if (this.get('authorization')) {
     var self = this;
 
-    this.get('authorization').call(this, data, function (err, authorized) {
+    this.get('authorization').call(this, data, function (err, authorized, newData) {
       self.log.debug('client ' + authorized ? 'authorized' : 'unauthorized');
-      fn(err, authorized);
+      fn(err, authorized, newData);
     });
   } else {
     this.log.debug('client authorized');

test/manager.test.js

@@ -220,6 +220,86 @@ module.exports = {
     });
   },
 
+  'test authorization gets handshake data': function (done) {
+    var port = ++ports
+      , io = sio.listen(port)
+      , cl = client(port);
+
+    io.configure(function () {
+      function auth (data, fn) {
+        data.query.should.have.foo;
+        data.query.foo.should.eql('bar');
+        fn(null, false);
+      };
+
+      io.set('authorization', auth);
+    });
+
+    cl.get('/socket.io/{protocol}/?foo=bar', function (res, data) {
+      res.statusCode.should.eql(403);
+      data.should.match(/handshake unauthorized/);
+
+      cl.end();
+      io.server.close();
+      done();
+    });
+  },
+
+  'test that authorization can view handshake data': function (done) {
+    var port = ++ports
+      , io = sio.listen(port)
+      , cl = client(port);
+
+    io.configure(function () {
+      function auth (data, fn) {
+        data.query.should.have.foo;
+        data.query.foo.should.eql('bar');
+        fn(null, true);
+      };
+
+      io.set('authorization', auth);
+    });
+
+    cl.get('/socket.io/{protocol}/?foo=bar', function (res, data) {
+      res.statusCode.should.eql(200);
+
+      cl.end();
+      io.server.close();
+      done();
+    });
+  },
+
+  'test that authorization can change handshake data': function (done) {
+    var port = ++ports
+      , io = sio.listen(port)
+      , cl = client(port);
+
+    io.configure(function () {
+      function auth (data, fn) {
+        var replacement = { baz: 'qu' };
+        for (i in data) {
+          if (data.hasOwnProperty(i)) {
+            replacement[i] = data[i];
+          }
+        }
+        fn(null, true, replacement);
+      };
+
+      io.set('authorization', auth);
+    });
+
+    cl.get('/socket.io/{protocol}/', function (res, data) {
+      var id = data.split(':', 2)[0];
+      res.statusCode.should.eql(200);
+      io.handshaken[id].should.have.baz;
+      io.handshaken[id].baz.should.eql('qu');
+
+      cl.end();
+      io.server.close();
+      done();
+    });
+  },
+
   'test a handshake error': function (done) {
     var port = ++ports
       , io = sio.listen(port)