Fix impersonation of web sockets exploit

client/src/views/game/Game.vue

@@ -111,8 +111,7 @@ export default {
     this.unsubscribeToSockets()
     
     let socketData = {
-      gameId: this.$store.state.game._id,
-      userId: this.$store.state.userId
+      gameId: this.$store.state.game._id
     }
 
     let player = GameHelper.getUserPlayer(this.$store.state.game)

server/api/express.ts

@@ -17,13 +17,13 @@ export default async (config: Config, app, container: DependencyContainer) => {
 
     // ---------------
     // Set up MongoDB session store
-    let store = new MongoDBStore({
+    let sessionStorage = new MongoDBStore({
         uri: config.connectionString,
         collection: 'sessions'
     });
 
     // Catch session store errors
-    store.on('error', function(err) {
+    sessionStorage.on('error', function(err) {
         console.error(err);
     });
 
@@ -37,7 +37,7 @@ export default async (config: Config, app, container: DependencyContainer) => {
             secure: config.sessionSecureCookies, // Requires HTTPS
             maxAge: 1000 * 60 * 60 * 24 * 365 // 1 Year
         },
-        store
+        store: sessionStorage
     }));
 
     // ---------------
@@ -86,5 +86,8 @@ export default async (config: Config, app, container: DependencyContainer) => {
 
     console.log('Express intialized.');
 
-    return app;
+    return {
+        app,
+        sessionStorage
+    };
 };

server/api/index.ts

@@ -16,10 +16,12 @@ async function startServer() {
   const app = express();
   const server = http.createServer(app);
 
-  const io = socketLoader(server);
-  const container = containerLoader(config, io);
+  const container = containerLoader(config);
 
-  await expressLoader(config, app, container);
+  const { sessionStorage } = await expressLoader(config, app, container);
+
+  const io = socketLoader(config, server, sessionStorage);
+  container.broadcastService.setIOController(io);
 
   server.listen(config.port, (err) => {
     if (err) {

server/api/sockets.ts

@@ -1,15 +1,53 @@
+import { Config } from "../config/types/Config";
+
 const socketio = require('socket.io');
+const cookieParser = require('cookie-parser');
+const cookie = require('cookie');
 
-export default (server) => {
+export default (config: Config, server, sessionStore) => {
 
     const io = socketio(server);
 
-    io.on('connection', (socket) => {
+    const getUserId = async (socket, data) => {
+        return new Promise((resolve, reject) => {
+            const cookieString = socket.request.headers.cookie;
+
+            if (cookieString) {
+                const cookieParsed = cookie.parse(cookieString);
+                const sid = cookieParsed['connect.sid'];
+
+                if (sid) {
+                    const sidParsed = cookieParser.signedCookie(sid, config.sessionSecret);
+
+                    sessionStore.get(sidParsed, (err, session) => {
+                        if (err) return reject(err);
+
+                        if (session.userId) {
+                            resolve(session.userId.toString())
+                        } else {
+                            resolve(null);
+                        }
+                    });
+                }
+            } else {
+                resolve(null);
+            }
+        })
+    }
+
+
+    io.on('connection', async (socket) => {
+
         // When the user opens a game, they will be put
         // into that room to receive web sockets scoped to the game room.
-        socket.on('gameRoomJoined', (data) => {
+        socket.on('gameRoomJoined', async (data) => {
+            const userId = await getUserId(socket, data);
+
+            if (userId) {
+                socket.join(userId); // Join a private room to receive user/player specific messages.
+            }
+
             socket.join(data.gameId); // Join the game room to receive game-wide messages.
-            socket.join(data.userId); // Join a private room to receive user/player specific messages.
 
             if (data.playerId) {
                 socket.join(data.playerId);
@@ -21,9 +59,14 @@ export default (server) => {
             }
         });
 
-        socket.on('gameRoomLeft', (data) => {
+        socket.on('gameRoomLeft', async (data) => {
+            const userId = await getUserId(socket, data);
+
+            if (userId) {
+                socket.leave(userId)
+            }
+
             socket.leave(data.gameId)
-            socket.leave(data.userId)
 
             if (data.playerId) {
                 socket.leave(data.playerId)

server/package.json

@@ -27,6 +27,8 @@
     "body-parser": "^1.19.0",
     "compression": "^1.7.4",
     "connect-mongodb-session": "^2.4.1",
+    "cookie": "^0.6.0",
+    "cookie-parser": "^1.4.6",
     "discord.js": "^12.5.3",
     "dotenv": "^8.2.0",
     "elo-rating": "^1.0.1",

server/services/broadcast.ts

@@ -9,9 +9,9 @@ import { LedgerType } from "./ledger";
 
 
 export default class BroadcastService {
-    io;
+    io: any;
 
-    constructor(io) {
+    setIOController(io) {
         this.io = io;
     }
 

server/services/index.ts

@@ -107,7 +107,7 @@ const guildRepository = new Repository<Guild>(GuildModel);
 const paymentRepository = new Repository<Payment>(PaymentModel);
 const reportRepository = new Repository<Report>(ReportModel);
 
-export default (config, io): DependencyContainer => {
+export default (config): DependencyContainer => {
 
     // Poor man's dependency injection.
 
@@ -124,7 +124,7 @@ export default (config, io): DependencyContainer => {
     const guildService = new GuildService(GuildModel, guildRepository, userRepository, userService);
     const guildUserService = new GuildUserService(userRepository, guildService);
 
-    const broadcastService = new BroadcastService(io);
+    const broadcastService = new BroadcastService();
     const distanceService = new DistanceService();
     const randomService = new RandomService();
     const cacheService = new CacheService(config);