From 70d018c6665d52abeb1188a14802fb9a823e2ff1 Mon Sep 17 00:00:00 2001
From: Bas van den Aakster
Date: Sat, 22 Nov 2025 23:19:16 +0100
Subject: [PATCH] Remove custom peer ID feature for security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Always generate cryptographically random 128-bit peer IDs to prevent peer ID hijacking vulnerability. This ensures peer IDs are secure through collision resistance rather than relying on expiration-based protection.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 package.json | 2 +-
 src/app.ts | 31 +++----------------------------
 2 files changed, 4 insertions(+), 29 deletions(-)
diff --git a/package.json b/package.json
index cdbfa0b..39b701b 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@xtr-dev/rondevu-server",
- "version": "0.1.4",
+ "version": "0.1.5",
 "description": "Topic-based peer discovery and signaling server for distributed P2P applications",
 "main": "dist/index.js",
 "scripts": {
diff --git a/src/app.ts b/src/app.ts
index 8e1d899..30709b4 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -64,37 +64,12 @@ export function createApp(storage: Storage, config: Config) {
 /**
 * POST /register
 * Register a new peer and receive credentials
- * Accepts optional peerId in request body for custom peer IDs
+ * Generates a cryptographically random peer ID (128-bit)
 */
 app.post('/register', async (c) => {
 try {
- let peerId: string;
-
- // Check if custom peer ID is provided
- const body = await c.req.json().catch(() => ({}));
- const customPeerId = body.peerId;
-
- if (customPeerId !== undefined) {
- // Validate custom peer ID
- if (typeof customPeerId !== 'string' || customPeerId.length === 0) {
- return c.json({ error: 'Peer ID must be a non-empty string' }, 400);
- }
-
- if (customPeerId.length > 128) {
- return c.json({ error: 'Peer ID must be 128 characters or less' }, 400);
- }
-
- // Check if peer ID is already in use by checking for active offers
- const existingOffers = await storage.getOffersByPeerId(customPeerId);
- if (existingOffers.length > 0) {
- return c.json({ error: 'Peer ID is already in use' }, 409);
- }
-
- peerId = customPeerId;
- } else {
- // Generate new peer ID
- peerId = generatePeerId();
- }
+ // Always generate a random peer ID
+ const peerId = generatePeerId();
 // Encrypt peer ID with server secret (async operation)
 const secret = await encryptPeerId(peerId, config.authSecret);
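Review bot: The updated doc comment on POST /register promises a "cryptographically random peer ID (128-bit)", but the handler only calls `generatePeerId()`, whose body is outside this diff, so the property the fix depends on cannot be checked here. It is worth confirming that the helper draws 16 bytes from the platform CSPRNG (for example `crypto.getRandomValues`) and stating the entropy source in that helper's own docstring, since collision resistance is now the only protection against ID reuse. Separately, a client that still sends `peerId` in the body now silently receives a different ID; consider keeping the body parse and answering `return c.json({ error: 'Custom peer IDs are no longer supported' }, 400);` when the field is present, so older clients fail loudly instead of assuming they own the requested ID. The `try` block of the handler continues past the end of the hunk.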