xtr.dev/rondevu-server
1
0
Fork 0
mirror of https://github.com/xtr-dev/rondevu-server.git synced 2025-12-10 10:53:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove custom peer ID feature for security

Browse Source 
Always generate cryptographically random 128-bit peer IDs to prevent peer ID hijacking vulnerability. This ensures peer IDs are secure through collision resistance rather than relying on expiration-based protection.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Bas van den Aakster
2025-11-22 23:19:16 +01:00
parent 2cff4c8544
commit 70d018c666
2 changed files with 4 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
package.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "@xtr-dev/rondevu-server", "name": "@xtr-dev/rondevu-server",
"version": "0.1.4", "version": "0.1.5",
"description": "Topic-based peer discovery and signaling server for distributed P2P applications", "description": "Topic-based peer discovery and signaling server for distributed P2P applications",
"main": "dist/index.js", "main": "dist/index.js",
"scripts": { "scripts": {

31
src/app.ts
View File

@@ -64,37 +64,12 @@ export function createApp(storage: Storage, config: Config) {
/** /**
* POST /register * POST /register
* Register a new peer and receive credentials * Register a new peer and receive credentials
* Accepts optional peerId in request body for custom peer IDs * Generates a cryptographically random peer ID (128-bit)
*/ */
app.post('/register', async (c) => { app.post('/register', async (c) => {
try { try {
let peerId: string; // Always generate a random peer ID
const peerId = generatePeerId();
// Check if custom peer ID is provided
const body = await c.req.json().catch(() => ({}));
const customPeerId = body.peerId;
if (customPeerId !== undefined) {
// Validate custom peer ID
if (typeof customPeerId !== 'string' || customPeerId.length === 0) {
return c.json({ error: 'Peer ID must be a non-empty string' }, 400);
}
if (customPeerId.length > 128) {
return c.json({ error: 'Peer ID must be 128 characters or less' }, 400);
}
// Check if peer ID is already in use by checking for active offers
const existingOffers = await storage.getOffersByPeerId(customPeerId);
if (existingOffers.length > 0) {
return c.json({ error: 'Peer ID is already in use' }, 409);
}
peerId = customPeerId;
} else {
// Generate new peer ID
peerId = generatePeerId();
}
// Encrypt peer ID with server secret (async operation) // Encrypt peer ID with server secret (async operation)
const secret = await encryptPeerId(peerId, config.authSecret); const secret = await encryptPeerId(peerId, config.authSecret);