Manually securing your application against the forged signature exploit is easy. To do this, you need to check that the `socket_id` and `channel_name` passed by clients to your auth endpoint match recognized patterns. This avoids the scenario where you could accidentally sign extra data.
Before signing an authentication request, it must be validated that:
- The socket ID is composed of at least one digit, followed by a dot, followed by at least one digit.
  Sample regex: `^\d+\.\d+$`
- The channel name is composed only of the following ASCII characters: `A-Z a-z 0-9 _ - = @ , . ;`
  Sample regex: `^[A-Za-z0-9_\-=@,.;]+$`
Note that this validation has been added to the latest versions of our most popular HTTP libraries, and is not a required step if you have already upgraded.

Note also that regex engines for different platforms vary, but that in the above examples `^` and `$` are intended to represent the beginning and end of the input respectively, not of the line. Neither `socket_id` nor `channel_name` should be permitted to include a newline character.
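The following is an added example, not code from the page or from any Pusher library, showing the two checks above wired in front of signing. It uses Python, where the newline caveat bites directly: `$` also matches just before a trailing newline, so the page's sample regex as written would let `"1234.5678\n"` through. The strict patterns therefore use `\A` and `\Z`, which anchor to the start and end of the whole input. The signed string format (`socket_id:channel_name`) and the HMAC-SHA256 hex digest are assumptions for this example, not something the page states.

```python
import hashlib
import hmac
import re

# Strict patterns: \A and \Z anchor to the start and end of the entire input,
# so a trailing newline cannot slip past the check (the pitfall the page warns about).
SOCKET_ID_RE = re.compile(r"\A\d+\.\d+\Z")
CHANNEL_NAME_RE = re.compile(r"\A[A-Za-z0-9_\-=@,.;]+\Z")

# The page's sample socket_id regex exactly as written, with $; kept only to
# demonstrate that in Python "$" still matches before a final "\n".
NAIVE_SOCKET_ID_RE = re.compile(r"^\d+\.\d+$")


class InvalidAuthRequest(ValueError):
    """Raised when socket_id or channel_name does not match the allowed pattern."""


def is_valid_socket_id(socket_id):
    """True only for strings of the form <digits>.<digits> with nothing else."""
    return isinstance(socket_id, str) and SOCKET_ID_RE.match(socket_id) is not None


def is_valid_channel_name(channel_name):
    """True only for non-empty strings built from the allowed ASCII characters."""
    return isinstance(channel_name, str) and CHANNEL_NAME_RE.match(channel_name) is not None


def naive_accepts_socket_id(socket_id):
    """The $-anchored check: accepts "1234.5678\\n", which the strict check rejects."""
    return isinstance(socket_id, str) and NAIVE_SOCKET_ID_RE.match(socket_id) is not None


def sign_auth_request(secret, socket_id, channel_name):
    """Validate both client-supplied values, then sign them.

    The "socket_id:channel_name" string-to-sign and the HMAC-SHA256 hex digest
    are assumptions made for this example (hypothetical format).
    """
    if not is_valid_socket_id(socket_id):
        raise InvalidAuthRequest("socket_id does not match <digits>.<digits>")
    if not is_valid_channel_name(channel_name):
        raise InvalidAuthRequest("channel_name contains disallowed characters")
    string_to_sign = f"{socket_id}:{channel_name}".encode("utf-8")
    return hmac.new(secret.encode("utf-8"), string_to_sign, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample values; the secret is a placeholder, not a real key.
    print(sign_auth_request("example-secret", "1234.5678", "private-chat"))
    for candidate in ("1234.5678", "1234.5678\n", "1234", "1234.5678:extra"):
        print(repr(candidate),
              "naive $ accepts:", naive_accepts_socket_id(candidate),
              "strict accepts:", is_valid_socket_id(candidate))
```

Run it directly to see the naive and strict checks side by side; the only input they disagree on is the one ending in a newline, which is the case that would let extra data into the signed string.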