Can someone hack EekChat (again)?
tussiez (1676)

I finally got EekChat working again, and I added a few (hopefully) working anti-hack changes.
Could someone try to hack EekChat again? If my edits work, it should be impossible to change the name of the user on the client-side, as this gets overwritten by the Repl Auth.

Baconman321 (1103)

@tussiez You might want to try using an array instead of a global variable. It would push an object containing the session key and the username into a variable, then assign the socket connection that sent the data to that variable (via a token). If the user changes the token then they can't send the message because the token doesn't match.

While it might affect performance, generating a long token is a good idea because then the chances of a user guessing another user's token are very low. You could also generate a few more token pairs to make guessing almost impossible. In addition, you could also send the username on the client, but if it doesn't match the token sent with the token associated with that username then it won't send the message.

As for antispam, you could always send a 429 error back which the client can then recognise as an antispam measure and alert the user. This would also be effective against botting (window.setInterval) at great speeds, although one could remotely set up a connection and periodically send data via CURL or fetch.
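
One way to implement the per-connection token check and the 429 antispam response described in the comment above. This is an added example, not part of the original thread and not EekChat's code; the function names, the 401/403 status values, the socket ids and the 5-messages-per-10-seconds limit are all assumptions.

```javascript
// Added example (hypothetical names): server-side session registry for a chat server.
const crypto = require('node:crypto');

const sessions = new Map();  // socketId -> { token, username, hits }
const MAX_MSGS = 5;          // assumed limit: 5 messages...
const WINDOW_MS = 10000;     // ...per 10-second sliding window

// Call once per connection with the username the SERVER obtained from auth,
// never a name supplied by the client. The token goes back to that client only.
function openSession(socketId, authedUsername) {
  const token = crypto.randomBytes(32).toString('hex'); // 256 bits from the CSPRNG
  sessions.set(socketId, { token, username: authedUsername, hits: [] });
  return token;
}

// Constant-time comparison so response timing does not leak token prefixes.
function tokensMatch(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// msg is the client payload: { token, username?, text }.
function handleMessage(socketId, msg, now = Date.now()) {
  const s = sessions.get(socketId);
  // The token must match the one issued to this exact connection.
  if (!s || !msg || !tokensMatch(msg.token, s.token)) return { status: 401 };
  // A client-sent username is only checked, never trusted as the sender name.
  if (msg.username !== undefined && msg.username !== s.username) {
    return { status: 403 };
  }
  // Sliding-window rate limit; the client can show 429 as an antispam notice.
  s.hits = s.hits.filter((t) => now - t < WINDOW_MS);
  if (s.hits.length >= MAX_MSGS) return { status: 429 };
  s.hits.push(now);
  // The broadcast name always comes from the server-side session record.
  return { status: 200, from: s.username, text: String(msg.text) };
}

function closeSession(socketId) {
  return sessions.delete(socketId); // call on disconnect to drop the token
}
```

Because the limit is keyed to the server-side session rather than to anything the client sends, it applies equally to a browser tab and to a scripted connection.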