fix(golf): use server-generated UUID for WebSocket client identification#1118
Merged
fix(golf): use server-generated UUID for WebSocket client identification#1118
Conversation
Fixed a security vulnerability where client IDs were derived from RemoteAddr, leading to potential collisions when clients connect via a proxy. - Added ID field (UUID) to hub.Client - Updated ServeWs to initialize client with a unique UUID - Updated GolfHub.getClientID to prefer client.ID over RemoteAddr - Updated hub/BUILD.bazel to include github.com/google/uuid dependency
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
1d4-web | 4625c74 | Commit Preview URL Branch Preview URL |
Mar 07 2026, 06:21 AM |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes a security vulnerability where WebSocket client IDs were derived from
RemoteAddr, causing collisions when multiple clients connect through the same proxy. Clients are now identified by a server-generated UUID assigned at connection time.What Changed
hub.Clientgains anID stringfield populated withuuid.New().String()inServeWsGolfHub.getClientIDnow prefersclient.IDoverclient.Conn.RemoteAddr(), with the old behavior as fallback for backward compatibilityhub/BUILD.bazeladds@com_github_google_uuid//:uuiddependencyTesting Done
games_ws_backendtests pass (bazel test //domains/games/apis/games_ws_backend/...)TestGetClientID_UsesIDFieldOverRemoteAddrcovering the proxy collision scenario, ID field precedence, and fallback behaviorDiagram
sequenceDiagram participant P as Proxy participant S as Server (ServeWs) participant H as GolfHub Note over P,H: Before fix — both clients get RemoteAddr "10.0.0.1:443" P->>S: Client A connects S->>H: Register Client{Conn: RemoteAddr="10.0.0.1:443"} P->>S: Client B connects S->>H: Register Client{Conn: RemoteAddr="10.0.0.1:443"} Note over H: ⚠️ getClientID(A) == getClientID(B) — collision Note over P,H: After fix — each client gets a unique UUID P->>S: Client A connects S->>H: Register Client{ID: "uuid-a", Conn: ...} P->>S: Client B connects S->>H: Register Client{ID: "uuid-b", Conn: ...} Note over H: ✅ getClientID(A) != getClientID(B)