peers / peerjs-server

Server for PeerJS
https://peerjs.com
MIT License

Can use any key with ExpressPeerServer GET requests #243

Closed timmo001 closed 3 years ago

timmo001 commented 3 years ago

I'm having an issue:

I have set up a key using ExpressPeerServer but anyone can access /rtc/:id/peers etc. with any key.

For example, if I get:

http://localhost:3010/rtc/anythingwilldo/peers

I can see all the peers using any key I provide; it doesn't check against the one I set.

    const broker = ExpressPeerServer(this.server, {
      allow_discovery: true,
      key: key,
    });
    broker.on("connection", (client) => {
      logger.info(`Broker peer connected: ${client.getId()}`);
    });
    broker.on("disconnect", (client) => {
      logger.info(`Broker peer disconnected: ${client.getId()}`);
    });
    app.use("/rtc", broker);

timmo001 commented 3 years ago

I've done some tests with actual connections and calling, and they seem to be disallowed.

peer.connect(peerID) returns undefined if the key is incorrect.

timmo001 commented 3 years ago

After reading the docs, I can see that the token/key only applies to the POST methods and allow_discovery is used as an 'available sessions' type request, but the sessions can only be connected to with a token/password.

https://github.com/peers/peerjs-server/blob/master/src/api/README.md
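One way to make the discovery GET route from the first comment reject a wrong key, as an added example (not code from peerjs-server or from anyone in this thread): an Express-style middleware mounted ahead of the broker. The names requireBrokerKey, constantTimeEqual and simulate are hypothetical, and the /<key>/peers path shape is assumed from the URL quoted above.

```javascript
// Assumed wiring (not run here): app.use("/rtc", requireBrokerKey(key));
// placed before app.use("/rtc", broker), so req.path is "/<key>/peers".

// Compare two strings without stopping at the first mismatching character.
function constantTimeEqual(a, b) {
  const len = Math.max(a.length, b.length);
  let diff = a.length ^ b.length;
  for (let i = 0; i < len; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

function requireBrokerKey(expectedKey) {
  if (typeof expectedKey !== "string" || expectedKey.length === 0) {
    throw new TypeError("expectedKey must be a non-empty string");
  }
  const discoveryRoute = /^\/([^/]+)\/peers\/?$/;
  return function brokerKeyGuard(req, res, next) {
    const match = req.method === "GET" ? discoveryRoute.exec(req.path) : null;
    if (!match) return next(); // not the discovery route: leave it to the broker
    let supplied;
    try {
      supplied = decodeURIComponent(match[1]);
    } catch (err) {
      return res.status(400).json({ error: "malformed key" });
    }
    if (!constantTimeEqual(supplied, expectedKey)) {
      return res.status(401).json({ error: "invalid key" });
    }
    return next(); // key matches: the broker answers the discovery request
  };
}

// Constructed request/response doubles so the guard can be run without Express.
function simulate(guard, method, path) {
  const result = { status: 200, body: null, passed: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  guard({ method, path }, res, () => { result.passed = true; });
  return result;
}
```

The guard only covers HTTP requests that pass through Express; it does not change how the broker checks the key on peer connections.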

peerjs-bot commented 1 year ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.