From 0704aae1c3337cc94005a39ca8c520a6fd0d63d9 Mon Sep 17 00:00:00 2001
From: tuanaiseo
Date: Sat, 11 Apr 2026 18:11:52 +0700
Subject: [PATCH] fix(security): weak nodeid validation allows arbitrary identifier

The `isNodeID` type guard accepts any string as a valid node identifier. In distributed/federated protocols, permissive identifiers can enable impersonation, collision attacks, log/message confusion, or protocol abuse (e.g., empty strings, extremely long IDs, crafted control characters).

Affected files: types.ts

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
 discojs/src/client/types.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/discojs/src/client/types.ts b/discojs/src/client/types.ts
index a73dc4a75..18fd21a35 100644
--- a/discojs/src/client/types.ts
+++ b/discojs/src/client/types.ts
@@ -1,6 +1,5 @@
 export type NodeID = string
 
-// TODO @s314cy: regexp test just like server-side
 export function isNodeID (raw: unknown): raw is NodeID {
- return typeof raw === 'string'
+ return typeof raw === 'string' && /^[a-zA-Z0-9_-]{1,64}$/.test(raw)
 }
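Review bot: The new regex on the `return` line hard-codes the identifier format inline, while the removed TODO says the client rule should mirror the server-side check; nothing in this file ties the two together, so they can silently drift. Hoist it into a documented module constant, `/** Allowed NodeID shape: 1–64 chars of [A-Za-z0-9_-]; keep in sync with the server-side check. */` followed by `const NODE_ID_PATTERN = /^[a-zA-Z0-9_-]{1,64}$/`, and use `NODE_ID_PATTERN.test(raw)` in the guard, with the same TSDoc sentence echoed on `export type NodeID` so consumers of the type see the contract. This is also a tightening of the accepted set: any existing peer IDs with other characters or longer than 64 chars will now fail the guard, so callers that previously passed raw strings through should be checked (the server-side rule is not visible in this patch, so whether the 64-char bound matches it is unconfirmed). Since `$` is used without the `m` flag it anchors at the true end of the string, so embedded newlines are correctly rejected.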