fix: add lobby verification lock and gateway disconnect handler #140

Open. Flegma wants to merge 3 commits into main from audit/374-lobby-locking

Flegma (Contributor) commented Apr 8, 2026

Summary

  • Wraps the matchmaking verifyLobby + setLobbyDetails + addLobbyToQueue sequence in a Redis distributed lock (matchmaking:verify:{lobbyId}) to close the race window where a banned player could bypass verification between the check and queue addition (RACE-API-02)
  • Adds handleDisconnect lifecycle hook to SocketsGateway and makes handleConnection public, since NestJS WebSocket gateway lifecycle methods must be public to be recognized (LEAK-API-03)
  • Imports CacheModule into the matchmaking module and injects CacheService into MatchmakingGateway

Closes 5stackgg/5stack-panel#374

Test plan

  • Verify matchmaking join-queue flow still works end-to-end
  • Confirm that concurrent lobby verification requests for the same lobby are serialized (only one proceeds at a time)
  • Verify JoinQueueError exceptions from verifyLobby are still propagated correctly to the client
  • Confirm WebSocket connections and disconnections are handled without errors in the sockets gateway
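
The serialization property named in the test plan, as an added example that is not code from this pull request or the 5stack project. `LockStore`, `joinQueue` and `demoTrace` are hypothetical names, the in-memory store stands in for Redis, and the 5000 ms TTL is a constructed value; only the key pattern and the three step names come from the description above.

```typescript
// Added example: in-memory stand-in (assumed) for Redis SET key token NX PX ttl.
class LockStore {
  private locks = new Map<string, { token: string; expiresAt: number }>();
  private seq = 0;
  // Returns an owner token, or null while another holder's lock is unexpired.
  acquire(key: string, ttlMs: number, now: number): string | null {
    const held = this.locks.get(key);
    if (held && held.expiresAt > now) return null;
    const token = `owner-${++this.seq}`; // constructed; use a random value in practice
    this.locks.set(key, { token, expiresAt: now + ttlMs });
    return token;
  }
  // Compare-and-delete: a holder whose TTL lapsed cannot remove the next owner's lock.
  release(key: string, token: string): boolean {
    const held = this.locks.get(key);
    if (!held || held.token !== token) return false;
    this.locks.delete(key);
    return true;
  }
}

type Task = Generator<void, void, void>;
// One request; each `yield` stands for an await where another request could run.
function* joinQueue(store: LockStore, lobbyId: string, req: string, trace: string[]): Task {
  const key = `matchmaking:verify:${lobbyId}`;
  let token = store.acquire(key, 5000, 0);
  while (token === null) {
    yield; // lock busy: wait, then retry
    token = store.acquire(key, 5000, 0);
  }
  const owner = token;
  try {
    for (const step of ["verifyLobby", "setLobbyDetails", "addLobbyToQueue"]) {
      trace.push(`${req}:${step}`);
      yield;
    }
  } finally {
    store.release(key, owner); // always release, even if a step throws
  }
}

// Round-robin scheduler; A and B target the same lobby, C a different one.
function demoTrace(): string[] {
  const trace: string[] = [];
  const store = new LockStore();
  let pending: Task[] = [["A", "lobby-1"], ["B", "lobby-1"], ["C", "lobby-2"]]
    .map(([req, lobby]) => joinQueue(store, lobby, req, trace));
  while (pending.length > 0) pending = pending.filter((t) => !t.next().done);
  return trace;
}
```

In the resulting trace, request B's `verifyLobby` appears only after A's `addLobbyToQueue`, while C interleaves freely because its key differs.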

Flegma added 2 commits April 8, 2026 12:56
Wrap matchmaking verify+setLobbyDetails+addLobbyToQueue in a Redis lock
to prevent a banned player from bypassing verification between the check
and queue addition. Add handleDisconnect lifecycle hook to SocketsGateway
and make handleConnection public for proper NestJS gateway lifecycle support.
Adds compile-time type safety for NestJS WebSocket lifecycle hooks.
await this.sockets.setupSocket(client, request);
}

public handleDisconnect(client: FiveStackWebSocketClient) {
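Review bot: `handleDisconnect` at the end of this hunk carries no comment saying which per-client state it tears down, while the line above it already hands the same client to `this.sockets.setupSocket(client, request)`. If that call also owns the teardown, a second disconnect path risks double cleanup; document what this hook is responsible for, or leave it out.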

Contributor

why add?

Contributor Author

Removed. The handleDisconnect was a no-op — all cleanup (removing from clients map, deleting Redis keys, marking offline) is already handled by the client.on("close") callback in SocketsService.setupSocket.


Successfully merging this pull request may close these issues.

[API] Lobby verification bypass & concurrent client map corruption
