Security: Room IDs are generated with non-cryptographic randomness

[tuanaiseo]

Problem

Room identifiers are created with Math.random(), which is predictable and not suitable for security-sensitive identifiers. Predictable room IDs increase the risk of room enumeration and unauthorized access attempts, especially when IDs are part of join URLs.

Severity: medium
File: src/frontend/src/features/rooms/utils/generateRoomId.ts

Solution

Use a cryptographically secure generator (crypto.getRandomValues / crypto.randomUUID) and increase effective entropy of room identifiers. Also enforce server-side authorization regardless of ID secrecy.

Changes

• src/frontend/src/features/rooms/utils/generateRoomId.ts (modified)

Testing

• Existing tests pass
• Manual review completed
• No new warnings/errors introduced

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[lebaudantoine]

@CodeRabbit full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[lebaudantoine]

I guess this would be more suitable to backport the generation of this id on the server side.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: fb2f3ccc-b3ee-4fa3-b5d0-4fe2032ec674

📥 Commits

Reviewing files that changed from the base of the PR and between 6b656ee and 25cf0db.

📒 Files selected for processing (1)

• src/frontend/src/features/rooms/utils/generateRoomId.ts

---

Walkthrough

The getRandomChar function in generateRoomId.ts was updated to replace Math.random() with crypto.getRandomValues() for cryptographically secure randomness. The implementation now employs rejection sampling to eliminate modulo bias when selecting characters from the a–z character set. The function signatures and behavior of dependent functions remain unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and clearly summarizes the main security issue being addressed: replacing non-cryptographic randomness with cryptographically secure randomness for room ID generation.
Description check	✅ Passed	The description provides comprehensive context about the security problem, solution, and changes made, directly relating to the implementation of cryptographically secure room ID generation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}