Thanks for catching that! One thing I really wanted for the project was not having to sign in to use it, but that's been causing a lot of security holes like this. Gonna try to fix everything soon.
Out of curiosity, what are the motivation(s) for not requiring users to sign in? Is it just lowering the barrier to entry, or are you concerned with privacy?
I'm really not knowledgeable about Firestore, Firebase or even authentication systems, but couldn't a user request a secret key that the user will use to authenticate itself when sending a message into the websocket (that will not be transmitted to the other users)?
For the login gate, I'm pretty sure 99%+ of the visitors would not have created an account. Even without the login, the HN room shared in that thread was kind of inactive.
Since the rooms are "private" by default (secret token in the URL), authentication is now really necessary for casual usage.
Yes, you could generate an RSA key pair in the browser and send a tuple of user id (or just a nonce) and public key to the server as a form of automatic registration. The client could prefix each chat message with the user id/nonce and sign it with the private key before sending it to the server. From then on the server could simply retrieve the public key it has associated with the user id prefix and reject any messages that fail signature validation.
This could also work in a peer-to-peer context by only using the server for public key registration (i.e. by chat room). All messages would go directly between clients and the server would never receive chat messages.