PIX-58 validate lobby access

Author: matteosusca

server/src/middlewares/permissionMiddleware.ts

@@ -2,6 +2,7 @@ import { Response, NextFunction } from "express";
 import { AuthRequest } from "./authMiddleware.js";
 import { Lobby } from "../models/Lobby.js";
 import { Types } from "mongoose";
+import { LobbyService } from "../services/lobby.service.js";
 
 /**
  * Middleware to check if the user is a System Administrator.
@@ -61,9 +62,11 @@ export const requireLobbyAccess = async (req: AuthRequest, res: Response, next:
             return res.status(404).json({ error: "Lobby not found" });
         }
 
-        // Check if user is banned
-        if (lobby.bannedUsers.some((id: Types.ObjectId) => id.toString() === userId)) {
-            return res.status(403).json({ error: "Access denied. You are banned from this lobby." });
+        // reused logic from Service
+        try {
+            LobbyService.validateJoinAccess(lobby, userId);
+        } catch (e: any) {
+            return res.status(403).json({ error: e.message });
         }
 
         // If we implement private lobbies in the future, check allowedUsers here

server/src/services/lobby.service.ts

@@ -35,4 +35,32 @@ export class LobbyService {
   static async delete(id: string) {
     return await Lobby.findByIdAndDelete(id);
   }
+
+  // Common validation logic for joining/accessing a lobby
+  static validateJoinAccess(lobby: ILobby, userId: string): void {
+    if (lobby.bannedUsers.some((id: any) => id.toString() === userId)) {
+      throw new Error("Access denied. You are banned from this lobby.");
+    }
+  }
+
+  static validateCapacity(lobby: ILobby, currentCount: number): void {
+    if (currentCount >= lobby.maxCollaborators) {
+      throw new Error(`Lobby is full`);
+    }
+  }
+
+  static async verifyCanJoin(lobbyName: string, userId: string, currentCount: number) {
+    const lobby = await this.getByName(lobbyName);
+    if (!lobby) {
+      throw new Error("Lobby not found");
+    }
+
+    // 1. Check Banned
+    this.validateJoinAccess(lobby, userId);
+
+    // 2. Check Capacity
+    this.validateCapacity(lobby, currentCount);
+
+    return lobby;
+  }
 }

server/src/sockets/index.ts

@@ -4,6 +4,7 @@ import { CONFIG } from '../config.js';
 import { DrawPayload, DrawBatchPayload, AuthenticatedSocket } from './types.js';
 import { LobbyService } from '../services/lobby.service.js';
 import jwt from 'jsonwebtoken';
+import { getLobbyUserCount, getUsersInLobby, broadcastToLobby, broadcastToOthers } from '../utils/socketUtils.js';
 
 export const setupSocket = (io: Server) => {
   // Authentication Middleware
@@ -33,26 +34,36 @@ export const setupSocket = (io: Server) => {
     socket.on(CONFIG.EVENTS.CLIENT.JOIN_LOBBY, async (lobbyName: string) => {
       console.log(`[Socket] ${socket.id} joining lobby: ${lobbyName}`);
 
-      // 1. Join the Socket.io room channel
-      socket.join(lobbyName);
+      try {
+        // 1. Get User
+        const user = (socket as AuthenticatedSocket).user;
+        if (!user || !user.id) {
+          console.error(`[Socket] Error: User not found on socket ${socket.id}`);
+          return;
+        }
 
-      const user = (socket as AuthenticatedSocket).user;
-      if (!user) {
-        console.error(`[Socket] Error: User not found on socket ${socket.id}`);
-        return;
-      }
+        // 2. Validate Join (Service checks existence, ban status, and capacity)
+        const currentCount = getLobbyUserCount(io, lobbyName);
 
-      try {
-        // 2. Broadcast to others that a new user joined (First, to avoid race conditions)
-        socket.to(lobbyName).emit(CONFIG.EVENTS.SERVER.USER_JOINED, user);
+        try {
+          await LobbyService.verifyCanJoin(lobbyName, user.id, currentCount);
+        } catch (e: any) {
+          console.error(`[Socket] Join blocked: ${e.message}`);
+          socket.emit(CONFIG.EVENTS.SERVER.ERROR, { message: e.message });
+          return;
+        }
+
+        // 3. Join the Socket.io room channel
+        socket.join(lobbyName);
+
+        // 4. Broadcast to others that a new user joined
+        broadcastToOthers(socket, lobbyName, CONFIG.EVENTS.SERVER.USER_JOINED, user);
 
-        // 3. Send list of connected users to the new user
-        // We fetch sockets AFTER joining so the user is included in the list
-        const sockets = await io.in(lobbyName).fetchSockets();
-        const users = sockets.map(s => s.data.user).filter(u => u);
+        // 5. Send list of connected users to the new user
+        const users = await getUsersInLobby(io, lobbyName);
         socket.emit(CONFIG.EVENTS.SERVER.LOBBY_USERS, users);
 
-        // 4. Get current state from Service & Send to user
+        // 6. Get current state from Service & Send to user
         const state = await CanvasService.getState(lobbyName);
         socket.emit(CONFIG.EVENTS.SERVER.INIT_STATE, state);
       } catch (error) {
@@ -75,7 +86,7 @@ export const setupSocket = (io: Server) => {
       // 2. Broadcast if successful
       if (success) {
         // Send to everyone in the room INCLUDING the sender (for consistency)
-        io.to(lobbyName).emit(CONFIG.EVENTS.SERVER.PIXEL_UPDATE, { x, y, color });
+        broadcastToLobby(io, lobbyName, CONFIG.EVENTS.SERVER.PIXEL_UPDATE, { x, y, color });
       }
     });
 
@@ -105,7 +116,7 @@ export const setupSocket = (io: Server) => {
       // 2. Broadcast batch if any successful
       if (successfulUpdates.length > 0) {
         // Send to everyone in the room INCLUDING the sender (for consistency)
-        io.to(lobbyName).emit(CONFIG.EVENTS.SERVER.PIXEL_UPDATE_BATCH, { pixels: successfulUpdates });
+        broadcastToLobby(io, lobbyName, CONFIG.EVENTS.SERVER.PIXEL_UPDATE_BATCH, { pixels: successfulUpdates });
       }
     });
 
@@ -115,10 +126,10 @@ export const setupSocket = (io: Server) => {
       // Notify rooms that user is leaving
       for (const room of socket.rooms) {
         if (room !== socket.id) {
-          socket.to(room).emit(CONFIG.EVENTS.SERVER.USER_LEFT, (socket as AuthenticatedSocket).user);
+          broadcastToOthers(socket, room, CONFIG.EVENTS.SERVER.USER_LEFT, (socket as AuthenticatedSocket).user);
 
           // Check if room is empty (excluding this socket)
-          const socketsInRoom = await io.in(room).fetchSockets();
+          const socketsInRoom = await getUsersInLobby(io, room);
           const remainingUsers = socketsInRoom.length - 1; // fetchSockets includes the disconnecting socket
 
           if (remainingUsers <= 0) {

server/src/utils/socketUtils.ts

@@ -0,0 +1,33 @@
+import { Server, Socket } from 'socket.io';
+
+/**
+ * Gets the number of connected users in a specific lobby.
+ * @param io The Socket.IO server instance
+ * @param lobbyName The name of the lobby (room)
+ * @returns The number of clients in the room
+ */
+export const getLobbyUserCount = (io: Server, lobbyName: string): number => {
+  return io.sockets.adapter.rooms.get(lobbyName)?.size || 0;
+};
+
+/**
+ * Fetches all users currently connected to a lobby.
+ */
+export const getUsersInLobby = async (io: Server, lobbyName: string): Promise<any[]> => {
+  const sockets = await io.in(lobbyName).fetchSockets();
+  return sockets.map(s => s.data.user).filter(u => u);
+};
+
+/**
+ * Broadcasts an event to all users in a lobby (including sender).
+ */
+export const broadcastToLobby = (io: Server, lobbyName: string, event: string, data: any) => {
+  io.to(lobbyName).emit(event, data);
+};
+
+/**
+ * Broadcasts an event to all other users in a lobby (excluding sender).
+ */
+export const broadcastToOthers = (socket: Socket, lobbyName: string, event: string, data: any) => {
+  socket.to(lobbyName).emit(event, data);
+};