fix: Fix Memory Leak in Socket Connection Registry on Disconnect#582
fix: Fix Memory Leak in Socket Connection Registry on Disconnect#582knoxiboy wants to merge 2 commits into
Conversation
📝 WalkthroughWalkthroughThis PR refactors ChangesSocket Connection Lifecycle and Memory Leak Fix
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Suggested labels
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
backend/src/lib/socket.js (1)
86-89:⚠️ Potential issue | 🟡 MinorFix dead/misleading
blockedUsersguard in socket logic
backend/src/models/user.model.jsdefines noblockedUsersfield, and the onlyblockedUsersreference in the repo is this guard inbackend/src/lib/socket.js—so the check will never trigger for normal User documents (receiver.blockedUsersis effectively undefined). Either remove this placeholder code/comment or add and persist a realblockedUsersfield in the User schema (and ensure it’s populated/available onreceiver).// Example: If your User schema has a 'blockedUsers' array if (receiver.blockedUsers && receiver.blockedUsers.includes(senderId)) { return false; }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@backend/src/lib/socket.js` around lines 86 - 89, The guard in socket.js checking receiver.blockedUsers is dead because the User schema has no blockedUsers; either remove the placeholder check from the message/permission logic in the function where `receiver` is evaluated (delete the if (receiver.blockedUsers ... ) block and its comment) or add and persist a real `blockedUsers` array to the User model (update `backend/src/models/user.model.js` to include a blockedUsers field and ensure the code that fetches `receiver` populates that field so `receiver.blockedUsers.includes(senderId)` works); choose one approach and update associated tests/fetch logic accordingly so the guard is not misleading.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@backend/src/lib/socket.js`:
- Around line 195-198: The callCanceled handler lacks the authorization guard;
update the socket.on("callCanceled", async ({ to }) => { ... }) handler to call
canCommunicate(userId, to) (same pattern used in
callUser/answerCall/iceCandidate/endCall/rejectCall) and only proceed to compute
receiverSockets via getReceiverSocketIds(to) and emit
io.to(s).emit("callCanceled") when canCommunicate returns true; if authorization
fails, do not emit and optionally log or ignore the request.
---
Outside diff comments:
In `@backend/src/lib/socket.js`:
- Around line 86-89: The guard in socket.js checking receiver.blockedUsers is
dead because the User schema has no blockedUsers; either remove the placeholder
check from the message/permission logic in the function where `receiver` is
evaluated (delete the if (receiver.blockedUsers ... ) block and its comment) or
add and persist a real `blockedUsers` array to the User model (update
`backend/src/models/user.model.js` to include a blockedUsers field and ensure
the code that fetches `receiver` populates that field so
`receiver.blockedUsers.includes(senderId)` works); choose one approach and
update associated tests/fetch logic accordingly so the guard is not misleading.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
| socket.on("callCanceled", async ({ to }) => { | ||
| const receiverSockets = getReceiverSocketIds(to); | ||
| receiverSockets.forEach(s => io.to(s).emit("callCanceled")); | ||
| }); |
There was a problem hiding this comment.
Missing authorization check in callCanceled handler.
All other WebRTC signaling handlers (callUser, answerCall, iceCandidate, endCall, rejectCall) include a canCommunicate(userId, to) check, but callCanceled does not. This allows any authenticated user to send callCanceled to any other user, potentially disrupting their call UI by forcing a clearCall() on the client.
🔒 Proposed fix to add authorization check
socket.on("callCanceled", async ({ to }) => {
+ if (!(await canCommunicate(userId, to))) return;
const receiverSockets = getReceiverSocketIds(to);
receiverSockets.forEach(s => io.to(s).emit("callCanceled"));
});🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@backend/src/lib/socket.js` around lines 195 - 198, The callCanceled handler
lacks the authorization guard; update the socket.on("callCanceled", async ({ to
}) => { ... }) handler to call canCommunicate(userId, to) (same pattern used in
callUser/answerCall/iceCandidate/endCall/rejectCall) and only proceed to compute
receiverSockets via getReceiverSocketIds(to) and emit
io.to(s).emit("callCanceled") when canCommunicate returns true; if authorization
fails, do not emit and optionally log or ignore the request.
Closes #568
Changes
Type of Change
Fixes #568
Summary by CodeRabbit
Release Notes
Bug Fixes
Performance