Summary
When connectionStateRecovery is enabled, skipMiddlewares defaults to true (packages/socket.io/lib/namespace.ts:346-354). Reconnecting clients bypass all auth middleware using the pid. Window: 2 min default.
Impact
Revoked users can reconnect and bypass authorization within the recovery window.
Fix
Default skipMiddlewares to false, or document the security implication.
Found during automated security audit.
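The following is an added example, not code from the report or from the socket.io project. It places the server options with the default behaviour (middleware skipped for a recovered session) beside the hardened form, and shows an `io.use((socket, next) => ...)`-shaped auth middleware that rejects a token revoked during the disconnection window. `connectionStateRecovery`, `maxDisconnectionDuration`, `skipMiddlewares` and `socket.recovered` are real Socket.IO option and field names; the `revokedTokens` set, the token strings and the `simulateConnection` helper are constructed here to model how the server applies the option, so the block runs without a live server.

```javascript
// Added example (not from the report or socket.io). Assumed/constructed:
// the revokedTokens store, the token values, and simulateConnection, which
// models the server's decision "run middleware or restore the session".

// Weak: skipMiddlewares is left at its default (true). A client that
// reconnects with a valid pid inside maxDisconnectionDuration is restored
// without any io.use() handler running.
const weakOptions = {
  connectionStateRecovery: {
    maxDisconnectionDuration: 2 * 60 * 1000, // 2 min recovery window
    // skipMiddlewares: true   <- implicit default
  },
};

// Hardened: every connection, recovered or not, passes through middleware.
const hardenedOptions = {
  connectionStateRecovery: {
    maxDisconnectionDuration: 2 * 60 * 1000,
    skipMiddlewares: false,
  },
};

// Constructed revocation store: tokens invalidated since the session began.
const revokedTokens = new Set(['tok-revoked']);

// Auth middleware in the io.use((socket, next) => ...) shape. With
// skipMiddlewares: false it also runs for recovered sockets, so a token
// revoked while the client was offline is rejected rather than restored.
function authMiddleware(socket, next) {
  const auth = (socket.handshake && socket.handshake.auth) || {};
  if (!auth.token) return next(new Error('missing token'));
  if (revokedTokens.has(auth.token)) return next(new Error('token revoked'));
  return next();
}

// Constructed model of the server's behaviour for one (re)connection:
// a recovered socket skips middleware only when skipMiddlewares is not
// explicitly false. `socket.recovered` mirrors the real flag.
function simulateConnection(options, socket) {
  const cfg = options.connectionStateRecovery || {};
  const skip = cfg.skipMiddlewares !== false;
  if (socket.recovered && skip) {
    return { accepted: true, middlewareRan: false, error: null };
  }
  let err = null;
  authMiddleware(socket, (e) => { err = e || null; });
  return { accepted: err === null, middlewareRan: true, error: err ? err.message : null };
}

// Usage: a revoked client reconnecting within the window.
const revokedReconnect = {
  recovered: true,
  handshake: { auth: { token: 'tok-revoked' } },
};
console.log('default :', simulateConnection(weakOptions, revokedReconnect));
console.log('hardened:', simulateConnection(hardenedOptions, revokedReconnect));
```

Under the default options the revoked client is restored with `middlewareRan: false`; with `skipMiddlewares: false` the same reconnect is rejected with `token revoked`. Operators who keep the default should treat the recovery window as time during which revocation is not enforced and size `maxDisconnectionDuration` accordingly.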