I'm making a chat with node.js to integrate with my SMF forum. In the chat database I want to insert objects like this:
{
"userid" : "smf_id",
"nick" : "smf_username",
"shout" : "testing",
"date" : 1403554769,
"_id" : ObjectId("53a88bd134ac7be005000001")
}
But anyone can open the console and trigger the emit event with the data they want. They can forge userid and nickname. Is there any way to prevent this?
Your chat server should not blindly add entries to the database directly from the client.
You should have the client send a subset of the data contained in an entry (e.g. send just the "shout" attribute), and have the server infer the rest of the information from the connection-specific and global environment.
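A sketch of the approach in the answer above, added here as an example and not code from the original posts: the server takes only `shout` from the client and fills in `userid`, `nick` and `date` itself. The `session` object (assumed to be bound to the connection at handshake from the forum login), the function names and the length limit are all hypothetical.

```javascript
// Added example. buildEntry, handleShout, session and MAX_SHOUT_LEN are
// hypothetical names; the session is assumed to have been attached to the
// connection server-side when the user authenticated with the forum.
const MAX_SHOUT_LEN = 500; // assumed limit

// Build the stored entry. Identity and timestamp come from the server,
// never from the client payload.
function buildEntry(session, payload, nowMs) {
  if (!session || session.userid === undefined || session.userid === null) {
    throw new Error('unauthenticated connection');
  }
  // Read only "shout"; any userid/nick/date/_id the client sent is ignored.
  const shout = payload && typeof payload === 'object' ? payload.shout : undefined;
  // Requiring a string also rejects nested objects such as query operators.
  if (typeof shout !== 'string') throw new Error('shout must be a string');
  const text = shout.trim();
  if (text.length === 0 || text.length > MAX_SHOUT_LEN) {
    throw new Error('shout length out of range');
  }
  return {
    userid: session.userid,          // from the server-side session
    nick: session.nick,              // from the server-side session
    shout: text,                     // the only client-controlled field
    date: Math.floor(nowMs / 1000),  // server clock, Unix seconds
  };
}

// Body of the socket event handler: validate, store, report the outcome.
// `store` stands in for the database collection (an array here).
function handleShout(session, payload, store, nowMs = Date.now()) {
  try {
    const entry = buildEntry(session, payload, nowMs);
    store.push(entry);
    return { ok: true, entry };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample: the client tries to forge identity fields.
const demoStore = [];
const demoSession = { userid: 42, nick: 'alice' };
const forgedPayload = { userid: 1, nick: 'admin', shout: ' testing ', date: 0 };
console.log(handleShout(demoSession, forgedPayload, demoStore, 1403554769000));
```

The forged `userid`, `nick` and `date` never reach the stored entry because the handler does not read them from the payload.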