Skip to content

Simplifies the format for client IDs. #2072

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Apr 11, 2025
Merged

Simplifies the format for client IDs. #2072

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
10e127c
Simplifies the format for client IDs.
lrhn Apr 10, 2025
3668d93
Remember to add renamed file.
lrhn Apr 10, 2025
b595bc3
Update id.dart
lrhn Apr 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions pkgs/sse/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
## 4.1.8

- Simplify the format of client ID strings.

## 4.1.7

- Move to `dart-lang/tools` monorepo.
Expand Down
9 changes: 4 additions & 5 deletions pkgs/sse/lib/client/sse_client.dart
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ import 'package:pool/pool.dart';
import 'package:stream_channel/stream_channel.dart';
import 'package:web/web.dart';

import '../src/util/uuid.dart';
import '../src/util/id.dart';

/// Limit for the number of concurrent outgoing requests.
///
Expand All @@ -21,7 +21,7 @@ import '../src/util/uuid.dart';
/// Note Chrome's limit is 6000. So this gives us plenty of headroom.
final _requestPool = Pool(1000);

/// A client for bi-directional sse communication.
/// A client for bi-directional SSE communication.
///
/// The client can send any JSON-encodable messages to the server by adding
/// them to the [sink] and listen to messages from the server on the [stream].
Expand All @@ -48,9 +48,8 @@ class SseClient extends StreamChannelMixin<String?> {
/// incoming bi-directional SSE connections. [debugKey] is an optional key
/// that can be used to identify the SSE connection.
SseClient(String serverUrl, {String? debugKey})
: _clientId = debugKey == null
? generateUuidV4()
: '$debugKey-${generateUuidV4()}' {
: _clientId =
debugKey == null ? generateId() : '$debugKey-${generateId()}' {
_serverUrl = '$serverUrl?sseClientId=$_clientId';
_eventSource =
EventSource(_serverUrl, EventSourceInit(withCredentials: true));
Expand Down
22 changes: 22 additions & 0 deletions pkgs/sse/lib/src/util/id.dart
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
// Copyright (c) 2025, the Dart project authors. Please see the AUTHORS file
// for details. All rights reserved. Use of this source code is governed by a
// BSD-style license that can be found in the LICENSE file.

import 'dart:math' show Random;

/// Generates a pseudo-random ID string with 32 bits of entropy.
String generateId() {
final chars = List<int>.filled(6, 0);
final random = Random();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would there be any benefit if we used Random.secure() instead? I'm guessing no, since this isn't actually being used as a secret.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Depends on why an ID is being generated to begin with.

If the goal is just to avoid ID collisions, then it depends on how many simultaneous clients a server will have. Too many, and a 32-bit PRNG generated ID might be insufficient to (statistically) avoid two with the same ID.
Then more randomness is enough, it doesn't have to be secure.

If the goal is to prevent someone deliberately forging the same ID as another client, then being secure might be more important than being more random. Brute force might still not be viable.

var bits = random.nextInt(0x100000000);
for (var i = 0; i < 6; i++) {
chars[i] = _base64Chars.codeUnitAt(bits & 0x3F);
bits >>>= 6;
}
return String.fromCharCodes(chars);
}

// A standard encoding of 6 bits per character, without any non-ASCII,
// non-printable or disallowed characters.
const _base64Chars =
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
32 changes: 0 additions & 32 deletions pkgs/sse/lib/src/util/uuid.dart
View file
Open in desktop

This file was deleted.

2 changes: 1 addition & 1 deletion pkgs/sse/pubspec.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: sse
version: 4.1.7
version: 4.1.8
description: >-
Provides client and server functionality for setting up bi-directional
communication through Server Sent Events (SSE) and corresponding POST
Expand Down