Private space showed collaborators when it shouldn't have

I observed this, but don’t know how to reproduce it. I don’t have a screenshot, so you’ll have to take my word for it.

I have a private space. I wasn’t actively in the space, but when I went to the tab, I saw two people in the collaborator section, which surprised me. It was you @pirijan and Fay (I think that is @whichrabbit). I browsed through the console logs and I didn’t see any messages about other clients connecting. It was kinda alarming that others were in the private space (it didn’t have anything sensitive in there, just more the idea), so next thing I did was reload the browser. That fixed it, I guess.

The space is Valiant Rain – Kinopio.

Were you in the space somehow? I also checked to see if I had accidentally put it in the Explore menu, but I hadn’t. Really strange and not many details to go off by, but severe enough that I wanted to report it

I wasn’t in your space and that link shows private for me as it should. I think what you saw is a bug with the collaborators list not resetting when you switched spaces from a previous one that we were both in. Will fix

Ah that makes sense and is reassuring. Thanks.

Extra debugging Qs: Did Valiant Rain used to either have another name? And was it previously public?

No that was the original name. Always private. I shared a collab link with my friend only.

added some mitigations for this issue, but I can’t really repro to verify

If you ever see this issue again could you send me your entire console and your websocket frames logs?

Screen Shot 2020-12-15 at 10.41.55 AM1604×1190 195 KB

also did you see/notice the extra users as soon as you switched to the private space, or did they show up later on while you were in the private space?

They were there when I looked, so presumably appeared some prior time. Yes, if I see this again I can send that information

I’m seeing @pirijan as a spectator on that space right now. can’t collect other info (although I dont see anything under the websocket frames logs) right now because I’m busy, but will add to this thread when I get to it…

image1651×181 28.5 KB

should be diagnosable. A couple more Qs if you can remember:

• did you open the space from the url? or did you switch to it from another space? if so, which was it? Was I, or Fay, in that space?
• can you DM me your localstorage info for that valiant-rain? (paste window.localStorage['space-Qp-m7vXu3DKyQTi6KIixs'] into console)

Another wrinkle. Now the spectator is naveen. I see a userJoinedRoom message, with their id (confirmed by looking at the API call when navigating to his spaces.

image2032×1995 574 KB

This space has been open for a while (hours), and I’m pretty sure I didn’t navigate to it from another space.

ok that helps a lot, looks like a server-side websocket issue. investigating now.

fyi, the user still cannot see your space

ok just released some fixes to prevent this from occurring in the future:

• prevent a user from broadcasting a websocket userJoinedRoom event if they can’t load the space (ie they tried to load a space that they don’t have permission to view)
• Also for extra security: removing a live collaborator kicks them out of the space and deletes the space from their cache

let me know if this happens again

I woke up my computer today and observed a spectator (you) in a private space:

image992×1380 174 KB

I don’t have any other browsers currently open to it, so not sure why it says the client count is 5. I’m using the Todesktop version. I’m pretty sure if I refresh the page, you will no longer show up there. I will DM you the localStorage.

– ben

I just shipped an update that improves the accuracy of spectator user presense and times out idle connections. This update may fix this issue as well. Let me know if you see it again

haven’t heard about a reoccurance of this in a while so I’ll mark as done