Summary
When connectionStateRecovery is enabled, skipMiddlewares defaults to true (packages/socket.io/lib/namespace.ts:346-354). A reconnecting client that presents its pid is restored without any of the namespace's middleware being run, so the auth middleware is never re-executed for it. The default recovery window is 2 minutes.
Impact
A user whose access was revoked during the disconnection can reconnect within the recovery window and regain the session without passing authorization again.
Fix
Change the default of skipMiddlewares to false, or document the security implication of the current default.
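Added example, not code from socket.io itself: the recovery options as shipped beside the hardened variant, and an auth middleware in the io.use((socket, next) => ...) shape that rejects revoked users. With skipMiddlewares set to false this middleware also runs for a recovered session, which is what closes the window described above. The revokedUsers set, the fake socket objects and the assumption that the client sends its user id in socket.handshake.auth.userId are constructed for the example; maxDisconnectionDuration and socket.recovered are real socket.io names.

```javascript
// Added example (not socket.io's own code). Shows the default recovery
// options, a hardened variant, and an auth middleware that re-checks
// revocation on every connection, including recovered ones.

// Constructed sample: user ids whose access was revoked while disconnected.
const revokedUsers = new Set(["user-42"]);

// Equivalent to the shipped default: recovered sessions skip io.use() middleware.
const weakOptions = {
  connectionStateRecovery: {
    maxDisconnectionDuration: 2 * 60 * 1000, // 2 min window (the default)
    skipMiddlewares: true,                   // the risky default
  },
};

// Hardened: middleware runs again for a recovered connection, so a user
// revoked during the disconnection is rejected instead of silently restored.
const hardenedOptions = {
  connectionStateRecovery: {
    maxDisconnectionDuration: 2 * 60 * 1000,
    skipMiddlewares: false,
  },
};

// Auth middleware in the io.use((socket, next) => ...) shape. It reads the
// user id from socket.handshake.auth (assumed to be set by the client) and
// rejects revoked users. socket.recovered is true for a restored session.
function authMiddleware(socket, next) {
  const auth = socket.handshake && socket.handshake.auth;
  const userId = auth && auth.userId;
  if (!userId) {
    return next(new Error("unauthenticated"));
  }
  if (revokedUsers.has(userId)) {
    // Log the recovery flag so revoked-but-recovered attempts are visible.
    console.warn(`rejecting ${userId} (recovered=${socket.recovered === true})`);
    return next(new Error("access revoked"));
  }
  return next();
}

// Helper for exercising the middleware without a running server: returns the
// error message passed to next(), or null when the connection is allowed.
function runMiddleware(socket) {
  let result = null;
  authMiddleware(socket, (err) => {
    result = err ? err.message : null;
  });
  return result;
}

// Wiring on a real server (not executed here so the file runs without
// socket.io installed):
//   const { Server } = require("socket.io");
//   const io = new Server(httpServer, hardenedOptions);
//   io.use(authMiddleware);

// Constructed sample sockets: a revoked user returning via recovery, and a
// valid user returning the same way.
const recoveredRevoked = { handshake: { auth: { userId: "user-42" } }, recovered: true };
const recoveredValid = { handshake: { auth: { userId: "user-7" } }, recovered: true };
console.log(runMiddleware(recoveredRevoked)); // "access revoked"
console.log(runMiddleware(recoveredValid));   // null
```

With weakOptions the first socket would be restored without authMiddleware ever seeing it; with hardenedOptions the same reconnect is rejected and logged.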