I'm building an API with websocket that serializes data through JSON. The App itself is a chat application. I came up with the following structure to send my data:
{date: '2020-05-31', time: '14:28:05', text: "Hey!", to: '<id:int>', from: '<id:int>'}
The user basically sends a message through the browser and this is received by a websocket server. The from: 'id' would be the user sending the data, whereas the to: 'id' would be the user the data is being sent to.
Looking at this I have a very bad feeling. My thoughts: the user using the App would in theory authenticate, and that's where he would get his id. Then the receiver would have another id, one that is not the same as the authenticated one (obviously). The server would then look for that id and send the message, but I'm not sure if this is secure.
I have some aspects that I think must be dealt with correctly to protect the app from any attacker:
- What if the attacker decides to tamper with the "from:id" such that it could send arbitrary messages to anyone from any user?
- What if the attacker builds a script that spams millions of messages by taking advantage of the "to:id" field?
Is it possible there is another security issue that I'm not concerned about?
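
Added example, not part of the original post: one way a server could treat the message format above so that the client-supplied from is never trusted and each sender is throttled. The sender id comes from the authenticated connection's session; `handleIncoming`, `session.userId`, `knownUsers` and the limit values are assumptions made for this illustration.

```javascript
// Illustrative server-side handling; all names and limits here are assumptions.
const MAX_TEXT = 2000;         // assumed cap on message length
const RATE_LIMIT = 5;          // assumed: messages allowed per window, per sender
const RATE_WINDOW_MS = 10_000;
const sentLog = new Map();     // senderId -> timestamps of recently accepted messages

function allowSend(senderId, now) {
  const recent = (sentLog.get(senderId) || []).filter(t => now - t < RATE_WINDOW_MS);
  const allowed = recent.length < RATE_LIMIT;
  if (allowed) recent.push(now);
  sentLog.set(senderId, recent);
  return allowed;
}

// session: state the server bound to this socket when the user authenticated.
// knownUsers: Set of valid user ids. Returns {ok:false,error} or {ok:true,deliver}.
function handleIncoming(session, raw, knownUsers, now = Date.now()) {
  if (!session || !Number.isInteger(session.userId)) return { ok: false, error: 'unauthenticated' };
  let msg;
  try { msg = JSON.parse(raw); } catch { return { ok: false, error: 'bad_json' }; }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) return { ok: false, error: 'bad_shape' };
  // Accept the id as an integer or a digit string; reject booleans, floats, etc.
  const to = typeof msg.to === 'string' && /^\d+$/.test(msg.to) ? Number(msg.to) : msg.to;
  if (!Number.isInteger(to) || !knownUsers.has(to) || to === session.userId) {
    return { ok: false, error: 'bad_recipient' };
  }
  if (typeof msg.text !== 'string' || msg.text.length === 0 || msg.text.length > MAX_TEXT) {
    return { ok: false, error: 'bad_text' };
  }
  if (!allowSend(session.userId, now)) return { ok: false, error: 'rate_limited' };
  // from, date and time are set by the server; whatever the client sent is dropped.
  const stamp = new Date(now).toISOString();
  return { ok: true, deliver: {
    date: stamp.slice(0, 10), time: stamp.slice(11, 19),
    text: msg.text, to, from: session.userId } };
}
```

The rate limiter here is an in-memory sliding window for a single process; a deployment with several server instances would need shared state for the same check.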