
fix(server): prevent duplicate request id attack on peer adapter#1474

Merged
dinwwwh merged 1 commit into middleapi:main from dinwwwh:dinwwwh/issue1473 on Mar 13, 2026

Conversation

@dinwwwh (Member)

@dinwwwh dinwwwh commented Mar 12, 2026

Fixes #1473

Summary by CodeRabbit

  • Bug Fixes
    • Improved handling of duplicate requests—when an identical request is already in flight, the duplicate is now ignored and returns the original response instead of being processed again.

@dinwwwh dinwwwh requested a review from Copilot March 12, 2026 12:28
@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a potential vulnerability where duplicate request IDs could be exploited. It introduces a robust mechanism to identify and discard redundant requests, ensuring that each unique request is processed only once. This enhancement improves the server's resilience against malicious or erroneous duplicate message floods, thereby bolstering its stability and security.

Highlights

  • Duplicate Request Handling: Implemented a mechanism in experimental_ServerPeerWithoutCodec to detect and ignore duplicate request messages based on their ID, preventing potential attacks.
  • Test Coverage: Added a new test case to server.test.ts to verify that duplicate request messages are correctly ignored and the handler is only called once.
Changelog
  • packages/standard-server-peer/src/server.test.ts
    • Added a test case to ensure duplicate request messages are ignored.
    • Verified that the request handler is called only once for duplicate requests.
  • packages/standard-server-peer/src/server.ts
    • Implemented logic to check for existing client controllers by ID.
    • Added a conditional return to ignore duplicate request messages if a controller for the ID already exists.

@coderabbitai bot commented Mar 12, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 2f22852 and 137b498.

📒 Files selected for processing (2)
  • packages/standard-server-peer/src/server.test.ts
  • packages/standard-server-peer/src/server.ts

📝 Walkthrough

A duplicate request guard is added to the server's message handler to prevent event iterator requests with the same ID from being processed multiple times. When a duplicate request arrives while one is already in flight, the handler returns early without creating a new controller, ensuring only one handler invocation per unique request ID.

Changes

  • Server Implementation (packages/standard-server-peer/src/server.ts): Adds an early return guard that checks for duplicate message IDs in clientControllers after EVENT_ITERATOR message handling, preventing redundant request processing.
  • Server Tests (packages/standard-server-peer/src/server.test.ts): Adds test case "duplicate request message should be ignored" verifying that identical duplicate requests are ignored while one is in flight, the handler is invoked only once, and the AbortSignal from the original request is returned.


🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped, CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'fix(server): prevent duplicate request id attack on peer adapter' clearly describes the main change: preventing duplicate request IDs from causing iterator issues.
  • Linked Issues check: ✅ Passed. The PR implements the fix for issue #1473 by adding duplicate request ID detection and early return logic, preventing iterator signal replacement and resource leaks.
  • Out of Scope Changes check: ✅ Passed. All changes are directly related to fixing the duplicate request ID vulnerability; test additions and server-side guard logic align with the stated objective.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@dosubot bot added the label size:M (This PR changes 30-99 lines, ignoring generated files) on Mar 12, 2026
@gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request addresses a potential duplicate request ID attack. The change in packages/standard-server-peer/src/server.ts prevents processing a request if another request with the same ID is already being handled. A new test case in packages/standard-server-peer/src/server.test.ts has been added to verify this behavior. The changes are correct and effectively resolve the issue.

@dosubot bot added the label bug (Something isn't working) on Mar 12, 2026
@pkg-pr-new bot commented Mar 12, 2026

Preview packages published for commit 7bb002f (install with `npm i <url>`):

  • @orpc/ai-sdk: https://pkg.pr.new/@orpc/ai-sdk@1474
  • @orpc/arktype: https://pkg.pr.new/@orpc/arktype@1474
  • @orpc/client: https://pkg.pr.new/@orpc/client@1474
  • @orpc/contract: https://pkg.pr.new/@orpc/contract@1474
  • @orpc/experimental-durable-iterator: https://pkg.pr.new/@orpc/experimental-durable-iterator@1474
  • @orpc/hey-api: https://pkg.pr.new/@orpc/hey-api@1474
  • @orpc/interop: https://pkg.pr.new/@orpc/interop@1474
  • @orpc/json-schema: https://pkg.pr.new/@orpc/json-schema@1474
  • @orpc/nest: https://pkg.pr.new/@orpc/nest@1474
  • @orpc/openapi: https://pkg.pr.new/@orpc/openapi@1474
  • @orpc/openapi-client: https://pkg.pr.new/@orpc/openapi-client@1474
  • @orpc/otel: https://pkg.pr.new/@orpc/otel@1474
  • @orpc/experimental-pino: https://pkg.pr.new/@orpc/experimental-pino@1474
  • @orpc/experimental-publisher: https://pkg.pr.new/@orpc/experimental-publisher@1474
  • @orpc/experimental-publisher-durable-object: https://pkg.pr.new/@orpc/experimental-publisher-durable-object@1474
  • @orpc/experimental-ratelimit: https://pkg.pr.new/@orpc/experimental-ratelimit@1474
  • @orpc/react: https://pkg.pr.new/@orpc/react@1474
  • @orpc/react-query: https://pkg.pr.new/@orpc/react-query@1474
  • @orpc/experimental-react-swr: https://pkg.pr.new/@orpc/experimental-react-swr@1474
  • @orpc/server: https://pkg.pr.new/@orpc/server@1474
  • @orpc/shared: https://pkg.pr.new/@orpc/shared@1474
  • @orpc/solid-query: https://pkg.pr.new/@orpc/solid-query@1474
  • @orpc/standard-server: https://pkg.pr.new/@orpc/standard-server@1474
  • @orpc/standard-server-aws-lambda: https://pkg.pr.new/@orpc/standard-server-aws-lambda@1474
  • @orpc/standard-server-fastify: https://pkg.pr.new/@orpc/standard-server-fastify@1474
  • @orpc/standard-server-fetch: https://pkg.pr.new/@orpc/standard-server-fetch@1474
  • @orpc/standard-server-node: https://pkg.pr.new/@orpc/standard-server-node@1474
  • @orpc/standard-server-peer: https://pkg.pr.new/@orpc/standard-server-peer@1474
  • @orpc/svelte-query: https://pkg.pr.new/@orpc/svelte-query@1474
  • @orpc/tanstack-query: https://pkg.pr.new/@orpc/tanstack-query@1474
  • @orpc/trpc: https://pkg.pr.new/@orpc/trpc@1474
  • @orpc/valibot: https://pkg.pr.new/@orpc/valibot@1474
  • @orpc/vue-colada: https://pkg.pr.new/@orpc/vue-colada@1474
  • @orpc/vue-query: https://pkg.pr.new/@orpc/vue-query@1474
  • @orpc/zod: https://pkg.pr.new/@orpc/zod@1474

Copilot AI (Contributor) left a comment

Pull request overview

Prevents a duplicate request-id attack against the standard server peer adapter that could leave earlier request AbortSignals un-aborted (causing event iterators to continue running after the client disconnects), as described in #1473.

Changes:

  • Ignore duplicate REQUEST messages when an id is already active (clientControllers.has(id)).
  • Add a unit test asserting duplicate request messages are ignored while the first request is in flight.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

  • packages/standard-server-peer/src/server.ts: Adds a guard to ignore duplicate request ids while the original request is still open.
  • packages/standard-server-peer/src/server.test.ts: Adds a test case intended to validate the duplicate-id guard behavior.

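The failure mode the reviews above describe, modelled as an added example written for this page rather than taken from the oRPC source: a peer-style server keeps one AbortController per in-flight request id in a `clientControllers` map (the identifier the PR touches), and a second REQUEST carrying the same id replaces the first controller unless it is ignored. The REQUEST/ABORT message shapes, the `close()` hook that models a client disconnect and the handler signature are assumptions, not oRPC's real protocol.

```typescript
// Added example, not oRPC's code: a minimal model of a peer-style server that keeps
// one AbortController per in-flight request id (the PR's `clientControllers` map).
// Message shapes, the `close()` hook and the handler signature are assumptions.

type PeerMessage =
  | { type: 'REQUEST'; id: string }
  | { type: 'ABORT'; id: string };

type RequestHandler = (id: string, signal: AbortSignal) => void;

class PeerServer {
  private readonly clientControllers = new Map<string, AbortController>();
  private readonly guardDuplicates: boolean;
  private readonly handler: RequestHandler;
  /** Every signal handed to the handler, so the demo can check which ones were aborted. */
  readonly issuedSignals: AbortSignal[] = [];
  handlerCalls = 0;

  constructor(guardDuplicates: boolean, handler: RequestHandler) {
    this.guardDuplicates = guardDuplicates;
    this.handler = handler;
  }

  message(msg: PeerMessage): void {
    if (msg.type === 'ABORT') {
      // Client-initiated abort of a single request.
      this.clientControllers.get(msg.id)?.abort();
      this.clientControllers.delete(msg.id);
      return;
    }

    // The fix from this PR: a REQUEST whose id is already in flight is ignored.
    if (this.guardDuplicates && this.clientControllers.has(msg.id)) {
      return;
    }

    // Without the guard, `set` silently replaces the original controller; it is
    // dropped from the map without ever being aborted, so the first handler's
    // signal stays live forever.
    const controller = new AbortController();
    this.clientControllers.set(msg.id, controller);
    this.issuedSignals.push(controller.signal);
    this.handlerCalls++;
    this.handler(msg.id, controller.signal);
  }

  /** Connection closed: abort everything the server still knows about. */
  close(): void {
    for (const controller of this.clientControllers.values()) {
      controller.abort();
    }
    this.clientControllers.clear();
  }
}

interface SimulationResult {
  handlerCalls: number;
  leakedSignals: number; // signals never aborted after close()
  stillRunning: number;  // handlers whose abort listener never fired
}

// Replays the #1473 scenario: the same id is sent twice, then the client disconnects.
function simulateDuplicateId(guardDuplicates: boolean): SimulationResult {
  let stillRunning = 0;
  const server = new PeerServer(guardDuplicates, (_id, signal) => {
    // Stand-in for an event iterator that loops until its signal is aborted.
    stillRunning++;
    signal.addEventListener('abort', () => { stillRunning--; }, { once: true });
  });

  server.message({ type: 'REQUEST', id: 'req-1' });
  server.message({ type: 'REQUEST', id: 'req-1' }); // duplicate id from the same client
  server.close();

  return {
    handlerCalls: server.handlerCalls,
    leakedSignals: server.issuedSignals.filter(s => !s.aborted).length,
    stillRunning,
  };
}

console.log('without guard:', simulateDuplicateId(false));
console.log('with guard:   ', simulateDuplicateId(true));
```

Without the guard the second REQUEST replaces the first controller in the map, so `close()` aborts only the replacement: the first handler's signal never fires and its iterator keeps running after the client is gone. With the guard one handler runs and every issued signal is aborted on close. The guard only covers ids that are in flight; once a request completes and its controller is removed, the id can be reused, which matches the "while one is already in flight" wording in the walkthrough above.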

@codecov bot commented Mar 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@dinwwwh dinwwwh merged commit 5ebcc86 into middleapi:main Mar 13, 2026
9 checks passed


Development

Successfully merging this pull request may close these issues:

  • Event iterator loops indefinitely when the same id is sent (#1473)
