Validate admin namespace and event

[0xf00sec]

Added validation methods for namespace and room in admin functions.

[miguelgrinberg]

What problem does this change solve?

[0xf00sec]

What problem does this change solve?

Actually, it’s pretty simple, I should’ve made this clear first. This change adds input validation.
I noticed that the admin control functions accepted user input without any validation and directly executed privileged operations. While authentication is required to access the admin namespace, once authenticated, an attacker could still perform a number of actions such as emitting fake events or manipulating rooms.

This validation layer blocks operations on the admin namespace and make sure that event names and namespaces are properly validated before execution.

[miguelgrinberg]

an attacker could still perform a number of actions such as emitting fake events or manipulating rooms.

But as far as I can see you are just making sure the namespaces and rooms are known to the server. Anything this potential attacker can do that can have an effect on the server is going to be based on valid namespaces and rooms. The server already ignores unknown namespaces and rooms, so I don't see how this is making the server more secure. If there is anything I'm missing please explain more clearly or provide an actual example where this change helps. Thanks.