---
issue: 028
title: "delivery-code-generated socket event broadcasts raw 6-digit code to entire request room including seller"
severity: major
domain: Delivery
labels: [security, bug, backend, major, delivery]
status: resolved
resolved: 2026-05-29
fix: "Removed 'code' field from the delivery-code-generated socket payload in deliveryService.ts — only metadata (requestId, expiresAt, timestamp) is now broadcast to the room."
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 delivery-code-generated socket event broadcasts raw 6-digit code to entire request room including seller

**Severity:** major
**Domain:** Delivery
**Labels:** security, bug, backend, major, delivery

## Description

`DeliveryService.generateDeliveryCode` emits `delivery-code-generated` with the raw 6-digit code to the room `request-{id}`. Both buyer and seller are subscribers of this room. A seller with socket access can intercept the code before physical handoff, defeating the security purpose of the code-based handoff verification.

## Current Behavior

`deliveryService.ts` line 55 broadcasts `{requestId, code, expiresAt, timestamp}` to all room subscribers. The seller receives the code via socket before the physical handoff of the goods.

## Expected Behavior

The code should only be emitted to the buyer's personal room (`user-{buyerId}`), not the shared request room.

## Affected Files

- `backend/src/services/deliveryService.ts`

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)
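
The room scoping described under Current Behavior and Expected Behavior, as an added example that is not the project's code: it models room delivery in memory and reports which users receive a payload containing `code`, which is the property a regression test should pin. `FakeIo`, the function names, and the ids `b1`, `s1` and `42` are assumptions made for illustration; only the room name patterns and payload fields come from this issue.

```typescript
// Constructed in-memory stand-in for a Socket.IO-style server (hypothetical, not project code).
type Payload = Record<string, unknown>;
type Delivered = { to: string; payload: Payload };

class FakeIo {
  private rooms: Record<string, string[]> = {};
  readonly delivered: Delivered[] = [];

  join(userId: string, room: string): void {
    const members = this.rooms[room] || (this.rooms[room] = []);
    members.push(userId);
  }

  // Like io.to(room).emit(...): every subscriber of the room gets a copy.
  emitTo(room: string, payload: Payload): void {
    for (const userId of this.rooms[room] || []) {
      this.delivered.push({ to: userId, payload });
    }
  }
}

// Constructed sample: buyer "b1" and seller "s1" share request-42; each has a personal room.
function sampleRooms(): FakeIo {
  const io = new FakeIo();
  for (const u of ["b1", "s1"]) {
    io.join(u, "request-42");
    io.join(u, `user-${u}`);
  }
  return io;
}

// Behaviour under "Current Behavior": the raw code goes to the shared request room.
function emitToRequestRoom(io: FakeIo, requestId: string, code: string, expiresAt: number): void {
  io.emitTo(`request-${requestId}`, { requestId, code, expiresAt, timestamp: Date.now() });
}

// Behaviour under "Expected Behavior": metadata to the shared room, code to user-{buyerId} only.
function emitToBuyerOnly(io: FakeIo, requestId: string, buyerId: string, code: string, expiresAt: number): void {
  const meta = { requestId, expiresAt, timestamp: Date.now() };
  io.emitTo(`request-${requestId}`, meta);
  io.emitTo(`user-${buyerId}`, { ...meta, code });
}

// Regression check: sorted, de-duplicated ids of users who received a payload with `code`.
function usersWhoSawCode(io: FakeIo): string[] {
  const ids = io.delivered.filter((d) => "code" in d.payload).map((d) => d.to);
  return ids.filter((id, i) => ids.indexOf(id) === i).sort();
}
```

Asserting on the set of recipients rather than on the emit call keeps the test valid if the room layout changes later.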