BurnChat v2.9 — Claim Your Name, Lock It Down 🔐
Two new commands let you own your nickname in any room. Plus a major security pass: password hashing, XSS protection across the board, rate-limited admin endpoints, and a dozen bug fixes. Same ephemeral promise. Much harder to break.
Nickname Registration & Login
BurnChat is anonymous by design. No accounts, no emails, no sign-ups. But there was a problem: anyone could join a room and take your name. If you stepped away for five minutes, someone else could show up as "you."
Now you can reserve your nickname inside any room. Two new commands make it work:
| Command | What it does |
|---|---|
| /register nickname password | Reserve your current nickname with a password. Must be your active nick. Password must be at least 4 characters. Limit: 100 registrations per room. |
| /login nickname password | Reclaim a registered nickname. If someone else is using it, they get bumped to a random name. Your password is hashed with SHA-256 — even BurnChat can't read it. |
How it works
When you register, the server stores only a SHA-256 hash of your password — the plaintext is never saved. If someone tries to join with your registered name, they're automatically assigned a random suffix (like yourname-742) and told to use /login to reclaim it.
If you /login while someone else is squatting on your nick, they get force-renamed to a random fallback. Your identity follows your password, not your connection.
This is still ephemeral. Registrations live in RAM, scoped to the room. When the room burns or the server restarts, every registration vanishes. No database. No persistence. No trace. It's identity protection that's as temporary as the conversation itself.
Security Hardening
This release includes a comprehensive security audit and fixes across the entire codebase. Here's what changed:
Passwords are now hashed everywhere
Room passwords, admin passwords, and registered nickname passwords are all stored as SHA-256 hashes. Previously, room and admin passwords were stored in plaintext in RAM. Now an attacker with memory access would only see hashes.
XSS protection
Every piece of server-supplied data rendered via innerHTML is now escaped through a client-side escHtml() function. This covers room rules, announcements, warnings, poll options, the online list, dice results, /me actions, room info, and snake game stats. Defense in depth: the server already escapes most data, and now the client does too.
Admin endpoint hardening
The admin API now uses timing-safe password comparison (crypto.timingSafeEqual) to prevent timing attacks. We also added rate limiting: more than 10 failed attempts per minute from the same IP will lock you out. Brute force won't work.
Bug Fixes
We squashed a lot of bugs in this release. The highlights:
- security: Crash when a registered nick triggered a name change — fixed by changing `const safeName` to `let`
- security: Poll double-voting by changing nickname — votes are now tracked by socket ID
- security: Widget iframe `postMessage` accepted any origin — now validates `burnchat.io`
- security: Iframe embed sandbox was missing `allow-same-origin` — the widget couldn't connect to Socket.IO
- bug: `arguments.callee` in the room expiry timer — breaks in strict mode. Replaced with a named function
- bug: Missing `addListenerDot()` function — voice message listener dots crashed with a ReferenceError
- bug: Missing HTML elements for pinned messages and snake game overlays — caused null reference errors
- bug: ~170 lines of dead duplicate snake code removed (old `SN` object, duplicate event listeners)
- bug: Snake battle mode: score reset and `snake-died` event fired after elimination — now only in classic mode
- bug: Dead ternary: `room.messages ? [] : []` — both branches were identical
- ux: Burn overlay used a hardcoded dark background — now uses `var(--bg)` for light mode
- ux: No `scrollToBottom()` after image messages — images didn't auto-scroll into view
- ux: Chat room flashed briefly before password validation on locked rooms
- ux: Password prompt added duplicate keydown listeners on every show
- ux: Version meta tag said v2.7.0 while the footer showed v2.9.0 — now consistent
- ux: Mobile footer links were cramped — now wrap cleanly with hidden dot separators
Memory safety
Unbounded collections were a slow memory leak. The banned list, mute list, and registered nicknames map all now have hard caps (200, 200, and 100 respectively). A malicious admin can no longer grow these lists indefinitely.
New Commands Summary
| Command | Description |
|---|---|
| /register name pass | Reserve your current nickname with a password |
| /login name pass | Reclaim a registered nickname in the current room |
These join the existing 39+ slash commands. Type /help in any room to see the full list.