From 2d49a4ddb9cdf13616a0072077b404c0ff247732 Mon Sep 17 00:00:00 2001
From: Pascal Bourque
Date: Sun, 9 Nov 2025 10:57:45 -0500
Subject: [PATCH] Hash username in MQTT client ID generation

Replaces the plain username in the MQTT client ID with a SHA-1 hash for improved privacy and to avoid exposing usernames in client identifiers.
---
 src/api/MysaApiClient.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/api/MysaApiClient.ts b/src/api/MysaApiClient.ts
index 11c94be..1c9932f 100644
--- a/src/api/MysaApiClient.ts
+++ b/src/api/MysaApiClient.ts
@@ -19,6 +19,7 @@

 import { CognitoUserSession } from 'amazon-cognito-identity-js';
 import { iot, mqtt } from 'aws-iot-device-sdk-v2';
+import { hash } from 'crypto';
 import dayjs from 'dayjs';
 import duration from 'dayjs/plugin/duration.js';
 import { customAlphabet } from 'nanoid';
@@ -713,7 +714,9 @@ export class MysaApiClient {

 // Per-process stable client id. Random suffix avoids collisions with other running processes.
 if (!this._mqttClientId) {
- this._mqttClientId = `mysa-js-sdk-${this.session?.username ?? 'anon'}-${process.pid}-${getRandomClientId()}`;
+ const username = this.session?.username ?? 'anon';
+ const usernameHash = hash('sha1', username);
+ this._mqttClientId = `mysa-js-sdk-${usernameHash}-${process.pid}-${getRandomClientId()}`;
 }

 const builder = iot.AwsIotMqttConnectionConfigBuilder.new_with_websockets()
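Review bot: The named import `hash` in the first hunk exists only on newer Node.js releases, since the one-shot `crypto.hash()` helper was added in v20.12.0 / v21.7.0. On an older runtime the module would likely fail when it is loaded, not when the client ID is built. The SDK's supported Node range is not visible in this patch; if it includes earlier versions, `import { createHash } from 'crypto';` with `createHash('sha1').update(username).digest('hex')` yields the same hex digest and works everywhere.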
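Review bot: `usernameHash` in the second hunk is an unsalted SHA-1 of the username, so it pseudonymizes the value without hiding it: the same username always maps to the same 40-character token, and anyone who sees a client ID and holds a candidate username can recompute and match it. The `'anon'` fallback likewise hashes to a single constant. I would scope the privacy claim in a comment such as `// Pseudonymous, not secret: unsalted digest; a known username can be matched against it.` and prefer a truncated SHA-256, `createHash('sha256').update(username).digest('hex').slice(0, 16)`. If nothing relies on correlating a user's connections, dropping the username-derived segment would remove the linkage, since the existing comment credits the random suffix with avoiding collisions. The enclosing method starts and ends outside this hunk.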