diff --git a/internal/signaling/peer.go b/internal/signaling/peer.go
index 1f3728c..941741c 100644
--- a/internal/signaling/peer.go
+++ b/internal/signaling/peer.go
@@ -376,16 +376,18 @@ func (p *Peer) HandleJoinPacket(ctx context.Context, packet JoinPacket) error {
 	if packet.Lobby == "" {
 		return fmt.Errorf("no lobby code supplied")
 	}
+	if len(packet.Lobby) > 20 {
+		return fmt.Errorf("lobby code too long")
+	}
 
-	p.Lobby = packet.Lobby
-
-	p.store.Subscribe(ctx, p.Game+p.Lobby+p.ID, p.ForwardMessage)
-
-	others, err := p.store.JoinLobby(ctx, p.Game, p.Lobby, p.ID)
+	others, err := p.store.JoinLobby(ctx, p.Game, packet.Lobby, p.ID)
 	if err != nil {
 		return err
 	}
 
+	p.Lobby = packet.Lobby
+	p.store.Subscribe(ctx, p.Game+p.Lobby+p.ID, p.ForwardMessage)
+
 	err = p.Send(ctx, JoinedPacket{
 		RequestID: packet.RequestID,
 		Type:      "joined",
diff --git a/internal/signaling/stores/postgres.go b/internal/signaling/stores/postgres.go
index fa3a428..fcaf1c8 100644
--- a/internal/signaling/stores/postgres.go
+++ b/internal/signaling/stores/postgres.go
@@ -299,12 +299,18 @@ func (s *PostgresStore) ListLobbies(ctx context.Context, game, filter string) ([
 }
 
 func (s *PostgresStore) TimeoutPeer(ctx context.Context, peerID, secret, gameID string, lobbies []string) error {
-
 	if len(peerID) > 20 {
 		logger := logging.GetLogger(ctx)
 		logger.Warn("peer id too long", zap.String("peerID", peerID))
 		return ErrInvalidPeerID
 	}
+	for _, lobby := range lobbies {
+		if len(lobby) > 20 {
+			logger := logging.GetLogger(ctx)
+			logger.Warn("lobby code too long", zap.String("lobbyCode", lobby))
+			return ErrInvalidLobbyCode
+		}
+	}
 
 	now := util.Now(ctx)
 	_, err := s.DB.Exec(ctx, `