sockjs / sockjs-node Goto Github PK

In SockJS 0.2.1 we removed the Origin header from the white list of not-terribly-bad headers that can be exposed to the app.

Apparently, there are some proper uses of that header - namely for logging. We should bring back this header, just clear it up for the iframe transports.

There is no way for a client to "gracefully" close the SockJS connection (.close on the client just drops the connection on the floor). But there is a way to request the client to disconnect from the server. It would be nice to be able to distinguish on the server side between:

• client was requested to go away and went away
• client never received a close message and just disappeared.

Although, I'm not sure how useful that is in practice.

Protocol changes: sockjs/sockjs-protocol#7

Hi!

At webjs.coffee L#74 sheduled is an unconditional call to log function. When connection rate is high, these ordinary messages do flood. Please, consider making them optional.

TIA,
--Vladimir

WebSocket disconnect_delay should be 15ms or less. The current delay of 5 seconds makes no sense for this transport.

With about 3k users connected we're getting a ridiculous number of logs like:

GET /sockets/568/40y6ze7z/websocket 2ms (unfinished)
GET /sockets/664/qoj9_gr2/websocket 1ms (unfinished)

What do they mean and how can I stop them?
Thanks!

Some people suggest sockjs-node is not very good in terms of memory usage:

I did a few simple benchmarks and it went well. Under real load it seems to be performing well, but the memory usage is a bit high ( ~400 MB for 1000 connections)!

We should investigate what's happening.

Sockjs responds with ws:// while safari expects wss://, see:

https://sockjs.popcnt.org/tests-qunit.html?filter=websocket%3A%20echo1

We should give the user an option to opt-in to repond with wss to all requests that come from https Origin.

In #16 we've refactored the API. We should keep the old API for a while (and print 'deprectated' warning) to avoid annoying our users.

How do we relate to http://blog.silktide.com/2011/05/cookie-law-makes-most-uk-websites-illegal-what-you-need-to-know/ ?
Shouldn't we drop cookies in favor of other techniques?

So that you can stream from/to other sockets to the browser
http://nodejs.org/docs/v0.5.7/api/streams.html#stream.pipe

As reported by gdamjan in sockjs/sockjs-client#11

1. Some say that banner is stupid.
2. It's not clear for me what actually should be printed on screen what not. It would be nice to log requests, (apache-style?) but I'm not sure if that should be done within sockjs-node or not. Or maybe a debug flag or something?
3. Is there a popular logging module for node? What other frameworks use?

A banner is a must-have for any decent server. Matthew proposes:

 _---\
\     \
 \     \
  \     \
   \    \
    \    \
    /     |
   /    -/
,-'    /
\___--'

It's used only for $.extend, not enough to justify a heavy dependency.

Opera claims that they have implemented WebSockets. They can be enabled using this config item: opera:config#UserPrefs|EnableWebSockets . Currently, it doesn't work with SockJS-node, it would be nice if it worked.

http://dev.w3.org/html5/websockets/ :

When the WebSocket connection is closed, possibly cleanly, the user agent must queue a task to run the following substeps:

Create an event that uses the CloseEvent interface, with the event name close, which does not bubble, is not
cancelable, has no default action, whose wasClean attribute is initialized to true if the connection closed cleanly and
false otherwise, whose code attribute is initialized to the WebSocket connection close code, and whose reason
attribute is initialized to the WebSocket connection close reason decoded as UTF-8, with error handling, and dispatch
the event at the WebSocket object. [WSP]

Please, consider replacing (or aliasing) status property with code property, and introducing wasClean property which is code === 1000

TIA,
--Vladimir

FF 6.0.2 (at least) sends Connection: keep-alive, Upgrade. Not surprisingly, receives 400, Connection must be "Upgrade".
Please, consider introducing more flexible analysis, or invalidate the way FF opens WebSocket connections.

TIA,
--Vladimir

We should expose origin on a session.

We should also expose referrer

as per: https://twitter.com/#!/jcoglan/status/157945867360419844

Instead of having a custom websocket implementation, let's use @jcoglan 's one:

https://github.com/jcoglan/faye-websocket-node

Just thought I would put this in here so someone else can find it maybe this could go in a readme/wiki page somewhere.

I couldn't get npm working. It doesn't even download the "src" folder (it gets "examples", "node_modules" and the top level files) but gives me no errors just the following output:

npm http GET https://registry.npmjs.org/sockjs
npm http 304 https://registry.npmjs.org/sockjs
npm http GET https://registry.npmjs.org/faye-websocket/0.4.0
npm http GET https://registry.npmjs.org/node-uuid/1.3.3
npm http 304 https://registry.npmjs.org/faye-websocket/0.4.0
npm http 304 https://registry.npmjs.org/node-uuid/1.3.3
[email protected] ./node_modules/sockjs
├── [email protected]
└── [email protected]

But I got it working manually with the following steps:

1. Cloned the git repo and check out the latest stable tag.
2. cd into it and then run "npm install coffee-script"
3. Run the following commands (each of the files in src):

.\node_modules.bin\coffee -o lib -c src\chunking-test.coffee
.\node_modules.bin\coffee -o lib -c src\iframe.coffee
.\node_modules.bin\coffee -o lib -c src\sockjs.coffee

(for some reason coffee didn't like *.coffee in windows)

1. Import the following libraries from npm:

npm install faye-websocket
npm install node-uuid
npm install node-static```

5. Try to run the echo sample with "node examples\echo\server.js" and browse to "http://127.0.0.1:9999".

6. It failed for me with the error:

Error: The "sys" module is now called "util".
at sys.js:1:69
at NativeModule.compile (node.js:548:5)

7. So I replaced the "node_modules\node-static\examples\file-server.js" and "node_modules\node_static\lib\node-static.js" :
```require('sys')```
to be
```require('util')```

Then the echo sample works.

Released examples are wrong, and are using old 0.0 sockjs javascript. Need to do a new release.

eg, what happens if there is not a transport available? (I have disabled all transports other than websockets for our server - was necessary)

var sock = this.socket = new SockJS(this.server_url + '/sockets', ['websocket']);
      sock.onopen = function() {

      };
      sock.onmessage = function(e) {
        if (e.data === self.channel) self.retrieve();
      };
      sock.onclose = function() {
        self.failures++;
        if (self.failures > 5) self.start_polling();
        else setTimeout(function() { self.connect(); }, 1000);
      };

So in that case, is there a way for me to recognize that the websocket will not work?
(btw, I have tested this app with socket.io, the native node-websocket implementation, and sockjs, and so far sockjs is the best all-around)

How does sockjs deal with cluster (node 0.6.x baked-in)? Is this somewhere in the documentation? What will happen when opening a socket on several cluster workers simultaneously?

Installing sockjs with npm submodule sockjs installs the old repository (github.com/majek).

WebSocket transports are inefficient, especially trans-websocket-hybi10.coffee, which iterates character-by-character.

In #36 we started using faye-websocket. Einaros brougt up the question about faye speed: http://twitter.com/einaros/status/147303616439533568 . And his previous benchmarks: http://einaros.github.com/ws/fast.html

We should try to reproduce the results and understand what is the problem.

Need it to know how many users use each particular protocol.
For now it's possible to get it this way:
connection._session.recv.protocol
But this way uses private member of connection and is not documented.

I'm seeing an issue where the connection event is fired twice for XHR requests from the Android browser.

Here is a log of what I'm seeing, the extra logging happens directly after the connection and close events, the source code is available here: https://github.com/lucaspiller/sockjs-demo/blob/master/server.js

SockJS v0.3.0 bound to "/echo"
GET /echo/info 1ms 200
POST /echo/275/_v9pbtqj/xhr_streaming 4ms (unfinished)
new connection d679ef6e-c99f-4665-a452-f4a747708d43
disconnect d679ef6e-c99f-4665-a452-f4a747708d43
POST /echo/275/rhczkkuz/xhr 3ms 200
new connection c4fca7d9-9824-4066-afdd-a21aa24b63b9
POST /echo/275/rhczkkuz/xhr 1ms (unfinished)
POST /echo/275/rhczkkuz/xhr 0ms (unfinished)

I'm new to sockjs (I've played with websockets and socketio before though), so I'm not sure whether this is actually a bug or just a misunderstanding of how it works.

Browser: Android 2.3.7
NodeJs: 0.6.14
SockJS: 0.3.0
Express: 2.5.8

Currently, any char can be passed as a callback paramter for jsonp protocol, this allows a trivial XSS attack, for example:

• https://sockjs1.popcnt.org/echo/a/b/jsonp?callback=%3C!DICTYPE%20html%3E%0A%3Chtml%3E%0A%3Chead%3E%0A%3Cscript%3Ealert%281%29;//

For now, there isn't a known way to exploit this feature, (as with other json-p implementations), but I may be wrong.

To limit the possible attack surface let's alllow only a certain set of characters to be passed to calback paramter, namely:

[a-zA-Z0-9-_.]

supplying any other char shall result in a 500-something error

Because node-waf doesn't work on windows the c++ extension can't be compiled. Can npm differ dependecies depending on the os? sockjs does work without it doesn't it? (i haven't seen any problems).

That error is what Chrome produces in some very rare cases. I'm suspecting, because I'm relaying information from other sources, that some funky Unicode has slipped it, but I'm not sure what.

Socket.io has a similar bug report open: socketio/socket.io#572

Sorry if this is vague. Figured it'd be a good idea to at least document it. I hope to be able to reproduce this soon.

Spec says that send method should accept string, Blob, and ArrayBuffer data types as a parameter. We should support that.

https://github.com/sockjs/sockjs-node/blob/master/src/trans-eventsource.coffee#L11 -- is it still needed now that we always JSON encode strings?

The server sends heartbeats once in a while. This should be configurable.

Hi!

I can't distinguish orderly "close" (one after close frame received) from "disconnect" (when session is timed out)?
"close" event seems to always get 1001 as status. This makes it hard to manage persistent connections.

If close frame is very specific to native WebSocket, should I implement orderly close by sending a special message?
Or do you see another solution?

TIA,
--Vladimir

For example event names: connect not open, end not close and so on

Hi!

I would be more flexible to de-hardcode cookie name, use cookie: 'JSESSIONID' instead of cookie: true, and let options.cookie define actual cookie name.

What do you think?

Best regards,
--Vladimir

Or is it already implemented, and I don't know how to?

Tim raised a very intersting point:
http://groups.google.com/group/sockjs/browse_thread/thread/4a51e07e2fc26aa0

Flushing buffer should be optimized, we should do it on nextTick.

Please, consider providing interface to safely access overwise private MAPS in transport.coffee.
The rationale is to provide means for authors to implement broadcasting and filtering.

TIA,
--Vladimir

In 296a921 we introduced connection.remoteAddress. This kind of makes sense in a context of a web server exposed to the internet, but SockJS will often work behind a proxy.

In such case connection.remoteAddress would be useless (ie: it will always point to proxy).

We should expose X-Forwarded-For in similar matter (for example take a look at haproxy config).

Also proxies (squid?) usually add some magical header (is it x-forwarded-for?).

Maybe connection.remoteAddress should be list? But that introduces a potential security risk - what if user is able to add arbitrary x-forwarded-for (think: ajax) and the application is looking only at the last IP number in the list.

What other frameworks are dealing with that?

For example during ticker we should not see heartbeat frames:

curl http://localhost:8081/ticker/0/0/xhr_streaming -v -X POST

Also, investigate how sockjs-erlang behaves.

It'd be great to be able to do something like the following:

var handler = sockjs.createServer(options);
handler.on('connection', function(conn) {
    console.log(conn.request.path);
});

@msackman suggests that for various reasons user may be late with installing on('close') handler on a connection.

The user should be able to check if the close is going to be fired in future, or in other words - what is the state of the conneciton. This is quite similar to readyState websocket property

Hi!

In order to ease commonjs pattern, wonder if you could consider making Session expose WebSocket-like interface: #sendUTF, #sendBinary, incoming messages of form {type: 'utf8', utf8Data: ...}.

TIA,
--Vladimir

Hello im experimenting with sockjs and when testing on localhost the close event fires and gives all connected users the message that a user just leave. But when i put my app on a online server it doesn´t fire that event!!

You can check it here.
http://er-u-count.herokuapp.com/

var cons = {};

var sockjs_echo = sockjs.createServer(sockjs_opts);
sockjs_echo.on('connection', function(conn) {
console.log('connection' + conn);

//SAY WELCOME
conn.write("Welcome");
//NOTIFY OTHER USERS THAT WE HAVE ARRIVED
broadcastmsg(conn.sesion+" Joined");

cons[conn.id] = conn;

conn.on('data', function(message){
    broadcastmsg(conn.sesion+" SAY: "+message);
});

conn.on('close', function() {
    console.log('close ' + conn);
    delete cons[conn.sesion];
    broadcastmsg(conn.sesion+" is leaving");
});

});

//HELPERS
function broadcastmsg(msg){
for(c in cons){
cons[c].write(msg);
}
}

Is there any way to see if a connection is still on?

At the moment SockJS-node doesn't do any form of flow control, this can lead to a trivial out-of-memory segfault.