etherpad-lite/src/node/hooks/express/socketio.js

var settings = require('../../utils/Settings');
var socketio = require('socket.io');
var socketIORouter = require("../../handler/SocketIORouter");
var hooks = require("ep_etherpad-lite/static/js/pluginfw/hooks");
var webaccess = require("ep_etherpad-lite/node/hooks/express/webaccess");

var padMessageHandler = require("../../handler/PadMessageHandler");

var cookieParser = require('cookie-parser');
var sessionModule = require('express-session');
const util = require('util');

exports.expressCreateServer = function (hook_name, args, cb) {
  //init socket.io and redirect all requests to the MessageHandler
  // there shouldn't be a browser that isn't compatible to all
  // transports in this list at once
  // e.g. XHR is disabled in IE by default, so in IE it should use jsonp-polling
  var io = socketio({
    transports: settings.socketTransportProtocols
  }).listen(args.server, {
    /*
     * Do not set the "io" cookie.
     *
     * The "io" cookie is created by socket.io, and its purpose is to offer an
     * handle to perform load balancing with session stickiness when the library
     * falls back to long polling or below.
     *
     * In Etherpad's case, if an operator needs to load balance, he can use the
     * "express_sid" cookie, and thus "io" is of no use.
     *
     * Moreover, socket.io API does not offer a way of setting the "secure" flag
     * on it, and thus is a liability.
     *
     * Let's simply nuke "io".
     *
     * references:
     *   https://socket.io/docs/using-multiple-nodes/#Sticky-load-balancing
     *   https://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above)
     */
    cookie: false,
  });

  // REQUIRE a signed express-session cookie to be present, then load the session. See
  // http://www.danielbaulig.de/socket-ioexpress for more info. After the session is loaded, ensure
  // that the user has authenticated (if authentication is required).
  //
  // !!!WARNING!!! Requests to /socket.io are NOT subject to the checkAccess middleware in
  // webaccess.js. If this handler fails to check for a signed express-session cookie or fails to
  // check whether the user has authenticated, then any random person on the Internet can read,
  // modify, or create any pad (unless the pad is password protected or an HTTP API session is
  // required).
  const cookieParserFn = util.promisify(cookieParser(webaccess.secret, {}));
  const getSession = util.promisify(args.app.sessionStore.get).bind(args.app.sessionStore);
  io.use(async (socket, next) => {
    const req = socket.request;
    if (!req.headers.cookie) {
      // socketio.js-client on node.js doesn't support cookies (see https://git.io/JU8u9), so the
      // token and express_sid cookies have to be passed via a query parameter for unit tests.
      req.headers.cookie = socket.handshake.query.cookie;
    }
    if (!req.headers.cookie && settings.loadTest) {
      console.warn('bypassing socket.io authentication check due to settings.loadTest');
      return next(null, true);
    }
    try {
      await cookieParserFn(req, {});
      const expressSid = req.signedCookies.express_sid;
      const needAuthn = settings.requireAuthentication;
      if (needAuthn && !expressSid) throw new Error('signed express_sid cookie is required');
      if (expressSid) {
        const session = await getSession(expressSid);
        if (!session) throw new Error('bad session or session has expired');
        req.session = new sessionModule.Session(req, session);
        if (needAuthn && req.session.user == null) throw new Error('authentication required');
      }
    } catch (err) {
      return next(new Error(`access denied: ${err}`), false);
    }
    return next(null, true);
  });

  // var socketIOLogger = log4js.getLogger("socket.io");
  // Debug logging now has to be set at an environment level, this is stupid.
  // https://github.com/Automattic/socket.io/wiki/Migrating-to-1.0
  // This debug logging environment is set in Settings.js

  //minify socket.io javascript
  // Due to a shitty decision by the SocketIO team minification is
  // no longer available, details available at:
  // http://stackoverflow.com/questions/23981741/minify-socket-io-socket-io-js-with-1-0
  // if(settings.minify) io.enable('browser client minification');

  //Initalize the Socket.IO Router
  socketIORouter.setSocketIO(io);
  socketIORouter.addComponent("pad", padMessageHandler);

  hooks.callAll("socketio", {"app": args.app, "io": io, "server": args.server});
}
Moved all the hooks into a hooks directory 2012-02-25 17:23:44 +01:00			`var settings = require('../../utils/Settings');`
really recreate socketio-client in expressCreateServer, fixes #2342 When using plugins, the express server gets restarted. When we do that, the socketio-server should also get restarted. It doesn't. That means that all the events in SocketIORouter.js are bound twice, which causes chaos all over etherpad. This changes our socketio.js so it fully recreates the io-instance when we restart the server. introduced in 95e7b0f15609fc850b71717a672abd02237a0f33, but catching that would have been hard. 2014-11-25 22:38:22 +01:00			`var socketio = require('socket.io');`
Moved all the hooks into a hooks directory 2012-02-25 17:23:44 +01:00			`var socketIORouter = require("../../handler/SocketIORouter");`
Removed old pluginfw stuff 2012-03-01 19:00:58 +01:00			`var hooks = require("ep_etherpad-lite/static/js/pluginfw/hooks");`
Fix socket.io auth: Use connect to parse signed cookies (migrate to express v3) 2012-09-22 16:03:40 +02:00			`var webaccess = require("ep_etherpad-lite/node/hooks/express/webaccess");`
Moved socketio 2012-02-25 16:44:37 +01:00
Moved all the hooks into a hooks directory 2012-02-25 17:23:44 +01:00			`var padMessageHandler = require("../../handler/PadMessageHandler");`
Moved socketio 2012-02-25 16:44:37 +01:00
update for express 4.x 2015-04-07 07:55:05 -05:00			`var cookieParser = require('cookie-parser');`
			`var sessionModule = require('express-session');`
security: Don't require express_sid if authn not required This should make it possible to embed a pad in an iframe from another site as long as `settings.requireAuthentication` is false. 2020-09-23 17:13:07 -04:00			`const util = require('util');`
Remove trailing whitespaces Hoping to minimize future diffs. Not touching vendorized libraries. 2019-04-16 00:34:29 +02:00
Moved socketio 2012-02-25 16:44:37 +01:00			`exports.expressCreateServer = function (hook_name, args, cb) {`
			`//init socket.io and redirect all requests to the MessageHandler`
really recreate socketio-client in expressCreateServer, fixes #2342 When using plugins, the express server gets restarted. When we do that, the socketio-server should also get restarted. It doesn't. That means that all the events in SocketIORouter.js are bound twice, which causes chaos all over etherpad. This changes our socketio.js so it fully recreates the io-instance when we restart the server. introduced in 95e7b0f15609fc850b71717a672abd02237a0f33, but catching that would have been hard. 2014-11-25 22:38:22 +01:00			`// there shouldn't be a browser that isn't compatible to all`
			`// transports in this list at once`
			`// e.g. XHR is disabled in IE by default, so in IE it should use jsonp-polling`
			`var io = socketio({`
			`transports: settings.socketTransportProtocols`
security: stop setting the "io" cookie The "io" cookie is created by socket.io, and its purpose is to offer an handle to perform load balancing with session stickiness when the library falls back to long polling or below. In Etherpad's case, if an operator needs to load balance, he can use the "express_sid" cookie, and thus "io" is of no use. Moreover, socket.io API does not offer a way of setting the "secure" flag on it, and thus is a liability. Let's simply nuke it. References: https://socket.io/docs/using-multiple-nodes/#Sticky-load-balancing https://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above) 2019-12-07 04:20:12 +01:00			`}).listen(args.server, {`
			`/*`
			`* Do not set the "io" cookie.`
			`*`
			`* The "io" cookie is created by socket.io, and its purpose is to offer an`
			`* handle to perform load balancing with session stickiness when the library`
			`* falls back to long polling or below.`
			`*`
			`* In Etherpad's case, if an operator needs to load balance, he can use the`
			`* "express_sid" cookie, and thus "io" is of no use.`
			`*`
			`* Moreover, socket.io API does not offer a way of setting the "secure" flag`
			`* on it, and thus is a liability.`
			`*`
			`* Let's simply nuke "io".`
			`*`
			`* references:`
			`* https://socket.io/docs/using-multiple-nodes/#Sticky-load-balancing`
			`* https://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above)`
			`*/`
			`cookie: false,`
			`});`
Moved socketio 2012-02-25 16:44:37 +01:00
security: Fix authentication bypass vulnerability Before, anyone who could create a socket.io connection to Etherpad could read, modify, and create pads at will without authenticating first. The `checkAccess` middleware in `webaccess.js` normally handles authentication and authorization, but it does not run for `/socket.io` requests. This means that the connection handler in `socketio.js` must handle authentication and authorization. However, before this change: * The handler did not require a signed `express_sid` cookie. * After loading the express-session state, the handler did not check to see if the user had authenticated. Now the handler requires a signed `express_sid` cookie, and it ensures that `socket.request.session.user` is non-null if authentication is required. (`socket.request.session.user` is non-null if and only if the user has authenticated.) 2020-09-11 15:07:33 -04:00			`// REQUIRE a signed express-session cookie to be present, then load the session. See`
			`// http://www.danielbaulig.de/socket-ioexpress for more info. After the session is loaded, ensure`
			`// that the user has authenticated (if authentication is required).`
			`//`
			`// !!!WARNING!!! Requests to /socket.io are NOT subject to the checkAccess middleware in`
			`// webaccess.js. If this handler fails to check for a signed express-session cookie or fails to`
			`// check whether the user has authenticated, then any random person on the Internet can read,`
			`// modify, or create any pad (unless the pad is password protected or an HTTP API session is`
			`// required).`
security: Don't require express_sid if authn not required This should make it possible to embed a pad in an iframe from another site as long as `settings.requireAuthentication` is false. 2020-09-23 17:13:07 -04:00			`const cookieParserFn = util.promisify(cookieParser(webaccess.secret, {}));`
			`const getSession = util.promisify(args.app.sessionStore.get).bind(args.app.sessionStore);`
			`io.use(async (socket, next) => {`
			`const req = socket.request;`
			`if (!req.headers.cookie) {`
tests: Add authentication, authorization bypass tests 2020-09-14 00:39:10 -04:00			`// socketio.js-client on node.js doesn't support cookies (see https://git.io/JU8u9), so the`
			`// token and express_sid cookies have to be passed via a query parameter for unit tests.`
security: Don't require express_sid if authn not required This should make it possible to embed a pad in an iframe from another site as long as `settings.requireAuthentication` is false. 2020-09-23 17:13:07 -04:00			`req.headers.cookie = socket.handshake.query.cookie;`
tests: Add authentication, authorization bypass tests 2020-09-14 00:39:10 -04:00			`}`
security: Don't require express_sid if authn not required This should make it possible to embed a pad in an iframe from another site as long as `settings.requireAuthentication` is false. 2020-09-23 17:13:07 -04:00			`if (!req.headers.cookie && settings.loadTest) {`
socketio: Use Error objects for socket.io connection errors socket.io expects Error objects, otherwise it won't propagate the message to the client. Also do some cleanup. 2020-09-14 00:49:16 -04:00			`console.warn('bypassing socket.io authentication check due to settings.loadTest');`
			`return next(null, true);`
			`}`
security: Don't require express_sid if authn not required This should make it possible to embed a pad in an iframe from another site as long as `settings.requireAuthentication` is false. 2020-09-23 17:13:07 -04:00			`try {`
			`await cookieParserFn(req, {});`
			`const expressSid = req.signedCookies.express_sid;`
			`const needAuthn = settings.requireAuthentication;`
			`if (needAuthn && !expressSid) throw new Error('signed express_sid cookie is required');`
			`if (expressSid) {`
			`const session = await getSession(expressSid);`
			`if (!session) throw new Error('bad session or session has expired');`
			`req.session = new sessionModule.Session(req, session);`
			`if (needAuthn && req.session.user == null) throw new Error('authentication required');`
			`}`
			`} catch (err) {`
			return next(new Error(`access denied: ${err}`), false);
			`}`
			`return next(null, true);`
More general basic auth 2012-04-19 14:25:12 +02:00			`});`

transports 2014-11-04 19:11:06 +00:00			`// var socketIOLogger = log4js.getLogger("socket.io");`
			`// Debug logging now has to be set at an environment level, this is stupid.`
			`// https://github.com/Automattic/socket.io/wiki/Migrating-to-1.0`
			`// This debug logging environment is set in Settings.js`
Moved socketio 2012-02-25 16:44:37 +01:00
			`//minify socket.io javascript`
working handling of setting client ip and anonymizing etc 2014-11-04 23:25:18 +00:00			`// Due to a shitty decision by the SocketIO team minification is`
			`// no longer available, details available at:`
			`// http://stackoverflow.com/questions/23981741/minify-socket-io-socket-io-js-with-1-0`
			`// if(settings.minify) io.enable('browser client minification');`
Remove trailing whitespaces Hoping to minimize future diffs. Not touching vendorized libraries. 2019-04-16 00:34:29 +02:00
Moved socketio 2012-02-25 16:44:37 +01:00			`//Initalize the Socket.IO Router`
			`socketIORouter.setSocketIO(io);`
			`socketIORouter.addComponent("pad", padMessageHandler);`

Differentiate between http server and express app 2012-09-21 17:12:22 +02:00			`hooks.callAll("socketio", {"app": args.app, "io": io, "server": args.server});`
Moved socketio 2012-02-25 16:44:37 +01:00			`}`