etherpad-lite/src/node/hooks/express/socketio.js

var settings = require('../../utils/Settings');
var socketio = require('socket.io');
var socketIORouter = require("../../handler/SocketIORouter");
var hooks = require("ep_etherpad-lite/static/js/pluginfw/hooks");
var webaccess = require("ep_etherpad-lite/node/hooks/express/webaccess");

var padMessageHandler = require("../../handler/PadMessageHandler");

var cookieParser = require('cookie-parser');
var sessionModule = require('express-session');

exports.expressCreateServer = function (hook_name, args, cb) {
  //init socket.io and redirect all requests to the MessageHandler
  // there shouldn't be a browser that isn't compatible to all
  // transports in this list at once
  // e.g. XHR is disabled in IE by default, so in IE it should use jsonp-polling
  var io = socketio({
    transports: settings.socketTransportProtocols
  }).listen(args.server, {
    /*
     * Do not set the "io" cookie.
     *
     * The "io" cookie is created by socket.io, and its purpose is to offer an
     * handle to perform load balancing with session stickiness when the library
     * falls back to long polling or below.
     *
     * In Etherpad's case, if an operator needs to load balance, he can use the
     * "express_sid" cookie, and thus "io" is of no use.
     *
     * Moreover, socket.io API does not offer a way of setting the "secure" flag
     * on it, and thus is a liability.
     *
     * Let's simply nuke "io".
     *
     * references:
     *   https://socket.io/docs/using-multiple-nodes/#Sticky-load-balancing
     *   https://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above)
     */
    cookie: false,
  });

  // REQUIRE a signed express-session cookie to be present, then load the session. See
  // http://www.danielbaulig.de/socket-ioexpress for more info. After the session is loaded, ensure
  // that the user has authenticated (if authentication is required).
  //
  // !!!WARNING!!! Requests to /socket.io are NOT subject to the checkAccess middleware in
  // webaccess.js. If this handler fails to check for a signed express-session cookie or fails to
  // check whether the user has authenticated, then any random person on the Internet can read,
  // modify, or create any pad (unless the pad is password protected or an HTTP API session is
  // required).
  var cookieParserFn = cookieParser(webaccess.secret, {});
  io.use((socket, next) => {
    var data = socket.request;
    if (!data.headers.cookie && settings.loadTest) {
      console.warn('bypassing socket.io authentication check due to settings.loadTest');
      return next(null, true);
    }
    const fail = (msg) => { return next(new Error(msg), false); };
    cookieParserFn(data, {}, function(err) {
      if (err) return fail('access denied: unable to parse express_sid cookie');
      const expressSid = data.signedCookies.express_sid;
      if (!expressSid) return fail ('access denied: signed express_sid cookie is required');
      args.app.sessionStore.get(expressSid, (err, session) => {
        if (err || !session) return fail('access denied: bad session or session has expired');
        data.session = new sessionModule.Session(data, session);
        if (settings.requireAuthentication && data.session.user == null) {
          return fail('access denied: authentication required');
        }
        next(null, true);
      });
    });
  });

  // var socketIOLogger = log4js.getLogger("socket.io");
  // Debug logging now has to be set at an environment level, this is stupid.
  // https://github.com/Automattic/socket.io/wiki/Migrating-to-1.0
  // This debug logging environment is set in Settings.js

  //minify socket.io javascript
  // Due to a shitty decision by the SocketIO team minification is
  // no longer available, details available at:
  // http://stackoverflow.com/questions/23981741/minify-socket-io-socket-io-js-with-1-0
  // if(settings.minify) io.enable('browser client minification');

  //Initalize the Socket.IO Router
  socketIORouter.setSocketIO(io);
  socketIORouter.addComponent("pad", padMessageHandler);

  hooks.callAll("socketio", {"app": args.app, "io": io, "server": args.server});
}
Moved all the hooks into a hooks directory 2012-02-25 17:23:44 +01:00			`var settings = require('../../utils/Settings');`
really recreate socketio-client in expressCreateServer, fixes #2342 When using plugins, the express server gets restarted. When we do that, the socketio-server should also get restarted. It doesn't. That means that all the events in SocketIORouter.js are bound twice, which causes chaos all over etherpad. This changes our socketio.js so it fully recreates the io-instance when we restart the server. introduced in 95e7b0f15609fc850b71717a672abd02237a0f33, but catching that would have been hard. 2014-11-25 22:38:22 +01:00			`var socketio = require('socket.io');`
Moved all the hooks into a hooks directory 2012-02-25 17:23:44 +01:00			`var socketIORouter = require("../../handler/SocketIORouter");`
Removed old pluginfw stuff 2012-03-01 19:00:58 +01:00			`var hooks = require("ep_etherpad-lite/static/js/pluginfw/hooks");`
Fix socket.io auth: Use connect to parse signed cookies (migrate to express v3) 2012-09-22 16:03:40 +02:00			`var webaccess = require("ep_etherpad-lite/node/hooks/express/webaccess");`
Moved socketio 2012-02-25 16:44:37 +01:00
Moved all the hooks into a hooks directory 2012-02-25 17:23:44 +01:00			`var padMessageHandler = require("../../handler/PadMessageHandler");`
Moved socketio 2012-02-25 16:44:37 +01:00
update for express 4.x 2015-04-07 07:55:05 -05:00			`var cookieParser = require('cookie-parser');`
			`var sessionModule = require('express-session');`
Remove trailing whitespaces Hoping to minimize future diffs. Not touching vendorized libraries. 2019-04-16 00:34:29 +02:00
Moved socketio 2012-02-25 16:44:37 +01:00			`exports.expressCreateServer = function (hook_name, args, cb) {`
			`//init socket.io and redirect all requests to the MessageHandler`
really recreate socketio-client in expressCreateServer, fixes #2342 When using plugins, the express server gets restarted. When we do that, the socketio-server should also get restarted. It doesn't. That means that all the events in SocketIORouter.js are bound twice, which causes chaos all over etherpad. This changes our socketio.js so it fully recreates the io-instance when we restart the server. introduced in 95e7b0f15609fc850b71717a672abd02237a0f33, but catching that would have been hard. 2014-11-25 22:38:22 +01:00			`// there shouldn't be a browser that isn't compatible to all`
			`// transports in this list at once`
			`// e.g. XHR is disabled in IE by default, so in IE it should use jsonp-polling`
			`var io = socketio({`
			`transports: settings.socketTransportProtocols`
security: stop setting the "io" cookie The "io" cookie is created by socket.io, and its purpose is to offer an handle to perform load balancing with session stickiness when the library falls back to long polling or below. In Etherpad's case, if an operator needs to load balance, he can use the "express_sid" cookie, and thus "io" is of no use. Moreover, socket.io API does not offer a way of setting the "secure" flag on it, and thus is a liability. Let's simply nuke it. References: https://socket.io/docs/using-multiple-nodes/#Sticky-load-balancing https://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above) 2019-12-07 04:20:12 +01:00			`}).listen(args.server, {`
			`/*`
			`* Do not set the "io" cookie.`
			`*`
			`* The "io" cookie is created by socket.io, and its purpose is to offer an`
			`* handle to perform load balancing with session stickiness when the library`
			`* falls back to long polling or below.`
			`*`
			`* In Etherpad's case, if an operator needs to load balance, he can use the`
			`* "express_sid" cookie, and thus "io" is of no use.`
			`*`
			`* Moreover, socket.io API does not offer a way of setting the "secure" flag`
			`* on it, and thus is a liability.`
			`*`
			`* Let's simply nuke "io".`
			`*`
			`* references:`
			`* https://socket.io/docs/using-multiple-nodes/#Sticky-load-balancing`
			`* https://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above)`
			`*/`
			`cookie: false,`
			`});`
Moved socketio 2012-02-25 16:44:37 +01:00
security: Fix authentication bypass vulnerability Before, anyone who could create a socket.io connection to Etherpad could read, modify, and create pads at will without authenticating first. The `checkAccess` middleware in `webaccess.js` normally handles authentication and authorization, but it does not run for `/socket.io` requests. This means that the connection handler in `socketio.js` must handle authentication and authorization. However, before this change: * The handler did not require a signed `express_sid` cookie. * After loading the express-session state, the handler did not check to see if the user had authenticated. Now the handler requires a signed `express_sid` cookie, and it ensures that `socket.request.session.user` is non-null if authentication is required. (`socket.request.session.user` is non-null if and only if the user has authenticated.) 2020-09-11 15:07:33 -04:00			`// REQUIRE a signed express-session cookie to be present, then load the session. See`
			`// http://www.danielbaulig.de/socket-ioexpress for more info. After the session is loaded, ensure`
			`// that the user has authenticated (if authentication is required).`
			`//`
			`// !!!WARNING!!! Requests to /socket.io are NOT subject to the checkAccess middleware in`
			`// webaccess.js. If this handler fails to check for a signed express-session cookie or fails to`
			`// check whether the user has authenticated, then any random person on the Internet can read,`
			`// modify, or create any pad (unless the pad is password protected or an HTTP API session is`
			`// required).`
update for express 4.x 2015-04-07 07:55:05 -05:00			`var cookieParserFn = cookieParser(webaccess.secret, {});`
socketio: Use Error objects for socket.io connection errors socket.io expects Error objects, otherwise it won't propagate the message to the client. Also do some cleanup. 2020-09-14 00:49:16 -04:00			`io.use((socket, next) => {`
auth fix 2014-11-04 18:17:39 +00:00			`var data = socket.request;`
socketio: Use Error objects for socket.io connection errors socket.io expects Error objects, otherwise it won't propagate the message to the client. Also do some cleanup. 2020-09-14 00:49:16 -04:00			`if (!data.headers.cookie && settings.loadTest) {`
			`console.warn('bypassing socket.io authentication check due to settings.loadTest');`
			`return next(null, true);`
			`}`
			`const fail = (msg) => { return next(new Error(msg), false); };`
security: Fix authentication bypass vulnerability Before, anyone who could create a socket.io connection to Etherpad could read, modify, and create pads at will without authenticating first. The `checkAccess` middleware in `webaccess.js` normally handles authentication and authorization, but it does not run for `/socket.io` requests. This means that the connection handler in `socketio.js` must handle authentication and authorization. However, before this change: * The handler did not require a signed `express_sid` cookie. * After loading the express-session state, the handler did not check to see if the user had authenticated. Now the handler requires a signed `express_sid` cookie, and it ensures that `socket.request.session.user` is non-null if authentication is required. (`socket.request.session.user` is non-null if and only if the user has authenticated.) 2020-09-11 15:07:33 -04:00			`cookieParserFn(data, {}, function(err) {`
socketio: Use Error objects for socket.io connection errors socket.io expects Error objects, otherwise it won't propagate the message to the client. Also do some cleanup. 2020-09-14 00:49:16 -04:00			`if (err) return fail('access denied: unable to parse express_sid cookie');`
			`const expressSid = data.signedCookies.express_sid;`
			`if (!expressSid) return fail ('access denied: signed express_sid cookie is required');`
			`args.app.sessionStore.get(expressSid, (err, session) => {`
			`if (err \|\| !session) return fail('access denied: bad session or session has expired');`
security: Fix authentication bypass vulnerability Before, anyone who could create a socket.io connection to Etherpad could read, modify, and create pads at will without authenticating first. The `checkAccess` middleware in `webaccess.js` normally handles authentication and authorization, but it does not run for `/socket.io` requests. This means that the connection handler in `socketio.js` must handle authentication and authorization. However, before this change: * The handler did not require a signed `express_sid` cookie. * After loading the express-session state, the handler did not check to see if the user had authenticated. Now the handler requires a signed `express_sid` cookie, and it ensures that `socket.request.session.user` is non-null if authentication is required. (`socket.request.session.user` is non-null if and only if the user has authenticated.) 2020-09-11 15:07:33 -04:00			`data.session = new sessionModule.Session(data, session);`
			`if (settings.requireAuthentication && data.session.user == null) {`
socketio: Use Error objects for socket.io connection errors socket.io expects Error objects, otherwise it won't propagate the message to the client. Also do some cleanup. 2020-09-14 00:49:16 -04:00			`return fail('access denied: authentication required');`
ux: Better ux for if cookies are disabled or not available. 2020-06-01 20:17:48 +01:00			`}`
socketio: Use Error objects for socket.io connection errors socket.io expects Error objects, otherwise it won't propagate the message to the client. Also do some cleanup. 2020-09-14 00:49:16 -04:00			`next(null, true);`
Fix socket.io auth: Use connect to parse signed cookies (migrate to express v3) 2012-09-22 16:03:40 +02:00			`});`
security: Fix authentication bypass vulnerability Before, anyone who could create a socket.io connection to Etherpad could read, modify, and create pads at will without authenticating first. The `checkAccess` middleware in `webaccess.js` normally handles authentication and authorization, but it does not run for `/socket.io` requests. This means that the connection handler in `socketio.js` must handle authentication and authorization. However, before this change: * The handler did not require a signed `express_sid` cookie. * After loading the express-session state, the handler did not check to see if the user had authenticated. Now the handler requires a signed `express_sid` cookie, and it ensures that `socket.request.session.user` is non-null if authentication is required. (`socket.request.session.user` is non-null if and only if the user has authenticated.) 2020-09-11 15:07:33 -04:00			`});`
More general basic auth 2012-04-19 14:25:12 +02:00			`});`

transports 2014-11-04 19:11:06 +00:00			`// var socketIOLogger = log4js.getLogger("socket.io");`
			`// Debug logging now has to be set at an environment level, this is stupid.`
			`// https://github.com/Automattic/socket.io/wiki/Migrating-to-1.0`
			`// This debug logging environment is set in Settings.js`
Moved socketio 2012-02-25 16:44:37 +01:00
			`//minify socket.io javascript`
working handling of setting client ip and anonymizing etc 2014-11-04 23:25:18 +00:00			`// Due to a shitty decision by the SocketIO team minification is`
			`// no longer available, details available at:`
			`// http://stackoverflow.com/questions/23981741/minify-socket-io-socket-io-js-with-1-0`
			`// if(settings.minify) io.enable('browser client minification');`
Remove trailing whitespaces Hoping to minimize future diffs. Not touching vendorized libraries. 2019-04-16 00:34:29 +02:00
Moved socketio 2012-02-25 16:44:37 +01:00			`//Initalize the Socket.IO Router`
			`socketIORouter.setSocketIO(io);`
			`socketIORouter.addComponent("pad", padMessageHandler);`

Differentiate between http server and express app 2012-09-21 17:12:22 +02:00			`hooks.callAll("socketio", {"app": args.app, "io": io, "server": args.server});`
Moved socketio 2012-02-25 16:44:37 +01:00			`}`