feat: remove the 'origins' option

darrachequesne · darrachequesne · commit a8c06006098b · 2020-10-13T23:02:08.000+02:00
The underlying Engine.IO server now supports a 'cors' option, which will be forwarded to the cors module. Breaking change: the 'origins' option is removed Before: ```js new Server(3000, { origins: ["https://example.com"] }); ``` The 'origins' option was used in the allowRequest method, in order to determine whether the request should pass or not. And the Engine.IO server would implicitly add the necessary Access-Control-Allow-xxx headers. After: ```js new Server(3000, { cors: { origin: "https://example.com", methods: ["GET", "POST"], allowedHeaders: ["content-type"] } }); ``` The already existing 'allowRequest' option can be used for validation: ```js new Server(3000, { allowRequest: (req, callback) => { callback(null, req.headers.referer.startsWith("https://example.com")); } }); ```
diff --git a/dist/index.d.ts b/dist/index.d.ts
@@ -97,10 +97,6 @@ interface ServerOptions extends EngineAttachOptions {
      * the adapter to use. Defaults to an instance of the Adapter that ships with socket.io which is memory based.
      */
     adapter: any;
-    /**
-     * the allowed origins (*:*)
-     */
-    origins: string | string[] | ((origin: string, cb: (err: Error, allow: boolean) => void) => void);
     /**
      * the parser to use. Defaults to an instance of the Parser that ships with socket.io.
      */
@@ -115,7 +111,6 @@ export declare class Server extends EventEmitter {
     nsps: Map<string, Namespace>;
     private parentNsps;
     private _adapter;
-    private _origins;
     private _serveClient;
     private eio;
     private engine;
@@ -130,13 +125,6 @@ export declare class Server extends EventEmitter {
     constructor(opts?: Partial<ServerOptions>);
     constructor(srv: http.Server, opts?: Partial<ServerOptions>);
     constructor(srv: number, opts?: Partial<ServerOptions>);
-    /**
-     * Server request verification function, that checks for allowed origins
-     *
-     * @param {http.IncomingMessage} req request
-     * @param {Function} fn callback to be called with the result: `fn(err, success)`
-     */
-    private checkRequest;
     /**
      * Sets/gets whether client code is being served.
      *
@@ -168,13 +156,6 @@ export declare class Server extends EventEmitter {
      * @return {Server|Adapter} self when setting or value when getting
      */
     adapter(v: any): any;
-    /**
-     * Sets the allowed origins for requests.
-     *
-     * @param {String|String[]} v origins
-     * @return {Server|Adapter} self when setting or value when getting
-     */
-    origins(v: any): any;
     /**
      * Attaches socket.io to a server or port.
      *
diff --git a/dist/index.js b/dist/index.js
@@ -33,7 +33,6 @@ const namespace_1 = require("./namespace");
 const parent_namespace_1 = require("./parent-namespace");
 const socket_io_adapter_1 = require("socket.io-adapter");
 const parser = __importStar(require("socket.io-parser"));
-const url_1 = __importDefault(require("url"));
 const debug_1 = __importDefault(require("debug"));
 const debug = debug_1.default("socket.io:server");
 const clientVersion = require("socket.io-client/package.json").version;
@@ -56,42 +55,10 @@ class Server extends events_1.EventEmitter {
         this.parser = opts.parser || parser;
         this.encoder = new this.parser.Encoder();
         this.adapter(opts.adapter || socket_io_adapter_1.Adapter);
-        this.origins(opts.origins || "*:*");
         this.sockets = this.of("/");
         if (srv)
             this.attach(srv, opts);
     }
-    /**
-     * Server request verification function, that checks for allowed origins
-     *
-     * @param {http.IncomingMessage} req request
-     * @param {Function} fn callback to be called with the result: `fn(err, success)`
-     */
-    checkRequest(req, fn) {
-        let origin = req.headers.origin || req.headers.referer;
-        // file:// URLs produce a null Origin which can't be authorized via echo-back
-        if ("null" == origin || null == origin)
-            origin = "*";
-        if (!!origin && typeof this._origins == "function")
-            return this._origins(origin, fn);
-        if (this._origins.indexOf("*:*") !== -1)
-            return fn(null, true);
-        if (origin) {
-            try {
-                const parts = url_1.default.parse(origin);
-                const defaultPort = "https:" == parts.protocol ? 443 : 80;
-                parts.port = parts.port != null ? parts.port : defaultPort;
-                const ok = ~this._origins.indexOf(parts.protocol + "//" + parts.hostname + ":" + parts.port) ||
-                    ~this._origins.indexOf(parts.hostname + ":" + parts.port) ||
-                    ~this._origins.indexOf(parts.hostname + ":*") ||
-                    ~this._origins.indexOf("*:" + parts.port);
-                debug("origin %s is %svalid", origin, !!ok ? "" : "not ");
-                return fn(null, !!ok);
-            }
-            catch (ex) { }
-        }
-        fn(null, false);
-    }
     /**
      * Sets/gets whether client code is being served.
      *
@@ -176,18 +143,6 @@ class Server extends events_1.EventEmitter {
         }
         return this;
     }
-    /**
-     * Sets the allowed origins for requests.
-     *
-     * @param {String|String[]} v origins
-     * @return {Server|Adapter} self when setting or value when getting
-     */
-    origins(v) {
-        if (!arguments.length)
-            return this._origins;
-        this._origins = v;
-        return this;
-    }
     listen(srv, opts = {}) {
         return this.attach(srv, opts);
     }
@@ -212,8 +167,6 @@ class Server extends events_1.EventEmitter {
         }
         // set engine.io path to `/socket.io`
         opts.path = opts.path || this._path;
-        // set origins verification
-        opts.allowRequest = opts.allowRequest || this.checkRequest.bind(this);
         this.initEngine(srv, opts);
         return this;
     }
diff --git a/lib/index.ts b/lib/index.ts
@@ -9,7 +9,6 @@ import { ParentNamespace } from "./parent-namespace";
 import { Adapter, Room, SocketId } from "socket.io-adapter";
 import * as parser from "socket.io-parser";
 import { Encoder } from "socket.io-parser";
-import url from "url";
 import debugModule from "debug";
 import { Socket } from "./socket";
 import { CookieSerializeOptions } from "cookie";
@@ -122,13 +121,6 @@ interface ServerOptions extends EngineAttachOptions {
    * the adapter to use. Defaults to an instance of the Adapter that ships with socket.io which is memory based.
    */
   adapter: any;
-  /**
-   * the allowed origins (*:*)
-   */
-  origins:
-    | string
-    | string[]
-    | ((origin: string, cb: (err: Error, allow: boolean) => void) => void);
   /**
    * the parser to use. Defaults to an instance of the Parser that ships with socket.io.
    */
@@ -155,7 +147,6 @@ export class Server extends EventEmitter {
     ParentNamespace
   > = new Map();
   private _adapter;
-  private _origins;
   private _serveClient: boolean;
   private eio;
   private engine;
@@ -182,48 +173,10 @@ export class Server extends EventEmitter {
     this.parser = opts.parser || parser;
     this.encoder = new this.parser.Encoder();
     this.adapter(opts.adapter || Adapter);
-    this.origins(opts.origins || "*:*");
     this.sockets = this.of("/");
     if (srv) this.attach(srv, opts);
   }
 
-  /**
-   * Server request verification function, that checks for allowed origins
-   *
-   * @param {http.IncomingMessage} req request
-   * @param {Function} fn callback to be called with the result: `fn(err, success)`
-   */
-  private checkRequest(
-    req: http.IncomingMessage,
-    fn: (err: Error, success: boolean) => void
-  ) {
-    let origin = req.headers.origin || req.headers.referer;
-
-    // file:// URLs produce a null Origin which can't be authorized via echo-back
-    if ("null" == origin || null == origin) origin = "*";
-
-    if (!!origin && typeof this._origins == "function")
-      return this._origins(origin, fn);
-    if (this._origins.indexOf("*:*") !== -1) return fn(null, true);
-    if (origin) {
-      try {
-        const parts: any = url.parse(origin);
-        const defaultPort = "https:" == parts.protocol ? 443 : 80;
-        parts.port = parts.port != null ? parts.port : defaultPort;
-        const ok =
-          ~this._origins.indexOf(
-            parts.protocol + "//" + parts.hostname + ":" + parts.port
-          ) ||
-          ~this._origins.indexOf(parts.hostname + ":" + parts.port) ||
-          ~this._origins.indexOf(parts.hostname + ":*") ||
-          ~this._origins.indexOf("*:" + parts.port);
-        debug("origin %s is %svalid", origin, !!ok ? "" : "not ");
-        return fn(null, !!ok);
-      } catch (ex) {}
-    }
-    fn(null, false);
-  }
-
   /**
    * Sets/gets whether client code is being served.
    *
@@ -319,19 +272,6 @@ export class Server extends EventEmitter {
     return this;
   }
 
-  /**
-   * Sets the allowed origins for requests.
-   *
-   * @param {String|String[]} v origins
-   * @return {Server|Adapter} self when setting or value when getting
-   */
-  public origins(v) {
-    if (!arguments.length) return this._origins;
-
-    this._origins = v;
-    return this;
-  }
-
   /**
    * Attaches socket.io to a server or port.
    *
@@ -379,8 +319,6 @@ export class Server extends EventEmitter {
 
     // set engine.io path to `/socket.io`
     opts.path = opts.path || this._path;
-    // set origins verification
-    opts.allowRequest = opts.allowRequest || this.checkRequest.bind(this);
 
     this.initEngine(srv, opts);
 
diff --git a/test/socket.io.ts b/test/socket.io.ts

-Original file line number
+Diff line change
   describe("handshake", () => {
     const request = require("superagent");
 -    it("should disallow request when origin defined and none specified", done => {
 -      const sockets = new Server({ origins: "http://foo.example:*" }).listen(
 -        54013
 -      );
 -      request
 -        .get("http://localhost:54013/socket.io/default/")
 -        .query({ transport: "polling" })
 -        .end((err, res) => {
 -          expect(res.status).to.be(403);
 -          done();
 -        });
 -    });
+-
 -    it("should disallow request when origin defined and a different one specified", done => {
 -      const sockets = new Server({ origins: "http://foo.example:*" }).listen(
 -        54014
 -      );
 -      request
 -        .get("http://localhost:54014/socket.io/default/")
 -        .query({ transport: "polling" })
 -        .set("origin", "http://herp.derp")
 -        .end((err, res) => {
 -          expect(res.status).to.be(403);
 -          done();
 -        });
 -    });
+-
 -    it("should allow request when origin defined an the same is specified", done => {
 -      const sockets = new Server({ origins: "http://foo.example:*" }).listen(
 -        54015
 -      );
 -      request
 -        .get("http://localhost:54015/socket.io/default/")
 -        .set("origin", "http://foo.example")
 -        .query({ transport: "polling" })
 -        .end((err, res) => {
 -          expect(res.status).to.be(200);
 -          done();
 -        });
 -    });
+-
 -    it("should allow request when origin defined as function and same is supplied", done => {
 -      const sockets = new Server({
 -        origins: (origin, callback) => {
 -          if (origin == "http://foo.example") {
 -            return callback(null, true);
 -          }
 -          return callback(null, false);
 +    it("should send the Access-Control-Allow-xxx headers on OPTIONS request", done => {
 +      const sockets = new Server(54013, {
 +        cors: {
 +          origin: "http://localhost:54023",
 +          methods: ["GET", "POST"],
 +          allowedHeaders: ["content-type"],
 +          credentials: true
+        }
 -      }).listen(54016);
 +      });
       request
 -        .get("http://localhost:54016/socket.io/default/")
 -        .set("origin", "http://foo.example")
 +        .options("http://localhost:54013/socket.io/default/")
         .query({ transport: "polling" })
 +        .set("Origin", "http://localhost:54023")
         .end((err, res) => {
 -          expect(res.status).to.be(200);
 -          done();
 -        });
 -    });
 +          expect(res.status).to.be(204);
 -    it("should allow request when origin defined as function and different is supplied", done => {
 -      const sockets = new Server({
 -        origins: (origin, callback) => {
 -          if (origin == "http://foo.example") {
 -            return callback(null, true);
 -          }
 -          return callback(null, false);
 -        }
 -      }).listen(54017);
 -      request
 -        .get("http://localhost:54017/socket.io/default/")
 -        .set("origin", "http://herp.derp")
 -        .query({ transport: "polling" })
 -        .end((err, res) => {
 -          expect(res.status).to.be(403);
 +          expect(res.headers["access-control-allow-origin"]).to.be(
 +            "http://localhost:54023"
 +          );
 +          expect(res.headers["access-control-allow-methods"]).to.be("GET,POST");
 +          expect(res.headers["access-control-allow-headers"]).to.be(
 +            "content-type"
 +          );
 +          expect(res.headers["access-control-allow-credentials"]).to.be("true");
           done();
         });
     });
 -    it("should allow request when origin defined as function and no origin is supplied", done => {
 -      const sockets = new Server({
 -        origins: (origin, callback) => {
 -          if (origin == "*") {
 -            return callback(null, true);
 -          }
 -          return callback(null, false);
 +    it("should send the Access-Control-Allow-xxx headers on GET request", done => {
 +      const sockets = new Server(54014, {
 +        cors: {
 +          origin: "http://localhost:54024",
 +          methods: ["GET", "POST"],
 +          allowedHeaders: ["content-type"],
 +          credentials: true
+        }
 -      }).listen(54021);
 +      });
       request
 -        .get("http://localhost:54021/socket.io/default/")
 +        .get("http://localhost:54014/socket.io/default/")
         .query({ transport: "polling" })
 +        .set("Origin", "http://localhost:54024")
         .end((err, res) => {
           expect(res.status).to.be(200);
 -          done();
 -        });
 -    });
 -    it("should default to port 443 when protocol is https", done => {
 -      const sockets = new Server({ origins: "https://foo.example:443" }).listen(
 -        54036
 -      );
 -      request
 -        .get("http://localhost:54036/socket.io/default/")
 -        .set("origin", "https://foo.example")
 -        .query({ transport: "polling" })
 -        .end((err, res) => {
 -          expect(res.status).to.be(200);
 +          expect(res.headers["access-control-allow-origin"]).to.be(
 +            "http://localhost:54024"
 +          );
 +          expect(res.headers["access-control-allow-credentials"]).to.be("true");
           done();
         });
     });
     it("should allow request if custom function in opts.allowRequest returns true", done => {
       const sockets = new Server(createServer().listen(54022), {
 -        allowRequest: (req, callback) => callback(null, true),
 -        origins: "http://foo.example:*"
 +        allowRequest: (req, callback) => callback(null, true)
       });
       request
           done();
         });
     });
+-
 -    it("should allow request when using an array of origins", done => {
 -      new Server({ origins: ["http://foo.example:54024"] }).listen(54024);
 -      request
 -        .get("http://localhost:54024/socket.io/default/")
 -        .set("origin", "http://foo.example:54024")
 -        .query({ transport: "polling" })
 -        .end((err, res) => {
 -          expect(res.status).to.be(200);
 -          done();
 -        });
 -    });
   });
   describe("close", () => {