The Access-Control-Allow-xxx headers added by the cors middleware were
overwritten when sending an error response.
Those lines should have been removed in [1].
[1]: 61b949259e
Related: https://github.com/socketio/engine.io/issues/605
The WebSocket permessage-deflate extension, while useful is some cases,
adds some extra memory overhead for each WebSocket connection, and
results in huge memory usage in production deployments.
It will now be disabled by default.
So that bundlers like webpack do not try to include it in the build.
As a side-effect, any implementation which matches the API of the ws
module can now be used.
Before that change, you had to explicitly exclude uws:
```
// webpack.config.js
module.exports = {
// ...
externals: {
uws: 'uws'
}
};
```
Related: https://github.com/socketio/engine.io/issues/575
In order to catch the following errors:
```
events.js:288
throw er; // Unhandled 'error' event
^
Error: write EPIPE
at afterWriteDispatched (internal/stream_base_commons.js:154:25)
at writeGeneric (internal/stream_base_commons.js:145:3)
at Socket._writeGeneric (net.js:780:11)
at Socket._write (net.js:792:8)
at doWrite (_stream_writable.js:441:12)
at writeOrBuffer (_stream_writable.js:425:5)
at Socket.Writable.write (_stream_writable.js:316:11)
at abortConnection (<myproject>/node_modules/engine.io/lib/server.js:506:12)
at <myproject>/node_modules/engine.io/lib/server.js:353:7
at Server.verify (<myproject>/node_modules/engine.io/lib/server.js:158:14)
at Server.handleUpgrade (<myproject>/node_modules/engine.io/lib/server.js:351:8)
```
Closes https://github.com/socketio/engine.io/issues/596, https://github.com/socketio/engine.io/pull/598
This change reduces the default value from 100 mb to a more sane 1 mb.
This helps protect the server against denial of service attacks by
malicious clients sending huge amounts of data.
We'll now rely on the standard cors module (https://github.com/expressjs/cors),
instead of the custom implementation that is error-prone and not
really user-friendly.
Breaking change: the handlePreflightRequest option is removed by the
change.
Before:
```
new Server({
handlePreflightRequest: (req, res) => {
res.writeHead(200, {
"Access-Control-Allow-Origin": 'https://example.com',
"Access-Control-Allow-Methods": 'GET',
"Access-Control-Allow-Headers": 'Authorization',
"Access-Control-Allow-Credentials": true
});
res.end();
}
})
```
After:
```
new Server({
cors: {
origin: "https://example.com",
methods: ["GET"],
allowedHeaders: ["Authorization"],
credentials: true
}
})
```
The cookie might be used for sticky-session, but is not mandatory so it
makes sense to disable it by default.
The change also add a SameSite=Lax attribute by default.
Breaking change: the syntax has changed from
```
new Server({
cookieName: "test",
cookieHttpOnly: false,
cookiePath: "/custom"
})
```
to
```
new Server({
cookie: {
name: "test",
httpOnly: false,
path: "/custom"
}
})
```
All other options (domain, maxAge, sameSite, ...) are now supported.
Reference: https://github.com/jshttp/cookie#options-1
The ping packets will now be sent by the server, because the timers set
in the browsers are not reliable enough. We suspect that a lot of
timeout problems came from timers being delayed on the client-side.
Breaking change: v3.x clients will not be able to connect anymore (they
will send a ping packet and timeout while waiting for a pong packet).
Related: https://github.com/socketio/engine.io/issues/312
It's now possible to specify an origins value (default value is '*') when initialising the engine. This value will be returned as the Access-Control-Allow-Origin value.
Related: #449
Since the 'Origin' header is used as response header, a value with invalid characters would trigger
'The header content contains invalid characters' errors.
Closes#517
The server often crashes with 'TypeError: "list" argument must be an Array of Buffers' errors,
which is caused by a bug in new versions of node, where setEncoding call does not work for messages
that are already in the queue.
This pull request makes sure that concat is never called in the non binary case, even if
setEncoding does not work properly.
When the `verify` method fails, the current implementation closes the
connection immediately, which is understood by some proxy (such as
nginx) as if the server was not available (resulting in "upstream
prematurely closed connection while reading response header from
upstream" error). That commit make sure a proper response is sent
before closing the connection.
Before that commit, undefined callbacks were also added to the array,
which could lead to 'Maximum call stack size exceeded' error when
flush() method was called.
Fixes#399
