The Access-Control-Allow-xxx headers added by the cors middleware were
overwritten when sending an error response.
Those lines should have been removed in [1].
[1]: 61b949259e
Related: https://github.com/socketio/engine.io/issues/605
The eiows package is the published version of [1], which is a fork of
uws (a performant WebSocket server written in C++ with bindings for
Node.js).
[1] https://github.com/mmdevries/uws
The WebSocket permessage-deflate extension, while useful is some cases,
adds some extra memory overhead for each WebSocket connection, and
results in huge memory usage in production deployments.
It will now be disabled by default.
In order to catch the following errors:
```
events.js:288
throw er; // Unhandled 'error' event
^
Error: write EPIPE
at afterWriteDispatched (internal/stream_base_commons.js:154:25)
at writeGeneric (internal/stream_base_commons.js:145:3)
at Socket._writeGeneric (net.js:780:11)
at Socket._write (net.js:792:8)
at doWrite (_stream_writable.js:441:12)
at writeOrBuffer (_stream_writable.js:425:5)
at Socket.Writable.write (_stream_writable.js:316:11)
at abortConnection (<myproject>/node_modules/engine.io/lib/server.js:506:12)
at <myproject>/node_modules/engine.io/lib/server.js:353:7
at Server.verify (<myproject>/node_modules/engine.io/lib/server.js:158:14)
at Server.handleUpgrade (<myproject>/node_modules/engine.io/lib/server.js:351:8)
```
Closes https://github.com/socketio/engine.io/issues/596, https://github.com/socketio/engine.io/pull/598
We'll now rely on the standard cors module (https://github.com/expressjs/cors),
instead of the custom implementation that is error-prone and not
really user-friendly.
Breaking change: the handlePreflightRequest option is removed by the
change.
Before:
```
new Server({
handlePreflightRequest: (req, res) => {
res.writeHead(200, {
"Access-Control-Allow-Origin": 'https://example.com',
"Access-Control-Allow-Methods": 'GET',
"Access-Control-Allow-Headers": 'Authorization',
"Access-Control-Allow-Credentials": true
});
res.end();
}
})
```
After:
```
new Server({
cors: {
origin: "https://example.com",
methods: ["GET"],
allowedHeaders: ["Authorization"],
credentials: true
}
})
```
uws is no longer maintained, and did not support Node.js >= 10.
We now use a fork in order to support the newer versions of Node.js.
It is maintained there: https://github.com/mmdevries/uws
And can be installed with: `npm i github:mmdevries/uws#2.4.1`
We could also try to support uWebSockets.js, but it does not have the
same API as ws.
The "engines" attribute has also been added in the package.json file,
since we broke the support for Node.js 6 in the latest minor release.
Source: https://github.com/mmdevries/uws
Related: https://github.com/socketio/engine.io/pull/583
The cookie might be used for sticky-session, but is not mandatory so it
makes sense to disable it by default.
The change also add a SameSite=Lax attribute by default.
Breaking change: the syntax has changed from
```
new Server({
cookieName: "test",
cookieHttpOnly: false,
cookiePath: "/custom"
})
```
to
```
new Server({
cookie: {
name: "test",
httpOnly: false,
path: "/custom"
}
})
```
All other options (domain, maxAge, sameSite, ...) are now supported.
Reference: https://github.com/jshttp/cookie#options-1
The ping packets will now be sent by the server, because the timers set
in the browsers are not reliable enough. We suspect that a lot of
timeout problems came from timers being delayed on the client-side.
Breaking change: v3.x clients will not be able to connect anymore (they
will send a ping packet and timeout while waiting for a pong packet).
Related: https://github.com/socketio/engine.io/issues/312
It's now possible to specify an origins value (default value is '*') when initialising the engine. This value will be returned as the Access-Control-Allow-Origin value.
Related: #449
