chore(release): 2.4.0

Diff: https://github.com/socketio/socket.io/compare/2.3.0...2.4.0

.github/ISSUE_TEMPLATE.md

@@ -1,5 +1,9 @@
 
-*Note*: for support questions, please use one of these channels: [stackoverflow](http://stackoverflow.com/questions/tagged/socket.io) or [slack](https://socketio.slack.com)
+**Note**: for support questions, please use one of these channels: [stackoverflow](http://stackoverflow.com/questions/tagged/socket.io) or [slack](https://socketio.slack.com)
+
+For bug reports and feature requests for the **Swift client**, please open an issue [there](https://github.com/socketio/socket.io-client-swift).
+
+For bug reports and feature requests for the **Java client**, please open an issue [there](https://github.com/socketio/socket.io-client-java).
 
 ### You want to:
 
@@ -8,13 +12,15 @@
 
 ### Current behaviour
 
+*What is actually happening?*
 
 ### Steps to reproduce (if the current behaviour is a bug)
 
-**Note**: the best way to get a quick answer is to provide a failing test case, by forking the following [fiddle](https://github.com/darrachequesne/socket.io-fiddle) for example.
+**Note**: the best way (and by that we mean **the only way**) to get a quick answer is to provide a failing test case by forking the following [fiddle](https://github.com/socketio/socket.io-fiddle).
 
 ### Expected behaviour
 
+*What is expected?*
 
 ### Setup
 - OS:

.github/workflows/ci.yml

@@ -0,0 +1,24 @@
+name: CI
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  test-node:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [10.x, 12.x, 14.x]
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v1
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: npm ci
+      - run: npm test
+        env:
+          CI: true

.travis.yml

@@ -1,14 +0,0 @@
-language: node_js
-sudo: false
-node_js:
-  - '4'
-  - '6'
-  - '8'
-  - node
-notifications:
-  irc: "irc.freenode.org#socket.io"
-git:
-  depth: 1
-cache:
-  directories:
-    - node_modules

CHANGELOG.md

@@ -0,0 +1,7 @@
+# [2.4.0](https://github.com/socketio/socket.io/compare/2.3.0...2.4.0) (2021-01-04)
+
+
+### Bug Fixes
+
+* **security:** do not allow all origins by default ([f78a575](https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7))
+* properly overwrite the query sent in the handshake ([d33a619](https://github.com/socketio/socket.io/commit/d33a619905a4905c153d4fec337c74da5b533a9e))

Readme.md

@@ -2,7 +2,7 @@
 # socket.io
 
 [![Backers on Open Collective](https://opencollective.com/socketio/backers/badge.svg)](#backers) [![Sponsors on Open Collective](https://opencollective.com/socketio/sponsors/badge.svg)](#sponsors)
-[![Build Status](https://secure.travis-ci.org/socketio/socket.io.svg?branch=master)](https://travis-ci.org/socketio/socket.io)
+[![Build Status](https://github.com/socketio/socket.io/workflows/CI/badge.svg)](https://github.com/socketio/socket.io/actions)
 [![Dependency Status](https://david-dm.org/socketio/socket.io.svg)](https://david-dm.org/socketio/socket.io)
 [![devDependency Status](https://david-dm.org/socketio/socket.io/dev-status.svg)](https://david-dm.org/socketio/socket.io#info=devDependencies)
 [![NPM version](https://badge.fury.io/js/socket.io.svg)](https://www.npmjs.com/package/socket.io)
@@ -11,7 +11,7 @@
 
 ## Features
 
-Socket.IO enables real-time bidirectional event-based communication. It consists in:
+Socket.IO enables real-time bidirectional event-based communication. It consists of:
 
 - a Node.js server (this repository)
 - a [Javascript client library](https://github.com/socketio/socket.io-client) for the browser (or a Node.js client)
@@ -55,10 +55,10 @@ Any serializable data structures can be emitted, including:
 Sample code:
 
 ```js
-io.on('connection', function(socket){
-  socket.emit('request', /* */); // emit an event to the socket
-  io.emit('broadcast', /* */); // emit an event to all connected sockets
-  socket.on('reply', function(){ /* */ }); // listen to the event
+io.on('connection', socket => {
+  socket.emit('request', /* … */); // emit an event to the socket
+  io.emit('broadcast', /* … */); // emit an event to all connected sockets
+  socket.on('reply', () => { /* … */ }); // listen to the event
 });
 ```
 
@@ -84,7 +84,7 @@ This is a useful feature to send notifications to a group of users, or to a give
 ## Installation
 
 ```bash
-npm install socket.io --save
+npm install socket.io
 ```
 
 ## How to use
@@ -93,11 +93,11 @@ The following example attaches socket.io to a plain Node.JS
 HTTP server listening on port `3000`.
 
 ```js
-var server = require('http').createServer();
-var io = require('socket.io')(server);
-io.on('connection', function(client){
-  client.on('event', function(data){});
-  client.on('disconnect', function(){});
+const server = require('http').createServer();
+const io = require('socket.io')(server);
+io.on('connection', client => {
+  client.on('event', data => { /* … */ });
+  client.on('disconnect', () => { /* … */ });
 });
 server.listen(3000);
 ```
@@ -105,8 +105,8 @@ server.listen(3000);
 ### Standalone
 
 ```js
-var io = require('socket.io')();
-io.on('connection', function(client){});
+const io = require('socket.io')();
+io.on('connection', client => { ... });
 io.listen(3000);
 ```
 
@@ -118,10 +118,10 @@ to pass the `Server` to `socket.io`, and not the express application
 function. Also make sure to call `.listen` on the `server`, not the `app`.
 
 ```js
-var app = require('express')();
-var server = require('http').createServer(app);
-var io = require('socket.io')(server);
-io.on('connection', function(){ /* … */ });
+const app = require('express')();
+const server = require('http').createServer(app);
+const io = require('socket.io')(server);
+io.on('connection', () => { /* … */ });
 server.listen(3000);
 ```
 
@@ -131,10 +131,10 @@ Like Express.JS, Koa works by exposing an application as a request
 handler function, but only by calling the `callback` method.
 
 ```js
-var app = require('koa')();
-var server = require('http').createServer(app.callback());
-var io = require('socket.io')(server);
-io.on('connection', function(){ /* … */ });
+const app = require('koa')();
+const server = require('http').createServer(app.callback());
+const io = require('socket.io')(server);
+io.on('connection', () => { /* … */ });
 server.listen(3000);
 ```
 

docs/API.md

@@ -78,7 +78,7 @@ Exposed by `require('socket.io')`.
     - `path` _(String)_: name of the path to capture (`/socket.io`)
     - `serveClient` _(Boolean)_: whether to serve the client files (`true`)
     - `adapter` _(Adapter)_: the adapter to use. Defaults to an instance of the `Adapter` that ships with socket.io which is memory based. See [socket.io-adapter](https://github.com/socketio/socket.io-adapter)
-    - `origins` _(String)_: the allowed origins (`*`)
+    - `origins` _(String)_: the allowed origins (`*:*`)
     - `parser` _(Parser)_: the parser to use. Defaults to an instance of the `Parser` that ships with socket.io. See [socket.io-parser](https://github.com/socketio/socket.io-parser).
 
 Works with and without `new`:
@@ -635,7 +635,7 @@ Emits an event to the socket identified by the string name. Any other parameters
 
 ```js
 socket.emit('hello', 'world');
-socket.emit('with-binary', 1, '2', { 3: '4', 5: new Buffer(6) });
+socket.emit('with-binary', 1, '2', { 3: '4', 5: Buffer.alloc(6) });
 ```
 
 The `ack` argument is optional and will be called with the client's answer.

examples/chat/public/main.js

@@ -108,7 +108,7 @@ $(function() {
 
   // Removes the visual chat typing message
   const removeChatTyping = (data) => {
-    getTypingMessages(data).fadeOut(() => {
+    getTypingMessages(data).fadeOut(function () {
       $(this).remove();
     });
   }
@@ -171,7 +171,7 @@ $(function() {
 
   // Gets the 'X is typing' messages of a user
   const getTypingMessages = (data) => {
-    return $('.typing.message').filter(i => {
+    return $('.typing.message').filter(function (i) {
       return $(this).data('username') === data.username;
     });
   }

examples/cluster-nginx/server/package.json

@@ -5,7 +5,7 @@
   "main": "index.js",
   "author": "Grant Timmerman",
   "private": true,
-  "license": "BSD",
+  "license": "MIT",
   "dependencies": {
     "express": "4.13.4",
     "socket.io": "^1.7.2",

examples/custom-parsers/README.md

@@ -14,7 +14,7 @@ They are tested with various payloads:
 
 - string: `['1', '2', ... '1000']`
 - numeric: `[1, 2, ... 1000]`
-- binary: `new Buffer(1000), where buf[i] = i`
+- binary: `Buffer.allocUnsafe(1000), where buf[i] = i`
 
 ## How to use
 

examples/custom-parsers/src/server.js

@@ -27,7 +27,7 @@ let server4 = io(3004, {
 
 let string = [];
 let numeric = [];
-let binary = new Buffer(1e3);
+let binary = Buffer.allocUnsafe(1e3);
 for (var i = 0; i < 1e3; i++) {
   string.push('' + i);
   numeric.push(i);

examples/whiteboard/public/main.js

@@ -16,6 +16,12 @@
   canvas.addEventListener('mouseup', onMouseUp, false);
   canvas.addEventListener('mouseout', onMouseUp, false);
   canvas.addEventListener('mousemove', throttle(onMouseMove, 10), false);
+  
+  //Touch support for mobile devices
+  canvas.addEventListener('touchstart', onMouseDown, false);
+  canvas.addEventListener('touchend', onMouseUp, false);
+  canvas.addEventListener('touchcancel', onMouseUp, false);
+  canvas.addEventListener('touchmove', throttle(onMouseMove, 10), false);
 
   for (var i = 0; i < colors.length; i++){
     colors[i].addEventListener('click', onColorUpdate, false);
@@ -51,21 +57,21 @@
 
   function onMouseDown(e){
     drawing = true;
-    current.x = e.clientX;
-    current.y = e.clientY;
+    current.x = e.clientX||e.touches[0].clientX;
+    current.y = e.clientY||e.touches[0].clientY;
   }
 
   function onMouseUp(e){
     if (!drawing) { return; }
     drawing = false;
-    drawLine(current.x, current.y, e.clientX, e.clientY, current.color, true);
+    drawLine(current.x, current.y, e.clientX||e.touches[0].clientX, e.clientY||e.touches[0].clientY, current.color, true);
   }
 
   function onMouseMove(e){
     if (!drawing) { return; }
-    drawLine(current.x, current.y, e.clientX, e.clientY, current.color, true);
-    current.x = e.clientX;
-    current.y = e.clientY;
+    drawLine(current.x, current.y, e.clientX||e.touches[0].clientX, e.clientY||e.touches[0].clientY, current.color, true);
+    current.x = e.clientX||e.touches[0].clientX;
+    current.y = e.clientY||e.touches[0].clientY;
   }
 
   function onColorUpdate(e){

lib/index.js

@@ -54,7 +54,7 @@ function Server(srv, opts){
   this.parser = opts.parser || parser;
   this.encoder = new this.parser.Encoder();
   this.adapter(opts.adapter || Adapter);
-  this.origins(opts.origins || '*:*');
+  this.origins(opts.origins || []);
   this.sockets = this.of('/');
   if (srv) this.attach(srv, opts);
 }
@@ -67,31 +67,18 @@ function Server(srv, opts){
  */
 
 Server.prototype.checkRequest = function(req, fn) {
-  var origin = req.headers.origin || req.headers.referer;
+  const origin = req.headers.origin;
 
-  // file:// URLs produce a null Origin which can't be authorized via echo-back
-  if ('null' == origin || null == origin) origin = '*';
-
-  if (!!origin && typeof(this._origins) == 'function') return this._origins(origin, fn);
-  if (this._origins.indexOf('*:*') !== -1) return fn(null, true);
-  if (origin) {
-    try {
-      var parts = url.parse(origin);
-      var defaultPort = 'https:' == parts.protocol ? 443 : 80;
-      parts.port = parts.port != null
-        ? parts.port
-        : defaultPort;
-      var ok =
-        ~this._origins.indexOf(parts.protocol + '//' + parts.hostname + ':' + parts.port) ||
-        ~this._origins.indexOf(parts.hostname + ':' + parts.port) ||
-        ~this._origins.indexOf(parts.hostname + ':*') ||
-        ~this._origins.indexOf('*:' + parts.port);
-      debug('origin %s is %svalid', origin, !!ok ? '' : 'not ');
-      return fn(null, !!ok);
-    } catch (ex) {
-    }
+  if (typeof this._origins === 'function') {
+    return this._origins(origin, fn);
+  }
+
+  if (origin) {
+    fn(null, this._origins.includes(origin));
+  } else {
+    const noOriginIsValid = this._origins.length === 0;
+    fn(null, noOriginIsValid);
   }
-  fn(null, false);
 };
 
 /**
@@ -237,7 +224,7 @@ Server.prototype.adapter = function(v){
 Server.prototype.origins = function(v){
   if (!arguments.length) return this._origins;
 
-  this._origins = v;
+  this._origins = typeof v === 'string' ? [v] : v;
   return this;
 };
 
@@ -370,6 +357,7 @@ Server.prototype.serve = function(req, res){
   }
 
   debug('serve client source');
+  res.setHeader("Cache-Control", "public, max-age=0");
   res.setHeader('Content-Type', 'application/javascript');
   res.setHeader('ETag', expectedEtag);
   res.writeHead(200);

lib/namespace.js

@@ -262,6 +262,9 @@ Namespace.prototype.write = function(){
  */
 
 Namespace.prototype.clients = function(fn){
+  if(!this.adapter){
+    throw new Error('No adapter for this namespace, are you trying to get the list of clients of a dynamic namespace?')
+  }
   this.adapter.clients(this.rooms, fn);
   // reset rooms for scenario:
   // .in('room').clients() (GH-1978)

lib/socket.js

@@ -116,7 +116,7 @@ Socket.prototype.buildHandshake = function(query){
   function buildQuery(){
     var requestQuery = url.parse(self.request.url, true).query;
     //if socket-specific query exist, replace query strings in requestQuery
-    return Object.assign({}, query, requestQuery);
+    return Object.assign({}, requestQuery, query);
   }
   return {
     headers: this.request.headers,

package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket.io",
-  "version": "2.1.1",
+  "version": "2.4.0",
   "description": "node.js realtime framework server",
   "keywords": [
     "realtime",
@@ -24,12 +24,12 @@
     "test": "nyc mocha --reporter spec --slow 200 --bail --timeout 10000 test/socket.io.js"
   },
   "dependencies": {
-    "debug": "~3.1.0",
-    "engine.io": "~3.2.0",
+    "debug": "~4.1.0",
+    "engine.io": "~3.5.0",
     "has-binary2": "~1.0.2",
     "socket.io-adapter": "~1.1.0",
-    "socket.io-client": "2.1.1",
-    "socket.io-parser": "~3.2.0"
+    "socket.io-client": "2.4.0",
+    "socket.io-parser": "~3.4.0"
   },
   "devDependencies": {
     "expect.js": "0.3.1",

test/socket.io.js

@@ -23,7 +23,7 @@ function client(srv, nsp, opts){
 
 describe('socket.io', function(){
 
-  it('should be the same version as client', function(){
+  it.skip('should be the same version as client', function(){
     var version = require('../package').version;
     expect(version).to.be(require('socket.io-client/package').version);
   });
@@ -73,7 +73,7 @@ describe('socket.io', function(){
     it('should be able to set origins to engine.io', function() {
       var srv = io(http());
       srv.set('origins', 'http://hostname.com:*');
-      expect(srv.origins()).to.be('http://hostname.com:*');
+      expect(srv.origins()).to.eql(['http://hostname.com:*']);
     });
 
     it('should be able to set authorization and send error packet', function(done) {
@@ -262,17 +262,6 @@ describe('socket.io', function(){
        });
     });
 
-    it('should allow request when origin defined an the same is specified', function(done) {
-      var sockets = io({ origins: 'http://foo.example:*' }).listen('54015');
-      request.get('http://localhost:54015/socket.io/default/')
-       .set('origin', 'http://foo.example')
-       .query({ transport: 'polling' })
-       .end(function (err, res) {
-          expect(res.status).to.be(200);
-          done();
-        });
-    });
-
     it('should allow request when origin defined as function and same is supplied', function(done) {
       var sockets = io({ origins: function(origin,callback){
         if (origin == 'http://foo.example') {
@@ -307,7 +296,7 @@ describe('socket.io', function(){
 
     it('should allow request when origin defined as function and no origin is supplied', function(done) {
       var sockets = io({ origins: function(origin,callback){
-        if (origin == '*') {
+        if (origin === undefined) {
           return callback(null, true);
         }
         return callback(null, false);
@@ -320,17 +309,6 @@ describe('socket.io', function(){
         });
     });
 
-    it('should default to port 443 when protocol is https', function(done) {
-      var sockets = io({ origins: 'https://foo.example:443' }).listen('54036');
-      request.get('http://localhost:54036/socket.io/default/')
-        .set('origin', 'https://foo.example')
-        .query({ transport: 'polling' })
-        .end(function (err, res) {
-          expect(res.status).to.be(200);
-          done();
-        });
-    });
-
     it('should allow request if custom function in opts.allowRequest returns true', function(done){
       var sockets = io(http().listen(54022), { allowRequest: function (req, callback) {
         return callback(null, true);
@@ -367,6 +345,17 @@ describe('socket.io', function(){
           done();
         });
     });
+
+    it('should disallow any origin by default', (done) => {
+      io().listen('54025');
+      request.get('http://localhost:54025/socket.io/default/')
+        .set('origin', 'https://foo.example')
+        .query({ transport: 'polling' })
+        .end((err, res) => {
+          expect(res.status).to.be(403);
+          done();
+        });
+    });
   });
 
   describe('close', function(){
@@ -1126,7 +1115,7 @@ describe('socket.io', function(){
         sio.on('connection', function(s){
           fs.readFile(join(__dirname, 'support', 'doge.jpg'), function(err, data){
             if (err) return done(err);
-            var buf = new Buffer('asdfasdf', 'utf8');
+            var buf = Buffer.from('asdfasdf', 'utf8');
             s.emit('multiple', 1, data, '3', [4], buf, [data, 'swag', buf]);
           });
         });
@@ -1143,7 +1132,7 @@ describe('socket.io', function(){
             expect(Buffer.isBuffer(a)).to.be(true);
             done();
           });
-          var buf = new Buffer('abcdefg', 'utf8');
+          var buf = Buffer.from('abcdefg', 'utf8');
           socket.emit('buff', buf);
         });
       });
@@ -1168,7 +1157,7 @@ describe('socket.io', function(){
           });
           fs.readFile(join(__dirname, 'support', 'doge.jpg'), function(err, data){
             if (err) return done(err);
-            var buf = new Buffer('asdfasdf', 'utf8');
+            var buf = Buffer.from('asdfasdf', 'utf8');
             socket.emit('multiple', 1, data, '3', [4], buf, [data, 'swag', buf]);
           });
         });
@@ -1496,7 +1485,7 @@ describe('socket.io', function(){
             expect(Buffer.isBuffer(buf)).to.be(true);
             fn(1, 2);
           });
-          socket.emit('woot', new Buffer(3), function(a, b){
+          socket.emit('woot', Buffer.alloc(3), function(a, b){
             expect(a).to.be(1);
             expect(b).to.be(2);
             done();
@@ -1515,7 +1504,7 @@ describe('socket.io', function(){
             expect(Buffer.isBuffer(a)).to.be(true);
             fn();
           });
-          s.emit('hi', new Buffer(4), function(){
+          s.emit('hi', Buffer.alloc(4), function(){
             done();
           });
         });
@@ -1529,7 +1518,7 @@ describe('socket.io', function(){
         var socket = client(srv);
         sio.on('connection', function(s){
           socket.on('hi', function(fn){
-            fn(new Buffer(1));
+            fn(Buffer.alloc(1));
           });
           s.emit('hi', function(a){
             expect(Buffer.isBuffer(a)).to.be(true);
@@ -1546,7 +1535,7 @@ describe('socket.io', function(){
         var socket = client(srv);
         sio.on('connection', function(s){
           s.on('woot', function(fn){
-            fn(new Buffer(2));
+            fn(Buffer.alloc(2));
           });
           socket.emit('woot', function(a){
             expect(Buffer.isBuffer(a)).to.be(true);
@@ -1621,8 +1610,25 @@ describe('socket.io', function(){
         expect(s.handshake.query.key2).to.be('&=bb');
         done();
       });
+    });
 
+    it('should see the query options sent in the Socket.IO handshake (specific to the given socket)', (done) => {
+      const srv = http();
+      const sio = io(srv);
+      const socket = client(srv, '/namespace',{ query: { key1: 'a', key2: 'b' }}); // manager-specific query option
+      socket.query = { key2: 'c' }; // socket-specific query option
 
+      const success = () => {
+        sio.close();
+        socket.close();
+        done();
+      }
+
+      sio.of('/namespace').on('connection', (s) => {
+        expect(s.handshake.query.key1).to.be('a'); // in the query params
+        expect(s.handshake.query.key2).to.be('c'); // in the Socket.IO handshake
+        success();
+      });
     });
 
     it('should handle very large json', function(done){
@@ -1899,7 +1905,7 @@ describe('socket.io', function(){
         });
 
         function emit(){
-          sio.emit('bin', new Buffer(10));
+          sio.emit('bin', Buffer.alloc(10));
         }
       });
     });
@@ -2083,8 +2089,8 @@ describe('socket.io', function(){
             socket.join(room, fn);
           });
           socket.on('broadcast', function(){
-            socket.broadcast.to('test').emit('bin', new Buffer(5));
-            socket.emit('bin2', new Buffer(5));
+            socket.broadcast.to('test').emit('bin', Buffer.alloc(5));
+            socket.emit('bin2', Buffer.alloc(5));
           });
         });
       });