feat: remove the 'origins' option

The underlying Engine.IO server now supports a 'cors' option, which will be forwarded to the cors module. Breaking change: the 'origins' option is removed Before: ```js new Server(3000, { origins: ["https://example.com"] }); ``` The 'origins' option was used in the allowRequest method, in order to determine whether the request should pass or not. And the Engine.IO server would implicitly add the necessary Access-Control-Allow-xxx headers. After: ```js new Server(3000, { cors: { origin: "https://example.com", methods: ["GET", "POST"], allowedHeaders: ["content-type"] } }); ``` The already existing 'allowRequest' option can be used for validation: ```js new Server(3000, { allowRequest: (req, callback) => { callback(null, req.headers.referer.startsWith("https://example.com")); } }); ```
socketio · Oct 13, 2020 · a8c0600 · a8c0600
1 parent 8b6b100
commit a8c0600
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 234 deletions.
diff --git a/dist/index.d.ts b/dist/index.d.ts
@@ -97,10 +97,6 @@ interface ServerOptions extends EngineAttachOptions {
      * the adapter to use. Defaults to an instance of the Adapter that ships with socket.io which is memory based.
      */
     adapter: any;
-    /**
-     * the allowed origins (*:*)
-     */
-    origins: string | string[] | ((origin: string, cb: (err: Error, allow: boolean) => void) => void);
     /**
      * the parser to use. Defaults to an instance of the Parser that ships with socket.io.
      */
@@ -115,7 +111,6 @@ export declare class Server extends EventEmitter {
     nsps: Map<string, Namespace>;
     private parentNsps;
     private _adapter;
-    private _origins;
     private _serveClient;
     private eio;
     private engine;
@@ -130,13 +125,6 @@ export declare class Server extends EventEmitter {
     constructor(opts?: Partial<ServerOptions>);
     constructor(srv: http.Server, opts?: Partial<ServerOptions>);
     constructor(srv: number, opts?: Partial<ServerOptions>);
-    /**
-     * Server request verification function, that checks for allowed origins
-     *
-     * @param {http.IncomingMessage} req request
-     * @param {Function} fn callback to be called with the result: `fn(err, success)`
-     */
-    private checkRequest;
     /**
      * Sets/gets whether client code is being served.
      *
@@ -168,13 +156,6 @@ export declare class Server extends EventEmitter {
      * @return {Server|Adapter} self when setting or value when getting
      */
     adapter(v: any): any;
-    /**
-     * Sets the allowed origins for requests.
-     *
-     * @param {String|String[]} v origins
-     * @return {Server|Adapter} self when setting or value when getting
-     */
-    origins(v: any): any;
     /**
      * Attaches socket.io to a server or port.
      *

diff --git a/dist/index.js b/dist/index.js
@@ -33,7 +33,6 @@ const namespace_1 = require("./namespace");
 const parent_namespace_1 = require("./parent-namespace");
 const socket_io_adapter_1 = require("socket.io-adapter");
 const parser = __importStar(require("socket.io-parser"));
-const url_1 = __importDefault(require("url"));
 const debug_1 = __importDefault(require("debug"));
 const debug = debug_1.default("socket.io:server");
 const clientVersion = require("socket.io-client/package.json").version;
@@ -56,42 +55,10 @@ class Server extends events_1.EventEmitter {
         this.parser = opts.parser || parser;
         this.encoder = new this.parser.Encoder();
         this.adapter(opts.adapter || socket_io_adapter_1.Adapter);
-        this.origins(opts.origins || "*:*");
         this.sockets = this.of("/");
         if (srv)
             this.attach(srv, opts);
     }
-    /**
-     * Server request verification function, that checks for allowed origins
-     *
-     * @param {http.IncomingMessage} req request
-     * @param {Function} fn callback to be called with the result: `fn(err, success)`
-     */
-    checkRequest(req, fn) {
-        let origin = req.headers.origin || req.headers.referer;
-        // file:// URLs produce a null Origin which can't be authorized via echo-back
-        if ("null" == origin || null == origin)
-            origin = "*";
-        if (!!origin && typeof this._origins == "function")
-            return this._origins(origin, fn);
-        if (this._origins.indexOf("*:*") !== -1)
-            return fn(null, true);
-        if (origin) {
-            try {
-                const parts = url_1.default.parse(origin);
-                const defaultPort = "https:" == parts.protocol ? 443 : 80;
-                parts.port = parts.port != null ? parts.port : defaultPort;
-                const ok = ~this._origins.indexOf(parts.protocol + "//" + parts.hostname + ":" + parts.port) ||
-                    ~this._origins.indexOf(parts.hostname + ":" + parts.port) ||
-                    ~this._origins.indexOf(parts.hostname + ":*") ||
-                    ~this._origins.indexOf("*:" + parts.port);
-                debug("origin %s is %svalid", origin, !!ok ? "" : "not ");
-                return fn(null, !!ok);
-            }
-            catch (ex) { }
-        }
-        fn(null, false);
-    }
     /**
      * Sets/gets whether client code is being served.
      *
@@ -176,18 +143,6 @@ class Server extends events_1.EventEmitter {
         }
         return this;
     }
-    /**
-     * Sets the allowed origins for requests.
-     *
-     * @param {String|String[]} v origins
-     * @return {Server|Adapter} self when setting or value when getting
-     */
-    origins(v) {
-        if (!arguments.length)
-            return this._origins;
-        this._origins = v;
-        return this;
-    }
     listen(srv, opts = {}) {
         return this.attach(srv, opts);
     }
@@ -212,8 +167,6 @@ class Server extends events_1.EventEmitter {
         }
         // set engine.io path to `/socket.io`
         opts.path = opts.path || this._path;
-        // set origins verification
-        opts.allowRequest = opts.allowRequest || this.checkRequest.bind(this);
         this.initEngine(srv, opts);
         return this;
     }

diff --git a/lib/index.ts b/lib/index.ts
@@ -9,7 +9,6 @@ import { ParentNamespace } from "./parent-namespace";
 import { Adapter, Room, SocketId } from "socket.io-adapter";
 import * as parser from "socket.io-parser";
 import { Encoder } from "socket.io-parser";
-import url from "url";
 import debugModule from "debug";
 import { Socket } from "./socket";
 import { CookieSerializeOptions } from "cookie";
@@ -122,13 +121,6 @@ interface ServerOptions extends EngineAttachOptions {
    * the adapter to use. Defaults to an instance of the Adapter that ships with socket.io which is memory based.
    */
   adapter: any;
-  /**
-   * the allowed origins (*:*)
-   */
-  origins:
-    | string
-    | string[]
-    | ((origin: string, cb: (err: Error, allow: boolean) => void) => void);
   /**
    * the parser to use. Defaults to an instance of the Parser that ships with socket.io.
    */
@@ -155,7 +147,6 @@ export class Server extends EventEmitter {
     ParentNamespace
   > = new Map();
   private _adapter;
-  private _origins;
   private _serveClient: boolean;
   private eio;
   private engine;
@@ -182,48 +173,10 @@ export class Server extends EventEmitter {
     this.parser = opts.parser || parser;
     this.encoder = new this.parser.Encoder();
     this.adapter(opts.adapter || Adapter);
-    this.origins(opts.origins || "*:*");
     this.sockets = this.of("/");
     if (srv) this.attach(srv, opts);
   }
 
-  /**
-   * Server request verification function, that checks for allowed origins
-   *
-   * @param {http.IncomingMessage} req request
-   * @param {Function} fn callback to be called with the result: `fn(err, success)`
-   */
-  private checkRequest(
-    req: http.IncomingMessage,
-    fn: (err: Error, success: boolean) => void
-  ) {
-    let origin = req.headers.origin || req.headers.referer;
-
-    // file:// URLs produce a null Origin which can't be authorized via echo-back
-    if ("null" == origin || null == origin) origin = "*";
-
-    if (!!origin && typeof this._origins == "function")
-      return this._origins(origin, fn);
-    if (this._origins.indexOf("*:*") !== -1) return fn(null, true);
-    if (origin) {
-      try {
-        const parts: any = url.parse(origin);
-        const defaultPort = "https:" == parts.protocol ? 443 : 80;
-        parts.port = parts.port != null ? parts.port : defaultPort;
-        const ok =
-          ~this._origins.indexOf(
-            parts.protocol + "//" + parts.hostname + ":" + parts.port
-          ) ||
-          ~this._origins.indexOf(parts.hostname + ":" + parts.port) ||
-          ~this._origins.indexOf(parts.hostname + ":*") ||
-          ~this._origins.indexOf("*:" + parts.port);
-        debug("origin %s is %svalid", origin, !!ok ? "" : "not ");
-        return fn(null, !!ok);
-      } catch (ex) {}
-    }
-    fn(null, false);
-  }
-
   /**
    * Sets/gets whether client code is being served.
    *
@@ -319,19 +272,6 @@ export class Server extends EventEmitter {
     return this;
   }
 
-  /**
-   * Sets the allowed origins for requests.
-   *
-   * @param {String|String[]} v origins
-   * @return {Server|Adapter} self when setting or value when getting
-   */
-  public origins(v) {
-    if (!arguments.length) return this._origins;
-
-    this._origins = v;
-    return this;
-  }
-
   /**
    * Attaches socket.io to a server or port.
    *
@@ -379,8 +319,6 @@ export class Server extends EventEmitter {
 
     // set engine.io path to `/socket.io`
     opts.path = opts.path || this._path;
-    // set origins verification
-    opts.allowRequest = opts.allowRequest || this.checkRequest.bind(this);
 
     this.initEngine(srv, opts);