# # A BrowserChannel server.
#
# - Its still pretty young, so there's probably bugs lurking around and the API
# will still change quickly.
# - Its missing integration tests
#
# It works in all the browsers I've tried.
#
# I've written this using the literate programming style to try it out. So, thats why
# there's a million comments everywhere.
#
# The server is implemented an express middleware. Its intended to be used like this:
#
# ```
# server = express();
# server.use(browserChannel(function(client) { client.send('hi'); }));
# ```
# ## Dependancies, helper methods and constant data
# `parse` helps us decode URLs in requests
{parse} = require 'url'
# `querystring` will help decode the URL-encoded forward channel data
querystring = require 'querystring'
# `fs` is used to read & serve the client library
fs = require 'fs'
# Client sessions are `EventEmitters`
{EventEmitter} = require 'events'
# Client session Ids are generated using `node-hat`
hat = require('hat').rack(40, 36)
# When sending messages to IE using a hidden iframe, UTF8-encoded characters
# don't get processed correctly. This encodes unicode characters using the
# \u2028 encoding style, which (thankfully) makes it through.
asciijson = require 'ascii-json'
# `randomInt(n)` generates and returns a random int smaller than n (0 <= k < n)
randomInt = (n) -> Math.floor(Math.random() * n)
# `randomArrayElement(array)` Selects and returns a random element from *array*
randomArrayElement = (array) -> array[randomInt(array.length)]
# For testing we'll override `setInterval`, etc with special testing stub versions (so
# we don't have to actually wait for actual *time*. To do that, we need local variable
# versions (I don't want to edit the global versions). ... and they'll just point to the
# normal versions anyway.
{setInterval, clearInterval, setTimeout, clearTimeout, Date} = global
# The module is configurable
defaultOptions =
# An optional array of host prefixes. Each browserchannel client will
# randomly pick from the list of host prefixes when it connects. This reduces
# the impact of per-host connection limits.
#
# All host prefixes should point to the same server. Ie, if your server's
# hostname is *example.com* and your hostPrefixes contains ['a', 'b', 'c'],
# a.example.com, b.example.com and c.example.com should all point to the same
# host as example.com.
hostPrefixes: null
# You can specify the base URL which browserchannel connects to. Change this
# if you want to scope browserchannel in part of your app, or if you want
# /channel to mean something else, or whatever.
#
# I really want to remove this parameter - express 4.0's router is now good
# enough that you can just install the middleware anywhere using express. For
# example:
# app.use('/mycoolpath', browserchannel({base:''}, ...));
#
# Unfortunately you have to force the base option to '' to do that (since it
# defaults to /channel otherwise). What a pain. TODO browserchannel 3.0
base: '/channel'
# We'll send keepalives every so often to make sure the http connection isn't
# closed by eagar clients. The standard timeout is 30 seconds, so we'll
# default to sending them every 20 seconds or so.
keepAliveInterval: 20 * 1000
# After awhile (30 seconds or so) of not having a backchannel connected,
# we'll evict the session completely. This will happen whenever a user closes
# their browser.
sessionTimeoutInterval: 30 * 1000
# By default, browsers don't allow access via javascript to foreign sites.
# You can use the cors: option to set the Access-Control-Allow-Origin header
# in responses, which tells browsers whether or not to allow cross domain
# requests to be sent.
#
# See https://developer.mozilla.org/en/http_access_control for more information.
#
# Setting cors:'*' will enable javascript from any domain to access your
# application. BE CAREFUL! If your application uses cookies to manage user
# sessions, javascript on a foreign site could make requests as if it were
# acting on behalf of one of your users.
#
# Setting cors:'X' is equivalent to adding
# {headers: {'Access-Control-Allow-Origin':X}}.
#
# You may also set cors to a function receiving (request, response)
# and returning desired header value.
cors: null
# Even with Access-Control-Allow-Origin enabled, browsers don't send their
# cookies to different domains. You can set corsAllowCredentials to be true
# to add the `Access-Control-Allow-Credentials: true` header to responses.
# This tells browsers they are allowed to send credentialed requests (ie,
# requests with cookies) to a foreign domain. If you do this, you must *also*
# set {crossDomainXhr:true} in your BCSocket browser options to tell XHR
# requests to send credentials.
#
# Also note that credentialed requests require explicitly mentioned domains
# to work. You cannot use a wildcard cors header (`cors:*`) if you want
# credentials.
#
# See: https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS#Requests_with_credentials
#
# Setting corsAllowCredentials:true is equivalent to adding:
# {headers: {'Access-Control-Allow-Credentials':true}}.
corsAllowCredentials: false
# A user can override all the headers if they want by setting the headers
# option to an object.
headers: null
# All server responses set some standard HTTP headers. To be honest, I don't
# know how many of these are necessary. I just copied them from google.
#
# The nocache headers in particular seem unnecessary since each client request
# includes a randomized `zx=junk` query parameter.
standardHeaders =
'Content-Type': 'text/plain'
'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate'
'Pragma': 'no-cache'
'Expires': 'Fri, 01 Jan 1990 00:00:00 GMT'
'X-Content-Type-Options': 'nosniff'
# Gmail also sends this, though I'm not really sure what it does...
# 'X-Xss-Protection': '1; mode=block'
# The one exception to that is requests destined for iframes. They need to have
# content-type: text/html set for IE to process the juicy JS inside.
ieHeaders = {}
ieHeaders[k] = v for k, v of standardHeaders
ieHeaders['Content-Type'] = 'text/html'
# Google's browserchannel server adds some junk after the first message data is
# sent. I assume this stops some whole-page buffering in IE. I assume the data
# used is noise so it doesn't compress.
#
# I don't really know why google does this. I'm assuming there's a good reason
# to it though.
ieJunk = "7cca69475363026330a0d99468e88d23ce95e222591126443015f5f462d9a177186c8701fb45a6ffe\
e0daf1a178fc0f58cd309308fba7e6f011ac38c9cdd4580760f1d4560a84d5ca0355ecbbed2ab715a3350fe0c47\
9050640bd0e77acec90c58c4d3dd0f5cf8d4510e68c8b12e087bd88cad349aafd2ab16b07b0b1b8276091217a44\
a9fe92fedacffff48092ee693af\n"
# If the user is using IE, instead of using XHR backchannel loaded using a
# forever iframe. When data is sent, it is wrapped in tags
# which call functions in the browserchannel library.
#
# This method wraps the normal `.writeHead()`, `.write()` and `.end()` methods
# by special versions which produce output based on the request's type.
#
# This **is not used** for:
#
# - The first channel test
# - The first *bind* connection a client makes. The server sends arrays there,
# but the connection is a POST and it returns immediately. So that request
# happens using XHR/Trident like regular forward channel requests.
messagingMethods = (options, query, res) ->
type = query.TYPE
if type == 'html' # IE encoding using messaging via a slowly loading script file
junkSent = false
methods =
writeHead: ->
res.writeHead 200, 'OK', ieHeaders
res.write ''
domain = query.DOMAIN
# If the iframe is making the request using a secondary domain, I think
# we need to set the `domain` to the original domain so that we can
# call the response methods.
if domain and domain != ''
# Make sure the domain doesn't contain anything by naughty by
# `JSON.stringify()`-ing it before passing it to the client. There
# are XSS vulnerabilities otherwise.
res.write "\n"
write: (data) ->
# The data is passed to `m()`, which is bound to *onTridentRpcMessage_* in the client.
res.write "\n"
unless junkSent
res.write ieJunk
junkSent = true
end: ->
# Once the data has been received, the client needs to call `d()`,
# which is bound to *onTridentDone_* with success=*true*. The weird
# spacing of this is copied from browserchannel. Its really not
# necessary.
res.end "\n"
# This is a helper method for signalling an error in the request back to the client.
writeError: (statusCode, message) ->
# The HTML (iframe) handler has no way to discover that the embedded
# script tag didn't complete successfully. To signal errors, we return
# **200 OK** and call an exposed rpcClose() method on the page.
methods.writeHead()
res.end "\n"
# For some reason, sending data during the second test (111112) works
# slightly differently for XHR, but its identical for html encoding. We'll
# use a writeRaw() method in that case, which is copied in the case of
# html.
methods.writeRaw = methods.write
methods
else # Encoding for modern browsers
# For normal XHR requests, we send data normally.
writeHead: -> res.writeHead 200, 'OK', options.headers
write: (data) -> res.write "#{data.length}\n#{data}"
writeRaw: (data) -> res.write data
end: -> res.end()
writeError: (statusCode, message) ->
res.writeHead statusCode, options.headers
res.end message
# For telling the client its done bad.
#
# It turns out google's server isn't particularly fussy about signalling errors
# using the proper html RPC stuff, so this is useful for html connections too.
sendError = (res, statusCode, message, options) ->
res.writeHead statusCode, message, options.headers
res.end "#{message}
"
return
# ## Parsing client maps from the forward channel
#
# The client sends data in a series of url-encoded maps. The data is encoded
# like this:
#
# ```
# count=2&ofs=0&req0_x=3&req0_y=10&req1_abc=def
# ```
#
# First, we need to buffer up the request response and query string decode it.
bufferPostData = (req, callback) ->
data = []
req.on 'data', (chunk) ->
data.push chunk.toString 'utf8'
req.on 'end', ->
data = data.join ''
callback data
# Next, we'll need to decode the incoming client data into an array of objects.
#
# The data could be in two different forms:
#
# - Classical browserchannel format, which is a bunch of string->string url-encoded maps
# - A JSON object
#
# We can tell what format the data is in by inspecting the content-type header
#
# ## URL Encoded data
#
# Essentially, url encoded the data looks like this:
#
# ```
# { count: '2',
# ofs: '0',
# req0_x: '3',
# req0_y: '10',
# req1_abc: 'def'
# }
# ```
#
# ... and we will return an object in the form of `[{x:'3', y:'10'}, {abc: 'def'}, ...]`
#
# ## JSON Encoded data
#
# JSON encoded the data looks like:
#
# ```
# { ofs: 0
# , data: [null, {...}, 1000.4, 'hi', ...]
# }
# ```
#
# or `null` if there's no data.
#
# This function returns null if there's no data or {ofs, json:[...]} or {ofs, maps:[...]}
transformData = (req, data) ->
if req.headers['content-type'] == 'application/json'
# We'll restructure it slightly to mark the data as JSON rather than maps.
{ofs, data} = data
{ofs, json:data}
else
count = parseInt data.count
return null if count is 0
# ofs will be missing if count is zero
ofs = parseInt data.ofs
throw new Error 'invalid map data' if isNaN count or isNaN ofs
throw new Error 'Invalid maps' unless count == 0 or (count > 0 and data.ofs?)
maps = new Array count
# Scan through all the keys in the data. Every key of the form:
# `req123_xxx` will be used to populate its map.
regex = /^req(\d+)_(.+)$/
for key, val of data
match = regex.exec key
if match
id = match[1]
mapKey = match[2]
map = (maps[id] ||= {})
# The client uses `mapX_type=_badmap` to signify an error encoding a map.
continue if id == 'type' and mapKey == '_badmap'
map[mapKey] = val
{ofs, maps}
# Decode data string body and get an object back
# Either a query string format or JSON depending on content type
decodeData = (req, data) ->
if req.headers['content-type'] == 'application/json'
JSON.parse data
else
# Maps. Ugh.
#
# By default, querystring.parse only parses out the first 1000 keys from the data.
# maxKeys:0 removes this restriction.
querystring.parse data, '&', '=', maxKeys:0
# This is a helper method to order the handling of messages / requests / whatever.
#
# Use it like this:
# inOrder = order 0
#
# inOrder 1, -> console.log 'second'
# inOrder 0, -> console.log 'first'
#
# Start is the ID of the first element we expect to receive. If we get data for
# earlier elements, we'll play them anyway if playOld is truthy.
order = (start, playOld) ->
# Base is the ID of the (missing) element at the start of the queue
base = start
# The queue will start with about 10 elements. Elements of the queue are
# undefined if we don't have data for that queue element.
queue = new Array 10
(seq, callback) ->
# Its important that all the cells of the array are truthy if we have data.
# We'll use an empty function instead of null.
callback or= ->
# Ignore old messages, or play them back immediately if playOld=true
if seq < base
callback() if playOld
else
queue[seq - base] = callback
while queue[0]
callback = queue.shift()
base++
callback()
return
# Host prefixes provide a way to skirt around connection limits. They're only
# really important for old browsers.
getHostPrefix = (options) ->
if options.hostPrefixes
randomArrayElement options.hostPrefixes
else
null
# We need access to the client's sourcecode. I'm going to get it using a
# synchronous file call (it'll be fast anyway, and only happen once).
#
# I'm also going to set an etag on the client data so the browser client will
# be cached. I'm kind of uncomfortable about adding complexity here because its
# not like this code hasn't been written before, but.. I think a lot of people
# will use this API.
#
# I should probably look into hosting the client code as a javascript module
# using that client-side npm thing.
clientFile = "#{__dirname}/../dist/bcsocket.js"
clientStats = fs.statSync clientFile
try
clientCode = fs.readFileSync clientFile, 'utf8'
catch e
console.error 'Could not load the client javascript. Run `cake client` to generate it.'
throw e
# This is mostly to help development, but if the client is recompiled, I'll
# pull in a new version. This isn't tested by the unit tests - but its not a
# big deal.
#
# The `readFileSync` call here will stop the whole server while the client is
# reloaded. This will only happen during development so its not a big deal.
if process.env.NODE_ENV != 'production'
if process.platform is "win32"
# Windows doesn't support watchFile. See:
# https://github.com/josephg/node-browserchannel/pull/6
fs.watch clientFile, persistent: false, (event, filename) ->
if event is "change"
console.log "Reloading client JS"
clientCode = fs.readFileSync clientFile, 'utf8'
clientStats = curr
else
fs.watchFile clientFile, persistent: false, (curr, prev) ->
if curr.mtime.getTime() isnt prev.mtime.getTime()
console.log "Reloading client JS"
clientCode = fs.readFileSync clientFile, 'utf8'
clientStats = curr
# This code was rewritten from closure-style to class style to make heap dumps
# clearer and make the code run faster in V8 (v8 loves this code style).
BCSession = (address, query, headers, options) ->
EventEmitter.call this
# The session's unique ID for this connection
@id = hat()
# The client stores its IP address and headers from when it first opened
# the session. The handler can use this information for authentication or
# something.
@address = address
@headers = headers
# Add a reference to the query as users can send extra query string
# information using the `extraParams` option on the Socket.
@query = query
# Options are passed in when creating the BrowserChannel middleware
@options = options
# The session is a little state machine. It has the following states:
#
# - **init**: The session has been created and its sessionId hasn't been
# sent yet. The session moves to the **ok** state when the first data
# chunk is sent to the client.
#
# - **ok**: The session is sitting pretty and ready to send and receive
# data. The session will spend most of its time in this state.
#
# - **closed**: The session has been removed from the session list. It can
# no longer be used for any reason.
@state = 'init'
# The client's reported application version, or null. This is sent when the
# connection is first requested, so you can use it to make your application die / stay
# compatible with people who don't close their browsers.
@appVersion = query.CVER or null
# The server sends messages to the client via a hanging GET request. Of course,
# the client has to be the one to open that request.
#
# This is a handle to null, or {res, methods, chunk}
#
# - **res** is the http response object
# - **methods** is a map of send(), etc methods for communicating properly with the backchannel -
# this will be different if the request comes from IE or not.
# - **chunk** specifies whether or not we're going to keep the connection open across multiple
# messages. If there's a buffering proxy in the way of the connection, we can't respond a bit at
# a time, so we close the backchannel after each data chunk. The client decides this during
# testing and passes a CI= parameter to the server when the backchannel connection is established.
# - **bytesSent** specifies how many bytes of data have been sent through the backchannel. We periodically
# close the backchannel and let the client reopen it, so things like the chrome web inspector stay
# usable.
@_backChannel = null
# The server sends data to the client by sending *arrays*. It seems a bit silly that
# client->server messages are maps and server->client messages are arrays, but there it is.
#
# Each entry in this array is of the form [id, data].
@_outgoingArrays = []
# `lastArrayId` is the array ID of the last queued array
@_lastArrayId = -1
# Every request from the client has an *AID* parameter which tells the server the ID
# of the last request the client has received. We won't remove arrays from the outgoingArrays
# list until the client has confirmed its received them.
#
# In `lastSentArrayId` we store the ID of the last array which we actually sent.
@_lastSentArrayId = -1
# If we haven't sent anything for 15 seconds, we'll send a little `['noop']` to the
# client so it knows we haven't forgotten it. (And to make sure the backchannel
# connection doesn't time out.)
@_heartbeat = null
# The session will close if there's been no backchannel for awhile.
@_sessionTimeout = null
# Since the session doesn't start with a backchannel, we'll kick off the timeout timer as soon as its
# created.
@_refreshSessionTimeout()
# The session has just been created. The first thing it needs to tell the client
# is its session id and host prefix and stuff.
#
# It would be pretty easy to add a callback here setting the client status to 'ok' or
# something, but its not really necessary. The client has already connected once the first
# POST /bind has been received.
@_queueArray ['c', @id, getHostPrefix(options), 8]
# ### Maps
#
# The client sends maps to the server using POST requests. Its possible for the requests
# to come in out of order, so sometimes we need to buffer up incoming maps and reorder them
# before emitting them to the user.
#
# Each map has an ID (which starts at 0 when the session is first created).
# We'll emit received data to the user immediately if they're in order, but if they're out of order
# we'll use the little order helper above to order them. The order helper is instructed to not
# emit any old messages twice.
#
# There's a potential DOS attack here whereby a client could just spam the server with
# out-of-order maps until it runs out of memory. We should dump a session if there are
# too many entries in this dictionary.
@_mapBuffer = order 0, false
# This method is called whenever we get maps from the client. Offset is the ID of the first
# map. The data could either be maps or JSON data. If its maps, data contains {maps} and if its
# JSON data, maps contains {JSON}.
#
# Browserchannel has 2 different mechanisms for consistantly ordering messages in the forward channel:
#
# - Each forward channel request contains a request ID (RID=X), which start at a random value
# (set with the first session create packet). These increment by 1 with each request.
#
# If a request fails, it might be retried with the same RID as the previous message, and with extra
# maps tacked on the end. We need to handle the maps in this case.
#
# - Each map has an ID, counting from 0. ofs= in the POST data tells the server the ID of the first
# map in a request.
#
# As far as I can tell, the RID stuff can mostly be ignored. The one place it is important is in
# handling disconnect messages. The session should only be disconnected by a disconnect message when
# the preceeding messages have been received.
# All requests are handled in order too, though if not for disconnecting I don't think it would matter.
# Because of the funky retry-has-extra-maps logic, we'll allow processing requests twice.
@_ridBuffer = order query.RID, true
return
# Sessions extend node's [EventEmitter][] so they
# have access to goodies like `session.on(event, handler)`,
# `session.emit('paarty')`, etc.
# [EventEmitter]: http://nodejs.org/docs/v0.4.12/api/events.html
do ->
for name, method of EventEmitter::
BCSession::[name] = method
return
# The state is modified through this method. It emits events when the state
# changes. (yay)
BCSession::_changeState = (newState) ->
oldState = @state
@state = newState
@emit 'state changed', @state, oldState
BackChannel = (session, res, query) ->
@res = res
@methods = messagingMethods session.options, query, res
@chunk = query.CI == '0'
@bytesSent = 0
@listener = ->
session._backChannel.listener = null
session._clearBackChannel res
return
# I would like this method to be private or something, but it needs to be accessed from
# the HTTP request code below. The _ at the start will hopefully make people think twice
# before using it.
BCSession::_setBackChannel = (res, query) ->
@_clearBackChannel()
@_backChannel = new BackChannel this, res, query
# When the TCP connection underlying the backchannel request is closed, we'll stop using the
# backchannel and start the session timeout clock. The listener is kept so the event handler
# removed once the backchannel is closed.
res.connection.once 'close', @_backChannel.listener
# We'll start the heartbeat interval and clear out the session timeout.
# The session timeout will be started again if the backchannel connection closes for
# any reason.
@_refreshHeartbeat()
clearTimeout @_sessionTimeout
# When a new backchannel is created, its possible that the old backchannel is dead.
# In this case, its possible that previously sent arrays haven't been received.
# By resetting lastSentArrayId, we're effectively rolling back the status of sent arrays
# to only those arrays which have been acknowledged.
if @_outgoingArrays.length > 0
@_lastSentArrayId = @_outgoingArrays[0].id - 1
# Send any arrays we've buffered now that we have a backchannel
@flush()
# This method removes the back channel and any state associated with it. It'll get called
# when the backchannel closes naturally, is replaced or when the connection closes.
BCSession::_clearBackChannel = (res) ->
# clearBackChannel doesn't do anything if we call it repeatedly.
return unless @_backChannel
# Its important that we only delete the backchannel if the closed connection is actually
# the backchannel we're currently using.
return if res? and res != @_backChannel.res
if @_backChannel.listener
# The backchannel listener has been attached to the 'close' event of the underlying TCP
# stream. We don't care about that anymore
@_backChannel.res.connection.removeListener 'close', @_backChannel.listener
@_backChannel.listener = null
# Conveniently, clearTimeout has no effect if the argument is null.
clearTimeout @_heartbeat
@_backChannel.methods.end()
@_backChannel = null
# Whenever we don't have a backchannel, we run the session timeout timer.
@_refreshSessionTimeout()
# This method sets / resets the heartbeat timeout to the full 15 seconds.
BCSession::_refreshHeartbeat = ->
clearTimeout @_heartbeat
session = this
@_heartbeat = setInterval ->
session.send ['noop']
, @options.keepAliveInterval
BCSession::_refreshSessionTimeout = ->
clearTimeout @_sessionTimeout
session = this
@_sessionTimeout = setTimeout ->
session.close 'Timed out'
, @options.sessionTimeoutInterval
# The arrays get removed once they've been acknowledged
BCSession::_acknowledgeArrays = (id) ->
id = parseInt id if typeof id is 'string'
while @_outgoingArrays.length > 0 and @_outgoingArrays[0].id <= id
{confirmcallback} = @_outgoingArrays.shift()
# I've got no idea what to do if we get an exception thrown here. The session will end up
# in an inconsistant state...
confirmcallback?()
return
OutgoingArray = (@id, @data, @sendcallback, @confirmcallback) ->
# Queue an array to be sent. The optional callbacks notifies a caller when the array has been
# sent, and then received by the client.
#
# If the session is already closed, we'll call the confirmation callback immediately with the
# error.
#
# queueArray returns the ID of the queued data chunk.
BCSession::_queueArray = (data, sendcallback, confirmcallback) ->
return confirmcallback? new Error 'closed' if @state is 'closed'
id = ++@_lastArrayId
@_outgoingArrays.push new OutgoingArray(id, data, sendcallback, confirmcallback)
return @_lastArrayId
# Send the array data through the backchannel. This takes an optional callback which
# will be called with no arguments when the client acknowledges the array, or called with an
# error object if the client disconnects before the array is sent.
#
# queueArray can also take a callback argument which is called when the session sends the message
# in the first place. I'm not sure if I should expose this through send - I can't tell if its
# useful beyond the server code.
BCSession::send = (arr, callback) ->
id = @_queueArray arr, null, callback
@flush()
return id
BCSession::_receivedData = (rid, data) ->
session = this
@_ridBuffer rid, ->
return if data is null
throw new Error 'Invalid data' unless data.maps? or data.json?
session._ridBuffer rid
id = data.ofs
# First, classic browserchannel maps.
if data.maps
# If an exception is thrown during this loop, I'm not really sure what the behaviour should be.
for map in data.maps
# The funky do expression here is used to pass the map into the closure.
# Another way to do it is to index into the data.maps array inside the function, but then I'd
# need to pass the index to the closure anyway.
session._mapBuffer id++, do (map) -> ->
return if session.state is 'closed'
session.emit 'map', map
# If you specify the key as JSON, the server will try to decode JSON data from the map and emit
# 'message'. This is a much nicer way to message the server.
if map.JSON?
try
message = JSON.parse map.JSON
catch e
session.close 'Invalid JSON'
return
session.emit 'message', message
# Raw string messages are embedded in a _S: property in a map.
else if map._S?
session.emit 'message', map._S
else
# We have data.json. We'll just emit it directly.
for message in data.json
session._mapBuffer id++, do (map) -> ->
return if session.state is 'closed'
session.emit 'message', message
return
BCSession::_disconnectAt = (rid) ->
session = this
@_ridBuffer rid, -> session.close 'Disconnected'
# When we receive forwardchannel data, we reply with a special little 3-variable array to tell the
# client if it should reopen the backchannel.
#
# This method returns what the forward channel should reply with.
BCSession::_backChannelStatus = ->
# Find the arrays have been sent over the wire but haven't been acknowledged yet
numUnsentArrays = @_lastArrayId - @_lastSentArrayId
unacknowledgedArrays = @_outgoingArrays[... @_outgoingArrays.length - numUnsentArrays]
outstandingBytes = if unacknowledgedArrays.length == 0
0
else
# We don't care about the length of the array IDs or callback functions.
# I'm actually not sure what data the client expects here - the value is just used in a rough
# heuristic to determine if the backchannel should be reopened.
data = (a.data for a in unacknowledgedArrays)
JSON.stringify(data).length
return [
(if @_backChannel then 1 else 0)
@_lastSentArrayId
outstandingBytes
]
# ## Encoding server arrays for the back channel
#
# The server sends data to the client in **chunks**. Each chunk is a *JSON* array prefixed
# by its length in bytes.
#
# The array looks like this:
#
# ```
# [
# [100, ['message', 'one']],
# [101, ['message', 'two']],
# [102, ['message', 'three']]
# ]
# ```
#
# Each individial message is prefixed by its *array id*, which is a counter starting at 0
# when the session is first created and incremented with each array.
# This will actually send the arrays to the backchannel on the next tick if the backchannel
# is alive.
BCSession::flush = ->
session = this
process.nextTick -> session._flush()
BCSession::_flush = ->
return unless @_backChannel
numUnsentArrays = @_lastArrayId - @_lastSentArrayId
if numUnsentArrays > 0
arrays = @_outgoingArrays[@_outgoingArrays.length - numUnsentArrays ...]
# I've abused outgoingArrays to also contain some callbacks. We only send [id, data] to
# the client.
data = ([id, data] for {id, data} in arrays)
bytes = JSON.stringify(data) + "\n"
# Stand back, pro hax! Ideally there is a general solution for escaping these characters
# when converting to JSON.
bytes = bytes.replace(/\u2028/g, "\\u2028")
bytes = bytes.replace(/\u2029/g, "\\u2029")
# **Away!**
@_backChannel.methods.write bytes
@_backChannel.bytesSent += bytes.length
@_lastSentArrayId = @_lastArrayId
# Fire any send callbacks on the messages. These callbacks should only be called once.
# Again, not sure what to do if there are exceptions here.
for a in arrays
if a.sendcallback?
a.sendcallback?()
delete a.sendcallback
# The send callback could have cleared the backchannel by calling close.
if @_backChannel and (!@_backChannel.chunk or @_backChannel.bytesSent > 10 * 1024)
@_clearBackChannel()
# The first backchannel is the client's initial connection. Once we've sent the first
# data chunk to the client, we've officially opened the connection.
@_changeState 'ok' if @state == 'init'
# Signal to a client that it should stop trying to connect. This has no other effect
# on the server session.
#
# `stop` takes a callback which will be called once the message has been *sent* by the server.
# Typically, you should call it like this:
#
# ```
# session.stop ->
# session.close()
# ```
#
# I considered making this automatically close the connection after you've called it, or after
# you've sent the stop message or something, but if I did that it wouldn't be obvious that you
# can still receive messages after stop() has been called. (Because you can!). That would never
# come up when you're testing locally, but it *would* come up in production. This is more obvious.
BCSession::stop = (callback) ->
return if @state is 'closed'
@_queueArray ['stop'], callback, null
@flush()
# This closes a session and makes the server forget about it.
#
# The client might try and reconnect if you only call `close()`. It'll get a new session if it does so.
#
# close takes an optional message argument, which is passed to the send event handlers.
BCSession::close = (message) ->
# You can't double-close.
return if @state == 'closed'
@_changeState 'closed'
@emit 'close', message
@_clearBackChannel()
clearTimeout @_sessionTimeout
for {confirmcallback} in @_outgoingArrays
confirmcallback? new Error(message || 'closed')
return
# ---
#
# # The server middleware
#
# The server module returns a function, which you can call with your
# configuration options. It returns your configured connect middleware, which
# is actually another function.
module.exports = browserChannel = (options, onConnect) ->
if typeof onConnect == 'undefined'
onConnect = options
options = {}
options ||= {}
options[option] ?= value for option, value of defaultOptions
options.headers = {} unless options.headers
options.headers[h] ||= v for h, v of standardHeaders
options.headers['Access-Control-Allow-Origin'] = options.cors if options.cors and typeof options.cors == 'string'
options.headers['Access-Control-Allow-Credentials'] = true if options.corsAllowCredentials
# Strip off a trailing slash in base.
base = options.base
base = base[... base.length - 1] if base.match /\/$/
# Add a leading slash back on base
base = "/#{base}" if base.length > 0 and !base.match /^\//
# map from sessionId -> session
sessions = {}
# # Create a new client session.
#
# This method will start a new client session.
#
# Session ids are generated by [node-hat]. They are guaranteed to be unique.
# [node-hat]: https://github.com/substack/node-hat
#
# This method is synchronous, because a database will never be involved in
# browserchannel session management. Browserchannel sessions only last as
# long as the user's browser is open. If there's any connection turbulence,
# the client will reconnect and get a new session id.
#
# Sometimes a client will specify an old session ID and old array ID. In this
# case, the client is reconnecting and we should evict the named session (if
# it exists).
createSession = (address, query, headers) ->
{OSID: oldSessionId, OAID: oldArrayId} = query
if oldSessionId? and (oldSession = sessions[oldSessionId])
oldSession._acknowledgeArrays oldArrayId
oldSession.close 'Reconnected'
session = new BCSession address, query, headers, options
sessions[session.id] = session
session.on 'close', ->
delete sessions[session.id]
# console.log "closed #{@id}"
return session
# This is the returned middleware. Connect middleware is a function which
# takes in an http request, an http response and a next method.
#
# The middleware can do one of two things:
#
# - Handle the request, sending data back to the server via the response
# - Call `next()`, which allows the next middleware in the stack a chance to
# handle the request.
middleware = (req, res, next) ->
{query, pathname} = parse req.url, true
#console.warn req.method, req.url
# If base is /foo, we don't match /foobar. (Currently no unit tests for this)
return next() if pathname.substring(0, base.length + 1) != "#{base}/"
{writeHead, write, writeRaw, end, writeError} = messagingMethods options, query, res
# # Serving the client
#
# The browserchannel server hosts a usable web client library at /CHANNEL/bcsocket.js.
# This library wraps the google closure library client implementation.
#
# If I have time, I would like to write my own version of the client to add a few features
# (websockets, message acknowledgement callbacks) and do some manual optimisations for speed.
# However, the current version works ok.
if pathname is "#{base}/bcsocket.js"
etag = "\"#{clientStats.size}-#{clientStats.mtime.getTime()}\""
res.writeHead 200, 'OK',
'Content-Type': 'application/javascript',
'ETag': etag,
'Content-Length': clientCode.length
# This code is manually tested because it looks like its impossible to send HEAD requests
# using nodejs's HTTP library at time of writing (0.4.12). (Yeah, I know, rite?)
if req.method is 'HEAD'
res.end()
else
res.end clientCode
# # Connection testing
#
# Before the browserchannel client connects, it tests the connection to make
# sure its working, and to look for buffering proxies.
#
# The server-side code for connection testing is completely stateless.
else if pathname is "#{base}/test"
# This server only supports browserchannel protocol version **8**.
# I have no idea if 400 is the right error here.
return sendError res, 400, 'Version 8 required', options unless query.VER is '8'
#### Phase 1: Server info
# The client is requests host prefixes. The server responds with an array of
# ['hostprefix' or null, 'blockedprefix' or null].
#
# > Actually, I think you might be able to return [] if neither hostPrefix nor blockedPrefix
# > is defined. (Thats what google wave seems to do)
#
# - **hostprefix** is subdomain prepended onto the hostname of each request.
# This gets around browser connection limits. Using this requires a bank of
# configured DNS entries and SSL certificates if you're using HTTPS.
#
# - **blockedprefix** provides network admins a way to blacklist browserchannel
# requests. It is not supported by node-browserchannel.
if query.MODE == 'init' and req.method == 'GET'
hostPrefix = getHostPrefix options
blockedPrefix = null # Blocked prefixes aren't supported.
# We add an extra special header to tell the client that this server likes
# json-encoded forward channel data over form urlencoded channel data.
#
# It might be easier to put these headers in the response body or increment the
# version, but that might conflict with future browserchannel versions.
headers = {}
headers[k] = v for k, v of options.headers
if options.cors and typeof options.cors == 'function'
headers['Access-Control-Allow-Origin'] = options.cors req, res
headers['X-Accept'] = 'application/json; application/x-www-form-urlencoded'
# This is a straight-up normal HTTP request like the forward channel requests.
# We don't use the funny iframe write methods.
res.writeHead 200, 'OK', headers
res.end(JSON.stringify [hostPrefix, blockedPrefix])
else
#### Phase 2: Buffering proxy detection
# The client is trying to determine if their connection is buffered or unbuffered.
# We reply with '11111', then 2 seconds later '2'.
#
# The client should get the data in 2 chunks - but they won't if there's a misbehaving
# corporate proxy in the way or something.
writeHead()
writeRaw '11111'
setTimeout (-> writeRaw '2'; end()), 2000
# # BrowserChannel connection
#
# Once a client has finished testing its connection, it connects.
#
# BrowserChannel communicates through two connections:
#
# - The **forward channel** is used for the client to send data to the server.
# It uses a **POST** request for each message.
# - The **back channel** is used to get data back from the server. This uses a
# hanging **GET** request. If chunking is disallowed (ie, if the proxy buffers)
# then the back channel is closed after each server message.
else if pathname == "#{base}/bind"
# I'm copying the behaviour of unknown SIDs below. I don't know how the client
# is supposed to detect this error, but, eh. The other choice is to `return writeError ...`
return sendError res, 400, 'Version 8 required', options unless query.VER is '8'
# All browserchannel connections have an associated client object. A client
# is created immediately if the connection is new.
if query.SID
session = sessions[query.SID]
# This is a special error code for the client. It tells the client to abandon its
# connection request and reconnect.
#
# For some reason, google replies with the same response on HTTP and HTML requests here.
# I'll follow suit, though its a little weird. Maybe I should do the same with all client
# errors?
return sendError res, 400, 'Unknown SID', options unless session
session._acknowledgeArrays query.AID if query.AID? and session
# ### Forward Channel
if req.method == 'POST'
if session == undefined
# The session is new! Make them a new session object and let the
# application know.
session = createSession req.connection.remoteAddress, query, req.headers
onConnect? session, req
# TODO Emit 'req' for subsequent requests associated with session
session.emit 'req', req
dataError = (e) ->
console.warn 'Error parsing forward channel', e.stack
return sendError res, 400, 'Bad data', options
processData = (data) ->
try
data = transformData req, data
session._receivedData query.RID, data
catch e
return dataError e
if session.state is 'init'
# The initial forward channel request is also used as a backchannel
# for the server's initial data (session id, etc). This connection
# is a little bit special - it is always encoded using
# length-prefixed json encoding and it is closed as soon as the
# first chunk is sent.
res.writeHead 200, 'OK', options.headers
session._setBackChannel res, CI:1, TYPE:'xmlhttp', RID:'rpc'
session.flush()
else if session.state is 'closed'
# If the onConnect handler called close() immediately,
# session.state can be already closed at this point. I'll assume
# there was an authentication problem and treat this as a forbidden
# connection attempt.
sendError res, 403, 'Forbidden', options
else
# On normal forward channels, we reply to the request by telling
# the session if our backchannel is still live and telling it how
# many unconfirmed arrays we have.
response = JSON.stringify session._backChannelStatus()
res.writeHead 200, 'OK', options.headers
res.end "#{response.length}\n#{response}"
if req.body
processData req.body
else
bufferPostData req, (data) ->
try
data = decodeData req, data
catch e
return dataError e
processData data
else if req.method is 'GET'
# ### Back channel
#
# GET messages are usually backchannel requests (server->client).
# Backchannel messages are handled by the session object.
if query.TYPE in ['xmlhttp', 'html']
return sendError res, 400, 'Invalid SID', options if typeof query.SID != 'string' && query.SID.length < 5
return sendError res, 400, 'Expected RPC', options unless query.RID is 'rpc'
writeHead()
session._setBackChannel res, query
# The client can manually disconnect by making a GET request with TYPE='terminate'
else if query.TYPE is 'terminate'
# We don't send any data in the response to the disconnect message.
#
# The client implements this using an img= appended to the page.
session?._disconnectAt query.RID
res.writeHead 200, 'OK', options.headers
res.end()
else
res.writeHead 405, 'Method Not Allowed', options.headers
res.end "Method not allowed"
else
# We'll 404 the user instead of letting another handler take care of it.
# Users shouldn't be using the specified URL prefix for anything else.
res.writeHead 404, 'Not Found', options.headers
res.end "Not found"
middleware.close = ->
for id, session of sessions
session.close()
return
# This is an undocumented, untested treat - if you pass the HTTP server /
# connect server to browserchannel through the options object, it can attach
# a close listener for you automatically.
options.server?.on 'close', middleware.close
middleware
# This will override the timer methods (`setInterval`, etc) with the testing
# stub versions, which are way faster.
browserChannel._setTimerMethods = (methods) ->
{setInterval, clearInterval, setTimeout, clearTimeout, Date} = methods