auto_login on open instead of separate message. token now in querystring instead of separate message after open. lowers latency and less boilerplate for auto reconnect.
Created by boogerlad on May 18, 2020
5SAL2YA2IIYRBZSNM6SBKHSD6UFP67GDOR5J6W2WXREYLJZEFJ6AC Dependencies
- [2]
LWG4EVVTDO3IO46PTT5LGO7A2KSFPGZXSRNI7G3ZMXIAZACBB4IQC - [3]
7RKEQK2KPXJ2MEHPVSY7ROMHW6FTTKCXSMZV5MEXPFZKESZQYUUAC - [4]
WYTMZJFYVKHR4QH7AV5JUNWXT6NAC5NNQNPZCQSDI6LGI7DVXFYAC - [5]
P7PFZMZQ5S7GZRJVYE6ACAIDKVTD6YHOOGBHZ52MBSGAIDDGJTBQC - [6]
UXLEHDHRPKDY6DXD2Q64ULMVTPOPMQW6VAOPHG5K5HX24YPGG3MQC - [7]
6QCQLOKDENPPQQ4ZIWHSZSBUCO7TDYPMUE4JPIVF7AYQXGL5QRTQC - [8]
SRIPJD5O5RNXAH2EOCTVJRGFSNNC4LDPBB44AE7FPEXGTC66NYTAC - [9]
2FPZGFF5PCGNV45HOB6TROMJFPURHPXM7YSPWNXCHFJS7EICVKQAC - [10]
63VXWIHIAKGK7J4VTNRUAG2V32N2QUSWFELB6GD34S54FGRWAPCQC - [11]
WYEWZOEIGDF3SIG6LHQVOKHI6MTDEYMRWZFGDFCEH27EDL2H4BVQC
In channels
main
Change contents
Insertion in server.js at line 2 [4.590]
Replacement in server.js at line 54 [4.590]
Replacement in server.js at line 56 [4.590]
console.log('A WebSocket connected via URL: ' + req.getUrl() + '!');console.log('WebSocket opened');let parameters = qs.parse(req.getQuery());if(parameters.token) {let user = (await pool.query('select * from usr where token_hash = $1 and now() < token_expiry', [crypto.createHash('BLAKE2b512').update(Buffer.from(parameters.token, 'base64')).digest()])).rows[0];//possible timing attack?if(user === undefined) {ws.send(JSON.stringify({response_ID: 'firth',data: 'invalid token'}));} else {ws.user_ID = user.user_id;ws.user_type = user.type;desensitize(user);ws.send(JSON.stringify({response_ID: 'firth',data: user}));//disallow multiple sockets with same credentialslet old = authenticated.get(user.user_id);if(old !== undefined) {delete old.user_ID;delete old.user_type;//old.send()logout event//old.close()??}authenticated.set(user.user_id, ws);ws.publish('user/authenticated', JSON.stringify({what: 'user/authenticated',//tbdhow: 'update',data: authenticated.size}));}}Replacement in server.js at line 96 [4.590]
Insertion in server.js at line 190 [4.590]
Insertion in server.js at line 217 [4.590]
Deletion in server.js at line 241 [4.590]
case 'auto_login':if(isLoggedIn(ws)) {ws.send(JSON.stringify({response_ID: request_ID,data: "already logged in"}));} else {let user = (await pool.query('select * from usr where token_hash = $1 and now() < token_expiry', [crypto.createHash('BLAKE2b512').update(Buffer.from(parameters.token, 'base64')).digest()])).rows[0];//possible timing attack?if(user === undefined) {ws.send(JSON.stringify({response_ID: request_ID,data: "invalid token"}));} else {ws.user_ID = user.user_id;ws.user_type = user.type;desensitize(user);ws.send(JSON.stringify({response_ID: request_ID,data: user}));//disallow multiple sockets with same credentialslet old = authenticated.get(user.user_id);if(old !== undefined) {delete old.user_ID;delete old.user_type;//old.send()logout event}authenticated.set(user.user_id, ws);ws.publish('user/authenticated', JSON.stringify({what: 'user/authenticated',//tbdhow: 'update',data: authenticated.size}));}}break;