OLD | NEW |
(Empty) | |
| 1 // Copyright (c) 2014, the Dart project authors. Please see the AUTHORS file |
| 2 // for details. All rights reserved. Use of this source code is governed by a |
| 3 // BSD-style license that can be found in the LICENSE file. |
| 4 |
| 5 library shelf_web_socket.web_socket_handler; |
| 6 |
| 7 import 'dart:convert'; |
| 8 |
| 9 import 'package:http_parser/http_parser.dart'; |
| 10 import 'package:shelf/shelf.dart'; |
| 11 |
| 12 /// A class that exposes a handler for upgrading WebSocket requests. |
| 13 class WebSocketHandler { |
| 14 /// The function to call when a request is upgraded. |
| 15 final Function _onConnection; |
| 16 |
| 17 /// The set of protocols the user supports, or `null`. |
| 18 final Set<String> _protocols; |
| 19 |
| 20 /// The set of allowed browser origin connections, or `null`.. |
| 21 final Set<String> _allowedOrigins; |
| 22 |
| 23 WebSocketHandler(this._onConnection, this._protocols, this._allowedOrigins); |
| 24 |
| 25 /// The [Handler]. |
| 26 Response handle(Request request) { |
| 27 if (request.method != 'GET') return _notFound(); |
| 28 |
| 29 var connection = request.headers['Connection']; |
| 30 if (connection == null) return _notFound(); |
| 31 if (connection.toLowerCase() != 'upgrade') return _notFound(); |
| 32 |
| 33 var upgrade = request.headers['Upgrade']; |
| 34 if (upgrade == null) return _notFound(); |
| 35 if (upgrade.toLowerCase() != 'websocket') return _notFound(); |
| 36 |
| 37 var version = request.headers['Sec-WebSocket-Version']; |
| 38 if (version == null) { |
| 39 return _badRequest('missing Sec-WebSocket-Version header.'); |
| 40 } else if (version != '13') { |
| 41 return _notFound(); |
| 42 } |
| 43 |
| 44 if (request.protocolVersion != '1.1') { |
| 45 return _badRequest('unexpected HTTP version ' |
| 46 '"${request.protocolVersion}".'); |
| 47 } |
| 48 |
| 49 var key = request.headers['Sec-WebSocket-Key']; |
| 50 if (key == null) return _badRequest('missing Sec-WebSocket-Key header.'); |
| 51 |
| 52 if (!request.canHijack) { |
| 53 throw new ArgumentError("webSocketHandler may only be used with a server " |
| 54 "that supports request hijacking."); |
| 55 } |
| 56 |
| 57 // The Origin header is always set by browser connections. By filtering out |
| 58 // unexpected origins, we ensure that malicious JavaScript is unable to fake |
| 59 // a WebSocket handshake. |
| 60 var origin = request.headers['Origin']; |
| 61 if (origin != null && _allowedOrigins != null && |
| 62 !_allowedOrigins.contains(origin.toLowerCase())) { |
| 63 return _forbidden('invalid origin "$origin".'); |
| 64 } |
| 65 |
| 66 var protocol = _chooseProtocol(request); |
| 67 request.hijack((stream, byteSink) { |
| 68 var sink = UTF8.encoder.startChunkedConversion(byteSink); |
| 69 sink.add( |
| 70 "HTTP/1.1 101 Switching Protocols\r\n" |
| 71 "Upgrade: websocket\r\n" |
| 72 "Connection: Upgrade\r\n" |
| 73 "Sec-WebSocket-Accept: ${CompatibleWebSocket.signKey(key)}\r\n"); |
| 74 if (protocol != null) sink.add("Sec-WebSocket-Protocol: $protocol\r\n"); |
| 75 sink.add("\r\n"); |
| 76 |
| 77 _onConnection(new CompatibleWebSocket(stream, sink: byteSink), protocol); |
| 78 }); |
| 79 |
| 80 // [request.hijack] is guaranteed to throw a [HijackException], so we'll |
| 81 // never get here. |
| 82 assert(false); |
| 83 return null; |
| 84 } |
| 85 |
| 86 /// Selects a subprotocol to use for the given connection. |
| 87 /// |
| 88 /// If no matching protocol can be found, returns `null`. |
| 89 String _chooseProtocol(Request request) { |
| 90 var protocols = request.headers['Sec-WebSocket-Protocol']; |
| 91 if (protocols == null) return null; |
| 92 for (var protocol in protocols.split(',')) { |
| 93 protocol = protocol.trim(); |
| 94 if (_protocols.contains(protocol)) return protocol; |
| 95 } |
| 96 return null; |
| 97 } |
| 98 |
| 99 /// Returns a 404 Not Found response. |
| 100 Response _notFound() => _htmlResponse(404, "404 Not Found", |
| 101 "Only WebSocket connections are supported."); |
| 102 |
| 103 /// Returns a 400 Bad Request response. |
| 104 /// |
| 105 /// [message] will be HTML-escaped before being included in the response body. |
| 106 Response _badRequest(String message) => _htmlResponse(400, "400 Bad Request", |
| 107 "Invalid WebSocket upgrade request: $message"); |
| 108 |
| 109 /// Returns a 403 Forbidden response. |
| 110 /// |
| 111 /// [message] will be HTML-escaped before being included in the response body. |
| 112 Response _forbidden(String message) => _htmlResponse(403, "403 Forbidden", |
| 113 "WebSocket upgrade refused: $message"); |
| 114 |
| 115 /// Creates an HTTP response with the given [statusCode] and an HTML body with |
| 116 /// [title] and [message]. |
| 117 /// |
| 118 /// [title] and [message] will be automatically HTML-escaped. |
| 119 Response _htmlResponse(int statusCode, String title, String message) { |
| 120 title = HTML_ESCAPE.convert(title); |
| 121 message = HTML_ESCAPE.convert(message); |
| 122 return new Response(statusCode, body: """ |
| 123 <!doctype html> |
| 124 <html> |
| 125 <head><title>$title</title></head> |
| 126 <body> |
| 127 <h1>$title</h1> |
| 128 <p>$message</p> |
| 129 </body> |
| 130 </html> |
| 131 """, headers: {'content-type': 'text/html'}); |
| 132 } |
| 133 } |
OLD | NEW |