NAME

WebSocket - WebSocket Client & Server

SYNOPSIS

use WebSocket qw( :ws ); # exports standard codes as constant

VERSION

v0.2.1

DESCRIPTION

This is the client (WebSocket::Client) and server (WebSocket::Server) implementation of WebSocket api. It provides a comprehensive well documented and hopefully easy-to-use implementation.

Also, this api, by design, does not die, but rather returns undef and set an WebSocket::Exception that can be retrieved with the inherited "error" in Module::Generic method.

It is important to always check the return value of a method. If it returns undef and unless this means something else, by default it means an error has occurred and you can retrieve it with the error method. If you fail to check return values, you are in for some trouble. If you would rather have error be fatal, you can instantiate objects with the option fatal set to a true value.

Most of methods here allows chaining.

You can also find a JavaScript WebSocket client library in this distribution under the example folder. The JavaScript library also has a pod documentation.

CONSTRUCTOR

new

Create a new WebSocket object acting as an accessor.

One object should be created per po file, because it stores internally the po data for that file in the Text::PO object instantiated.

Returns the object.

METHODS

client

Convenient shortcut to instantiate a new WebSocket::Client object, passing it whatever argument was provided.

compression_threshold

Set or get the threshold in bytes above which the ut8 or binary messages will be compressed if the client and the server support compression and it is activated as an extension.

See "extensions" in WebSocket::Client and "extensions" in WebSocket::Server.

server

Convenient shortcut to instantiate a new WebSocket::Server object, passing it whatever argument was provided.

CONSTANTS

The following constants are available, but not exported by default. You can import them into your namespace using either the tag :ws or :all, such as:

use WebSocket qw( :ws );

WS_OK

Code 1000.

The default, normal closure (used if no code supplied),

rfc6455 describes this as: "1000 indicates a normal closure, meaning that the purpose for which the connection was established has been fulfilled."

WS_GONE

Code 1001

The party is going away, e.g. server is shutting down, or a browser leaves the page.

rfc6455 describes this as: "1001 indicates that an endpoint is "going away", such as a server going down or a browser having navigated away from a page."

WS_PROTOCOL_ERROR

Code 1002

rfc6455 describes this as: "1002 indicates that an endpoint is terminating the connection due to a protocol error."

WS_NOT_ACCEPTABLE

Code 1003

rfc6455 describes this as: "1003 indicates that an endpoint is terminating the connection because it has received a type of data it cannot accept (e.g., an endpoint that understands only text data MAY send this if it receives a binary message)."

WS_NO_STATUS

Code 1005

rfc6455 describes this as: "1005 is a reserved value and MUST NOT be set as a status code in a Close control frame by an endpoint. It is designated for use in applications expecting a status code to indicate that no status code was actually present."

WS_CLOSED_ABNORMALLY

Code 1006

No way to set such code manually, indicates that the connection was lost (no close frame).

rfc6455 describes this as: "1006 is a reserved value and MUST NOT be set as a status code in a Close control frame by an endpoint. It is designated for use in applications expecting a status code to indicate that the connection was closed abnormally, e.g., without sending or receiving a Close control frame."

WS_BAD_MESSAGE

Code 1007

rfc6455 describes this as: "1007 indicates that an endpoint is terminating the connection because it has received data within a message that was not consistent with the type of the message (e.g., non-UTF-8 [RFC3629] data within a text message)."

WS_FORBIDDEN

Code 1008

rfc6455 describes this as: "1008 indicates that an endpoint is terminating the connection because it has received a message that violates its policy. This is a generic status code that can be returned when there is no other more suitable status code (e.g., 1003 or 1009) or if there is a need to hide specific details about the policy."

WS_MESSAGE_TOO_LARGE

Code 1009

The message is too big to process.

rfc6455 describes this as: "1009 indicates that an endpoint is terminating the connection because it has received a message that is too big for it to process."

WS_EXTENSIONS_NOT_AVAILABLE

Code 1010

rfc6455 describes this as: "1010 indicates that an endpoint (client) is terminating the connection because it has expected the server to negotiate one or more extension, but the server didn't return them in the response message of the WebSocket handshake. The list of extensions that are needed SHOULD appear in the /reason/ part of the Close frame. Note that this status code is not used by the server, because it can fail the WebSocket handshake instead."

WS_INTERNAL_SERVER_ERROR

Code 1011

Unexpected error on server.

rfc6455 describes this as: "1011 indicates that a server is terminating the connection because it encountered an unexpected condition that prevented it from fulfilling the request."

WS_TLS_HANDSHAKE_FAIL

Code 1015

rfc6455 describes this as: "1015 is a reserved value and MUST NOT be set as a status code in a Close control frame by an endpoint. It is designated for use in applications expecting a status code to indicate that the connection was closed due to a failure to perform a TLS handshake (e.g., the server certificate can't be verified)."

SECURITY CONSIDERATIONS

Some consideration about security. The following are merely food for thoughts that would hopefully be helpful to you, but your mileage may vary.

Always use SSL, which means use the proto wss over ws

Since there is no authentication in the WebSocket protocol, and it does not accept custom headers, a good way to implement authentication is by using double submit cookie security measure on your website.

In a nutshel:

GET /auth/signin?code=220a4e8a-e4e5-11ed-9be8-f6e9e4564960 HTTP/1.1
Host: api.example.com

Your API would respond something like:

HTTP/1.1 302 Found
Date: Thu, 27 Apr 2023 10:21:35 GMT
Server: Apache
Vary: Origin
Location: https://example.com/account/
Set-Cookie: my_auth_token=eyJwMmMiOjUwMDAsInAycyI6ImlMQlAtbkE4ZU5pTWhnU3VTOEdEZHciLCJlbmMiOiJBMTI4R0NNIiwiZXhwIjoxNjgzMTk1Njk2LCJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1cifQ.zYrrWho2QZUTEYE0YziGTtcn6q7GjzjE.t-KP3Jao3jl_VaoZ.j3H2k96_sVZUbQCjUw51vZTqyejjP5ioYTVl4WvL9fJo_ohA3ci2SJXawf1NOaRStKI5xmpnSNmMJLpjCpvxV0DW7mBgpcw4jddUOQLX4wm7XlHqyBOSdmgmusTgQiQ2SnQH6MFXBZfXkz0zx7s8o9w2pHQm9JS8r_av_SkFEDrx4uRlEl0BXrTrVyDHPSiqt0Chz9mXVsVw3hAz-A7yTq1Xd_-Eeg.g4lVIVUFHbeOpnuQVFvII; Domain=example.com; Path=/; Expires=Thu, 04 May 2023 10:21:36 GMT; HttpOnly
Expires: Wed, 29 Jun 2016 00:00:00 GMT
Access-Control-Allow-Origin: *
Cache-Control: private, no-cache, no-store, must-revalidate
2. Your JavaScript issues an API call to refresh and get an updated CSRF every 30 seconds for example.
POST /csrf HTTP/1.1
Host: api.example.com
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Referer: https://example.com/
Origin: https://example.com
Cookie: my_auth_token=eyJwMmMiOjUwMDAsInAycyI6ImlMQlAtbkE4ZU5pTWhnU3VTOEdEZHciLCJlbmMiOiJBMTI4R0NNIiwiZXhwIjoxNjgzMTk1Njk2LCJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1cifQ.zYrrWho2QZUTEYE0YziGTtcn6q7GjzjE.t-KP3Jao3jl_VaoZ.j3H2k96_sVZUbQCjUw51vZTqyejjP5ioYTVl4WvL9fJo_ohA3ci2SJXawf1NOaRStKI5xmpnSNmMJLpjCpvxV0DW7mBgpcw4jddUOQLX4wm7XlHqyBOSdmgmusTgQiQ2SnQH6MFXBZfXkz0zx7s8o9w2pHQm9JS8r_av_SkFEDrx4uRlEl0BXrTrVyDHPSiqt0Chz9mXVsVw3hAz-A7yTq1Xd_-Eeg.g4lVIVUFHbeOpnuQVFvII
3. The API returns an encrypted CSRF token

For example using "hmac_hex" in Digest::HMAC and the payload is something that can be compared with the authentication token. For example, a user id. To set the CSRF to a short time span, you would want to also add to the payload a timestamp, so the payload could be a combination of the user id and timestamp, such as:

my $ts = time() + $csrf_time_to_live; # e.g. 30 seconds
my $payload = join( ';', $user_id, $ts );

# Add the timestamp at the end to easily find out if it expired
my $csrf_token = Digest::HMAC::hmac_hex( $payload, $secret, \&Digest::SHA::sha256 ) . ".$ts";

The API returns it in a custom HTTP response header and/or in a JSON reply, something like:

HTTP/1.1 200 OK
Date: Thu, 27 Apr 2023 10:21:38 GMT
Server: Apache
Vary: Origin
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 5
X-CSRF-Token: 899106ee26933c654c33b0fac9adc93f2adad2c95ff30a4eeebe200fbfeafb6a.1682591199
Access-Control-Expose-Headers: X-CSRF-Token
Cache-Control: private, no-cache, no-store, must-revalidate
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/json

{"token":"899106ee26933c654c33b0fac9adc93f2adad2c95ff30a4eeebe200fbfeafb6a.1682591199","code":200}
4. Your JavaScript stores the CSRF in the web browser local storage
5. Your JavaScript opens up a WebSocket connection to the same api

This is important so that the authentication cookie can be received (cookies cannot be shared across domains)

Also, the URL of the connection contains a query string with the current CSRF token such as:

var webSocket = new WebSocket('wss://api.example.com/wss?csrf=899106ee26933c654c33b0fac9adc93f2adad2c95ff30a4eeebe200fbfeafb6a.1682591199');

Query strings are encrypted under SSL, however they will be recorded in the server HTTP logs.

You can use the WebSocket JavaScript library provided in the examples folder in this distribution and its documentation.

6. Your API reverse proxy that WebSocket request to the WebSocket server

This can be achieved with Apache and Nginx. For example with Apache:

Inside the VirtualHost, add the following:

RewriteEngine On
# When Upgrade:websocket header is present, redirect to ws
# Using NC flag (case-insensitive) as some browsers will pass Websocket
RewriteCond %{REQUEST_URI}  ^/wss                  [NC]
RewriteCond %{HTTP:Upgrade}             =websocket [NC]
RewriteRule ^/wss/(.*)     ws://localhost:8080/$1 [P,L]

RewriteCond %{REQUEST_URI}  ^/wss                  [NC]
RewriteCond %{QUERY_STRING} transport=websocket    [NC]
RewriteRule ^/wss/(.*)     ws://localhost:8080/$1 [P,L]

ProxyRequests Off
ProxyPass /wss            ws://localhost:8080
ProxyPassReverse /wss     ws://localhost:8080

You will need to enable the Apache modules proxy, proxy_http and proxy_wstunnel

See also this StackOverflow thread

For Nginx, check its documentation

7. The WebSocket server would receive the initial connection request such as:
GET /wss?csrf=899106ee26933c654c33b0fac9adc93f2adad2c95ff30a4eeebe200fbfeafb6a.1682591199 HTTP/1.1
Host: api.example.com
Upgrade: websocket
Connection: Upgrade
Cookie: my_auth_token=eyJwMmMiOjUwMDAsInAycyI6ImlMQlAtbkE4ZU5pTWhnU3VTOEdEZHciLCJlbmMiOiJBMTI4R0NNIiwiZXhwIjoxNjgzMTk1Njk2LCJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1cifQ.zYrrWho2QZUTEYE0YziGTtcn6q7GjzjE.t-KP3Jao3jl_VaoZ.j3H2k96_sVZUbQCjUw51vZTqyejjP5ioYTVl4WvL9fJo_ohA3ci2SJXawf1NOaRStKI5xmpnSNmMJLpjCpvxV0DW7mBgpcw4jddUOQLX4wm7XlHqyBOSdmgmusTgQiQ2SnQH6MFXBZfXkz0zx7s8o9w2pHQm9JS8r_av_SkFEDrx4uRlEl0BXrTrVyDHPSiqt0Chz9mXVsVw3hAz-A7yTq1Xd_-Eeg.g4lVIVUFHbeOpnuQVFvIIg
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://example.com
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13

This will be handled by the "on_handshake" in WebSocket::Connection handler.

The WebSocket::Server would respond like so:

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
Sec-WebSocket-Protocol: chat
use Cookie::Jar;
use DB::Object;
$ws->on( handshake => sub
{
    my( $conn, $hs );
    my $req = $hs->request;
    my $cookie = $req->header( 'Cookie' );
    my $jar = Cookie::Jar->new;
    $jar->fetch( string => $cookie );
    my $token = $jar->get( 'my_auth_token' );
    my $csrf = $req->uri->query_param( 'csrf' );
    # Do authentication checks
    my $dbh = DB::Object->new( conf_file => '/some/where/sql_connection.json' );
    my $tbl = $dbh->sessions || die( "No table 'sessions' in database" );
    $tbl->where( $tbl->fo->session_id => '?' );
    my $sth = $tbl->select || die( $tbl->error );
    $sth->exec( $token ) || die( $sth->error );
    my $ref = $sth->fetchrow_hashref;
    if( !%$ref )
    {
        # At the hanshake stage, we use an HTTP error in reply
        # http_error() will also disconnect
        my $bytes = $conn->http_error({
            code => 403,
            message => "You do not have permission to access this websocket.",
        });
        defined( $bytes ) || die( $conn->error );
        return;
    }
    my $user_id = $ref->{user_id};
    # Stores some unique user id that we will use to check the csrf submitted in each message
    $conn->metadata({ id => $user_id });
    my( $payload, $ts ) = ( $csrf =~ /^(\w+)\.(\d{10})$/ );
    my $check = Digest::HMAC::hmac_hex( join( ';', $user_id, $ts ), $secret, \&Digest::SHA::sha256 ) . '.' . $ts;
    if( $check ne $csrf )
    {
        my $bytes = $conn->http_error({
            code => 403,
            message => "You do not have permission to access this websocket.",
        });
        defined( $bytes ) || die( $conn->error );
        return;
    }
    # etc...
});

Using the handler set with "on_handshake" in WebSocket::Connection, your API checks the authentication token is valid and the CSRF token has not expired.

It also re-creates the CSRF payload using the timestamp provided, re-encrypts it and compares is to the CSRF token received.

You can then stores the id used in the CSRF payload in the connection metadata

9. Once established, the JavaScript will send JSON messages containing a property csrf with the current CSRF token.
10. Check the CSRF token in message received.

Check each CSRF token to ensure the message received is valid using the id stored in the connection metadata using "metadata" in WebSocket::Connection

At this stage, we use WebSocket message to return an error, contrary to the handshake stage earlier

use JSON;
$conn->on( utf8 => sub
{
    my( $conn, $msg ) = @_;
    my $j = JSON->new->utf8;
    my $ref = $j->decode( $msg );
    my $id = $conn->metadata->{id};
    my $csrf = $ref->{csrf};
    if( !length( $csrf // '' ) )
    {
        my $msg = 
        {
        code => 403,
        message => "You do not have permission to access this websocket.",
        };
        my $json = $j->encode( $msg );
        my $bytes = $conn->send_utf8( $json );
        $conn->disconnect;
        defined( $bytes ) || die( $conn->error );
        return;
    }
    elsif( $ts < time() )
    {
        my $msg = 
        {
        code => 403,
        message => "The CSRF provided has expired.",
        };
        my $json = $j->encode( $msg );
        my $bytes = $conn->send_utf8( $json );
        $conn->disconnect;
        defined( $bytes ) || die( $conn->error );
        return;
    }
    my( $encrypted, $ts ) = ( $csrf =~ /^(\w+)\.(\d{10})$/ );
    my $payload = join( ';', $id, $ts );
    my $check = Digest::HMAC::hmac_hex( $payload, $secret, \&Digest::SHA::sha256 ) . ".$ts";
    if( $check ne $csrf )
    {
        my $msg = 
        {
        code => 403,
        message => "You do not have permission to access this websocket.",
        };
        my $json = $j->encode( $msg );
        my $bytes = $conn->send_utf8( $json );
        $conn->disconnect;
        defined( $bytes ) || die( $conn->error );
        return;
    }
    # etc...
});

CREDITS

Graham Ollis for AnyEvent::WebSocket::Client, Eric Wastl for Net::WebSocket::Server, Vyacheslav Tikhanovsky aka VTI for Protocol::WebSocket

AUTHOR

Jacques Deguest <jack@deguest.jp>

SEE ALSO

Mozilla documentation

WebSocket::Client, WebSocket::Common, WebSocket::Connection, WebSocket::Exception, WebSocket::Extension, WebSocket::Frame, WebSocket::Handshake, WebSocket::Handshake::Client, WebSocket::Handshake::Server, WebSocket::Headers, WebSocket::HeaderValue, WebSocket::Request, WebSocket::Response, WebSocket::Server, WebSocket::Version

COPYRIGHT & LICENSE

Copyright(c) 2021-2023 DEGUEST Pte. Ltd.

You can use, copy, modify and redistribute this package and associated files under the same terms as Perl itself.