@webjsdev/server 0.8.7 → 0.8.8
- package/package.json +1 -1
- package/src/auth.js +7 -2
- package/src/broadcast.js +5 -1
package/package.json
CHANGED
package/src/auth.js
CHANGED
|
@@ -49,8 +49,13 @@ async function unsign(input, secret) {
|
|
|
49
49
|
const idx = input.lastIndexOf('.');
|
|
50
50
|
if (idx < 1) return null;
|
|
51
51
|
const value = input.slice(0, idx);
|
|
52
|
-
|
|
53
|
-
|
|
52
|
+
// `unb64url` -> `atob` throws on non-base64 input. A malformed signature
|
|
53
|
+
// (a corrupted or attacker-supplied cookie) must read as "not signed by
|
|
54
|
+
// us", not crash the request. Mirrors the guard in `decodeJwt`.
|
|
55
|
+
try {
|
|
56
|
+
const ok = await crypto.subtle.verify('HMAC', await hmacKey(secret), unb64url(input.slice(idx + 1)), enc.encode(value));
|
|
57
|
+
return ok ? value : null;
|
|
58
|
+
} catch { return null; }
|
|
54
59
|
}
|
|
55
60
|
|
|
56
61
|
function randomId() {
|
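--- a/package/src/broadcast.js
+++ b/package/src/broadcast.js
@@ -55,7 +55,11 @@ export function broadcast(path, data, opts) {
   const msg = typeof data === 'string' ? data : data.toString();
   for (const ws of clients) {
     if (opts?.except && ws === opts.except) continue;
-    if (ws.readyState
+    if (ws.readyState !== 1) continue;
+    // A socket can die between the readyState check and the send (or send
+    // can throw for other reasons). Isolate each send so one dead client
+    // cannot abort the fan-out to everyone after it in the set.
+    try { ws.send(msg); } catch { /* drop this client's frame; close handler removes it */ }
   }
 }
 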
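Review bot: `if (ws.readyState !== 1) continue;` compares against a bare magic number; a reader has to know the WebSocket readyState table to see that 1 means OPEN. Name it once at module level, `const WS_OPEN = 1; // WebSocket readyState: OPEN`, and write `if (ws.readyState !== WS_OPEN) continue;`, or use the socket class's own `OPEN` constant if the library in use exposes one. The catch on the following line drops every send error without a trace and its comment relies on a close handler outside this hunk to evict the client; that is worth confirming, because a socket whose `send` throws but never fires close would stay in `clients` and throw again on every broadcast. `broadcast` begins before this hunk (its signature is only visible in the hunk header).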