aedes 0.45.1 → 0.46.2

package/.github/workflows/ci.yml

@@ -20,10 +20,10 @@ jobs:
         os: [ubuntu-latest, windows-latest, macOS-latest]
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v2.3.5
 
       - name: Use Node.js
-        uses: actions/setup-node@v2.1.5
+        uses: actions/setup-node@v2.3.2
         with:
           node-version: ${{ matrix.node-version }}
 

package/.taprc

@@ -2,4 +2,5 @@ ts: false
 jsx: false
 flow: false
 coverage: true
-strict: true
+strict: true
+check-coverage: false

package/aedes.d.ts

@@ -4,5 +4,6 @@ export declare function aedes (options?: AedesOptions): Aedes
 export declare function Server (options?: AedesOptions): Aedes
 
 export * from './types/instance'
+export * from './types/packet'
 export * from './types/client'
 export default aedes

package/aedes.js

@@ -12,6 +12,7 @@ const Packet = require('aedes-packet')
 const memory = require('aedes-persistence')
 const mqemitter = require('mqemitter')
 const Client = require('./lib/client')
+const { $SYS_PREFIX } = require('./lib/utils')
 
 module.exports = Aedes.Server = Aedes
 
@@ -78,7 +79,7 @@ function Aedes (opts) {
   this.clients = {}
   this.brokers = {}
 
-  const heartbeatTopic = '$SYS/' + that.id + '/heartbeat'
+  const heartbeatTopic = $SYS_PREFIX + that.id + '/heartbeat'
   this._heartbeatInterval = setInterval(heartbeat, opts.heartbeatInterval)
 
   const bufId = Buffer.from(that.id, 'utf8')
@@ -138,12 +139,12 @@ function Aedes (opts) {
     }
   }
 
-  this.mq.on('$SYS/+/heartbeat', function storeBroker (packet, done) {
+  this.mq.on($SYS_PREFIX + '+/heartbeat', function storeBroker (packet, done) {
     that.brokers[packet.payload.toString()] = Date.now()
     done()
   })
 
-  this.mq.on('$SYS/+/new/clients', function closeSameClients (packet, done) {
+  this.mq.on($SYS_PREFIX + '+/new/clients', function closeSameClients (packet, done) {
     const serverId = packet.topic.split('/')[1]
     const clientId = packet.payload.toString()
 
@@ -206,7 +207,7 @@ function DoEnqueues () {
       return
     }
 
-    if (that.topic.indexOf('$SYS') === 0) {
+    if (that.topic.indexOf($SYS_PREFIX) === 0) {
       subs = subs.filter(removeSharp)
     }
 
@@ -281,7 +282,7 @@ Aedes.prototype._finishRegisterClient = function (client) {
   this.clients[client.id] = client
   this.emit('client', client)
   this.publish({
-    topic: '$SYS/' + this.id + '/new/clients',
+    topic: $SYS_PREFIX + this.id + '/new/clients',
     payload: Buffer.from(client.id, 'utf8')
   }, noop)
 }
@@ -291,7 +292,7 @@ Aedes.prototype.unregisterClient = function (client) {
   delete this.clients[client.id]
   this.emit('clientDisconnect', client)
   this.publish({
-    topic: '$SYS/' + this.id + '/disconnect/clients',
+    topic: $SYS_PREFIX + this.id + '/disconnect/clients',
     payload: Buffer.from(client.id, 'utf8')
   }, noop)
 }
@@ -326,6 +327,9 @@ function defaultAuthenticate (client, username, password, callback) {
 }
 
 function defaultAuthorizePublish (client, packet, callback) {
+  if (packet.topic.startsWith($SYS_PREFIX)) {
+    return callback(new Error($SYS_PREFIX + ' topic is reserved'))
+  }
   callback(null)
 }
 

package/docs/Aedes.md

@@ -113,7 +113,7 @@ Emitted when timeout happes in the `client` keepalive.
 - `packet` `<aedes-packet>` & [`PUBLISH`][PUBLISH]
 - `client` [`<Client>`](./Client.md) | `null`
 
-Emitted when servers delivers the `packet` to subscribed `client`. If there are no clients subscribed to the `packet` topic, server still publish the `packet` and emit thie event. `client` is `null` when `packet` is an internal message like aedes heartbeat message and LWT.
+Emitted when servers delivers the `packet` to subscribed `client`. If there are no clients subscribed to the `packet` topic, server still publish the `packet` and emit the event. `client` is `null` when `packet` is an internal message like aedes heartbeat message and LWT.
 
 > _Note! `packet` belongs `aedes-packet` type. Some properties belongs to aedes internal, any changes on them will break aedes internal flow._
 
@@ -315,6 +315,17 @@ aedes.authorizePublish = function (client, packet, callback) {
 }
 ```
 
+By default `authorizePublish` throws error in case a client publish to topics with `$SYS/` prefix to prevent possible DoS (see [#597](https://github.com/moscajs/aedes/issues/597)). If you write your own implementation of `authorizePublish` we suggest you to add a check for this. Default implementation:
+
+```js
+function defaultAuthorizePublish (client, packet, callback) {
+  if (packet.topic.startsWith($SYS_PREFIX)) {
+    return callback(new Error($SYS_PREFIX + ' topic is reserved'))
+  }
+  callback(null)
+}
+```
+
 ## Handler: authorizeSubscribe (client, subscription, callback)
 
 - client: [`<Client>`](./Client.md)
@@ -392,7 +403,7 @@ aedes.authorizeForward = function (client, packet) {
 - client: [`<Client>`](./Client.md)
 - callback: `<Function>`
 
-same as [`Event: publish`](#event-publish), but provides a backpressure functionality.
+same as [`Event: publish`](#event-publish), but provides a backpressure functionality. TLDR; If you are doing operations on packets that MUST require finishing operations on a packet before handling the next one use this otherwise, expecially for long running operations, you should use [`Event: publish`](#event-publish) instead.
 
 [CONNECT]: https://github.com/mqttjs/mqtt-packet#connect
 [CONNACK]: https://github.com/mqttjs/mqtt-packet#connack

package/lib/handlers/subscribe.js

@@ -3,7 +3,7 @@
 const fastfall = require('fastfall')
 const Packet = require('aedes-packet')
 const { through } = require('../utils')
-const { validateTopic } = require('../utils')
+const { validateTopic, $SYS_PREFIX } = require('../utils')
 const write = require('../write')
 
 const subscribeTopicActions = fastfall([
@@ -184,7 +184,7 @@ function completeSubscribe (err) {
   const packet = this.packet
   const client = this.client
 
-  if (packet.messageId) {
+  if (packet.messageId !== undefined) {
     // [MQTT-3.9.3-1]
     write(client,
       new SubAck(packet, this.subState.map(obj => obj.granted)),
@@ -207,7 +207,7 @@ function completeSubscribe (err) {
 
   broker.emit('subscribe', subs, client)
   broker.publish({
-    topic: '$SYS/' + broker.id + '/new/subscribes',
+    topic: $SYS_PREFIX + broker.id + '/new/subscribes',
     payload: Buffer.from(JSON.stringify({
       clientId: client.id,
       subs: subs
@@ -234,6 +234,6 @@ function completeSubscribe (err) {
   }))
 }
 
-function noop () {}
+function noop () { }
 
 module.exports = handleSubscribe

package/lib/handlers/unsubscribe.js

@@ -1,7 +1,7 @@
 'use strict'
 
 const write = require('../write')
-const { validateTopic } = require('../utils')
+const { validateTopic, $SYS_PREFIX } = require('../utils')
 
 function UnSubAck (packet) {
   this.cmd = 'unsuback'
@@ -26,7 +26,7 @@ function handleUnsubscribe (client, packet, done) {
     }
   }
 
-  if (packet.messageId) {
+  if (packet.messageId !== undefined) {
     if (client.clean) {
       return actualUnsubscribe(client, packet, done)
     }
@@ -80,7 +80,7 @@ function completeUnsubscribe (err) {
   const packet = this.packet
   const done = this.finish
 
-  if (packet.messageId) {
+  if (packet.messageId !== undefined) {
     write(client, new UnSubAck(packet),
       done)
   } else {
@@ -90,7 +90,7 @@ function completeUnsubscribe (err) {
   if ((!client.closed || client.clean === true) && packet.unsubscriptions.length > 0) {
     client.broker.emit('unsubscribe', packet.unsubscriptions, client)
     client.broker.publish({
-      topic: '$SYS/' + client.broker.id + '/new/unsubscribes',
+      topic: $SYS_PREFIX + client.broker.id + '/new/unsubscribes',
       payload: Buffer.from(JSON.stringify({
         clientId: client.id,
         subs: packet.unsubscriptions
@@ -99,6 +99,6 @@ function completeUnsubscribe (err) {
   }
 }
 
-function noop () {}
+function noop () { }
 
 module.exports = handleUnsubscribe

package/lib/utils.js

@@ -39,5 +39,6 @@ function through (transform) {
 
 module.exports = {
   validateTopic,
-  through
+  through,
+  $SYS_PREFIX: '$SYS/'
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aedes",
-  "version": "0.45.1",
+  "version": "0.46.2",
   "description": "Stream-based MQTT broker",
   "main": "aedes.js",
   "types": "aedes.d.ts",
@@ -96,14 +96,14 @@
   ],
   "license": "MIT",
   "devDependencies": {
-    "@sinonjs/fake-timers": "^7.0.5",
-    "@types/node": "^14.14.41",
+    "@sinonjs/fake-timers": "^8.0.1",
+    "@types/node": "^16.0.0",
     "@typescript-eslint/eslint-plugin": "^4.22.0",
     "@typescript-eslint/parser": "^4.22.0",
     "concat-stream": "^2.0.0",
     "duplexify": "^4.1.1",
     "license-checker": "^25.0.1",
-    "markdownlint-cli": "^0.27.1",
+    "markdownlint-cli": "^0.29.0",
     "mqtt": "^4.2.6",
     "mqtt-connection": "^4.1.0",
     "pre-commit": "^1.2.2",
@@ -112,7 +112,7 @@
     "snazzy": "^9.0.0",
     "standard": "^16.0.3",
     "tap": "^15.0.2",
-    "tsd": "^0.14.0",
+    "tsd": "^0.18.0",
     "typescript": "^4.2.4",
     "websocket-stream": "^5.5.2"
   },
@@ -126,7 +126,7 @@
     "fastseries": "^2.0.0",
     "hyperid": "^2.1.0",
     "mqemitter": "^4.4.1",
-    "mqtt-packet": "^6.9.1",
+    "mqtt-packet": "^7.0.0",
     "readable-stream": "^3.6.0",
     "retimer": "^3.0.0",
     "reusify": "^1.0.4",

package/test/basic.js

@@ -95,6 +95,23 @@ test('publish empty topic throws error', function (t) {
   })
 })
 
+test('publish to $SYS topic throws error', function (t) {
+  t.plan(1)
+
+  const s = connect(setup())
+  t.teardown(s.broker.close.bind(s.broker))
+
+  s.inStream.write({
+    cmd: 'publish',
+    topic: '$SYS/not/allowed',
+    payload: 'world'
+  })
+
+  s.broker.on('clientError', function (client, err) {
+    t.pass('should emit error')
+  })
+})
+
 ;[{ qos: 0, clean: false }, { qos: 0, clean: true }, { qos: 1, clean: false }, { qos: 1, clean: true }].forEach(function (ele) {
   test('subscribe a single topic in QoS ' + ele.qos + ' [clean=' + ele.clean + ']', function (t) {
     t.plan(5)
@@ -243,6 +260,35 @@ test('subscribe should have messageId', function (t) {
   })
 })
 
+test('subscribe with messageId 0 should return suback', function (t) {
+  t.plan(1)
+
+  const s = connect(setup())
+  t.teardown(s.broker.close.bind(s.broker))
+
+  s.inStream.write({
+    cmd: 'subscribe',
+    subscriptions: [{
+      topic: 'hello',
+      qos: 0
+    }],
+    messageId: 0
+  })
+  s.outStream.once('data', function (packet) {
+    t.same(packet, {
+      cmd: 'suback',
+      messageId: 0,
+      dup: false,
+      length: 3,
+      qos: 0,
+      retain: false,
+      granted: [
+        0
+      ]
+    }, 'packet matches')
+  })
+})
+
 test('unsubscribe', function (t) {
   t.plan(5)
 

package/types/client.d.ts

@@ -1,8 +1,9 @@
 import { IncomingMessage } from 'http'
 import { PublishPacket, SubscribePacket, Subscription, Subscriptions, UnsubscribePacket } from './packet'
 import { Connection } from './instance'
+import { EventEmitter } from 'events'
 
-export interface Client {
+export interface Client extends EventEmitter {
   id: Readonly<string>
   clean: Readonly<boolean>
   version: Readonly<number>

package/types/instance.d.ts

@@ -2,6 +2,7 @@ import { Duplex } from 'stream'
 import { Socket } from 'net'
 import { Client } from './client'
 import type { AedesPublishPacket, ConnectPacket, ConnackPacket, Subscription, PingreqPacket, PublishPacket, PubrelPacket } from './packet'
+import { EventEmitter } from 'events'
 
 type LastHearthbeatTimestamp = Date;
 
@@ -56,7 +57,7 @@ export interface AedesOptions {
   published?: PublishedHandler
 }
 
-export interface Aedes {
+export interface Aedes extends EventEmitter {
   id: Readonly<string>
   connectedClients: Readonly<number>
   closed: Readonly<boolean>
@@ -89,4 +90,11 @@ export interface Aedes {
     callback: () => void
   ): void
   close (callback?: () => void): void
+
+  preConnect: PreConnectHandler
+  authenticate: AuthenticateHandler
+  authorizePublish: AuthorizePublishHandler
+  authorizeSubscribe: AuthorizeSubscribeHandler
+  authorizeForward: AuthorizeForwardHandler
+  published: PublishedHandler
 }