node-opcua-server 2.166.0 → 2.168.0

package/source/server_end_point.ts

@@ -10,7 +10,8 @@ import chalk from "chalk";
 
 import { assert } from "node-opcua-assert";
 import type { OPCUACertificateManager } from "node-opcua-certificate-manager";
-import { type Certificate, makeSHA1Thumbprint, type PrivateKey, split_der } from "node-opcua-crypto/web";
+import { type ICertificateChainProvider, StaticCertificateChainProvider } from "node-opcua-common";
+import { type Certificate, combine_der, makeSHA1Thumbprint, type PrivateKey, split_der } from "node-opcua-crypto/web";
 import { checkDebugFlag, make_debugLog, make_errorLog, make_warningLog } from "node-opcua-debug";
 import { getFullyQualifiedDomainName, resolveFullyQualifiedDomainName } from "node-opcua-hostname";
 import {
@@ -98,7 +99,8 @@ function dumpChannelInfo(channels: ServerSecureChannelLayer[]): void {
     console.log("------------------------------------------------------");
 }
 
-const emptyCertificate = Buffer.alloc(0);
+const emptyCertificateChain: Certificate[] = [];
+
 // biome-ignore lint/suspicious/noExplicitAny: deliberate null→PrivateKey sentinel
 const emptyPrivateKey = null as any as PrivateKey;
 
@@ -116,7 +118,7 @@ export interface OPCUAServerEndPointOptions {
     /**
      * the DER certificate chain
      */
-    certificateChain: Certificate;
+    certificateChain: Certificate[];
 
     /**
      * privateKey
@@ -302,9 +304,12 @@ function getUniqueName(name: string, collection: { [key: string]: number }) {
     }
 }
 
-interface ServerSecureChannelLayerPriv extends ServerSecureChannelLayer {
-    _unpreregisterChannelEvent?: () => void;
-}
+/**
+ * Stores the abort listener for channels in the pre-registration phase.
+ * Using a WeakMap instead of monkey-patching the channel object keeps
+ * this internal state invisible to debuggers and external code.
+ */
+const preregisterAbortListeners = new WeakMap<ServerSecureChannelLayer, () => void>();
 /**
  * OPCUAServerEndPoint a Server EndPoint.
  * A sever end point is listening to one port
@@ -329,12 +334,23 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
     public objectFactory: unknown;
 
     public _on_new_channel?: (channel: ServerSecureChannelLayer) => void;
+    public _on_channel_secured?: (channel: ServerSecureChannelLayer) => void;
     public _on_close_channel?: (channel: ServerSecureChannelLayer) => void;
     public _on_connectionRefused?: (socketData: ISocketData) => void;
     public _on_openSecureChannelFailure?: (socketData: ISocketData, channelData: IChannelData) => void;
 
-    private _certificateChain: Certificate;
-    private _privateKey: PrivateKey;
+    /**
+     * Certificate chain provider — delegates all cert/key access.
+     * Stored in a `#` private field so secrets are not visible
+     * in the debugger's property list or JSON serialization.
+     */
+    #certProvider: ICertificateChainProvider;
+    /**
+     * Combined DER cache — invalidated whenever the cert provider
+     * changes so that `EndpointDescription.serverCertificate`
+     * getters don't call `combine_der()` on every access.
+     */
+    #combinedDerCache: Certificate | undefined;
     private _channels: { [key: string]: ServerSecureChannelLayer };
     private _server?: Server;
     private _endpoints: EndpointDescription[];
@@ -347,9 +363,9 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
     constructor(options: OPCUAServerEndPointOptions) {
         super();
 
-        assert(!Object.prototype.hasOwnProperty.call(options, "certificate"), "expecting a certificateChain instead");
-        assert(Object.prototype.hasOwnProperty.call(options, "certificateChain"), "expecting a certificateChain");
-        assert(Object.prototype.hasOwnProperty.call(options, "privateKey"));
+        assert(!Object.hasOwn(options, "certificate"), "expecting a certificateChain instead");
+        assert(Object.hasOwn(options, "certificateChain"), "expecting a certificateChain");
+        assert(Object.hasOwn(options, "privateKey"));
 
         this.certificateManager = options.certificateManager;
 
@@ -359,8 +375,7 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
         this.host = options.host;
         assert(typeof this.port === "number");
 
-        this._certificateChain = options.certificateChain;
-        this._privateKey = options.privateKey;
+        this.#certProvider = new StaticCertificateChainProvider(options.certificateChain, options.privateKey);
 
         this._channels = {};
 
@@ -390,8 +405,8 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
     }
 
     public dispose(): void {
-        this._certificateChain = emptyCertificate;
-        this._privateKey = emptyPrivateKey;
+        this.#certProvider = new StaticCertificateChainProvider(emptyCertificateChain, emptyPrivateKey);
+        this.#combinedDerCache = undefined;
 
         assert(Object.keys(this._channels).length === 0, "OPCUAServerEndPoint channels must have been deleted");
 
@@ -417,7 +432,7 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
             " l = " +
             this._endpoints.length +
             " " +
-            makeSHA1Thumbprint(this.getCertificateChain()).toString("hex");
+            makeSHA1Thumbprint(this.getCertificate()).toString("hex");
         return txt;
     }
 
@@ -429,21 +444,85 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
      * Returns the X509 DER form of the server certificate
      */
     public getCertificate(): Certificate {
-        return split_der(this.getCertificateChain())[0];
+        return this.getCertificateChain()[0];
     }
 
     /**
      * Returns the X509 DER form of the server certificate
      */
-    public getCertificateChain(): Certificate {
-        return this._certificateChain;
+    public getCertificateChain(): Certificate[] {
+        return this.#certProvider.getCertificateChain();
+    }
+
+    /**
+     * Replace the certificate chain provider for this endpoint.
+     *
+     * Used by push certificate management to switch from the
+     * default static provider to a disk-based one that re-reads
+     * certificates on demand.
+     *
+     * Invalidates the cached `combine_der` result so that
+     * `EndpointDescription.serverCertificate` getters pick up
+     * the new chain immediately.
+     */
+    public setCertificateProvider(provider: ICertificateChainProvider): void {
+        this.#certProvider = provider;
+        this.#combinedDerCache = undefined;
+    }
+
+    /**
+     * Return the current certificate chain provider.
+     * Useful for calling `invalidate()` after certificate rotation.
+     */
+    public getCertificateProvider(): ICertificateChainProvider {
+        return this.#certProvider;
+    }
+
+    /**
+     * Invalidate the combined DER cache.
+     *
+     * Called after the underlying provider's chain changes
+     * (e.g. after `provider.invalidate()` or `provider.update()`).
+     * The next `EndpointDescription.serverCertificate` access
+     * will recompute the combined DER from the provider.
+     */
+    public invalidateCombinedDerCache(): void {
+        this.#combinedDerCache = undefined;
+    }
+
+    /**
+     * Convenience method: invalidate both the provider's cache
+     * (so it re-reads from disk) and the combined DER cache
+     * (so endpoint descriptions recompute `serverCertificate`).
+     *
+     * Prefer this over calling `getCertificateProvider().invalidate()`
+     * and `invalidateCombinedDerCache()` separately.
+     */
+    public invalidateCertificates(): void {
+        this.#certProvider.invalidate();
+        this.#combinedDerCache = undefined;
+    }
+
+    /**
+     * Get the combined DER certificate (all certs concatenated)
+     * for use in EndpointDescription.serverCertificate.
+     * Cached internally; invalidated by provider changes.
+     * @internal
+     */
+    public getCombinedCertificate(): Certificate | undefined {
+        const chain = this.#certProvider.getCertificateChain();
+        if (chain.length === 0) return undefined;
+        if (!this.#combinedDerCache) {
+            this.#combinedDerCache = combine_der(chain);
+        }
+        return this.#combinedDerCache;
     }
 
     /**
      * the private key
      */
     public getPrivateKey(): PrivateKey {
-        return this._privateKey;
+        return this.#certProvider.getPrivateKey();
     }
 
     /**
@@ -512,7 +591,6 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
                     collection: this._policy_deduplicator,
                     hostname,
                     server: this.serverInfo,
-                    serverCertificateChain: this.getCertificateChain(),
 
                     securityMode,
                     securityPolicy,
@@ -964,16 +1042,16 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
         // as they will need to be interrupted when OPCUAServerEndPoint is closed
         assert(this._started, "OPCUAServerEndPoint must be started");
 
-        assert(!Object.prototype.hasOwnProperty.call(this._channels, channel.hashKey), " channel already preregistered!");
+        assert(!Object.hasOwn(this._channels, channel.hashKey), " channel already preregistered!");
 
-        const channelPriv = <ServerSecureChannelLayerPriv>channel;
-        this._channels[channel.hashKey] = channelPriv;
-        channelPriv._unpreregisterChannelEvent = () => {
+        this._channels[channel.hashKey] = channel;
+        const onAbort = () => {
             debugLog("Channel received an abort event during the preregistration phase");
             this._un_pre_registerChannel(channel);
             channel.dispose();
         };
-        channel.on("abort", channelPriv._unpreregisterChannelEvent);
+        preregisterAbortListeners.set(channel, onAbort);
+        channel.on("abort", onAbort);
     }
 
     private _un_pre_registerChannel(channel: ServerSecureChannelLayer) {
@@ -982,10 +1060,10 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
             return;
         }
         delete this._channels[channel.hashKey];
-        const channelPriv = <ServerSecureChannelLayerPriv>channel;
-        if (typeof channelPriv._unpreregisterChannelEvent === "function") {
-            channel.removeListener("abort", channelPriv._unpreregisterChannelEvent);
-            channelPriv._unpreregisterChannelEvent = undefined;
+        const onAbort = preregisterAbortListeners.get(channel);
+        if (onAbort) {
+            channel.removeListener("abort", onAbort);
+            preregisterAbortListeners.delete(channel);
         }
     }
 
@@ -1000,11 +1078,22 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
             this._channels[channel.hashKey] = channel;
 
             /**
-             * @event newChannel
+             * @event newChannel — fired after transport init (HEL/ACK).
+             * Note: securityPolicy/securityMode are NOT yet established.
              * @param channel
              */
             this.emit("newChannel", channel);
 
+            channel.once("open", () => {
+                /**
+                 * @event channelSecured — fired after OpenSecureChannel
+                 * handshake succeeds. securityPolicy, securityMode, and
+                 * clientCertificate are available at this point.
+                 * @param channel
+                 */
+                this.emit("channelSecured", channel);
+            });
+
             channel.on("abort", () => {
                 this._unregisterChannel(channel);
             });
@@ -1021,11 +1110,11 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
      */
     private _unregisterChannel(channel: ServerSecureChannelLayer): void {
         debugLog("_un-registerChannel channel.hashKey", channel.hashKey);
-        if (!Object.prototype.hasOwnProperty.call(this._channels, channel.hashKey)) {
+        if (!Object.hasOwn(this._channels, channel.hashKey)) {
             return;
         }
 
-        assert(Object.prototype.hasOwnProperty.call(this._channels, channel.hashKey), "channel is not registered");
+        assert(Object.hasOwn(this._channels, channel.hashKey), "channel is not registered");
 
         /**
          * @event closeChannel
@@ -1130,7 +1219,6 @@ interface MakeEndpointDescriptionOptions {
      */
     hostname: string;
 
-    serverCertificateChain: Certificate;
     /**
      *
      */
@@ -1224,14 +1312,6 @@ function estimateSecurityLevel(securityMode: MessageSecurityMode, securityPolicy
  * @private
  */
 function _makeEndpointDescription(options: MakeEndpointDescriptionOptions, parent: OPCUAServerEndPoint): EndpointDescriptionEx {
-    assert(Object.prototype.hasOwnProperty.call(options, "serverCertificateChain"));
-    assert(!Object.prototype.hasOwnProperty.call(options, "serverCertificate"));
-    assert(!!options.securityMode); // s.MessageSecurityMode
-    assert(!!options.securityPolicy);
-    assert(options.server !== null && typeof options.server === "object");
-    assert(!!options.hostname && typeof options.hostname === "string");
-    assert(typeof options.restricted === "boolean");
-
     const u = (n: string) => getUniqueName(n, options.collection);
     options.securityLevel =
         options.securityLevel === undefined
@@ -1353,7 +1433,8 @@ function _makeEndpointDescription(options: MakeEndpointDescriptionOptions, paren
         endpointUrl: "<to be evaluated at run time>", // options.endpointUrl,
 
         server: undefined, // options.server,
-        serverCertificate: options.serverCertificateChain,
+        // serverCertificate is set as a dynamic getter below
+        serverCertificate: undefined,
 
         securityMode: options.securityMode,
         securityPolicyUri,
@@ -1364,15 +1445,27 @@ function _makeEndpointDescription(options: MakeEndpointDescriptionOptions, paren
     }) as EndpointDescriptionEx;
     endpoint._parent = parent;
 
+    // serverCertificate — always dynamic.
+    // Delegates to the parent endpoint's combined DER cache
+    // which in turn reads from the current ICertificateChainProvider.
+    // This ensures GetEndpoints always returns the current chain,
+    // whether the provider is static or disk-based.
+    Object.defineProperty(endpoint, "serverCertificate", {
+        get: () => parent.getCombinedCertificate(),
+        configurable: true
+    });
+
     // endpointUrl is dynamic as port number may be adjusted
     // when the tcp socket start listening
-    // biome-ignore lint/suspicious/noExplicitAny: __defineGetter__ not in standard typings
-    (endpoint as any).__defineGetter__("endpointUrl", () => {
-        const port = options.advertisedPort ?? endpoint._parent.port;
-        const resourcePath = options.resourcePath || "";
-        const hostname = options.hostname;
-        const endpointUrl = `opc.tcp://${hostname}:${port}${resourcePath}`;
-        return resolveFullyQualifiedDomainName(endpointUrl);
+    Object.defineProperty(endpoint, "endpointUrl", {
+        get: () => {
+            const port = options.advertisedPort ?? endpoint._parent.port;
+            const resourcePath = options.resourcePath || "";
+            const hostname = options.hostname;
+            const endpointUrl = `opc.tcp://${hostname}:${port}${resourcePath}`;
+            return resolveFullyQualifiedDomainName(endpointUrl);
+        },
+        configurable: true
     });
 
     endpoint.server = options.server;

package/source/server_engine.ts

@@ -4,7 +4,7 @@
 import { EventEmitter } from "node:events";
 import { types } from "node:util";
 
-import async from "async";
+
 import chalk from "chalk";
 import {
     AddressSpace,
@@ -184,7 +184,7 @@ function requestServerStateChange(
 ) {
     assert(Array.isArray(inputArguments));
     assert(typeof callback === "function");
-    assert(Object.prototype.hasOwnProperty.call(context, "session"), " expecting a session id in the context object");
+    assert(Object.hasOwn(context, "session"), " expecting a session id in the context object");
     const session = context.session as ServerSession;
     if (!session) {
         return callback(null, { statusCode: StatusCodes.BadInternalError });
@@ -199,7 +199,7 @@ function _getSubscription(
     context: ISessionContext
 ): { subscription: Subscription; statusCode?: never } | { statusCode: StatusCode; subscription?: never } {
     assert(Array.isArray(inputArguments));
-    assert(Object.prototype.hasOwnProperty.call(context, "session"), " expecting a session id in the context object");
+    assert(Object.hasOwn(context, "session"), " expecting a session id in the context object");
     const session = context.session as ServerSession;
     if (!session) {
         return { statusCode: StatusCodes.BadInternalError };
@@ -466,11 +466,11 @@ export class ServerEngine extends EventEmitter implements IAddressSpaceAccessor
 
         // --------------------------------------------------- serverDiagnosticsSummary extension Object
         this.serverDiagnosticsSummary = new ServerDiagnosticsSummaryDataType();
-        assert(Object.prototype.hasOwnProperty.call(this.serverDiagnosticsSummary, "currentSessionCount"));
+        assert(Object.hasOwn(this.serverDiagnosticsSummary, "currentSessionCount"));
 
         // note spelling is different for serverDiagnosticsSummary.currentSubscriptionCount
         //      and sessionDiagnostics.currentSubscriptionsCount ( with an s)
-        assert(Object.prototype.hasOwnProperty.call(this.serverDiagnosticsSummary, "currentSubscriptionCount"));
+        assert(Object.hasOwn(this.serverDiagnosticsSummary, "currentSubscriptionCount"));
 
         Object.defineProperty(this.serverDiagnosticsSummary, "currentSubscriptionCount", {
             get: () => {
@@ -505,7 +505,7 @@ export class ServerEngine extends EventEmitter implements IAddressSpaceAccessor
             this._applicationUri = options.applicationUri || "<unset _applicationUri>";
         }
 
-        options.serverDiagnosticsEnabled = Object.prototype.hasOwnProperty.call(options, "serverDiagnosticsEnable")
+        options.serverDiagnosticsEnabled = Object.hasOwn(options, "serverDiagnosticsEnable")
             ? options.serverDiagnosticsEnabled
             : true;
 
@@ -1899,23 +1899,23 @@ export class ServerEngine extends EventEmitter implements IAddressSpaceAccessor
             return;
         }
         // perform all asyncRefresh in parallel
-        async.map(
-            uaVariableArray,
-            (uaVariable: UAVariable, inner_callback: CallbackT<DataValue>) => {
+        const promises = uaVariableArray.map((uaVariable) => {
+            return new Promise<DataValue>((resolve, reject) => {
                 try {
                     uaVariable.asyncRefresh(referenceTime, (err, dataValue) => {
-                        inner_callback(err, dataValue);
+                        if (err) return reject(err);
+                        resolve(dataValue!);
                     });
                 } catch (err) {
                     const _err = err as Error;
                     errorLog("asyncRefresh internal error", _err.message);
-                    inner_callback(_err);
+                    reject(_err);
                 }
-            },
-            (err?: Error | null, arrResult?: (DataValue | undefined)[]) => {
-                callback(err || null, arrResult as DataValue[]);
-            }
-        );
+            });
+        });
+        Promise.all(promises)
+            .then((dataValues) => callback(null, dataValues))
+            .catch((err) => callback(err));
     }
 
     private _exposeSubscriptionDiagnostics(subscription: Subscription): void {
@@ -1954,12 +1954,12 @@ export class ServerEngine extends EventEmitter implements IAddressSpaceAccessor
      * @return {Subscription}
      */
     public _createSubscriptionOnSession(session: ServerSession, request: CreateSubscriptionRequestLike): Subscription {
-        assert(Object.prototype.hasOwnProperty.call(request, "requestedPublishingInterval")); // Duration
-        assert(Object.prototype.hasOwnProperty.call(request, "requestedLifetimeCount")); // Counter
-        assert(Object.prototype.hasOwnProperty.call(request, "requestedMaxKeepAliveCount")); // Counter
-        assert(Object.prototype.hasOwnProperty.call(request, "maxNotificationsPerPublish")); // Counter
-        assert(Object.prototype.hasOwnProperty.call(request, "publishingEnabled")); // Boolean
-        assert(Object.prototype.hasOwnProperty.call(request, "priority")); // Byte
+        assert(Object.hasOwn(request, "requestedPublishingInterval")); // Duration
+        assert(Object.hasOwn(request, "requestedLifetimeCount")); // Counter
+        assert(Object.hasOwn(request, "requestedMaxKeepAliveCount")); // Counter
+        assert(Object.hasOwn(request, "maxNotificationsPerPublish")); // Counter
+        assert(Object.hasOwn(request, "publishingEnabled")); // Boolean
+        assert(Object.hasOwn(request, "priority")); // Byte
 
         // adjust publishing parameters
         const publishingInterval = request.requestedPublishingInterval || 0;

package/source/server_publish_engine.ts

@@ -2,28 +2,29 @@
  * @module node-opcua-server
  */
 // tslint:disable:no-console
-import { EventEmitter } from "events";
+
+import { EventEmitter } from "node:events";
 import chalk from "chalk";
-import { partition, sortBy } from "lodash";
+import partition from "lodash.partition";
+import sortBy from "lodash.sortby";
 
 import { assert } from "node-opcua-assert";
 import { checkDebugFlag, make_debugLog } from "node-opcua-debug";
 import { ObjectRegistry } from "node-opcua-object-registry";
-import { StatusCode, StatusCodes } from "node-opcua-status-code";
+import { type StatusCode, StatusCodes } from "node-opcua-status-code";
 
-import { PublishRequest, PublishResponse, ServiceFault, SubscriptionAcknowledgement } from "node-opcua-types";
-import { Subscription } from "./server_subscription";
-import { SubscriptionState } from "./server_subscription";
-import { IServerSidePublishEngine, INotifMsg, IClosedOrTransferredSubscription } from "./i_server_side_publish_engine";
+import { PublishRequest, PublishResponse, ServiceFault, type SubscriptionAcknowledgement } from "node-opcua-types";
+import type { IClosedOrTransferredSubscription, IServerSidePublishEngine } from "./i_server_side_publish_engine";
+import { Subscription, SubscriptionState } from "./server_subscription";
 
 const debugLog = make_debugLog(__filename);
 const doDebug = checkDebugFlag(__filename);
 
-function traceLog(...args: [any?, ...any[]]) {
+function traceLog(...args: [unknown?, ...unknown[]]) {
     if (!doDebug) {
         return;
     }
-    const a: string[] = args.map((x?: any) => x!);
+    const a: string[] = args.map((x?: unknown) => String(x));
     a.unshift(chalk.yellow(" TRACE "));
     debugLog(...a);
 }
@@ -56,7 +57,7 @@ function addDate(date: Date, delta: number) {
 
 function timeout_filter(publishData: PublishData): boolean {
     const request = publishData.request;
-    const results = publishData.results;
+    const _results = publishData.results;
     if (!request.requestHeader.timeoutHint) {
         // no limits
         return false;
@@ -87,7 +88,7 @@ export class ServerSidePublishEngine extends EventEmitter implements IServerSide
         );
 
         for (const subscription of Object.values(srcPublishEngine._subscriptions)) {
-            assert((subscription.publishEngine as any) === srcPublishEngine);
+            assert(subscription.publishEngine === srcPublishEngine);
 
             if (subscription.$session) {
                 subscription.$session._unexposeSubscriptionDiagnostics(subscription);
@@ -117,7 +118,7 @@ export class ServerSidePublishEngine extends EventEmitter implements IServerSide
         destPublishEngine: ServerSidePublishEngine,
         sendInitialValues: boolean
     ): Promise<Subscription> {
-        const srcPublishEngine = subscription.publishEngine as any as ServerSidePublishEngine;
+        const srcPublishEngine = subscription.publishEngine as ServerSidePublishEngine;
 
         assert(!destPublishEngine.getSubscriptionById(subscription.id));
         assert(srcPublishEngine.getSubscriptionById(subscription.id));
@@ -161,8 +162,6 @@ export class ServerSidePublishEngine extends EventEmitter implements IServerSide
         assert(destPublishEngine.getSubscriptionById(subscription.id));
         assert(!srcPublishEngine.getSubscriptionById(subscription.id));
 
-       
-
         return subscription;
     }
 
@@ -252,9 +251,9 @@ export class ServerSidePublishEngine extends EventEmitter implements IServerSide
      */
     public add_subscription(subscription: Subscription): Subscription {
         assert(subscription instanceof Subscription);
-        assert(isFinite(subscription.id));
-        subscription.publishEngine = (subscription.publishEngine || this) as any;
-        assert((subscription.publishEngine as any) === this);
+        assert(Number.isFinite(subscription.id));
+        subscription.publishEngine = subscription.publishEngine || this;
+        assert(subscription.publishEngine === this);
         assert(!this._subscriptions[subscription.id]);
 
         debugLog("ServerSidePublishEngine#add_subscription -  adding subscription with Id:", subscription.id);
@@ -265,12 +264,12 @@ export class ServerSidePublishEngine extends EventEmitter implements IServerSide
 
     public detach_subscription(subscription: Subscription): Subscription {
         assert(subscription instanceof Subscription);
-        assert(isFinite(subscription.id));
-        assert((subscription.publishEngine as any) === this);
+        assert(Number.isFinite(subscription.id));
+        assert(subscription.publishEngine === this);
         assert(this._subscriptions[subscription.id] === subscription);
 
         delete this._subscriptions[subscription.id];
-        subscription.publishEngine = null as any;
+        subscription.publishEngine = null as unknown as ServerSidePublishEngine;
         debugLog("ServerSidePublishEngine#detach_subscription detaching subscription with Id:", subscription.id);
         return subscription;
     }
@@ -318,7 +317,7 @@ export class ServerSidePublishEngine extends EventEmitter implements IServerSide
         const result = subscriptions.reduce((sum: number, subscription: Subscription) => {
             return sum + subscription.monitoredItemCount;
         }, 0);
-        assert(isFinite(result));
+        assert(Number.isFinite(result));
         return result;
     }
 
@@ -405,7 +404,7 @@ export class ServerSidePublishEngine extends EventEmitter implements IServerSide
      */
     public _on_PublishRequest(
         request: PublishRequest,
-        callback?: (request1: PublishRequest, response: PublishResponse| ServiceFault) => void
+        callback?: (request1: PublishRequest, response: PublishResponse | ServiceFault) => void
     ): void {
         callback = callback || dummy_function;
         assert(typeof callback === "function");
@@ -430,11 +429,11 @@ export class ServerSidePublishEngine extends EventEmitter implements IServerSide
             this._send_error_for_request(publishData, StatusCodes.BadSessionClosed);
         } else if (this.subscriptionCount === 0) {
             if (this._closed_subscriptions.length > 0 && this._closed_subscriptions[0].hasPendingNotifications) {
-                const verif = this._publish_request_queue.length;
+                const _verif = this._publish_request_queue.length;
                 // add the publish request to the queue for later processing
                 this._publish_request_queue.push(publishData);
 
-                const processed = this.#_feed_closed_subscription();
+                const _processed = this.#_feed_closed_subscription();
                 //xx ( may be subscription has expired by themselves) assert(verif === this._publish_request_queue.length);
                 //xx  ( may be subscription has expired by themselves) assert(processed);
                 return;
@@ -529,11 +528,11 @@ export class ServerSidePublishEngine extends EventEmitter implements IServerSide
             return false;
         }
         // process closed subscription
-        const closed_subscription = this._closed_subscriptions[0]!;
+        const closed_subscription = this._closed_subscriptions[0];
         assert(closed_subscription.hasPendingNotifications);
         debugLog("ServerSidePublishEngine#_feed_closed_subscription for closed_subscription ", closed_subscription.id);
-        closed_subscription?._publish_pending_notifications();
-        if (!closed_subscription?.hasPendingNotifications) {
+        closed_subscription._publish_pending_notifications();
+        if (!closed_subscription.hasPendingNotifications) {
             closed_subscription.dispose();
             this._closed_subscriptions.shift();
         }
@@ -579,7 +578,10 @@ export class ServerSidePublishEngine extends EventEmitter implements IServerSide
             // request and return a response with the result set to Bad_TooManyPublishRequests.
 
             // dequeue oldest request
-            const publishData = this._publish_request_queue.shift()!;
+            const publishData = this._publish_request_queue.shift();
+            if (!publishData) {
+                return;
+            }
             this._send_error_for_request(publishData, StatusCodes.BadTooManyPublishRequests);
         }
     }
@@ -629,10 +631,13 @@ export class ServerSidePublishEngine extends EventEmitter implements IServerSide
         );
         return true;
     }
-    public _send_response(subscription: Subscription, response: PublishResponse): void {
+    public _send_response(_subscription: Subscription, response: PublishResponse): void {
         assert(this.pendingPublishRequestCount > 0);
         assert(response.subscriptionId !== 0xffffff);
-        const publishData = this._publish_request_queue.shift()!;
+        const publishData = this._publish_request_queue.shift();
+        if (!publishData) {
+            return;
+        }
         this._send_valid_response_for_request(publishData, response);
     }
 

package/source/server_publish_engine_for_orphan_subscriptions.ts

@@ -7,8 +7,8 @@ import chalk from "chalk";
 import { checkDebugFlag, make_debugLog } from "node-opcua-debug";
 import { NodeId } from "node-opcua-nodeid";
 
-import { ServerSidePublishEngine, ServerSidePublishEngineOptions } from "./server_publish_engine";
-import { Subscription } from "./server_subscription";
+import { ServerSidePublishEngine, type ServerSidePublishEngineOptions } from "./server_publish_engine";
+import type { Subscription } from "./server_subscription";
 
 const debugLog = make_debugLog(__filename);
 const doDebug = checkDebugFlag(__filename);
@@ -32,7 +32,7 @@ export class ServerSidePublishEngineForOrphanSubscription extends ServerSidePubl
 
         // detach subscription from old session
         subscription.$session = undefined;
-        
+
         super.add_subscription(subscription);
         // also add an event handler to detected when the subscription has ended
         // so we can automatically remove it from the orphan table