svelte-adapter-uws 0.2.25 → 0.3.1

package/README.md

@@ -289,7 +289,7 @@ The client store automatically uses `wss://` when the page is served over HTTPS
 
 The Vite plugin is required for WebSocket support in both dev and production (see [Step 2](#step-2-add-the-vite-plugin-required)). It spins up a `ws` WebSocket server alongside Vite's dev server, so your client store and `event.platform` work identically to production.
 
-Changes to your `hooks.ws` file are picked up automatically — the plugin reloads the handler on save, no dev server restart needed.
+Changes to your `hooks.ws` file are picked up automatically — the plugin reloads the handler on save and closes existing connections so they reconnect with the new code. No dev server restart needed.
 
 **Note:** The dev server does not enforce `allowedOrigins`. Origin checks only run in production. A warning is logged at startup as a reminder.
 
@@ -388,6 +388,8 @@ adapter({
     // 'same-origin' - only accept where Origin matches Host and scheme (default)
     // '*' - accept from any origin
     // ['https://example.com'] - whitelist specific origins
+    // Requests without an Origin header (non-browser clients) are rejected
+    // unless an upgrade handler is configured to authenticate them.
     allowedOrigins: 'same-origin' // default: 'same-origin'
   }
 })

package/client.js

@@ -314,6 +314,11 @@ function createConnection(options) {
 
 		ws.onmessage = (rawEvent) => {
 			try {
+				// Reject oversized messages to prevent main-thread blocking
+				if (typeof rawEvent.data === 'string' && rawEvent.data.length > 1048576) {
+					if (debug) console.warn('[ws] message too large, dropped:', rawEvent.data.length, 'bytes');
+					return;
+				}
 				const msg = JSON.parse(rawEvent.data);
 				if (msg.topic && msg.event !== undefined) {
 					/** @type {import('./client.js').WSEvent} */
@@ -548,7 +553,7 @@ function createConnection(options) {
 			ws.send(JSON.stringify(data));
 		} else {
 			if (sendQueue.length >= MAX_QUEUE_SIZE) {
-				if (debug) console.warn('[ws] queue full, dropping oldest message');
+				console.warn('[ws] queue full (' + MAX_QUEUE_SIZE + '), dropping oldest message');
 				sendQueue.shift();
 			}
 			if (debug) console.log('[ws] queued ->', data);

package/files/handler.js

@@ -110,7 +110,7 @@ function cacheDir(dir, urlPrefix, immutable) {
 		if (immutable && relPath.startsWith(`${manifest.appPath}/immutable/`)) {
 			headers.push(['cache-control', 'public, max-age=31536000, immutable']);
 		} else {
-			etag = `W/"${createHash('md5').update(buffer).digest('hex').slice(0, 12)}"`;
+			etag = `W/"${createHash('sha256').update(buffer).digest('hex').slice(0, 16)}"`;
 			headers.push(['cache-control', 'no-cache'], ['etag', etag]);
 		}
 
@@ -575,6 +575,10 @@ async function handleSSR(res, method, url, headers, remoteAddress, state, abortS
 					const value = headers[address_header] || '';
 
 					if (address_header === 'x-forwarded-for') {
+						// Reject absurdly long XFF headers (max ~8KB)
+						if (value.length > 8192) {
+							throw new Error('X-Forwarded-For header too large');
+						}
 						const addresses = value.split(',');
 
 						if (xff_depth > addresses.length) {
@@ -696,17 +700,18 @@ async function writeResponse(res, response, state) {
 			res.write(second.value);
 		});
 
-		// Stream remaining chunks with backpressure
+		// Stream remaining chunks with backpressure (30s timeout per drain)
 		for (;;) {
 			const { done, value } = await reader.read();
 			if (done || state.aborted) break;
 
 			const ok = res.write(value);
 			if (!ok) {
-				await new Promise((resolve) =>
-					res.onWritable(() => { resolve(undefined); return true; })
-				);
-				if (state.aborted) break;
+				const drained = await new Promise((resolve) => {
+					const timer = setTimeout(() => resolve(false), 30000);
+					res.onWritable(() => { clearTimeout(timer); resolve(true); return true; });
+				});
+				if (!drained || state.aborted) break;
 			}
 		}
 	} finally {
@@ -799,6 +804,21 @@ if (WS_ENABLED) {
 	const wsOptions = WS_OPTIONS;
 	const allowedOrigins = wsOptions.allowedOrigins || 'same-origin';
 
+	// Per-IP upgrade rate limiter (configurable, 0 = disabled)
+	const UPGRADE_MAX_PER_WINDOW = wsOptions.upgradeRateLimit ?? 10;
+	const UPGRADE_WINDOW_MS = (wsOptions.upgradeRateLimitWindow ?? 10) * 1000;
+	/** @type {Map<string, { count: number, resetAt: number }>} */
+	const upgradeRateMap = new Map();
+	if (UPGRADE_MAX_PER_WINDOW > 0) {
+		// Purge stale entries every 60s to prevent unbounded growth
+		setInterval(() => {
+			const now = Date.now();
+			for (const [ip, entry] of upgradeRateMap) {
+				if (now > entry.resetAt) upgradeRateMap.delete(ip);
+			}
+		}, 60000).unref();
+	}
+
 	app.ws(WS_PATH, {
 		// Handle HTTP -> WebSocket upgrade with user-provided auth
 		upgrade: (res, req, context) => {
@@ -808,16 +828,42 @@ if (WS_ENABLED) {
 			req.forEach((key, value) => {
 				headers[key] = value;
 			});
+			const upgradeIp = textDecoder.decode(res.getRemoteAddressAsText());
+
+			// Rate limit upgrade requests per IP (0 = disabled)
+			if (UPGRADE_MAX_PER_WINDOW > 0) {
+				const now = Date.now();
+				let rateEntry = upgradeRateMap.get(upgradeIp);
+				if (!rateEntry || now > rateEntry.resetAt) {
+					rateEntry = { count: 0, resetAt: now + UPGRADE_WINDOW_MS };
+					upgradeRateMap.set(upgradeIp, rateEntry);
+				}
+				rateEntry.count++;
+				if (rateEntry.count > UPGRADE_MAX_PER_WINDOW) {
+					res.cork(() => {
+						res.writeStatus('429 Too Many Requests');
+						res.writeHeader('content-type', 'text/plain');
+						res.end('Too many upgrade requests');
+					});
+					return;
+				}
+			}
+
 			const secKey = req.getHeader('sec-websocket-key');
 			const secProtocol = req.getHeader('sec-websocket-protocol');
 			const secExtensions = req.getHeader('sec-websocket-extensions');
 
 			// Origin validation - reject cross-origin WebSocket connections.
-			// Non-browser clients (no Origin header) are always allowed.
-			const reqOrigin = headers['origin'];
-			if (reqOrigin && allowedOrigins !== '*') {
+			// Requests without an Origin header are also rejected (non-browser
+			// clients must be authenticated via the upgrade handler instead).
+			if (allowedOrigins !== '*') {
+				const reqOrigin = headers['origin'];
 				let allowed = false;
-				if (allowedOrigins === 'same-origin') {
+				if (!reqOrigin) {
+					// No Origin header - reject unless an upgrade handler is
+					// configured (it can authenticate non-browser clients itself)
+					allowed = !!wsModule.upgrade;
+				} else if (allowedOrigins === 'same-origin') {
 					try {
 						const parsed = new URL(reqOrigin);
 						const requestHost = (host_header && headers[host_header]) || headers['host'];
@@ -942,6 +988,11 @@ if (WS_ENABLED) {
 				try {
 					const msg = JSON.parse(textDecoder.decode(message));
 					if (msg.type === 'subscribe' && typeof msg.topic === 'string') {
+						// Validate topic name: max 256 chars, no control characters
+						if (msg.topic.length === 0 || msg.topic.length > 256) return;
+						for (let i = 0; i < msg.topic.length; i++) {
+							if (msg.topic.charCodeAt(i) < 32) return;
+						}
 						// If a subscribe hook exists, let it gate access
 						if (wsModule.subscribe && wsModule.subscribe(ws, msg.topic, { platform }) === false) {
 							return;
@@ -964,8 +1015,11 @@ if (WS_ENABLED) {
 		drain: wsModule.drain ? (ws) => wsModule.drain(ws, { platform }) : undefined,
 
 		close: (ws, code, message) => {
-			wsConnections.delete(ws);
-			wsModule.close?.(ws, { code, message, platform });
+			try {
+				wsModule.close?.(ws, { code, message, platform });
+			} finally {
+				wsConnections.delete(ws);
+			}
 		},
 
 		maxPayloadLength: wsOptions.maxPayloadLength,

package/files/index.js

@@ -45,6 +45,8 @@ if (is_primary) {
 	// Exponential backoff for crash-looping workers
 	let restart_delay = 0;
 	const RESTART_DELAY_MAX = 5000;
+	const RESTART_MAX_ATTEMPTS = 50;
+	let restart_attempts = 0;
 	/** @type {Set<ReturnType<typeof setTimeout>>} */
 	const restart_timers = new Set();
 
@@ -57,8 +59,9 @@ if (is_primary) {
 				workers.set(worker, msg.descriptor);
 				acceptorApp.addChildAppDescriptor(msg.descriptor);
 				console.log(`Worker thread ${worker.threadId} registered`);
-				// Worker started successfully  - reset backoff
+				// Worker started successfully  - reset backoff and attempt counter
 				restart_delay = 0;
+				restart_attempts = 0;
 				for (const t of restart_timers) clearTimeout(t);
 				restart_timers.clear();
 				// Start (or resume) listening once a worker is ready to handle requests
@@ -99,8 +102,13 @@ if (is_primary) {
 					listening = false;
 					console.log('All workers down, acceptor paused until a replacement is ready');
 				}
+				restart_attempts++;
+				if (restart_attempts > RESTART_MAX_ATTEMPTS) {
+					console.error(`Worker restart limit reached (${RESTART_MAX_ATTEMPTS}). Exiting.`);
+					process.exit(1);
+				}
 				restart_delay = restart_delay ? Math.min(restart_delay * 2, RESTART_DELAY_MAX) : 100;
-				console.log(`Worker thread ${worker.threadId} exited with code ${code}, restarting in ${restart_delay}ms...`);
+				console.log(`Worker thread ${worker.threadId} exited with code ${code}, restarting in ${restart_delay}ms... (attempt ${restart_attempts}/${RESTART_MAX_ATTEMPTS})`);
 				const timer = setTimeout(() => {
 				restart_timers.delete(timer);
 				if (shutting_down) return;

package/index.d.ts

@@ -166,11 +166,26 @@ export interface WebSocketOptions {
 	 * - `'*'` - accept connections from any origin
 	 * - `string[]` - whitelist of allowed origin URLs (e.g. `['https://example.com']`)
 	 *
-	 * Non-browser clients (no Origin header) are always allowed.
+	 * Requests without an Origin header (non-browser clients) are rejected
+	 * unless an upgrade handler is configured to authenticate them.
 	 *
 	 * @default 'same-origin'
 	 */
 	allowedOrigins?: 'same-origin' | '*' | string[];
+
+	/**
+	 * Maximum number of WebSocket upgrade requests allowed per IP address
+	 * within `upgradeRateLimitWindow` seconds.
+	 * Set to `0` to disable upgrade rate limiting.
+	 * @default 10
+	 */
+	upgradeRateLimit?: number;
+
+	/**
+	 * Time window in seconds for the upgrade rate limiter.
+	 * @default 10
+	 */
+	upgradeRateLimitWindow?: number;
 }
 
 // -- User's WebSocket handler module exports ---------------------------------

package/index.js

@@ -221,7 +221,9 @@ export default function (opts = {}) {
 				sendPingsAutomatically: websocket?.sendPingsAutomatically ?? true,
 				compression: websocket?.compression ?? false,
 				allowedOrigins: websocket?.allowedOrigins ?? 'same-origin',
-				upgradeTimeout: websocket?.upgradeTimeout ?? 10
+				upgradeTimeout: websocket?.upgradeTimeout ?? 10,
+				upgradeRateLimit: websocket?.upgradeRateLimit ?? 10,
+				upgradeRateLimitWindow: websocket?.upgradeRateLimitWindow ?? 10
 			};
 
 			builder.copy(files, out, {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svelte-adapter-uws",
-  "version": "0.2.25",
+  "version": "0.3.1",
   "description": "SvelteKit adapter for uWebSockets.js - high-performance C++ HTTP server with built-in WebSocket support",
   "author": "Kevin Radziszewski",
   "license": "MIT",

package/vite.js

@@ -364,6 +364,11 @@ export default function uws(options = {}) {
 						try {
 							const msg = JSON.parse(buf.toString());
 							if (msg.type === 'subscribe' && typeof msg.topic === 'string') {
+								// Validate topic name: max 256 chars, no control characters
+								if (msg.topic.length === 0 || msg.topic.length > 256) return;
+								for (let ci = 0; ci < msg.topic.length; ci++) {
+									if (msg.topic.charCodeAt(ci) < 32) return;
+								}
 								if (userHandlers.subscribe && userHandlers.subscribe(wrapped, msg.topic, { platform }) === false) {
 									return;
 								}
@@ -416,7 +421,12 @@ export default function uws(options = {}) {
 					mod.drain !== userHandlers.drain ||
 					mod.subscribe !== userHandlers.subscribe) {
 					applyHandlers(mod);
-					console.log('[adapter-uws] WebSocket handler reloaded');
+					// Close existing connections so they reconnect with the new handler.
+					// 1012 = "Service Restart" - clients with auto-reconnect will reconnect.
+					for (const ws of connections) {
+						ws.close(1012, 'Handler reloaded');
+					}
+					console.log('[adapter-uws] WebSocket handler reloaded, existing connections closed');
 				}
 			}).catch((err) => {
 				handlerFailed = true;