npm - wse-client - Versions diffs - 2.1.1 → 2.2.1 - Mend

wse-client 2.1.1 → 2.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +17 -6
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -14,7 +14,7 @@ High-performance WebSocket server built in Rust with native clustering, E2E encr
 | Feature | Details |
 |---------|---------|
 | **Rust core** | tokio async runtime, tungstenite WebSocket transport, dedicated thread pool, zero GIL on the data path |
-| **JWT authentication** | Rust-native HS256 validation during handshake (0.01ms), cookie + Authorization header extraction |
+| **JWT authentication** | HS256, RS256, ES256 algorithms via jsonwebtoken crate. Validated during handshake (0.01ms), cookie + Authorization header extraction, key rotation, kid validation |
 | **Protocol negotiation** | `client_hello`/`server_hello` handshake with feature discovery, capability advertisement, version agreement |
 | **Topic subscriptions** | Per-connection topic subscriptions with automatic cleanup on disconnect |
 | **Pre-framed broadcast** | WebSocket frame built once, shared via Arc across all connections, single allocation per broadcast |
@@ -99,7 +99,7 @@ High-performance WebSocket server built in Rust with native clustering, E2E encr
 | Feature | Details |
 |---------|---------|
-| **Origin validation** | `ALLOWED_ORIGINS` env var, rejects unlisted origins with close code 4403 |
+| **Origin validation** | Configure in reverse proxy (nginx/Caddy) to prevent CSWSH |
 | **Cookie auth** | `access_token` HTTP-only cookie with `Secure + SameSite=Lax` (OWASP recommended for browsers) |
 | **Frame protection** | 1 MB max frame size, serde_json parsing (no eval), escaped user IDs in server_ready |
 | **Cluster frame protection** | zstd decompression output capped at 1 MB (MAX_FRAME_SIZE), protocol version validation |
@@ -163,9 +163,14 @@ token = rust_jwt_encode(
 | `host` | required | Bind address |
 | `port` | required | Bind port |
 | `max_connections` | 1000 | Maximum concurrent WebSocket connections |
-| `jwt_secret` | None | HS256 secret for JWT validation (bytes, min 32 bytes). `None` disables authentication |
+| `jwt_secret` | None | JWT key for validation. HS256: shared secret (bytes, min 32). RS256/ES256: PEM public key. `None` disables auth |
 | `jwt_issuer` | None | Expected `iss` claim. Skipped if `None` |
 | `jwt_audience` | None | Expected `aud` claim. Skipped if `None` |
+| `jwt_cookie_name` | "access_token" | Cookie name for JWT token extraction |
+| `jwt_previous_secret` | None | Previous key for zero-downtime rotation. HS256: previous secret. RS256/ES256: previous public key PEM |
+| `jwt_key_id` | None | Expected `kid` header claim. Rejects tokens with mismatched key ID |
+| `jwt_algorithm` | None | JWT algorithm: `"HS256"` (default), `"RS256"`, or `"ES256"` |
+| `jwt_private_key` | None | PEM private key for RS256/ES256 token encoding. Not needed for HS256 |
 | `max_inbound_queue_size` | 131072 | Drain mode bounded queue capacity |
 | `recovery_enabled` | False | Enable per-topic message recovery buffers |
 | `recovery_buffer_size` | 128 | Ring buffer slots per topic (rounded to power-of-2) |
@@ -175,6 +180,12 @@ token = rust_jwt_encode(
 | `presence_enabled` | False | Enable per-topic presence tracking |
 | `presence_max_data_size` | 4096 | Max bytes for a user's presence metadata |
 | `presence_max_members` | 0 | Max tracked members per topic (0 = unlimited) |
+| `max_outbound_queue_bytes` | 16777216 | Per-connection outbound buffer limit (bytes, default 16 MB). Messages dropped when exceeded |
+| `rate_limit_capacity` | 100000.0 | Token bucket capacity per connection |
+| `rate_limit_refill` | 10000.0 | Token bucket refill rate per second |
+| `max_message_size` | 1048576 | Maximum WebSocket frame size in bytes (default 1 MB) |
+| `ping_interval` | 25 | Server-initiated ping interval in seconds |
+| `idle_timeout` | 60 | Force-close connections idle for this many seconds |
 ---
@@ -375,7 +386,7 @@ Token delivery:
 - **Backend clients**: `Authorization: Bearer <token>` header and/or `access_token` cookie
 - **API clients**: `Authorization: Bearer <token>` header
-Required claims: `sub` (user ID), `exp` (expiration), `iat` (issued at). Optional: `iss`, `aud` (validated if configured).
+Required claims: `sub` (user ID), `exp` (expiration). Recommended: `iat` (issued at). Optional: `iss`, `aud` (validated if configured).
 ### End-to-End Encryption
@@ -499,10 +510,10 @@ Benchmarked on AMD EPYC 7502P (32 cores / 64 threads, 128 GB RAM), Ubuntu 24.04.
 | Mode | Peak Throughput | Connections | Message Loss |
 |------|----------------|-------------|--------------|
-| Standalone (fan-out) | 5.0M deliveries/s | 500K | 0% |
+| Standalone (fan-out) | 4.7M deliveries/s | 100K | 0% |
 | Standalone (inbound JSON) | 14.7M msg/s | 500K | 0% |
 | Standalone (inbound msgpack) | 30M msg/s | 500K | 0% |
-| Cluster (2 nodes) | 9.5M deliveries/s | 20K per node | 0% |
+| Cluster (2 nodes, 50/50) | 6.6M deliveries/s | 500 per node | 0% |
 Sub-millisecond latency. Median 0.38ms with JWT authentication. Connection handshake: 0.53ms median (Rust JWT path).

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "wse-client",
-  "version": "2.1.1",
+  "version": "2.2.1",
   "description": "WSE (WebSocket Engine) React client. Type-safe hooks, auto-reconnect, offline queue, E2E encryption.",
   "main": "dist/index.js",
   "module": "dist/index.js",