I am developing a website which uses a private messaging system using php + socket.io.
From the beginning i passed the sender_id, recipient_id and text to socket.io using socket.emit but later realized that this could be easily tampered with and wanted to use my php sessions in some way to be sure that the sender_id is indeed the sender_id.
I have the following setup right now but i dont really understand how to pass the session from index.php to app.js and then connect to redis-server in app.js to get the PHPSESSID which holds the user_id.
Server 1 running nginx + php-fpm (index.php)
Server 2 running node.js with socket.io (app.js)
Server 3 running redis for session management
My code right now looks like the following but is obviously missing the redis part right now which i would really appriciate some help with.
Thanks!
index.php
<?php
session_start();
if ($_SESSION['user_id'] == false){
header("Location:login.php");die;
}
?>
<script>
var socket = io('https://app01.dev.domain.com:8895');
socket.on('connect', function(){
console.log("Connected to websockets");
});
socket.on('event', function(data){});
socket.on('disconnect', function(){});
$('.chat-message').keypress(function (e) {
if (e.which == 13) {
console.log("send message");
var friend_id = $(this).attr('id');
friend_id = friend_id.split("-");
friend_id = friend_id[3];
var obj = {
recipient_id: friend_id,
text: $(this).val()
};
socket.emit('chat_message', obj);
$(this).val('');
return false;
}
});
</script>
app.js
var https = require("https"), fs = require("fs");
var options = {
key: fs.readFileSync('/etc/letsencrypt/live/domain/privkey.pem'),
cert: fs.readFileSync('/etc/letsencrypt/live/domain/cert.pem'),
ca: fs.readFileSync('/etc/letsencrypt/live/domain/chain.pem')
};
var app = https.createServer(options);
var io = require("socket.io")(app);
var redis = require("redis");
// This i want to fill with for example PHPSESSION:user_id that i get from redis and later use it as sender
// var all_clients = {};
io.set("transports", ["websocket", "polling"]);
io.on("connection", function(client){
console.log("Client connected");
// Here i would like to connect to redis in some way and get the user_id but dont really understand how
//all_clients[USER_ID_FROM_REDIS] = client.id;
//var user_id = USER_ID_FROM_REDIS;
client.on("chat_message", function(data){
var obj = {
to: data.recipient_id,
text: data.text
};
console.log("Message inbound from socket: "+client.id+" from: "+data.user_id+" to: "+data.recipient_id+" with text: "+data.text);
});
client.on("disconnect", function(){
console.log("Client disconnected ");
//delete all_clients[USER_ID_FROM_REDIS];
});
});
app.listen(8895, function(){
console.log("listening on *:8895");
});
var recursive = function () {
//console.log("Connected clients: "+Object.keys(all_clients).length);
//console.log(JSON.stringify(all_clients));
setTimeout(recursive,2000);
}
recursive();
HTTP in itself does not protect against MITM attacks, to protect against MITM the server certificate needs to be pined.
To protect against a user being spoofed you need authentication such as logging-in or a secret token like Dropbox.
Add certificate pinning, that is just jargon for validating that you are connecting to the correct server and not a MITM by verifying the certificate that is sent by the server. MITM used to be harder but WiFi has made it easy to connect to the wrong end-point at Hot Sports, even at home I have seen this.
Related
Im building my socket application with laravel broadcaasting. I made my server script and then added https like in this script: (The code may contain errors because it is written from memory)
var fs = require('fs');
var https = require('https');
var express = require('express');
var app = express();
var options = {
key: fs.readFileSync('./file.pem'),
cert: fs.readFileSync('./file.crt')
};
var serverPort = 3000;
var server = https.createServer(options, app);
var io = require('socket.io')(server);
require('socketio-auth')(io, {
authenticate: authenticate,
postAuthenticate: postAuthenticate,
disconnect: disconnect,
timeout: 1000
});
after that i added socketio-auth and modified it for just username and password authentication.
function authenticate(socket, data, callback) {
if (data.username != "username") {
return callback(new Error("User not found"));
}
return callback(null, user.password == "password");
}
}
My question is about credntials I'm sending via socket.
import VueSocketio from 'vue-socket.io';
Vue.use(VueSocketio, socketio('https://socketserver.com:1923', {secure: true}));
var vm = new Vue({
sockets:{
connect: function(){
console.log('socket connected')
this.$socket.emit('authentication', {username : "username", password: "password"});
},
},
})
Im actually using Vue with vue-socketio but its working with connection and with getting / sending information properly.
Problem I got is when Im going to console in google chrome im getting plain text socket emit authentication information like
(REQUEST PAYLOAD : {authentication: {username: "username", password : "password"}}).
Is that normal thing when Im using ssl? Something is wrong with my code?
Or I need to encrypt then decrypt this information myself?
I thought all Im sending via HTTPS is encrypted.
Looking for ur replay. Thanks!
Okey I made my own encryptor.
For client Im emiting encrypted information with data and the verify hash with socket.id.
And for server i decrypted and check hmac verification with socket.id.
I am making a chat application for my web job portal.I used to save user's name from php session to nodejs socket io library..I am confused..it is ok to store 10k users in socket object.if yes then how to maintain that users list? Another problem is when user navigates from one page to another..socket disconnect and again connect..Does it effect my application performance or nodejs server perform?
Please guide me through tutorials or blog..I have not find relevant docs yet about socket connection management ..Thanks in advance!!
You can store your data into socket.
For example,
On Server side, use like this,
var socketIo = require('/socket.io').listen(8080);
var usernames=[];
socketIo.sockets.on('connection', function (socket) {
socket.on('storeUserData', function (data) {
var userInfo = new Object();
userInfo.userName = data.userName;
userInfo.SocketId = socket.id;
usernames.push(userInfo);
});
socket.on('disconnect', function (data) {
var len = usernames.length;
for(var i=0; i<len; i++){
var user = usernames[i];
if(user.socketId == socket.id){
usernames.splice(i,1);
break;
}
}
});
});
and on client side, you need to add this
<script>
var userName = <?php echo $_SESSION['userName'] ?>;
var socket = io.connect('http://localhost', {port: 8080});
socket.on('connect', function (data) {
socket.emit('storeUserData', { 'userName' : userName });
});
</script>
Socket connection disconnects on page refresh.Why?
It is default behaviour of socket.io.
I am working for a real time private messaging system into my php application. My codes are working for all users together. But I need private messaging system as one-to-one message.
After setup node and redis I can get the message data what I need : here is the code ::
Front-end ::
1. I use a form for - username , message and send button
and Notification JS:
$( document ).ready(function() {
var socket = io.connect('http://192.168.2.111:8890');
socket.on('notification', function (data) {
var message = JSON.parse(data);
$( "#notifications" ).prepend("<p> <strong> " + message.user_name + "</strong>: " + message.message + "</p>" );
});
});
Server Side js:
var app = require('express')();
var server = require('http').Server(app);
var io = require('socket.io')(server);
var redis = require('redis');
server.listen(8890);
var users = {};
var sockets = {};
io.on('connection', function (socket) {
console.log(" New User Connected ");
// instance of Redis Client
var redisClient = redis.createClient();
redisClient.subscribe('notification');
socket.on('set nickname', function (name) {
socket.set('nickname', name, function () {
socket.emit('ready');
});
});
socket.on('msg', function () {
socket.get('nickname', function (err, name) {
console.log('Chat message by ', name);
});
});
redisClient.on("message", function(channel, message)
{
// to view into terminal for monitoring
console.log("Message from: " + message + ". In channel: " + channel + ". Socket ID "+ socket.id );
//send to socket
socket.emit(channel, message);
});
redisClient.on('update_chatter_count', function(data)
{
socket.emit('count_chatters', data);
});
//close redis
socket.on('disconnect', function()
{
redisClient.quit();
});
});
HTML::
<script src="https://cdn.socket.io/socket.io-1.3.5.js"></script>
<form .....>
<input ....... >
</form>
<div id="notifications" ></div>
Over-all output:
John : Hello
Kate : Hi
Others: .....
Above codes are working nicely in my php application. Now I want to set-up private or one-to-one messaging system.
The way I need to add username or email or unique socketID for user. I do not have any more ideas for private messaging. I tried to figure on online but failed.
**How do I setup private message into my php application ? **
Basic initialization of variables:-
First, make a MAP of mapOfSocketIdToSocket and then send the userid of the specific user to whom you want to sent the message from the front-end. In the server, find the socket obeject mapped with the userid and emit your message in that socket. Here is a sample of the idea (not the full code)
var io = socketio.listen(server);
var connectedCount = 0;
var clients = [];
var socketList = [];
var socketInfo = {};
var mapOfSocketIdToSocket={};
socket.on('connectionInitiation', function (user) {
io.sockets.sockets['socketID'] = socket.id;
socketInfo = {};
socketInfo['userId']=user.userId;
socketInfo['connectTime'] = new Date();
socketInfo['socketId'] = socket.id;
socketList.push(socketInfo);
socket.nickname = user.name;
socket.userId= user.userId;
loggjs.debug("<"+ user.name + "> is just connected!!");
clients.push(user.userId);
mapOfSocketIdToSocket[socket.id]=socket;
}
socket.on('messageFromClient', function (cMessageObj, callback) {
for(var i=0; i<socketList.length;i++){
if(socketList[i]['userId']==cMessageObj['messageToUserID']){ // if user is online
mapOfSocketIdToSocket[socketList[i]['socketId']].emit('clientToClientMessage', {sMessageObj: cMessageObj});
loggjs.debug(cMessageObj);
}
}
})
Either you may want to go for private one-to-many chat room or you can go for one-to-one channel communication (if there are only two members communicating) http://williammora.com/nodejs-tutorial-building-chatroom-with/
I would suggest you to use socketIO namespaces, it allow you to send / emit event from / to specific communication "channels".
Here is the link to socketIO documentation regarding rooms & namespaces
http://socket.io/docs/rooms-and-namespaces/
Cheers
One solution could be sending messages to person with the particular socket id. As you are already using redis you can store the user's detail and socket id in redis when user joins and then to send messages to user by getting the socket id from the redis whenever you want to send him a message. Call events like
socket.emit('send private') from front end
and on backend handle the
socket.on('send private'){
// do redis stuff inside this }
Use Pusher. It offers channel usage to make private chats possible without any additional code
My application stack:
On my server runs a Redis server. The PHP backend communicates with Predis library with the Redis server. It will publish messages. These messages will be fetched by my Redis client (node.js) and pushed to the connected websocket clients (with SockJS).
My problem:
It runs well. At least for broadcast messages. Now I came to the point I need to send a unicast message and I'm stuck... How to connect the user on the backend side (sender of messages) with the connected client of the websocket?
Code snippets:
PHP
$redis = new Client();
$redis->publish('updates', Random::getUniqueString());
Redis client on node.js server
redis.subscribe('updates');
redis.on('message', function(channel, data) {
for (var id in sockets) {
if (sockets.hasOwnProperty(id)) {
sockets[id].write(data);
}
}
});
SockJS client
mySocketFactory.setHandler('message', function(event) {
console.log(event.data);
});
Like I said. Working well but the id used for the socket connection is not known by the PHP backend.
Edit: One idea I got in mind is to use cookies.
I found a way to solve my problem. When the socket connection is established I sent a request to my PHP backend and ask for the user id. This is stored on the node.js server. When messages are incoming there is a check if they are for specific user and handle them only for them.
So, what do I store exactly on my node server?
var sockets = {}; // {connection_id: socket_connection}
var connIdToUser = {}; // {connection_id: user_id}
var connIdsForUser = {}; // {user_id: [connection_id_1, connection_id_2 ,...]}
socketServer.on('connection', function(conn) {
sockets[conn.id] = conn;
var options = {
host: os.hostname(),
port: 80,
path: '/user/id',
method: 'GET'
};
var req = http.request(options, function(res) {
res.setEncoding('utf8');
res.on('data', function (chunk) {
var userId = JSON.parse(chunk).id;
connIdToUser[conn.id] = userId;
if (!connIdsForUser.hasOwnProperty(userId)) {
connIdsForUser[userId] = [];
}
connIdsForUser[userId].push(conn.id);
console.log('connection id ' + conn.id + ' related to user id ' + userId);
});
});
req.end();
conn.on('close', function() {
console.log('connection lost ' + conn.id);
// remove connection id from stack for user
var connections = connIdsForUser[connIdToUser[conn.id]];
var index = connections.indexOf(conn.id);
if (index > -1) {
connections.splice(index, 1);
}
// remove connection at all
delete sockets[conn.id];
// remove relation between connection id and user
delete connIdToUser[conn.id];
});
});
The reason for storing the relation between user id an connection id twice is the different use case I need either for sending a message or deleting the connection for the close event. Otherwise I would have to use a nested loop.
As you can see deleting a socket is fairly easy. Although deleting the connection from the connection stack of an user is a little bit complicated.
Let's continue with the sending of a message. Here I defined a structure of the message I get from the Redis server:
{
targets: [], // array of unit ids (can be empty)
data: <mixed> // the real data
}
Sending the data to the sockets looks like:
redis.on('message', function(channel, message) {
message = JSON.parse(message);
// unicast/multicast
if (message.targets.length > 0) {
message.targets.forEach(function(userId) {
if (connIdsForUser[userId] !== undefined) {
connIdsForUser[userId].forEach(function(connId) {
sockets[connId].write(message.data);
});
}
});
// broadcast
} else {
for (var id in sockets) {
if (sockets.hasOwnProperty(id)) {
sockets[id].write(message.data);
}
}
}
});
Since I store the connection stack per user it is quite easy to send the data to all sockets related to a specific user. So what I can do now is unicast (array with one user id), multicast (array with more than one user id) and broadcast (empty array).
It's working well for my use case.
i used multi room chat application example for node.js writed by mike in this article.and changed it to use session data which grabed from php session handler until now
this is the part of code which i wrote until now
var express = require('express'),
app = express(),
memcache = require("memcache"),
http = require('http'),
server = http.createServer(app),
io = require('socket.io').listen(server),
co = require("./cookie.js"),
php = require('phpjs'),
codein = require("node-codein");
//check if user loggedin
// routing
app.get('/', function (req, res) {
res.sendfile(__dirname + '/index.html');
var cookieManager = new co.cookie(req.headers.cookie);
var client = new memcache.Client(11211, "localhost");
client.connect();
user = client.get("sessions/"+cookieManager.get("sec_session_id"), function(error, result){
var session = JSON.parse(result);
user = JSON.parse(session.name);
user = user.username;
storeUsername(user);
});
});
function storeUsername(user){
// usernames which are currently connected to the chat
var usernames = {};
io.of('/private').authorization(function (handshakeData, callback) {
console.dir(handshakeData);
handshakeData.foo = 'baz';
callback(null, true);
}).io.sockets.on('connection', function (socket) {
usernames[socket.id] = socket;
// when the client emits 'sendchat', this listens and executes
socket.on('sendchat', function (data) {
// we tell the client to execute 'updatechat' with 2 parameters
io.sockets.emit('updatechat', socket.username, data);
});
// when the client emits 'adduser', this listens and executes
socket.on('adduser', function(username){
// we store the username in the socket session for this client
socket.username = user;
// add the client's username to the global list
// echo to client they've connected
if(php.in_array(socket.username,usernames)){
delete usernames[socket.username];
}else{
usernames[user] = user;
console.log('not exist');
socket.emit('updatechat', 'SERVER', 'you have connected');
// echo globally (all clients) that a person has connected
socket.broadcast.emit('updatechat', 'SERVER', username + ' has connected');
// update the list of users in chat, client-side
io.sockets.emit('updateusers', usernames);
}
});
// when the user disconnects.. perform this
socket.on('disconnect', function(){
// remove the username from global usernames list
delete usernames[socket.username];
// update list of users in chat, client-side
io.sockets.emit('updateusers', usernames);
// echo globally that this client has left
socket.broadcast.emit('updatechat', 'SERVER', socket.username + ' has disconnected');
});
});
}
server.listen(3000);
for example user master will connect to our chatroom and he will have his username which stored from php based application.but where is the problem now?when user master connect from 2 or 3 tab of our browser he will connect to socket server 3 or 4 times and if he post some data we have this result
master : hello
master : hello
master : hello
i want users to connect to my application just once and can post data just once.now how should i achieve that?
how should i access this users in case of private message to each other
i am so new in node.js.my bad.sorry
thanks for help in advance.+1 for all teachers
1) You could you (seems to), var app = require('express').express();
2) On first app.get, you don't need to put 2 times JSON.parse, maybe the second JSON.parse is not what you want (are you trying to retrieve user threw that field ?)
3) MOST IMPORTANT : to make usage of room, you must use socket.join to join a room, if you don't
do it, the socket.broadcast will have no special effect...
To remove a user from a room, use socket.leave