This is my first node project I'm doing, still trying to get my head around it all. I have a project which requires the dependencies yjs, y-webrtc and y-codemirror
Hi @renieravin , there is no functionality that enforces that a Yjs document is not modified. But you can enforce that a client does not receive messages from an unautorized user. This is part of the connector. y-websocket has such functionality, but you would need to modify the server a bit to make it work. I recommend that authentication happens before accepting the websocket connection - I made a marker here: https://github.com/yjs/y-websocket/blob/69c770174158ade76d23fe81443d7950a796d778/bin/server.js#L21
Welcome @callum-atwal Yeah that's possible, you simply need to exchange the connector. You should check out y-webrtc. It currently only works in v12 of Yjs. I'm currently working on a fork for v13 (the current version).
Hey @callum-atwal . Here is an update on y-webrtc: Today I took some time and polished and pushed a new version of y-webrtc. There is some documentation here https://github.com/y-js/y-webrtc
The new y-webrtc connector, that is compatible with v13, implements a simple signalling server that should be easy to re-implement in other languages. Also I published several signalling servers that you can use for free. In the next few days I also want to implement password protection for webrtc rooms.
The new y-webrtc connector, that is compatible with v13, implements a simple signalling server that should be easy to re-implement in other languages. Also I published several signalling servers that you can use for free. In the next few days I also want to implement password protection for webrtc rooms.
FYI Yjs was actually my final year project :p
I just continued to work on it for five more years ..
One question is how do you authenticate? A cookie? A request parameter? Send the message on a socket? I went with an
access_token querystring parameter (over SSL)
the other thing I wasn't sure of is how to reject access. I tried closing/destroying/terminating the socket and it caused the browser to start spooling up infinite new websockets, so I set a 10s timeout before closing.
also once I added this I started seeing server crashes caused by what I think was a memory leak
here's the code I ended up with. apologies for the messiness. some of it may not be strictly necessary:
server.on('upgrade', (request, socket, upgradeHead) => {
var head = new Buffer(upgradeHead.length);
upgradeHead.copy(head);
upgradeHead = null
// You may check auth of request here..
// or check cookie here
// console.log('CHECK AUTH', request.url, request.headers.cookie)
/**
* @param {any} ws
*/
const handleAuth = async ws => {
const parsed = url.parse(request.url, true)
const access_token = parsed.query.access_token
const docName = parsed.pathname
// console.log('parsed', parsed)
request.url = (parsed.origin||'') + docName
const access = await verifyAccess(access_token, docName)
const { user } = access
if (user) {
// console.log('connecting inner request url', request.url)
request.user = user
wss.emit('connection', ws, request)
// release ref?
socket.unref()
socket = null
}
// if (true || request.headers.cookie.indexOf('tehsecretpassword')> -1) {
// }
else {
console.log('access denied', request.url)
// socket.close();
setTimeout(() => {
socket.destroy();
socket = null;
}, 10000)
// socket.close()
// socket.terminate()
return;
}
}
wss.handleUpgrade(request, socket, head, handleAuth)
})
@WinstonFassett Thanks for the feedback on the authentication method. I will look into it. I guess a client shouldn't try to reconnect after auth has been rejected. And the server should properly close the connection (I thought that this would be handled by the
http module). I opened a ticket for this yjs/y-websocket#7
Regarding y-webrtc: You are right that webrtc connections are always encrypted (by web standard). But unless you trust the signaling server, webrtc is still vulnerable to man-in-the middle attacks. With y-webrtc, you can perform signaling handshakes over untrusted signaling servers. The crypto module encrypts signaling data that is sent over the signaling server so that only users with the shared secret can connect with each other.
As for the method how you authenticate over y-websocket: I think the best method to authenticate is before you create the actual websocket connection. This way you can really make sure that no data is shared with unauthenticated clients. If you want to authenticate over a message via the websocket connection you would need to adapt the connection protocol and make sure that unauthorized clients don't receive any data.
I recommend to authenticate via request header or cookies. In general, you should avoid to authenticate via request parameters. Request parameters are often visible in the server logs and accessible by people who shouldn't have access to personal user data. Request headers and cookies are (presumptuously) always the better choice for sharing user secrets.
Yes my first choice was to use a header for auth, but I was unable to get it to work in the browser even using a protocol header hack that was supposed to work (I was using Chrome, which apparently strips security headers). Similarly basic auth didn't work. Querystring parameter and cookie both worked. Incidentally, the feathers-js API server I'm using for REST can also do websockets pretty well. When enabled it will use messages for auth rather than any of the mechanisms I just described. I lean towards that approach but don't see a good way to implement it with YJS.
That's a good point. I expected that headers should work because websockets are just http requests. Also the ws package (native nodejs) supports headers.
I will rethink this approach then. In this case you are right that we should probably go for authentication via a websocket message. I opened a ticket for this yjs/y-websocket#8
Hey @rafeautie I think I have an unfinished version lying around somewhere. I'll push to https://github.com/yjs/y-ace and then you can have a look at it if you want
Hey all, I decided to restart my project but instead using Angular for the frontend. I'm having a little trouble (which I think is a minor one). I've installed the yjs, y-codemirror, y-websocket and codemirror packages in npm. They exist in the package.json and my IDE doesn't complain they do not exist/not found. When I go to create a Y.Doc() instance, it tells me (on runtime in angular) that
.Doc is not a constructor. Please see these images
(I think this is more a Angular question, however was just hoping someone in here could field the question before I turn to Stackoverflow or something) :D
@Callum I had a similar issue. If you simply install yjs using npm, you get an earlier version than the current one. Try re-installing, but getting yjs@13.0.0-103 This might help. (I don't whether there is an even more recent version).
I'm developing an app that uses yjs and vis-network graph visualisation (watch this space for a submission as a yjs demo). While developing it and testing it, lots of test data was inserted into y.Doc, and now I want to start afresh, with an empty Doc. But I haven't found a method to do this (e.g. a destroy method). Note that I don't want to delete the structs/records (which would just mark them as deleted), but to go bak to the state where the Doc was just initialised. I'm using the standard WebsocketProvider and yjs v13. On a related issue, I am not clear where the y.Doc is stored (in the browser? if so, where? Can I use DevTools to view it?).
however, lib0 is running into an error, cannot find module crypto. I've installed it seperately and it still cannot find it
reverting back to 78 doesnt give the error
^ was the error
Forced it to use version 103 and was successful finally. @dmonad I've raised an issue on your lib0 repo as this was the issue for me - dmonad/lib0#2
@micrology The Y.Doc is stored in the Y.Doc instance that you create. I.e.
const ydoc = Y.Doc() . ydoc holds all the data. If you don't reference the doc anymore it is automatically garbage collected. But it is good practice to ydoc.destroy() to make sure that the data is really removed. But you must .destroy() the provider instances and the document bindings because they register event handlers.
Is there documentation or some hints anywhere about how to use y-leveldb with y-websocket-server for version 13 of yjs (there is for version 12 at https://github.com/yjs/y-leveldb, but this does not seem to apply to version 13)? Alternatively any other way of giving y-websocket-server persistence?
And another query: I am running y-websocket-server on a remote server (specifically, an AWS ECS virtual machine) and my yjs app disconnects and immediately reconnects exactly every 30 seconds. See log below. Is there a timeout I should be setting to avoid this?
22:44:11: connected to room 342186106253552448544
22:44:41: disconnected from room 342186106253552448544
22:44:41: connected to room 342186106253552448544
22:45:11: disconnected from room 342186106253552448544
I starrted an empty project and added the tsconfig.json options but still get a 'no types' error
Hi, still got trouble with the bundler used in es-dev-server, it gives me
Uncaught SyntaxError: The requested module '../isomorphic.js/iso.js' does not provide an export named 'default'I guess dmonad/isomorphic.js@0bee192 did intend to fix it, but it didn't. :(