Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
github.com/eclipse/paho.mqtt.golang
This repository contains the source code for the Eclipse Paho MQTT 3.1/3.11 Go client library.
This code builds a library which enable applications to connect to an MQTT broker to publish messages, and to subscribe to topics and receive published messages.
This library supports a fully asynchronous mode of operation.
A client supporting MQTT V5 is also available.
The process depends upon whether you are using modules (recommended) or GOPATH
.
If you are using modules then import "github.com/eclipse/paho.mqtt.golang"
and start using it. The necessary packages will be download automatically when you run go build
.
Note that the latest release will be downloaded and changes may have been made since the release. If you have
encountered an issue, or wish to try the latest code for another reason, then run
go get github.com/eclipse/paho.mqtt.golang@master
to get the latest commit.
Installation is as easy as:
go get github.com/eclipse/paho.mqtt.golang
The client depends on Google's proxy package and the websockets package, also easily installed with the commands:
go get github.com/gorilla/websocket
go get golang.org/x/net/proxy
Detailed API documentation is available by using to godoc tool, or can be browsed online using the pkg.go.dev service.
Samples are available in the cmd
directory for reference.
Note:
The library also supports using MQTT over websockets by using the ws://
(unsecure) or wss://
(secure) prefix in the
URI. If the client is running behind a corporate http/https proxy then the following environment variables HTTP_PROXY
,
HTTPS_PROXY
and NO_PROXY
are taken into account when establishing the connection.
If you are new to MQTT and your application is not working as expected reviewing the MQTT specification, which this library implements, is a good first step. MQTT.org has some good resources that answer many common questions.
The asynchronous nature of this library makes it easy to forget to check for errors. Consider using a go routine to log these:
t := client.Publish("topic", qos, retained, msg)
go func() {
_ = t.Wait() // Can also use '<-t.Done()' in releases > 1.2.0
if t.Error() != nil {
log.Error(t.Error()) // Use your preferred logging technique (or just fmt.Printf)
}
}()
If you are encountering issues then enabling logging, both within this library and on your broker, is a good way to begin troubleshooting. This library can produce various levels of log by assigning the logging endpoints, ERROR, CRITICAL, WARN and DEBUG. For example:
func main() {
mqtt.ERROR = log.New(os.Stdout, "[ERROR] ", 0)
mqtt.CRITICAL = log.New(os.Stdout, "[CRIT] ", 0)
mqtt.WARN = log.New(os.Stdout, "[WARN] ", 0)
mqtt.DEBUG = log.New(os.Stdout, "[DEBUG] ", 0)
// Connect, Subscribe, Publish etc..
}
max_inflight_messages=1
in mosquitto) then set ClientOptions.SetOrderMatters(false)
. Doing so will avoid the
below issue (deadlocks due to blocking message handlers).MessageHandler
(called when a new message is received) must not block (unless
ClientOptions.SetOrderMatters(false)
set). If you wish to perform a long-running task, or publish a message, then
please use a go routine (blocking in the handler is a common cause of unexpected pingresp not received, disconnecting
errors).CleanSession
set to false it is possible
that the broker will deliver retained messages before Subscribe
can be called. To process these messages either
configure a handler with AddRoute
or set a DefaultPublishHandler
. If there is no handler (or DefaultPublishHandler
)
then inbound messages will not be acknowledged. Adding a handler (even if it's opts.SetDefaultPublishHandler(func(mqtt.Client, mqtt.Message) {})
)
is highly recommended to avoid inadvertently hitting inflight message limits.ClientOptions.KeepAlive
(sends regular messages to check the link is active).Client
is not completely safe. After calling Disconnect
please create a new Client (NewClient()
) rather
than attempting to reuse the existing one (note that features such as SetAutoReconnect
mean this is rarely necessary).If using Mosquitto then there are a range of fairly common issues:
listener
- By default Mosquitto v2+ listens on loopback
interfaces only (meaning it will only accept connections made from the computer its running on).max_inflight_messages
- Unless this is set to 1 mosquitto does not guarantee ordered delivery of messages.max_queued_messages
/ max_queued_bytes
- These impose limits on the number/size of queued messages. The defaults
may lead to messages being silently dropped.persistence
- Defaults to false (messages will not survive a broker restart)max_keepalive
- defaults to 65535 and, from version 2.0.12, SetKeepAlive(0)
will result in a rejected connection
by default.Please report bugs by raising issues for this project in github https://github.com/eclipse/paho.mqtt.golang/issues
A limited number of contributors monitor the issues section so if you have a general question please see the resources in the more information section for help.
We welcome bug reports, but it is important they are actionable. A significant percentage of issues reported are not resolved due to a lack of information. If we cannot replicate the problem then it is unlikely we will be able to fix it. The information required will vary from issue to issue but almost all bug reports would be expected to include:
go.mod
file)ClientOption
)If at all possible please also include:
cmd/docker
) makes it relatively simple to provide a working end-to-end
example.It is important to remember that this library does not stand alone; it communicates with a broker and any issues you are seeing may be due to:
When submitting an issue, please ensure that you provide sufficient details to enable us to eliminate causes outside of this library.
We welcome pull requests but before your contribution can be accepted by the project, you need to create and electronically sign the Eclipse Contributor Agreement (ECA) and sign off on the Eclipse Foundation Certificate of Origin.
More information is available in the Eclipse Development Resources; please take special note of the requirement that the commit record contain a "Signed-off-by" entry.
Stack Overflow has a range questions/answers covering a range of common issues (both relating to use of this library and MQTT in general). This is the best place to ask general questions (including those relating to the use of this library).
Discussion of the Paho clients takes place on the Eclipse paho-dev mailing list.
General questions about the MQTT protocol are discussed in the MQTT Google Group.
There is much more information available via the MQTT community site.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.