Research
Security News
Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
@cap-js-community/websocket
Advanced tools
Exposes a WebSocket protocol via WebSocket standard or Socket.IO for CDS services. Runs in context of the SAP Cloud Application Programming Model (CAP) using @sap/cds (CDS Node.js).
npm add @cap-js-community/websocket
in @sap/cds
project@ws
@websocket
@protocol: 'ws'
@protocol: 'websocket'
@protocol: [{ kind: 'websocket', path: 'chat' }]
@protocol: [{ kind: 'ws', path: 'chat' }]
cds-serve
to start servernpm add @cap-js-community/websocket
in @sap/cds
project@protocol: 'websocket'
service ChatService {
function message(text: String) returns String;
event received {
text: String;
}
}
const socket = io("/chat", { path: "/ws" });
socket.emit("message", { text: "Hello World" });
socket.on("received", (message) => {
/* ... message.text */
});
The websocket server is exposed on cds
object implementation-independent at cds.ws
and implementation-specific at
cds.io
or cds.wss
. Additional listeners can be registered bypassing CDS definitions and runtime.
WebSocket server options can be provided via cds.requires.websocket.options
.
Default protocol path is /ws
and can be overwritten via cds.env.protocols.websocket.path
resp. cds.env.protocols.ws.path
;
Services are exposed therefore like this: /ws/<service-path>
:
Examples:
const socket = new WebSocket("ws://localhost:4004/ws/chat");
const socket = io("/chat", { path: "/ws" })
Each CDS handler request context is extended to hold the current server socket
instance of the event.
It can be accessed via req.context.socket
or cds.context.socket
.
Events can be directly emitted via the socket
bypassing CDS runtime.
Authentication only works via AppRouter using a UAA configuration, as the auth token is forwarded
via authorization header bearer token by AppRouter to backend instance. CDS middlewares process the auth token and
set the auth info accordingly. Authorization scopes are checked as defined in the CDS services @requires
annotations and
authorization restrictions are checked as defined in the CDS services @restrict
annotations.
Authorization in provided in production by approuter component vis XSUAA auth. Valid UAA bindings for approuter and backend are necessary, so that the authorization flow is working. Locally, the following default environment files need to exist:
test/\_env/default-env.json
{
"VCAP_SERVICES": {
"xsuaa": [
{
...
}
]
}
}
test/\_env/approuter/default-services.json
{
"uaa": {
...
}
}
Approuter is configured to support websockets in xs-app.json
according to @sap/approuter - websockets property:
"websockets": {
"enabled": true
}
For local testing a mocked basic authorization is hardcoded in flp.html/index.html
.
Operations comprise actions and function in the CDS service that are exposed by CDS service either unbound (static level) or bound (entity instance level). Operations are exposed as part of the websocket protocol as described below. Operation results will be provided via optional websocket acknowledgement callback.
Operation results are only supported with Socket.IO (kind:
socket.io
) using acknowledgement callbacks.
Each unbound function and action is exposed as websocket event. The signature (parameters and return type) is passed through without additional modification. Operation result will be provided as part of acknowledgment callback.
The websocket adapter tries to call the following special operations on the service, if available in service:
wsConnect
: Callback to notify that a socket was connectedwsDisconnect
: Callback to notify that a socket was disconnectedEach service entity is exposed as CRUD interface via as special events as proposed here.
The event is prefixed with the entity name and has the CRUD operation as suffix, e.g. Books:create
.
In addition, also bound functions and actions are included into these schema, e.g. Books:sell
.
The signature (parameters and return type) is passed through without additional modification.
It is expected, that the event payload contains the primary key information.
CRUD/action/function result will be provided as part of acknowledgment callback.
Create, Read, Update and Delete (CRUD) actions are mapped to websocket events as follows:
<entity>:create
: Create an entity instance<entity>:read
: Read an entity instance by key<entity>:readDeep
: Read an entity instance deep (incl. deep compositions) by key<entity>:update
: Update an entity instance by key<entity>:delete
: Delete an entity instance by key<entity>:list
: List all entity instances<entity>:<operation>
: Call a bound entity operation (action/function)Events can be emitted and the response can be retrieved via acknowledgment callback.
CRUD events that modify entities automatically emit another event after successful processing:
<entity>:create
-> <entity>:created
: Entity instance has been updated<entity>:update
-> <entity>:updated
: Entity instance has been created<entity>:delete
-> <entity>:deleted
: Entity instance has been deletedBecause of security concerns, it can be controlled which data of those events is broadcast,
via annotations @websocket.broadcast
or @ws.broadcast
.
@websocket.broadcast = 'key'
, @ws.broadcast = 'key'
@websocket.broadcast = 'data'
, @ws.broadcast = 'data'
The example UI5 todo
application using Socket.IO can be found at test/_env/app/todo
.
Example application can be started by:
npm start
npm run start:approuter
npm run start:uaa
An example chat
application using Socket.IO can be found at test/_env/app/chat
.
Example application can be started by:
npm start
npm run start:socketio
npm run start:approuter
npm run start:uaa
npm run start:socketio:uaa
Unit-test can be found in folder test
and can be executed via npm test
;
The basic unit-test setup for WebSockets in CDS context looks as follows:
"use strict";
const cds = require("@sap/cds");
const WebSocket = require("ws");
cds.test(__dirname + "/..");
const authorization = `Basic ${Buffer.from("alice:alice").toString("base64")}`;
describe("WebSocket", () => {
let socket;
beforeAll((done) => {
const port = cds.app.server.address().port;
socket = new WebSocket(`ws://localhost:${ port }/ws/chat`, {
headers: {
authorization
}
});
});
afterAll(() => {
cds.ws.close();
socket.close();
});
test("Test", (done) => {
socket.send(JSON.stringify({
event: "event",
data: {},
}));
});
});
"use strict";
const cds = require("@sap/cds");
const ioc = require("socket.io-client");
cds.test(__dirname + "/..");
const authorization = `Basic ${Buffer.from("alice:alice").toString("base64")}`;
describe("WebSocket", () => {
let socket;
beforeAll((done) => {
const port = cds.app.server.address().port;
socket = ioc(`http://localhost:${port}/chat`, {
path: "/ws",
extraHeaders: {
authorization,
},
});
socket.on("connect", done);
});
afterAll(() => {
cds.ws.close();
socket.disconnect();
});
test("Test", (done) => {
socket.emit("event", {}, (result) => {
expect(result).toBeDefined();
done();
});
});
});
An Adapter is a server-side component which is responsible for broadcasting events to all or a subset of clients.
Every event that is sent to multiple clients is sent to all matching clients connected to the current server and published in a Redis channel, and received by the other Socket.IO servers of the cluster.
Redis adapter can be disabled by setting cds.requires.websocket.adapter: false
.
Per default a basic publish/subscribe redis adapter is active, if the app is bound to a Redis service.
The Redis channel key can be specified via cds.requires.websocket.adapter.options.key
. Default value is websocket
.
The following Redis adapters for Socket.IO are supported out-of-the-box.
To use the Redis Adapter, the following steps have to be performed:
npm install @socket.io/redis-adapter
cds.requires.websocket.adapter.impl: "@socket.io/redis-adapter"
default-env.json
file need to exist with redis configurationcds.requires.websocket.adapter.options
Details: https://socket.io/docs/v4/redis-adapter/
To use the Redis Stream Adapter, the following steps have to be performed:
npm install @socket.io/redis-streams-adapter
cds.requires.websocket.adapter.impl: "@socket.io/redis-streams-adapter"
default-env.json
file need to exist with redis configurationcds.requires.websocket.adapter.options
Details: https://socket.io/docs/v4/redis-streams-adapter/
This module also works on a deployed infrastructure like Cloud Foundry (CF) or Kubernetes (K8s).
An example Cloud Foundry deployment can be found in test/_env
:
cd test/_env
npm run cf:push
approuter
and backend
in test/_env
and pushes to Cloud Foundry
This project is open to feature requests/suggestions, bug reports etc. via GitHub issues. Contribution and feedback are encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our Contribution Guidelines.
We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone. By participating in this project, you agree to abide by its Code of Conduct at all times.
Copyright 2023 SAP SE or an SAP affiliate company and websocket contributors. Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the REUSE tool.
Version 0.1.1 - 2023-12-22
FAQs
WebSocket adapter for CDS
The npm package @cap-js-community/websocket receives a total of 329 weekly downloads. As such, @cap-js-community/websocket popularity was classified as not popular.
We found that @cap-js-community/websocket demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Product
Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.