PeerServer helps establish connections between PeerJS clients. Data is not proxied through the server.
Run your own server on Gitpod!
If you don't want to develop anything, just enter the few commands below.
Install the package globally:
$ npm install peer -g
Run the server:
$ peerjs --port 9000 --key peerjs --path /myapp
Started PeerServer on ::, port: 9000, path: /myapp (v. 0.3.2)
Check it: http://127.0.0.1:9000/myapp should return JSON with name, description and website fields.
You can also use the Docker image to run a new container:
$ docker run -p 9000:9000 -d peerjs/peerjs-server
$ kubectl run peerjs-server --image=peerjs/peerjs-server --port 9000 --expose -- --port 9000 --path /myapp
If you have your own server, you can attach PeerServer.
Install the package:
# $ cd your-project-path
# with npm
$ npm install peer
# with yarn
$ yarn add peer
Use the PeerServer object to create a new server:
const { PeerServer } = require("peer");
const peerServer = PeerServer({ port: 9000, path: "/myapp" });
Check it: http://127.0.0.1:9000/myapp should return JSON with name, description and website fields.
<script>
  const peer = new Peer("someid", {
    host: "localhost",
    port: 9000,
    path: "/myapp",
  });
</script>
You can provide a config object to the PeerServer function or specify options for the peerjs CLI.
| CLI option | JS option | Description | Required | Default |
|---|---|---|---|---|
| --port, -p | port | Port to listen on (number) | Yes | |
| --key, -k | key | Connection key (string). The client must provide it to call API methods | No | "peerjs" |
| --path | path | Path (string). The server responds to requests to the root URL + path. E.g. set the path to /myapp and run the server on port 9000 via peerjs --port 9000 --path /myapp, then open http://127.0.0.1:9000/myapp; you should see a JSON response. | No | "/" |
| --proxied | proxied | Set true if PeerServer stays behind a reverse proxy (boolean) | No | false |
| --expire_timeout, -t | expire_timeout | The amount of time after which a sent message will expire; the sender will then receive an EXPIRE message (milliseconds). | No | 5000 |
| --alive_timeout | alive_timeout | Timeout for a broken connection (milliseconds). If the server doesn't receive any data from the client (including pong messages), the client's connection will be destroyed. | No | 60000 |
| --concurrent_limit, -c | concurrent_limit | Maximum number of client connections to the WebSocket server (number) | No | 5000 |
| --sslkey | sslkey | Path to SSL key (string) | No | |
| --sslcert | sslcert | Path to SSL certificate (string) | No | |
| --allow_discovery | allow_discovery | Allow use of the GET /peers HTTP API method to get an array of the ids of all connected clients (boolean) | No | |
| --cors | corsOptions | The CORS origins that can access this server | | |
| | generateClientId | A function which generates random client IDs when calling the /id API method (() => string) | No | uuid/v4 |
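A pre-deployment review of these options, as an added example that is not part of PeerServer or its README: it flags the documented default key, enabled discovery, a missing origin allowlist and a cleartext listener. The function name auditPeerServerOptions and the sample values are hypothetical, and the corsOptions check assumes the option follows the shape of the cors middleware ({ origin }).

```javascript
// Added example, not PeerServer code: review an options object against
// the defaults documented in the table above.
const DEFAULT_KEY = "peerjs"; // documented default, so publicly known

function auditPeerServerOptions(opts = {}) {
  const findings = [];
  const add = (option, message) => findings.push({ option, message });

  // The key is the value a client must present to call API methods.
  const key = opts.key ?? DEFAULT_KEY;
  if (key === DEFAULT_KEY) {
    add("key", 'connection key is the documented default "peerjs"');
  }

  // GET /peers returns the ids of all connected clients when enabled.
  if (opts.allow_discovery === true) {
    add("allow_discovery", "GET /peers exposes every connected client id");
  }

  // Assumption: corsOptions follows the `cors` middleware shape ({ origin }).
  const origin = opts.corsOptions ? opts.corsOptions.origin : undefined;
  if (origin === undefined || origin === "*" || origin === true) {
    add("corsOptions", "no explicit origin allowlist is configured");
  }

  // Without ssl the server speaks plain HTTP/WS; that is acceptable only
  // behind a TLS-terminating reverse proxy with proxied set.
  const tls = opts.ssl || {};
  const hasTls = Boolean((tls.key && tls.cert) || tls.SNICallback);
  if (!hasTls && !opts.proxied) {
    add("ssl", "no ssl material and proxied is not set: traffic is cleartext");
  }

  const limit = opts.concurrent_limit;
  if (limit !== undefined && (!Number.isInteger(limit) || limit < 1)) {
    add("concurrent_limit", "must be a positive integer");
  }
  return findings;
}

// Constructed sample configurations.
const quickStart = { port: 9000, path: "/myapp" };
const reviewed = {
  port: 9000, path: "/myapp", key: "constructed-example-key",
  proxied: true, allow_discovery: false,
  corsOptions: { origin: ["https://app.example"] },
};
console.log(auditPeerServerOptions(quickStart).map((f) => f.option));
console.log(auditPeerServerOptions(reviewed));
```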
Simply pass in PEM-encoded certificate and key.
const fs = require("fs");
const { PeerServer } = require("peer");
const peerServer = PeerServer({
  port: 9000,
  ssl: {
    key: fs.readFileSync("/path/to/your/ssl/key/here.key"),
    cert: fs.readFileSync("/path/to/your/ssl/certificate/here.crt"),
  },
});
You can also pass any other SSL options accepted by https.createServer, such as SNICallback:
const fs = require("fs");
const { PeerServer } = require("peer");
const peerServer = PeerServer({
  port: 9000,
  ssl: {
    SNICallback: (servername, cb) => {
      // your code here ....
    },
  },
});
Make sure to set the proxied option, otherwise IP based limiting will fail. The option is passed verbatim to the expressjs trust proxy setting if it is truthy.
const { PeerServer } = require("peer");
const peerServer = PeerServer({
  port: 9000,
  path: "/myapp",
  proxied: true,
});
By default, PeerServer uses the uuid/v4 npm package to generate random client IDs.
You can set the generateClientId option in the config to specify a custom function to generate client IDs.
const { PeerServer } = require("peer");
const customGenerationFunction = () =>
  (Math.random().toString(36) + "0000000000000000000").substr(2, 16);
const peerServer = PeerServer({
  port: 9000,
  path: "/myapp",
  generateClientId: customGenerationFunction,
});
Open http://127.0.0.1:9000/myapp/peerjs/id to see a new random id.
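The custom generator above draws from Math.random(), which is not a cryptographically secure source. Where client IDs should be hard to guess, a generator can keep the same 16-character base-36 shape while drawing from the OS CSPRNG, as in this added example (not code from the PeerServer project; secureClientId and idEntropyBits are hypothetical names).

```javascript
// Added example, not PeerServer code: a generateClientId candidate that
// draws from the OS CSPRNG instead of Math.random().
const { randomBytes } = require("crypto");

// Same 36 symbols that Number.prototype.toString(36) produces.
const ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz";

// Returns `length` characters chosen uniformly from ALPHABET.
function secureClientId(length = 16) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError("length must be a positive integer");
  }
  // 252 is the largest multiple of 36 that fits in one byte. Bytes >= 252
  // are discarded so that `byte % 36` stays uniform (no modulo bias).
  const limit = 256 - (256 % ALPHABET.length);
  let id = "";
  while (id.length < length) {
    for (const byte of randomBytes(length * 2)) {
      if (byte < limit && id.length < length) {
        id += ALPHABET[byte % ALPHABET.length];
      }
    }
  }
  return id;
}

// Entropy of one id in bits: length * log2(alphabet size).
function idEntropyBits(length = 16) {
  return length * Math.log2(ALPHABET.length);
}

// Wiring it into the page's API (needs the `peer` package, so commented out):
// const peerServer = PeerServer({
//   port: 9000,
//   path: "/myapp",
//   generateClientId: () => secureClientId(16),
// });
console.log(secureClientId(), Math.floor(idEntropyBits(16)), "bits");
```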
const express = require("express");
const { ExpressPeerServer } = require("peer");
const app = express();
app.get("/", (req, res, next) => res.send("Hello world!"));
// =======
const server = app.listen(9000);
const peerServer = ExpressPeerServer(server, {
  path: "/myapp",
});
app.use("/peerjs", peerServer);
// == OR ==
const http = require("http");
const server = http.createServer(app);
const peerServer = ExpressPeerServer(server, {
  debug: true,
  path: "/myapp",
});
app.use("/peerjs", peerServer);
server.listen(9000);
// ========
Open the browser and check http://127.0.0.1:9000/peerjs/myapp
The 'connection' event is emitted when a peer connects to the server.
peerServer.on('connection', (client) => { ... });
The 'disconnect' event is emitted when a peer disconnects from the server or when the peer can no longer be reached.
peerServer.on('disconnect', (client) => { ... });
Read /src/api/README.md
$ npm test
We have 'ready to use' images on docker hub: https://hub.docker.com/r/peerjs/peerjs-server
To run the latest image:
$ docker run -p 9000:9000 -d peerjs/peerjs-server
You can build a new image simply by calling:
$ docker build -t myimage https://github.com/peers/peerjs-server.git
To run the image execute this:
$ docker run -p 9000:9000 -d myimage
This will start a peerjs server on port 9000 exposed on port 9000 with key peerjs on path /myapp.
Open http://localhost:9000/myapp in your browser. It should return JSON with name, description and website fields. http://localhost:9000/myapp/peerjs/id should return a random string (a random client ID).
Google App Engine will create an HTTPS certificate for you automatically, making this by far the easiest way to deploy PeerJS in the Google Cloud Platform.
Create a package.json file for GAE to read:
$ echo "{}" > package.json
$ npm install express@latest peer@latest
Create an app.yaml file to configure the GAE application:
runtime: nodejs
# Flex environment required for WebSocket support, which is required for PeerJS.
env: flex
# Limit resources to one instance, one CPU, very little memory or disk.
manual_scaling:
  instances: 1
resources:
  cpu: 1
  memory_gb: 0.5
  disk_size_gb: 0.5
Create server.js (which node will run by default for the start script):
const express = require("express");
const { ExpressPeerServer } = require("peer");
const app = express();
app.enable("trust proxy");
const PORT = process.env.PORT || 9000;
const server = app.listen(PORT, () => {
  console.log(`App listening on port ${PORT}`);
  console.log("Press Ctrl+C to quit.");
});
const peerServer = ExpressPeerServer(server, {
  path: "/",
});
app.use("/", peerServer);
module.exports = app;
Deploy with gcloud, replacing YOUR-PROJECT-ID-HERE with your particular project ID:
$ gcloud app deploy --project=YOUR-PROJECT-ID-HERE --promote --quiet app.yaml
See PRIVACY.md
Discuss PeerJS on our Telegram chat: https://t.me/joinchat/ENhPuhTvhm8WlIxTjQf7Og
Please post any bugs as a Github issue.
FAQs
PeerJS server component
We found that peer demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.