| Commit message | Author | Age | Files | Lines |
|
WebSocket always defers the decision to the server, because it didn't
have to deal with legacy compatibility... but the same-origin policy is
still a reasonable default.
Origin checks do not protect against a directly connecting attacker --
they can lie about their host, but can also lie about their origin.
Origin checks protect against a connection from 3rd-party controlled
script in a context where a victim browser's cookies will be passed
along. And if an attacker has breached that protection, they've already
compromised the HTTP session, so treating the WebSocket connection in
the same way seems reasonable.
In case this logic proves incorrect (or anyone just wants to be more
paranoid), we retain a config option to disable it.
|
Optionally allow ActionCable requests from the same host as origin
|
When the `allow_same_origin_as_host` is set to `true`, the request
forgery protection permits `HTTP_ORIGIN` values starting with the
corresponding `proto://` prefix followed by `HTTP_HOST`. This way
it is not required to specify the list of allowed URLs.
|
We hit when we skip the PostgreSQL adapter.
|
Mostly, this is just to avoid EventMachine. But there's also an argument
to be made that we're better off using a different protocol library for
our test suite than the one we use to implement the server.
|
No deprecation, because it was never documented.
|
palkan/fix/actioncable-confirmation-race-condition
Avoid race condition on subscription confirmation
|
initializing
|
Otherwise, they can sometimes block, leading to reduced system
throughput.
|
Fixes #23757.
Before this commit, even if `reject` was called in the `subscribe`
method for an Action Cable channel, all actions on that channel could
still be invoked. This calls a `return` if a rejected connection tries
to invoke any actions on the channel.
|
Style/SpaceBeforeBlockBraces
Style/SpaceInsideBlockBraces
Style/SpaceInsideHashLiteralBraces
Fix all violations in the repository.
|
The current code base is not uniform. After some discussion,
we have chosen to go with double quotes by default.
|
Add ActiveSupport::Notifications hook to ActionCable::Server.broadcast
|
The addition of this notification hook will give users better visibility
into the messages being sent over the PubSub adapter.
|
ActionCable, sometimes add_channel is not called.
|
Require our dependency and forgo the core ext version.
|
[Javan Makhmali, Jon Moss]
|
* Use separate stream handler builders for easy override and testing.
* Fix worker pool execution that was silently failing since it only
expected connection receivers.
Sparked by code in #24162.
|
* Rewrite docs
* Support blocks in addition to method names and Proc args
* Check for valid arguments
* Convert `periodically :method_name` to Proc callbacks
* Drop periodic runner methods from the worker pool
* Ensure we clear active periodic timers after shutdown
|
ActionCable::Connection::StreamTest test name
- Only add attr_readers for required attributes
|
Alternate implementation of #24162 with tests. The code had diverged
too far on master to pull that implementation directly.
Fixes #23778
Close #24162
[Matthew Draper & Sean Griffin]
|
* Introduce a connection coder responsible for encoding Cable messages
as WebSocket messages, defaulting to `ActiveSupport::JSON` and duck-
typing to any object responding to `#encode` and `#decode`.
* Consolidate encoding responsibility to the connection. No longer
explicitly JSON-encode from channels or other sources. Pass Cable
messages as Hashes to `#transmit` and rely on it to encode.
* Introduce stream encoders responsible for decoding pubsub messages.
Preserve the currently raw encoding, but make it easy to use JSON.
Same duck type as the connection encoder.
* Revert recent data normalization/quoting (#23649) which treated
`identifier` and `data` values as nested JSON objects rather than as
opaque JSON-encoded strings. That dealt us an awkward hand where we'd
decode JSON strings… or not, but always encode as JSON. Embedding
JSON object values directly is preferable, no extra JSON encoding,
but that should be a purposeful protocol version change rather than
ambiguously, inadvertently supporting multiple message formats.
|
To move Action Cable logging to a LoggingSubscriber we need to pass the
log tags in the notification payload since Action Cable logging uses the
Channel instance to tag the logs.
|
Add ActiveSupport::Notification to Channel::Base#perform_action
|
This commit adds ActiveSupport::Notifications instrumentation hooks
and a LogSubscriber to ActionCable::Channel::Base.
|
`skip` raises an exception to abort the execution of the test, so
`super` would never be called and thus `@rx_adapter` and `@tx_adapter`
would never have been defined at the time of teardown.
Define them just before skipping and zap the warnings.
|
EM::Hiredis were spewing screenfuls of warnings when running the Action Cable tests.
Copied over the technique that shushes up faye-websocket in the client tests, so
we can reduce the noise ratio.
Note: there's still warnings spewed after tests have finished when EM::Hiredis shuts
down. I haven't been able to shush them up yet.
|
We'll get `Errno::ECONNRESET` if the client forcibly disconnected.
Just close the socket rather than raising the exception.
Handle other errors in `ClientSocket#write`, too, mirroring the Faye
error handling which swallows all `StandardError` on write.
|
Support faye-websocket + EventMachine as an option
|
Fixes #22675
Allow channel identifiers and also data with no backslashes/escaping to be accepted by
the subscription storer.
|