NodeJS Server-Server Secure Communication - node.js

I have two servers using NodeJS on the same domain. (server1.example.com and server2.example.com)
I'd like to send messages from one server to the other in a secure way.
Right now, I'm using sending my message by sending a HTTPS POST such as https://example.com with {secret:XXXXX,message:1234}.
Is there a cleaner way to do this? If so, what would be the exact steps needed?
Note: I have a SSL certifiate on the site. Both servers are on the same domain.

There are a few options I can think of, though of course, it depends on the amount of encryption and security you are looking for, if HTTPS is not strong enough for what is required for the specific communication. (Though as mentioned you do have HTTPS.)
You can have the sending server issue a whole JWT route. Send the information with a Token and verify it on the other side. Make sure the Token has a short TTL as well. (If you really want to go for broke here, you can start implementing the OAuth2 framework, though that may be complete overkill.)
Additionally, you can create a Websocket HTTPS server, and only accept the information from the information on a specific incoming port. That will allow you to use the JWT and further verify by the port access. The port you open will only be allowed to accept packets from a specific IP, which is your outgoing server.
You can add yet another layer as you are doing by encrypting the entire message (via one of the Node NPM modules or via Crypto), so both the message and secret are hashed.
You can also add a cache layer (either Redis or a Node-Cache module), where all the decryption will be done to speed up the process.
Another trick to use, though you have to work out the actual schedule, is to mix up the various hashing routines you use based on process or on different hours, or whatever schedule you wish.
Finally, a sometimes overlooked option is to install a firewall on the receiving computer with very specific rules on what to receive and from where. (This though is not a Node process, and can take time to get right.)
None of the above is linked to Express though, or middleware. I assume if you adopt any of the above you will need a few NPM modules in the end result.
Probably forgot a few options but hope this helps.

Just to add to the other solutions already posted, you could just use certificates on both ends, that way you could do the authentication at the TLS layer instead of the application layer if that helps at all.
Assuming you're using node on both servers, you could achieve this like so:
Create one custom CA, and then one certificate and one private key for each server.
Each server might have code like:
const tls = require('tls');
function onMessage(socket, msg) {
// `msg` is a parsed message received from `socket`
}
// Receive incoming messages
tls.createServer({
rejectUnauthorized: true,
requestCert: true,
ca: MY_CUSTOM_CA,
cert: THIS_SERVER_CERT,
key: THIS_SERVER_PRIVATE_KEY
}, (socket) => {
if (!socket.authorized)
return socket.end(); // Certificate did not check out
console.log('Connection accepted');
// example protocol: newline-delimited JSON
var jsonBuffer = '';
socket.setEncoding('utf8');
socket.on('data', (chunk) => {
var chunks = chunk.split('\n');
var numComplete = chunks.length - 1;
// Last line does not have trailing newline
var incompleteChunk = chunks[numComplete];
if (numComplete === 0) {
jsonBuffer += incompleteChunk;
return;
}
chunks[0] = jsonBuffer + chunks[0];
for (var i = 0; i < numComplete; ++i) {
try {
onMessage(socket, JSON.parse(chunks[i]));
} catch (ex) {}
}
jsonBuffer = incompleteChunk;
});
socket.on('end', () => {
console.log('Connection ended');
});
}).listen(MY_PORT);
// Send outgoing messages
function sendMessages(host, port, msgs, cb) {
if (!Array.isArray(msgs))
msgs = [msgs];
var req = tls.connect({
host,
port,
rejectUnauthorized: true,
ca: MY_CUSTOM_CA,
cert: THIS_SERVER_CERT,
key: THIS_SERVER_PRIVATE_KEY
}, () => {
if (!this.authorized)
return this.end(); // Certificate did not check out
for (var i = 0; i < msgs.length; ++i)
this.write(JSON.stringify(msgs[i]) + '\n');
this.end();
}).once('error', onError).once('close', onClose);
function onError(err) {
req.removeListener('close', onClose);
cb(err);
}
function onClose() {
cb();
}
}
Add incoming message handling in onMessage() and send outgoing messages with sendMessages().
You could also just keep a single socket open all the time instead of using a new connection per set of outgoing messages, but that would be a little more involved because you'd need to add an application-level keepalive mechanism and such, but it's certainly doable.

You could harden your security some more by verifying the host of the request, via the HOST or ORIGIN header.
Check out: https://stackoverflow.com/questions/18498726/how-do-i-get-the-domain-originating-the-request-in-express-js
Essentially, you'd be making sure that the request with the encrypted secret actually came from a specific server, and not just any.

Related

Trouble Connecting to Google Cloud IoT via MQTT with Node.js

I'm trying to create a MQTT client that'll connect to the Google Cloud IoT Core, but for some reason, it won't connect at all. Here's what I have so far
mqtt = require("mqtt")
fs = require("fs")
var jwt = require('jsonwebtoken');
const projectId = "my-project"
const deviceId = "my-device"
const registryId = "my-degistry"
const region = "us-central1"
const algorithm = "RS256"
const privateKeyFile = "./rsa_private.pem"
const mqttBridgeHostname = "mqtt.googleapis.com"
const mqttBridgePort = 8883
const messageType = "events"
//The mqttClientId is a unique string that identifies a particular device.
//For Google Cloud IoT Core, it must be the format below
const mqttClientId = `projects/${projectId}/locations/${region}/registries/${registryId}/devices/${deviceId}`
const mqttTopic = `/devices/${deviceId}/${messageType}`;
const createJwt = (projectId, privateKeyFile, algorithm) => {
// Create a JWT to authenticate this device. The device will be disconnected
// after the token expires, and will have to reconnect with a new token. The
// audience field should always be set to the GCP project id.
const token = {
iat: parseInt(Date.now() / 1000),
exp: parseInt(Date.now() / 1000) + 20 * 60, // 20 minutes
aud: projectId,
};
const privateKey = fs.readFileSync(privateKeyFile);
return jwt.sign(token, privateKey, {algorithm: algorithm});
};
//Username field is ignored in Cloud IoT Core, but it must be set to something
//Password field sends a JWT (javascript web token) to authorize the device
//mqtts protocol causes library to connecti using SSL, which is required for IoT Core
const connectionArgs = {
host: mqttBridgeHostname,
port: mqttBridgePort,
clientId: mqttClientId,
username: "unused",
password: createJwt(projectId, privateKeyFile, algorithm),
protocol: "mqtts",
secureProtocol: "TLSv1_2_method"
}
const client = mqtt.connect(connectionArgs)
client.on("connect", (connected)=>{
console.log("Attempting to connect")
if (!connected) {
console.log("Client failed to connect")
} else {
console.log("Client is connected!")
}
})
client.on("error", err => {
console.log(err)
setTimeout(( ()=> {
console.log('Terminating process')
return process.kill(process.pid);
}), 1000);
})
client.on("packetsend", (payload) => {
console.log("Payload has been sent")
return process.kill(process.pid)
})
client.on("packetreceive", packet => {
console.log("Killing")
//return process.kill(process.pid)
})
client.on("reconnect", ()=>{
console.log("Attempting a reconnect")
//return process.kill(process.pid)
})
client.on("close", ()=>{
console.log("A disconnect occurred")
// return process.kill(process.pid)
})
client.on("offline", () => {
console.log("Client is offline")
//return process.kill(process.pid)
})
I'm not getting any errors when I try to connect to the server. In other words, everything seems to be authenticating properly and I get no error messages, but the client never connects to the Cloud and instead repeatedly tries to reconnect in an endless cycle (which is why I included code to kill the script). I tried going through the Google Cloud troubleshooting page but nothing there really seemed to help. I don't get any sort of errors messages or helpful tidbits of information when using the Cloud SDK like the guide suggested.
I've opened up the port 8883 through my firewall just in case that was the issue but it doesn't appear to be.
I based this code off some of Google's guides and based on this guide here. I have a registry, project, and device all set up with a proper RSA key.
So I'm not really sure how to proceed! If there's any additional information that would help, please let me know.
Thank you.
I realized that when I was creating the project and registry on the Google Console, I actually mistyped the name I was intending (I thought it was "testmqtt" but it was actually "tesmqtt").
So if you're having an issue similar to this, I'd suggest trying the follwing:
Make sure your you've spelled everything right. Make sure the project title is correct, the registry title, etc. It sounds dumb but these types of mistakes happen, so it doesn't hurt to check them first. Otherwise you'll overthink things like I did.
Check out this this page for troubleshooting. There's two parts of this troubleshooting page that might really help you. The first is trying to see if you can actually connect to the cloud at all. You can test if you're able to make a connection by issuing a command like openssl s_client -connect mqtt.googleapis.com:8883 on the command line. You'll need to have openssl downloaded in order to issue that command, however. You can see the page I just linked for more details about testing your connection. The second thing you can do is check to see if you have authentication by running a gcloud command using Google's sdk. The troubleshooting page I linked also has more details in this regard.
This quickstart guide is also particularly helpful. It might be confusing to navigate at first but understanding it will be your best bet.
Google's github repository also has some good examples of how to make an mqtt connection to the cloud IoT core.
DavidC in the comments below helped me find some of these helpful links, so credit should go to him.
Apart from the links I provided in the comment section and as additional to what you have found out, some users use the Project Number instead of the Project ID which leads to a similar concern which you have encountered. It really pays to double check everything in your configuration as you troubleshoot.
If you need to have a refresher about the authentication, you may also refer to this link.

Node SSDP Client not finding Server broadcast

I've implemented a server/client implementation of node-ssdp(npm install node-ssdp). Everything "appears" to work but my client does not pick up the server's packet. I am receiving a lot of other payloads from different devices/locations but not the payload from my node-ssdp server.
I'm running on the same machine and I'm running on OSX. I have two separate node projects: one for my client and one for my server.
Note: I've also tried running the server on one machine and the client on a separate machine, in case there was an issue with loopback or something. I also verified via Wireshark that the packets from the server were being read by the client machine. It is sending a NOTIFY * HTTP/1.1 in the headers.
Here are my implementations for client and server:
Server
var SSDP = require('node-ssdp').Server
, server = new SSDP({
location: 'http://' + require('ip').address() + ':33333',
ssdpPort: 33333
})
console.log(require('ip').address())
server.addUSN('upnp:rootdevice')
server.addUSN('urn:schemas-upnp-org:device:MediaServer:1')
server.addUSN('urn:schemas-upnp-org:service:ContentDirectory:1')
server.addUSN('urn:schemas-upnp-org:service:ConnectionManager:1')
server.on('advertise-alive', function (heads) {
console.log('advertise-alive', heads)
// Expire old devices from your cache.
// Register advertising device somewhere (as designated in http headers heads)
})
server.on('advertise-bye', function (heads) {
console.log('advertise-bye', heads)
// Remove specified device from cache.
})
// start server on all interfaces
console.log('starting ssdp server')
server.start()
Client
var ssdp = require('node-ssdp').Client
, client = new ssdp({
})
client.on('notify', function () {
//console.log('Got a notification.')
})
client.on('response', function inResponse(headers, code, rinfo) {
console.log('Got a response to an m-search:\n%d\n%s\n%s', code, JSON.stringify(headers, null, ' '), JSON.stringify(rinfo, null, ' '))
})
client.search('ssdp:all')
// And after 10 seconds, you want to stop
setTimeout(function () {
client.stop()
}, 10000)
I am running out of ideas. It's weird because I've previously implemented a UDP multicast solution and it works. SSDP is, from what I understand, UDP multicast behind the scenes.
From the github issue itself, apparently adding sourcePort to the configuration solved the issue. https://github.com/diversario/node-ssdp/issues/75#issuecomment-292054892

Node.js server side connection to Socket.io

I have a Node.js application with a frontend app and a backend app, the backend will manage the list and "push" an update to the frontend app, the call to the frontend app will trigger a list update so that all clients receive the correct list data.
The problem is on the backend side, when I press the button, I perform an AJAX call, and that AJAX call will perform the following code (trimmed some operations out of it):
Lists.findOne({_id: active_settings.active_id}, function(error, lists_result) {
var song_list = new Array();
for (i=0; i < lists_result.songs.length; i++) {
song_list.push(lists_result.songs[i].ref);
}
Song.find({
'_id': {$in: song_list}
}, function(error, songs){
// DO STUFF WITH THE SONGS
// UPDATE SETTINGS (code trimmed)
active_settings.save(function(error, updated_settings) {
list = {
settings: updated_settings,
};
var io = require('socket.io-client');
var socket = io.connect(config.app_url);
socket.on('connect', function () {
socket.emit('update_list', {key: config.socket_key});
});
response.json({
status: true,
list: list
});
response.end();
}
});
});
However the response.end never seems to work, the call keeps hanging, further more, the list doesn't always get refreshed so there is an issue with the socket.emit code. And the socket connection stays open I assume because the response isn't ended?
I have never done this server side before so any help would be much appreciated. (the active_settings etc exists)
I see some issues that might or might not be causing your problems:
list isn't properly scoped, since you don't prefix it with var; essentially, you're creating a global variable which might get overwritten when there are multiple requests being handled;
response.json() calls .end() itself; it doesn't hurt to call response.end() again yourself, but not necessary;
since you're not closing the socket(.io) connection anywhere, it will probably always stay open;
it sounds more appropriate to not set up a new socket.io connection for each request, but just once at your app startup and just re-use that;

How to disable Multiplexing with Socket.io

I am using Socket.io to stream live tweets to my users using Twitter's Streaming API (my implementation is more or less based on this tutorial).
The problem is that every time a connection event is fired by Socket.io the newly connected client causes every other client connected to the server to cease updating. While it would take too long to go through all the hacks that I tried, I will say that I played with it enough that I believe the problem is caused by Socket.io's multiplexing of the connections from multiple clients (enabled by default) as a performance boost to allow multiple clients or connections to share the same underlying socket. In short, I believe this to be the case because I don't think it would be possible for new connections to affect older connections in this manner if not for the connection multiplexing. In other words, if a new, independent connection with its own underlying (TCP) socket were created every time a client connected it would be impossible for this to occur since one connection would know nothing about the other and therefore couldn't affect any other client's state as is currently happening. This also leads me to believe that simply disabling the multiplexing functionality would be the simplest way to get around this problem since I am not concerned about scaling because Node.js already handles all the concurrency I'm likely to need to handle very adequately.
I have gone through Socket.io's documentation but could not see where the ability to "demultiplex" the connections is exposed via the API, so if anyone knows how to do this I'd create appreciate your response.
My code below is pretty standard and simple. But just to be clear, the issue is that whenever a new client connects to Socket.io every other client stops receiving new tweets and updates are no longer pushed to the older client unless I refresh the browser in which case the newly refreshed client will begin to update and receive fresh tweets again, but the other still connected clients will then stop updating.
Server-side Code:
// Code also uses ntwitter (https://github.com/AvianFlu/ntwitter) as an abstraction over Twitter's Streaming API
io.sockets.on('connection', function (socket) {
tweet.stream('statuses/filter', { track : 'new orleans' }, function (stream) {
stream.on('data', function (data) {
// The following lines simply pre-process data sent from Twitter so junk isn't
// unnecessarily sent to the client.
if (data.user) {
tweets = {
text : data.text,
image : data.user.profile_image_url,
user : data.user.name
};
var t = JSON.stringify(tweets);
console.log(t);
socket.send(t);
}
});
});
});
Client-Side Code
// Notice the option that I passed in as the second argument. This supposedly forces every
// new client to create a new connection with the server but it either doesn't work or I'm
// implementing it incorrectly. It is the very last configuration option listed in the
// documentation linked to above.
var socket = io.connect('http://' + location.host, {'force new connection' : true });
socket.on('message', function (tweet) {
var t = JSON.parse(tweet);
if (t.image) {
$('.hero-unit').prepend('<div class="media"><a class="pull-left" href="#"><img class="media-object" alt="64x64" style="width: 64px; height: 64px;" src="' + t.image + '"></a><div class="media-body"><h4 class="media-heading">' + t.user + '</h4>' + t.text + '</div></div>');
}
});
If I am thinking of this incorrectly or if there's something wrong with my code I am definitely open to any suggestions. I'd also be happy to reply with any additional details.
I would try something like this
Serverside:
io.sockets.on('connection', function (socket) {
//Other Connectiony goodness here.
});
});
tweet.stream('statuses/filter', { track : 'new orleans' }, function (stream) {
stream.on('data', function (data) {
// The following lines simply pre-process data sent from Twitter so junk isn't
// unnecessarily sent to the client.
if (data.user) {
tweets = {
text : data.text,
image : data.user.profile_image_url,
user : data.user.name
};
var t = JSON.stringify(tweets);
console.log(t);
io.sockets.emit("tweet", t);
}
});
Client-side:
var socket = io.connect('http://' + location.host, {'force new connection' : true });
socket.on('tweet', function (tweet) {
var t = JSON.parse(tweet);
if (t.image) {
$('.hero-unit').prepend('<div class="media"><a class="pull-left" href="#"><img class="media-object" alt="64x64" style="width: 64px; height: 64px;" src="' + t.image + '"></a><div class="media-body"><h4 class="media-heading">' + t.user + '</h4>' + t.text + '</div></div>');
}
});
Basically have the stream from twitter outside your socket, and then on a new tweet emit a message to all connected.

Socket.io session without express.js?

I want to make a sessionhandling over websockets via node.js and socket.io without necessarily using cookies and avoiding express.js, because there should be also clients not running in a browser environment. Somebody did this already or got some experience with a proof of concept?
Before socket.io connection is established, there is a handshake mechanism, by default, all properly incoming requests successfully shake hands. However there is a method to get socket data during handshake and return true or false depending on your choice which accepts or denies the incoming connection request. Here is example from socket.io docs:
Because the handshakeData is stored after the authorization you can actually add or remove data from this object.
var io = require('socket.io').listen(80);
io.configure(function (){
io.set('authorization', function (handshakeData, callback) {
// findDatabyip is an async example function
findDatabyIP(handshakeData.address.address, function (err, data) {
if (err) return callback(err);
if (data.authorized) {
handshakeData.foo = 'bar';
for(var prop in data) handshakeData[prop] = data[prop];
callback(null, true);
} else {
callback(null, false);
}
})
});
});
The first argument of callback function is error, you can provide a string here, which will automatically refuse the client if not set to null. Second argument is boolean, whether you want to accept the incoming request or not.
This should be helpful, https://github.com/LearnBoost/socket.io/wiki/Authorizing
You could keep track of all session variables and uniquely identify users using a combination of the following available in handshakeData
{
headers: req.headers // <Object> the headers of the request
, time: (new Date) +'' // <String> date time of the connection
, address: socket.address() // <Object> remoteAddress and remotePort object
, xdomain: !!headers.origin // <Boolean> was it a cross domain request?
, secure: socket.secure // <Boolean> https connection
, issued: +date // <Number> EPOCH of when the handshake was created
, url: request.url // <String> the entrance path of the request
, query: data.query // <Object> the result of url.parse().query or a empty object
}
This example may help as well, just have your non-browser clients supply the information in a different way:
SocketIO + MySQL Authentication

Resources