const OError = require('@overleaf/o-error') const logger = require('@overleaf/logger') const metrics = require('@overleaf/metrics') const WebApiManager = require('./WebApiManager') const AuthorizationManager = require('./AuthorizationManager') const DocumentUpdaterManager = require('./DocumentUpdaterManager') const ConnectedUsersManager = require('./ConnectedUsersManager') const WebsocketLoadBalancer = require('./WebsocketLoadBalancer') const RoomManager = require('./RoomManager') const { JoinLeaveEpochMismatchError, NotAuthorizedError, NotJoinedError, } = require('./Errors') let WebsocketController module.exports = WebsocketController = { // If the protocol version changes when the client reconnects, // it will force a full refresh of the page. Useful for non-backwards // compatible protocol changes. Use only in extreme need. PROTOCOL_VERSION: 2, joinProject(client, user, projectId, callback) { if (client.disconnected) { metrics.inc('editor.join-project.disconnected', 1, { status: 'immediately', }) return callback() } const userId = user._id logger.info( { userId, projectId, clientId: client.id, remoteIp: client.remoteIp, userAgent: client.userAgent, }, 'user joining project' ) metrics.inc('editor.join-project', 1, { status: client.transport }) WebApiManager.joinProject( projectId, user, function (error, project, privilegeLevel, userMetadata) { if (error) { return callback(error) } if (client.disconnected) { logger.info( { userId, projectId, clientId: client.id }, 'client disconnected before joining project' ) metrics.inc('editor.join-project.disconnected', 1, { status: 'after-web-api-call', }) return callback() } if (!privilegeLevel) { return callback(new NotAuthorizedError()) } client.ol_context = {} client.ol_context.privilege_level = privilegeLevel client.ol_context.user_id = userId client.ol_context.project_id = projectId client.ol_context.owner_id = project.owner && project.owner._id client.ol_context.first_name = user.first_name client.ol_context.last_name = user.last_name client.ol_context.email = user.email client.ol_context.connected_time = new Date() client.ol_context.signup_date = user.signUpDate client.ol_context.login_count = user.loginCount client.ol_context.is_restricted_user = !!userMetadata.isRestrictedUser client.ol_context.is_token_member = !!userMetadata.isTokenMember client.ol_context.is_invited_member = !!userMetadata.isInvitedMember RoomManager.joinProject(client, projectId, function (err) { if (err) { return callback(err) } logger.debug( { userId, projectId, clientId: client.id, privilegeLevel, userMetadata, }, 'user joined project' ) callback( null, project, privilegeLevel, WebsocketController.PROTOCOL_VERSION ) }) // No need to block for setting the user as connected in the cursor tracking ConnectedUsersManager.updateUserPosition( projectId, client.publicId, user, null, function (err) { if (err) { logger.warn( { err, projectId, userId, clientId: client.id }, 'background cursor update failed' ) } } ) } ) }, // We want to flush a project if there are no more (local) connected clients // but we need to wait for the triggering client to disconnect. How long we wait // is determined by FLUSH_IF_EMPTY_DELAY. FLUSH_IF_EMPTY_DELAY: 500, // ms leaveProject(io, client, callback) { const { project_id: projectId, user_id: userId } = client.ol_context if (!projectId) { return callback() } // client did not join project metrics.inc('editor.leave-project', 1, { status: client.transport }) logger.info( { projectId, userId, clientId: client.id }, 'client leaving project' ) WebsocketLoadBalancer.emitToRoom( projectId, 'clientTracking.clientDisconnected', client.publicId ) // We can do this in the background ConnectedUsersManager.markUserAsDisconnected( projectId, client.publicId, function (err) { if (err) { logger.error( { err, projectId, userId, clientId: client.id }, 'error marking client as disconnected' ) } } ) RoomManager.leaveProjectAndDocs(client) setTimeout(function () { const remainingClients = io.sockets.clients(projectId) if (remainingClients.length === 0) { // Flush project in the background DocumentUpdaterManager.flushProjectToMongoAndDelete( projectId, function (err) { if (err) { logger.error( { err, projectId, userId, clientId: client.id }, 'error flushing to doc updater after leaving project' ) } } ) } callback() }, WebsocketController.FLUSH_IF_EMPTY_DELAY) }, joinDoc(client, docId, fromVersion, options, callback) { if (client.disconnected) { metrics.inc('editor.join-doc.disconnected', 1, { status: 'immediately' }) return callback() } const joinLeaveEpoch = ++client.joinLeaveEpoch metrics.inc('editor.join-doc', 1, { status: client.transport }) const { project_id: projectId, user_id: userId, is_restricted_user: isRestrictedUser, } = client.ol_context if (!projectId) { return callback(new NotJoinedError()) } logger.debug( { userId, projectId, docId, fromVersion, clientId: client.id }, 'client joining doc' ) WebsocketController._assertClientAuthorization( client, docId, function (error) { if (error) { return callback(error) } if (client.disconnected) { metrics.inc('editor.join-doc.disconnected', 1, { status: 'after-client-auth-check', }) // the client will not read the response anyways return callback() } if (joinLeaveEpoch !== client.joinLeaveEpoch) { // another joinDoc or leaveDoc rpc overtook us return callback(new JoinLeaveEpochMismatchError()) } // ensure the per-doc applied-ops channel is subscribed before sending the // doc to the client, so that no events are missed. RoomManager.joinDoc(client, docId, function (error) { if (error) { return callback(error) } if (client.disconnected) { metrics.inc('editor.join-doc.disconnected', 1, { status: 'after-joining-room', }) // the client will not read the response anyways return callback() } DocumentUpdaterManager.getDocument( projectId, docId, fromVersion, function (error, lines, version, ranges, ops) { if (error) { return callback(error) } if (client.disconnected) { metrics.inc('editor.join-doc.disconnected', 1, { status: 'after-doc-updater-call', }) // the client will not read the response anyways return callback() } if (isRestrictedUser && ranges && ranges.comments) { ranges.comments = [] } // Encode any binary bits of data so it can go via WebSockets // See http://ecmanaut.blogspot.co.uk/2006/07/encoding-decoding-utf8-in-javascript.html const encodeForWebsockets = text => unescape(encodeURIComponent(text)) const escapedLines = [] for (let line of lines) { try { line = encodeForWebsockets(line) } catch (err) { OError.tag(err, 'error encoding line uri component', { line }) return callback(err) } escapedLines.push(line) } if (options.encodeRanges) { try { for (const comment of (ranges && ranges.comments) || []) { if (comment.op.c) { comment.op.c = encodeForWebsockets(comment.op.c) } } for (const change of (ranges && ranges.changes) || []) { if (change.op.i) { change.op.i = encodeForWebsockets(change.op.i) } if (change.op.d) { change.op.d = encodeForWebsockets(change.op.d) } } } catch (err) { OError.tag(err, 'error encoding range uri component', { ranges, }) return callback(err) } } AuthorizationManager.addAccessToDoc(client, docId, () => {}) logger.debug( { userId, projectId, docId, fromVersion, clientId: client.id, }, 'client joined doc' ) callback(null, escapedLines, version, ops, ranges) } ) }) } ) }, _assertClientAuthorization(client, docId, callback) { // Check for project-level access first AuthorizationManager.assertClientCanViewProject(client, function (error) { if (error) { return callback(error) } // Check for doc-level access next AuthorizationManager.assertClientCanViewProjectAndDoc( client, docId, function (error) { if (error) { // No cached access, check docupdater const { project_id: projectId } = client.ol_context DocumentUpdaterManager.checkDocument( projectId, docId, function (error) { if (error) { return callback(error) } else { // Success AuthorizationManager.addAccessToDoc(client, docId, callback) } } ) } else { // Access already cached callback() } } ) }) }, leaveDoc(client, docId, callback) { // client may have disconnected, but we have to cleanup internal state. client.joinLeaveEpoch++ metrics.inc('editor.leave-doc', 1, { status: client.transport }) const { project_id: projectId, user_id: userId } = client.ol_context logger.debug( { userId, projectId, docId, clientId: client.id }, 'client leaving doc' ) RoomManager.leaveDoc(client, docId) // we could remove permission when user leaves a doc, but because // the connection is per-project, we continue to allow access // after the initial joinDoc since we know they are already authorised. // # AuthorizationManager.removeAccessToDoc client, doc_id callback() }, updateClientPosition(client, cursorData, callback) { if (client.disconnected) { // do not create a ghost entry in redis return callback() } metrics.inc('editor.update-client-position', 0.1, { status: client.transport, }) const { project_id: projectId, first_name: firstName, last_name: lastName, email, user_id: userId, } = client.ol_context logger.debug( { userId, projectId, clientId: client.id, cursorData }, 'updating client position' ) AuthorizationManager.assertClientCanViewProjectAndDoc( client, cursorData.doc_id, function (error) { if (error) { logger.debug( { err: error, clientId: client.id, projectId, userId }, "silently ignoring unauthorized updateClientPosition. Client likely hasn't called joinProject yet." ) return callback() } cursorData.id = client.publicId if (userId) { cursorData.user_id = userId } if (email) { cursorData.email = email } // Don't store anonymous users in redis to avoid influx if (!userId || userId === 'anonymous-user') { cursorData.name = '' // consistent async behaviour setTimeout(callback) } else { cursorData.name = firstName && lastName ? `${firstName} ${lastName}` : firstName || lastName || '' ConnectedUsersManager.updateUserPosition( projectId, client.publicId, { first_name: firstName, last_name: lastName, email, _id: userId, }, { row: cursorData.row, column: cursorData.column, doc_id: cursorData.doc_id, }, callback ) } WebsocketLoadBalancer.emitToRoom( projectId, 'clientTracking.clientUpdated', cursorData ) } ) }, CLIENT_REFRESH_DELAY: 1000, getConnectedUsers(client, callback) { if (client.disconnected) { // they are not interested anymore, skip the redis lookups return callback() } metrics.inc('editor.get-connected-users', { status: client.transport }) const { project_id: projectId, user_id: userId, is_restricted_user: isRestrictedUser, } = client.ol_context if (isRestrictedUser) { return callback(null, []) } if (!projectId) { return callback(new NotJoinedError()) } logger.debug( { userId, projectId, clientId: client.id }, 'getting connected users' ) AuthorizationManager.assertClientCanViewProject(client, function (error) { if (error) { return callback(error) } WebsocketLoadBalancer.emitToRoom(projectId, 'clientTracking.refresh') setTimeout( () => ConnectedUsersManager.getConnectedUsers( projectId, function (error, users) { if (error) { return callback(error) } logger.debug( { userId, projectId, clientId: client.id }, 'got connected users' ) callback(null, users) } ), WebsocketController.CLIENT_REFRESH_DELAY ) }) }, applyOtUpdate(client, docId, update, callback) { // client may have disconnected, but we can submit their update to doc-updater anyways. const { user_id: userId, project_id: projectId } = client.ol_context if (!projectId) { return callback(new NotJoinedError()) } WebsocketController._assertClientCanApplyUpdate( client, docId, update, function (error) { if (error) { setTimeout( () => // Disconnect, but give the client the chance to receive the error client.disconnect(), 100 ) return callback(error) } if (!update.meta) { update.meta = {} } update.meta.source = client.publicId update.meta.user_id = userId metrics.inc('editor.doc-update', 0.3, { status: client.transport }) logger.debug( { userId, docId, projectId, clientId: client.id, version: update.v, }, 'sending update to doc updater' ) DocumentUpdaterManager.queueChange( projectId, docId, update, function (error) { if ((error && error.message) === 'update is too large') { metrics.inc('update_too_large') const { updateSize } = error.info logger.warn( { userId, projectId, docId, updateSize }, 'update is too large' ) // mark the update as received -- the client should not send it again! callback() // trigger an out-of-sync error const message = { project_id: projectId, doc_id: docId, error: 'update is too large', } setTimeout(function () { if (client.disconnected) { // skip the message broadcast, the client has moved on return metrics.inc('editor.doc-update.disconnected', 1, { status: 'at-otUpdateError', }) } client.emit('otUpdateError', message.error, message) client.disconnect() }, 100) return } if (error) { OError.tag(error, 'document was not available for update', { version: update.v, }) client.disconnect() } callback(error) } ) } ) }, _assertClientCanApplyUpdate(client, docId, update, callback) { AuthorizationManager.assertClientCanEditProjectAndDoc( client, docId, function (error) { if ( error && error.message === 'not authorized' && WebsocketController._isCommentUpdate(update) ) { // This might be a comment op, which we only need read-only priveleges for AuthorizationManager.assertClientCanViewProjectAndDoc( client, docId, callback ) return } callback(error) } ) }, _isCommentUpdate(update) { if (!(update && update.op instanceof Array)) { return false } for (const op of update.op) { if (!op.c) { return false } } return true }, }