oncilla's People

Contributors: abelino, amclain, breckenedge, david-kershaw-cs, davidmkershaw, denis-sokolov, dependabot[bot], nateq314
oncilla's Issues

Clean up Websockets Logic

Realize this probably isn't directly related to this PR but it's kind of weird here how authDetails is a Promise and details is the actual details. This could be cleaned up by

  1. defining authDetails like this:

```ts
let authDetails: AuthDetails | undefined = undefined;
```

  2. writing handlers.auth as async:

```ts
auth: async msg => {
  const { token } = msg;
  if (!auth) throw new Error("Unexpected auth message");
  authDetails = await auth
    .parseToken(token, {
      close: () => socket.terminate()
    })
    .catch(() => undefined);
  processCache();
},
```

  3. For handlers.push(), remove the async and change the if block:

```ts
  if (auth) {
    if (!authDetails) {
      addToQueue(msg);
      return;
    }
    if (!auth.canWrite({ auth: authDetails, kind, id })) return;
  }
```

  4. also do the same with the function that's passed as the last parameter to getAndObserve() in handlers.subscribe():

```ts
v => {
  if (auth) {
    if (!authDetails) {
```

Originally posted by @nateq314 in #40

Revise Footer and License

  • Please add a LICENSE.md file which includes the same content currently linked on Facebook's React repo
  • Please update the GitHub repository to reflect the MIT license in metadata which should result in MIT being reflected in the license portion of the GitHub UI
  • Please add the following to the footer of the README.md (please find a Theorem logo we can host and replace the Citrusbyte one I've linked):
## About Theorem

![Theorem](http://i.imgur.com/W6eISI3.png)

This software is lovingly maintained and funded by Theorem.
From whiteboarding new concepts to long-term support, Theorem works with startups and large multi-national enterprises to develop new applications, software, services, and platforms to achieve the best results and deliver Full Stack Innovation™

At Theorem we believe in and support open-source software.

* Check out more of our open-source software at Theorem.
* Learn more about [our work](https://theorem.co/portfolio).
* [Hire us](https://theorem.co/contact) to work on your project.
* [Want to join the team?](https://theorem.co/careers)

*Theorem and the Theorem logo are trademarks or registered trademarks of Theorem, LLC.*

Server-side WebSocket code is vulnerable to a targeted DoS attack

See: #40

My architectural recommendation would be to move the queue to the client side. This eliminates the attack vector where a malicious user could open a connection and send messages to fill up the queue, thus running the server out of memory. I do see that we've limited the max number of messages to 100, but an attacker could figure out that number based on when the termination happens, so it doesn't necessarily mitigate an attack (the attacker simply opens multiple connections to fill up the server's memory). Conversely, that server-side queue limit could cause UX issues for a legitimate user who is experiencing latency issues during the auth process. If the queue were moved client-side it would not only help with auth, but also if the connection goes offline for any other reason. (Related to stagger-offline-ui-changes)
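The client-side queue recommended in this issue, as an added TypeScript illustration that is not oncilla's own code: the server keeps no pre-auth buffer and rejects pushes until the token is accepted, while the client holds its own writes and flushes them once auth completes. `Server`, `ClientLink`, `parseToken`, the message shapes, and the token and user values are assumed or constructed for the example.

```typescript
type Msg = { type: "auth"; token: string } | { type: "push"; id: string; value: number };
type AuthDetails = { user: string; canWrite: boolean };
// Server side: no per-connection queue. A push that arrives before auth has resolved is
// rejected at once, so an unauthenticated peer cannot make the server hold anything for it.
class Server {
  readonly writes: Array<{ user: string; id: string; value: number }> = [];
  private parseToken: (token: string) => AuthDetails | undefined;
  constructor(parseToken: (token: string) => AuthDetails | undefined) { this.parseToken = parseToken; }
  connect(): (msg: Msg) => "ok" | "rejected" {
    let details: AuthDetails | undefined;           // the only per-connection state kept
    return (msg) => {
      if (msg.type === "auth") { details = this.parseToken(msg.token); return details ? "ok" : "rejected"; }
      if (!details || !details.canWrite) return "rejected";   // dropped, never buffered
      this.writes.push({ user: details.user, id: msg.id, value: msg.value });
      return "ok";
    };
  }
}
// Client side: writes made before auth completes wait in the client's own memory and
// are flushed, in order, once the server acknowledges the token.
class ClientLink {
  private pending: Msg[] = [];
  private authed = false;
  private send: (msg: Msg) => "ok" | "rejected";
  constructor(send: (msg: Msg) => "ok" | "rejected") { this.send = send; }
  authenticate(token: string): boolean {
    this.authed = this.send({ type: "auth", token }) === "ok";
    if (this.authed) for (const m of this.pending.splice(0)) this.send(m);
    return this.authed;
  }
  push(id: string, value: number): "sent" | "queued" {
    const msg: Msg = { type: "push", id, value };
    if (!this.authed) { this.pending.push(msg); return "queued"; }
    this.send(msg); return "sent";
  }
  get queued(): number { return this.pending.length; }
}
// Constructed scenario: a legitimate client writes while its auth is still pending, and a
// peer that never authenticates sends 1000 pushes that the server must not retain.
function scenario() {
  const server = new Server((t) => (t === "good-token" ? { user: "alice", canWrite: true } : undefined));
  const legit = new ClientLink(server.connect());
  legit.push("doc1", 1); legit.push("doc1", 2);             // held client-side
  const queuedBeforeAuth = legit.queued;
  legit.authenticate("good-token");                         // flushes both, in order
  const stranger = server.connect();
  let rejected = 0;
  for (let i = 0; i < 1000; i++) if (stranger({ type: "push", id: "x", value: i }) === "rejected") rejected++;
  return { queuedBeforeAuth, afterAuth: legit.queued, rejected, writes: server.writes.map((w) => w.value) };
}
```

Whatever the unauthenticated peer sends, the server's only per-connection state is the `details` variable, so opening more connections buys it no server memory.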

A duplicate result of a change is sometimes shown

Sometimes a change is displayed applied twice briefly. It seems as if an optimistic update is briefly applied on top of a revision that already includes it. In less than a second the UI settles on the correct value again.

Screenshots and more details pending.
