Huboard – socket.io backend

huboard.com!

Your favorite open source kanban board built on top of the GitHub api has gotten a little bit more awesome. I’ve decided to release the socket.io backend that is keeping huboard.com all up to date and super fancy.

Why nodejs (express + socket.io)?

1. Simple

Nodejs (express + socket.io) was by far the easiest thing for me to get running on heroku. The original version I published back in August was only about 26 lines of javascript.

2. Reliable

I’m absolutely amazed, I pushed that code up to heroku back in August and haven’t touched it. It ran for about 6 months and I never even checked on it. As far as I can tell it never even crashed.

3. Documentation

There is a ton of great tutorials and blog posts just a google search away on getting socket.io up and running on heroku.

4. Cheap (free as in beer)

Plain vanilla install of socket.io and express configured to use xhr-polling has been running problem free on heroku with one free dyno for 6 months. I’m not exactly sure how far that will scale using the MemoryStore (eventually I’ll run out of RAM) but huboard is sitting at nearly 4000 users and haven’t had any problems yet

Other options

I did explore other options

  • .NET – server sent events – (fubumvc or signalr)

    • FubuMVC.ServerSentEvents
      • Not supported by heroku (see #1 && #4)
      • SSE only – no fallback support
      • Very little documentation
    • [SignalR]
      • Not supported by heroku
      • Not as stable (at the time)
  • Ruby – EventMachine

    • I originally wanted to use something simple on top of ruby. I tried several different approaches and ultimately I just couldn’t figure out how to host a HTTP POST endpoint && the socket connections inside the same app.

Why did it take you so long to release it?

Well the TL;DR; is that it wasn’t secure. It was largely experimental. Back when I published the RealTime™ support the socket.io server was only about 26 lines of nodejs. It had no security because I didn’t know how to set it up. So I secure it the best I could (with a simple correlation string) and called it a day. The code wasn’t published so hackers at least had a harder time connecting to the socket than if the code was in the open. Security by obscurity (I know shame on me, I’m sorry).

How are you going to make it secure?

Step one is open sourcing it, people who are using huboard and know more than I do will hopefully care enough to help me make it as secure as possible.

  • Things I’m doing already.

All my users trust me with their OAuth token and I take that responsibility seriously. I try my best to make sure your authorization key doesn’t get into the wrong hands. Huboard never exposes your authorization key unencrypted.

The socket server now performs a handshake when making a connection. Your encrypted OAuth token is passed into socket.io via query string, which turns around and passes the encrypted key to a huboard api endpoint that decrypts your token and asks the GitHub api if its valid.

*| Disclaimer *| I’m not a security expert, I’m not happy that I’m passing the token back to huboard for verification. It doesn’t feel right. I tried for days to decrypt the token using node in order to validate the token inside the handshake code but I just ran into dead ends. I think it has something to do with the encoding of ruby vs node but I had very similar encryption code on both platforms and could figure out how to get node to decrypt a string from ruby or visa versa. Please help!

Related Articles:

Post Footer automatically generated by Add Post Footer Plugin for wordpress.

About Ryan Rauh

My name is Ryan Rauh and I like shiny things. If I've seen it on twitter more the twice most likely I've looked at it or tried it. I really like memes and other silly and seemingly useless things out on the internet. I blog about things *I* think are cool and interesting, I hope you will find them cool and interesting too.
This entry was posted in Uncategorized and tagged . Bookmark the permalink. Follow any comments here with the RSS feed for this post.
  • Rasmus Bækgaard

    You could try look at this blog for security: http://www.troyhunt.com/
    He has some pretty good guides of what to and what NOT to.

  • http://bosslee.co/ Bryan Lee

    thank you! for Huboard
    was looking for something in between github and trello
    you are amazing

    • rauhryan

      No problem man!

  • http://www.friv2.org/Flappy_Bird.html flappy bird

    I agree with your post