[Websocket] Update options parameter to headers. Update to spec.

[christopherdro]

This is a follow up of 9b87e6c.

PR Overview:

• Allows custom headers on connection request
• Adds a default origin header to Android, just like iOS

Introduces no breaking changes.

PR Detail:

I was working on something similar and would like to propose a few changes that make the API more consistent across both iOS and Android platforms and brings this closer to spec.

I believe @aprock first implementation of adding custom headers was correct. It makes sense naming this argument headers since we have no other general options available, and the current options field is being used to pass in a header anyway.

My use case for custom headers was attaching a token to the Authorization header on the connection request. I have been testing this by passing a JWT inside the Authorization header and verifying it on the server before establishing a connection.

I tried to take this this abstraction further and read the response headers from the server to see if a new token was available if the connection was denied from a expired token. Unfortunately, this was only possible with Android since the third party library used by iOS (SquareRocket) does not return the server response on connection failures.

[facebook-github-bot]

By analyzing the blame information on this pull request, we identified @aprock, @hharnisc and @satya164 to be potential reviewers.

[christopherdro]

@mkonicek @satya164 Not sure the best way to handle the error here. Ideas?

[satya164]

@christopherdro Since this is a user error, we should throw the error to show a redbox (IllegalArgumentException). This matches the behaviour on the web where it throws an error.

[facebook-github-bot]

@christopherdro updated the pull request.

[christopherdro]

@satya164 I updated the PR to handle the error message. However, it appears that passing a invalid url scheme will be caught beforehand through Request.Builder

[mkonicek]

Ah this used to be called options but it's really HTTP headers?

[christopherdro]

Yea, these were recently merged via 9b87e6c

I noticed that his original implementation did have an option for using headers but was asked to remove it because only the origin header was required by the contributor.

[facebook-github-bot]

@christopherdro updated the pull request.

[facebook-github-bot]

@christopherdro updated the pull request.

[nicklockwood]

Since NSURLRequest already includes headers, is there any reason for the seperate headers parameter? Can't we just include them in the request?

[christopherdro]

@nicklockwood That makes sense but it appears there are two other places that headers are being set.

1. react-native/Libraries/WebSocket/RCTSRWebSocket.m

   Lines 478 to 489 in debcac5

   	// Set host first so it defaults
   	CFHTTPMessageSetHeaderFieldValue(request, CFSTR("Host"), (__bridge CFStringRef)(_url.port ? [NSString stringWithFormat:@"%@:%@", _url.host, _url.port] : _url.host));
   	NSMutableData *keyBytes = [[NSMutableData alloc] initWithLength:16];
   	SecRandomCopyBytes(kSecRandomDefault, keyBytes.length, keyBytes.mutableBytes);
   	_secKey = [keyBytes base64EncodedStringWithOptions:0];
   	assert([_secKey length] == 24);
   	CFHTTPMessageSetHeaderFieldValue(request, CFSTR("Upgrade"), CFSTR("websocket"));
   	CFHTTPMessageSetHeaderFieldValue(request, CFSTR("Connection"), CFSTR("Upgrade"));
   	CFHTTPMessageSetHeaderFieldValue(request, CFSTR("Sec-WebSocket-Key"), (__bridge CFStringRef)_secKey);
   	CFHTTPMessageSetHeaderFieldValue(request, CFSTR("Sec-WebSocket-Version"), (__bridge CFStringRef)[NSString stringWithFormat:@"%ld", (long)_webSocketVersion]);

2. react-native/Libraries/WebSocket/RCTSRWebSocket.m

   Line 298 in debcac5

   [request setAllHTTPHeaderFields:[NSHTTPCookie requestHeaderFieldsWithCookies:cookies]];

So im not sure the best way to handle this.

[mkonicek]

We talked about this briefly at React.js conf but don't remember the conclusion. Regarding the setDefaultOriginMethod - why is the origin header needed in React Native? I thought it was designed for browsers?

[christopherdro]

@mkonicek Your are right that it is browser specfic. I was just trying to make things consistent across platform. If it's unnecessary then we should remove it from iOS as well.

@nicklockwood Thoughts on whether we need to have a default origin on iOS?

[mkonicek]

Cool, thanks for the explanation! I vote for getting rid of the origin headers if they're not needed on mobile.

[facebook-github-bot]

@christopherdro updated the pull request.

[christopherdro]

@nicklockwood Updated the PR based on some of your comments and made further notes on ones that I wasn't sure about.

[mkonicek]

Is the method setDefaultOrigin needed? Do we need to set an origin header if we're not in a browser (maybe yes, I just don't have the context)?

[christopherdro]

Technically no since RN is not a browser client.

The |Origin| header field [RFC6454] is used to protect against
unauthorized cross-origin use of a WebSocket server by scripts using
the WebSocket API in a web browser. The server is informed of the
script origin generating the WebSocket connection request. If the
server does not wish to accept connections from this origin, it can
choose to reject the connection by sending an appropriate HTTP error
code. This header field is sent by browser clients; for non-browser
clients, this header field may be sent if it makes sense in the
context of those clients.

I was waiting to see what @nicklockwood thought about removing the default origin header from iOS.

[facebook-github-bot]

@christopherdro updated the pull request.

[christopherdro]

@nicklockwood Any chance you can chime in here again so I can go ahead and wrap up this PR? Thanks!

[mkonicek]

This PR does two things which makes it a bit harder to review and land:

1. Allows custom headers on connection request
2. Adds a default origin header to Android, just like iOS

Do you think you could send the "Allows custom headers on connection request" part separately especially since we're not sure 2. is needed? Then it should be fairly straightforward to merge.

[facebook-github-bot]

@christopherdro updated the pull request.

[christopherdro]

@mkonicek Fair enough. I'll update the the PR to only update the headers. Should have it done by this weekend and will ping you again.

[zxcpoiu]

Hi @christopherdro,

What is your opinion to keep the argument name options, and use 'headers' as a key for setting up additional header ?

*ex: *

options = {
    headers: {}
    otherOptions: ...
}

for future workaround flags or custom actions.

[christopherdro]

@zxcpoiu I believe that was my original thought but avoided since it seems that the general attitude of PR's is to implement whats required atm and not over engineer. I will however revisit this shortly.

Can you provide any examples of what some future options might be?

[zxcpoiu]

Hi @christopherdro

you're right, not over engineer is a good point.

Currently what I can think of potential use cases are: maybe to tweak options of android OkHttpClient Consturrctor when create ws instance

for example:

• read/write Timeout
• self-signed certificate verify
• force TLS versions

It's not that critical, and I don't want to hold this decent PR.
Just treat it as a note here for reference :)

[nicklockwood]

@facebook-github-bot shipit

[facebook-github-bot]

Thanks for importing. If you are an FB employee go to Phabricator to review.

[facebook-github-bot]

@christopherdro updated the pull request.