Improve WebSocket server handshake handling (#1921)

The WebSocket server incorrectly used http headers:
* The 'Connection' header field value can have multiple elements, not just 'Upgrade'.
* The header field names should be handled in a case-insensitive way.
* If there is an error reporting a 400 error should also terminate the connection
  and correctly add http header termination lines.

IoT.js-DCO-1.0-Signed-off-by: Peter Gal pgal.u-szeged@partner.samsung.com

Author: galpeter

src/js/websocket.js

@@ -88,33 +88,37 @@ function parseServerHandshakeData(data, client, server) {
   var res = data.split('\r\n');
   var method = res[0].split(' ');
 
-  var headers = { 'Connection': '',
-                  'Upgrade': '',
-                  'Host': '',
-                  'Sec-WebSocket-Key': '',
-                  'Sec-WebSocket-Version': -1,
+  // All header keys are converted to lower case
+  // to ease the processing of the values.
+  // Based on the HTTP/1.1 RFC (https://tools.ietf.org/html/rfc7230#section-3.2)
+  // this conversion is ok as the header field names are case-insensitive.
+  var headers = { 'connection': '',
+                  'upgrade': '',
+                  'host': '',
+                  'sec-websocket-key': '',
+                  'sec-websocket-version': -1,
                 };
 
   for (var i = 1; i < res.length; i++) {
     var temp = res[i].split(': ');
-    headers[temp[0]] = temp[1];
+    headers[temp[0].toLowerCase()] = temp[1];
   }
 
   var response = '';
   if (method[0] === 'GET' &&
       method[2] === 'HTTP/1.1' &&
       method[1] === server.path &&
-      headers['Connection'] === 'Upgrade' &&
-      headers['Upgrade'] === 'websocket' &&
-      headers['Sec-WebSocket-Version'] === '13') {
+      headers['connection'].toLowerCase().indexOf('upgrade') !== -1 &&
+      headers['upgrade'].toLowerCase() === 'websocket' &&
+      headers['sec-websocket-version'] === '13') {
     response = native.ReceiveHandshakeData(
-      headers['Sec-WebSocket-Key']
+      headers['sec-websocket-key']
     ).toString();
     client.readyState = 'OPEN';
     client._socket.write(response);
     server.emit('open', client);
   } else {
-    response = method[2] + ' 400 Bad Request';
+    response = method[2] + ' 400 Bad Request\r\nConnection: Closed\r\n\r\n';
     client._socket.write(response);
   }
 }

test/run_pass/test_websocket_headercheck.js

@@ -0,0 +1,54 @@
+/* Copyright 2019-present Samsung Electronics Co., Ltd. and other contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+var assert = require('assert');
+var ws = require('websocket');
+var http = require('http');
+
+var websocket = new ws.Websocket();
+
+var test_connected = false;
+var test_statuscode = -1;
+
+var server = new ws.Server({ port: 8001 }, function(srv) {
+  console.log("Connected!");
+  test_connected = true;
+  server.close()
+});
+
+var client = http.request({
+  method: 'GET',
+  port: 8001,
+  headers: {
+    // Test if multiple values for the Connection header is accepted
+    'Connection': 'keep-alive, Upgrade',
+    'Upgrade': 'websocket',
+    'Sec-WebSocket-Key': 'r3UXMybFKTPGuT2CK5cYGw==',
+    'Sec-WebSocket-Version': 13,
+  }
+}, function(response) {
+  // 101 Switching Protocols
+  test_statuscode = response.statusCode;
+  server.close();
+});
+
+client.end();
+
+
+process.on('exit', function () {
+  assert(test_connected, 'WebScoket server did not received connection event');
+  assert.equal(test_statusCode, 101,
+               'GET with multiple Connection value should return 101 status');
+});