Fix syntax of dependency versions and bump version to 0.7.3

Avoid using deprecated Buffer API

.gitignore

@@ -1 +1,2 @@
 node_modules
+package-lock.json

.travis.yml

@@ -10,6 +10,10 @@ node_js:
   - "6"
   - "7"
   - "8"
+  - "9"
+  - "10"
+  - "11"
+  - "12"
 
 before_install:
   - '[ "${TRAVIS_NODE_VERSION}" = "0.8" ] && npm install -g npm@~1.4.0 || true'

CHANGELOG.md

@@ -1,115 +1,136 @@
+### 0.7.3 / 2019-06-13
+
+- Cap version of http-parser-js below 0.4.11, which introduced a bug that
+  prevents us from handling messages that are part of the same input buffer as
+  the handshake response if chunked encoding is specified
+
+### 0.7.2 / 2019-06-13
+
+(This version was pulled due to an error when publishing)
+
+### 0.7.1 / 2019-06-10
+
+- Catch any exceptions produced while generating a handshake response and send a
+  `400 Bad Request` response to the client
+- Pick the RFC-6455 protocol version if the request contains any of the headers
+  used by that version
+- Use the `Buffer.alloc()` and `Buffer.from()` functions instead of the unsafe
+  `Buffer()` constructor
+- Handle errors encountered while handling malformed draft-76 requests
+- Change license from MIT to Apache 2.0
+
 ### 0.7.0 / 2017-09-11
 
-* Add `ping` and `pong` to the set of events users can listen to
-* Replace the bindings to Node's HTTP parser with `http-parser-js`
+- Add `ping` and `pong` to the set of events users can listen to
+- Replace the bindings to Node's HTTP parser with `http-parser-js`
 
 ### 0.6.5 / 2016-05-20
 
-* Don't mutate buffers passed in by the application when masking
+- Don't mutate buffers passed in by the application when masking
 
 ### 0.6.4 / 2016-01-07
 
-* If a number is given as input for a frame payload, send it as a string
+- If a number is given as input for a frame payload, send it as a string
 
 ### 0.6.3 / 2015-11-06
 
-* Reject draft-76 handshakes if their Sec-WebSocket-Key headers are invalid
-* Throw a more helpful error if a client is created with an invalid URL
+- Reject draft-76 handshakes if their Sec-WebSocket-Key headers are invalid
+- Throw a more helpful error if a client is created with an invalid URL
 
 ### 0.6.2 / 2015-07-18
 
-* When the peer sends a close frame with no error code, emit 1000
+- When the peer sends a close frame with no error code, emit 1000
 
 ### 0.6.1 / 2015-07-13
 
-* Use the `buffer.{read,write}UInt{16,32}BE` methods for reading/writing numbers
+- Use the `buffer.{read,write}UInt{16,32}BE` methods for reading/writing numbers
   to buffers rather than including duplicate logic for this
 
 ### 0.6.0 / 2015-07-08
 
-* Allow the parser to recover cleanly if event listeners raise an error
-* Add a `pong` method for sending unsolicited pong frames
+- Allow the parser to recover cleanly if event listeners raise an error
+- Add a `pong` method for sending unsolicited pong frames
 
 ### 0.5.4 / 2015-03-29
 
-* Don't emit extra close frames if we receive a close frame after we already
+- Don't emit extra close frames if we receive a close frame after we already
   sent one
-* Fail the connection when the driver receives an invalid
+- Fail the connection when the driver receives an invalid
   `Sec-WebSocket-Extensions` header
 
 ### 0.5.3 / 2015-02-22
 
-* Don't treat incoming data as WebSocket frames if a client driver is closed
+- Don't treat incoming data as WebSocket frames if a client driver is closed
   before receiving the server handshake
 
 ### 0.5.2 / 2015-02-19
 
-* Fix compatibility with the HTTP parser on io.js
-* Use `websocket-extensions` to make sure messages and close frames are kept in
+- Fix compatibility with the HTTP parser on io.js
+- Use `websocket-extensions` to make sure messages and close frames are kept in
   order
-* Don't emit multiple `error` events
+- Don't emit multiple `error` events
 
 ### 0.5.1 / 2014-12-18
 
-* Don't allow drivers to be created with unrecognized options
+- Don't allow drivers to be created with unrecognized options
 
 ### 0.5.0 / 2014-12-13
 
-* Support protocol extensions via the websocket-extensions module
+- Support protocol extensions via the websocket-extensions module
 
 ### 0.4.0 / 2014-11-08
 
-* Support connection via HTTP proxies using `CONNECT`
+- Support connection via HTTP proxies using `CONNECT`
 
 ### 0.3.6 / 2014-10-04
 
-* It is now possible to call `close()` before `start()` and close the driver
+- It is now possible to call `close()` before `start()` and close the driver
 
 ### 0.3.5 / 2014-07-06
 
-* Don't hold references to frame buffers after a message has been emitted
-* Make sure that `protocol` and `version` are exposed properly by the TCP driver
+- Don't hold references to frame buffers after a message has been emitted
+- Make sure that `protocol` and `version` are exposed properly by the TCP driver
 
 ### 0.3.4 / 2014-05-08
 
-* Don't hold memory-leaking references to I/O buffers after they have been
+- Don't hold memory-leaking references to I/O buffers after they have been
   parsed
 
 ### 0.3.3 / 2014-04-24
 
-* Correct the draft-76 status line reason phrase
+- Correct the draft-76 status line reason phrase
 
 ### 0.3.2 / 2013-12-29
 
-* Expand `maxLength` to cover sequences of continuation frames and
+- Expand `maxLength` to cover sequences of continuation frames and
   `draft-{75,76}`
-* Decrease default maximum frame buffer size to 64MB
-* Stop parsing when the protocol enters a failure mode, to save CPU cycles
+- Decrease default maximum frame buffer size to 64MB
+- Stop parsing when the protocol enters a failure mode, to save CPU cycles
 
 ### 0.3.1 / 2013-12-03
 
-* Add a `maxLength` option to limit allowed frame size
-* Don't pre-allocate a message buffer until the whole frame has arrived
-* Fix compatibility with Node v0.11 `HTTPParser`
+- Add a `maxLength` option to limit allowed frame size
+- Don't pre-allocate a message buffer until the whole frame has arrived
+- Fix compatibility with Node v0.11 `HTTPParser`
 
 ### 0.3.0 / 2013-09-09
 
-* Support client URLs with Basic Auth credentials
+- Support client URLs with Basic Auth credentials
 
 ### 0.2.2 / 2013-07-05
 
-* No functional changes, just updates to package.json
+- No functional changes, just updates to package.json
 
 ### 0.2.1 / 2013-05-17
 
-* Export the isSecureRequest() method since faye-websocket relies on it
-* Queue sent messages in the client's initial state
+- Export the isSecureRequest() method since faye-websocket relies on it
+- Queue sent messages in the client's initial state
 
 ### 0.2.0 / 2013-05-12
 
-* Add API for setting and reading headers
-* Add Driver.server() method for getting a driver for TCP servers
+- Add API for setting and reading headers
+- Add Driver.server() method for getting a driver for TCP servers
 
 ### 0.1.0 / 2013-05-04
 
-* First stable release
+- First stable release

LICENSE.md

@@ -1,20 +1,12 @@
-# The MIT License
+Copyright 2010-2019 James Coglan
 
-Copyright (c) 2010-2017 James Coglan
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+this file except in compliance with the License. You may obtain a copy of the
+License at
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the 'Software'), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-the Software, and to permit persons to whom the Software is furnished to do so,
-subject to the following conditions:
+    http://www.apache.org/licenses/LICENSE-2.0
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+Unless required by applicable law or agreed to in writing, software distributed
+under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.

README.md

@@ -10,21 +10,21 @@ pluggable I/O.
 Due to this design, you get a lot of things for free. In particular, if you hook
 this module up to some I/O object, it will do all of this for you:
 
-* Select the correct server-side driver to talk to the client
-* Generate and send both server- and client-side handshakes
-* Recognize when the handshake phase completes and the WS protocol begins
-* Negotiate subprotocol selection based on `Sec-WebSocket-Protocol`
-* Negotiate and use extensions via the
+- Select the correct server-side driver to talk to the client
+- Generate and send both server- and client-side handshakes
+- Recognize when the handshake phase completes and the WS protocol begins
+- Negotiate subprotocol selection based on `Sec-WebSocket-Protocol`
+- Negotiate and use extensions via the
   [websocket-extensions](https://github.com/faye/websocket-extensions-node)
   module
-* Buffer sent messages until the handshake process is finished
-* Deal with proxies that defer delivery of the draft-76 handshake body
-* Notify you when the socket is open and closed and when messages arrive
-* Recombine fragmented messages
-* Dispatch text, binary, ping, pong and close frames
-* Manage the socket-closing handshake process
-* Automatically reply to ping frames with a matching pong
-* Apply masking to messages sent by the client
+- Buffer sent messages until the handshake process is finished
+- Deal with proxies that defer delivery of the draft-76 handshake body
+- Notify you when the socket is open and closed and when messages arrive
+- Recombine fragmented messages
+- Dispatch text, binary, ping, pong and close frames
+- Manage the socket-closing handshake process
+- Automatically reply to ping frames with a matching pong
+- Apply masking to messages sent by the client
 
 This library was originally extracted from the [Faye](http://faye.jcoglan.com)
 project but now aims to provide simple WebSocket support for any Node-based
@@ -153,8 +153,8 @@ driver.messages.on('data', function(message) {
 Client drivers have two additional properties for reading the HTTP data that was
 sent back by the server:
 
-* `driver.statusCode` - the integer value of the HTTP status code
-* `driver.headers` - an object containing the response headers
+- `driver.statusCode` - the integer value of the HTTP status code
+- `driver.headers` - an object containing the response headers
 
 
 ### HTTP Proxies
@@ -177,7 +177,7 @@ var driver = websocket.client('ws://www.example.com/socket'),
     proxy  = driver.proxy('http://username:password@proxy.example.com'),
     tcp    = net.connect(80, 'proxy.example.com');
 
-tcp.pipe(proxy).pipe(tcp, {end: false});
+tcp.pipe(proxy).pipe(tcp, { end: false });
 
 tcp.on('connect', function() {
   proxy.start();
@@ -235,18 +235,18 @@ masking enabled on outgoing frames.
 The `options` argument is optional, and is an object. It may contain the
 following fields:
 
-* `maxLength` - the maximum allowed size of incoming message frames, in bytes.
+- `maxLength` - the maximum allowed size of incoming message frames, in bytes.
   The default value is `2^26 - 1`, or 1 byte short of 64 MiB.
-* `protocols` - an array of strings representing acceptable subprotocols for use
+- `protocols` - an array of strings representing acceptable subprotocols for use
   over the socket. The driver will negotiate one of these to use via the
   `Sec-WebSocket-Protocol` header if supported by the other peer.
 
 A driver has two duplex streams attached to it:
 
-* <b>`driver.io`</b> - this stream should be attached to an I/O socket like a
-  TCP stream. Pipe incoming TCP chunks to this stream for them to be parsed, and
+- **`driver.io`** - this stream should be attached to an I/O socket like a TCP
+  stream. Pipe incoming TCP chunks to this stream for them to be parsed, and
   pipe this stream back into TCP to send outgoing frames.
-* <b>`driver.messages`</b> - this stream emits messages received over the
+- **`driver.messages`** - this stream emits messages received over the
   WebSocket.  Writing to it sends messages to the other peer by emitting frames
   via the `driver.io` stream.
 

examples/net_client.js

@@ -5,11 +5,11 @@ var net       = require('net'),
     websocket = require('..'),
     deflate   = require('permessage-deflate');
 
-var DEFAULT_PORTS = {'ws:': 80, 'wss:': 443};
+var DEFAULT_PORTS = { 'ws:': 80, 'wss:': 443 };
 
 var uri  = url.parse(process.argv[2]),
     port = uri.port || DEFAULT_PORTS[uri.protocol],
-    conn = net.connect({host: uri.hostname, port: port});
+    conn = net.connect({ host: uri.hostname, port: port });
 
 var driver = websocket.client(uri.href);
 driver.addExtension(deflate);

lib/websocket/driver.js

@@ -1,7 +1,7 @@
 'use strict';
 
 // Protocol references:
-// 
+//
 // * http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol-75
 // * http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol-76
 // * http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-17
@@ -27,8 +27,12 @@ var Driver = {
     return Server.http.apply(Server, arguments);
   },
 
+  isSecureRequest: function(request) {
+    return Server.isSecureRequest(request);
+  },
+
   isWebSocket: function(request) {
-    return Server.isWebSocket(request);
+    return Base.isWebSocket(request);
   },
 
   validateOptions: function(options, validKeys) {

lib/websocket/driver/base.js

@@ -1,6 +1,7 @@
 'use strict';
 
-var Emitter = require('events').EventEmitter,
+var Buffer  = require('safe-buffer').Buffer,
+    Emitter = require('events').EventEmitter,
     util    = require('util'),
     streams = require('../streams'),
     Headers = require('./headers'),
@@ -25,6 +26,15 @@ var Base = function(request, url, options) {
 };
 util.inherits(Base, Emitter);
 
+Base.isWebSocket = function(request) {
+  var connection = request.headers.connection || '',
+      upgrade    = request.headers.upgrade || '';
+
+  return request.method === 'GET' &&
+         connection.toLowerCase().split(/ *, */).indexOf('upgrade') >= 0 &&
+         upgrade.toLowerCase() === 'websocket';
+};
+
 Base.validateOptions = function(options, validKeys) {
   for (var key in options) {
     if (validKeys.indexOf(key) < 0)
@@ -79,13 +89,35 @@ var instance = {
 
   start: function() {
     if (this.readyState !== 0) return false;
-    var response = this._handshakeResponse();
-    if (!response) return false;
+
+    if (!Base.isWebSocket(this._request))
+      return this._failHandshake(new Error('Not a WebSocket request'));
+
+    var response;
+
+    try {
+      response = this._handshakeResponse();
+    } catch (error) {
+      return this._failHandshake(error);
+    }
+
     this._write(response);
     if (this._stage !== -1) this._open();
     return true;
   },
 
+  _failHandshake: function(error) {
+    var headers = new Headers();
+    headers.set('Content-Type', 'text/plain');
+    headers.set('Content-Length', Buffer.byteLength(error.message, 'utf8'));
+
+    headers = ['HTTP/1.1 400 Bad Request', headers.toString(), error.message];
+    this._write(Buffer.from(headers.join('\r\n'), 'utf8'));
+    this._fail('protocol_error', error.message);
+
+    return false;
+  },
+
   text: function(message) {
     return this.frame(message);
   },
@@ -124,6 +156,12 @@ var instance = {
   _write: function(chunk) {
     var io = this.io;
     if (io.readable) io.emit('data', chunk);
+  },
+
+  _fail: function(type, message) {
+    this.readyState = 2;
+    this.emit('error', new Error(message));
+    this.close();
   }
 };
 

lib/websocket/driver/client.js

@@ -1,6 +1,7 @@
 'use strict';
 
-var crypto     = require('crypto'),
+var Buffer     = require('safe-buffer').Buffer,
+    crypto     = require('crypto'),
     url        = require('url'),
     util       = require('util'),
     HttpParser = require('../http_parser'),
@@ -9,7 +10,7 @@ var crypto     = require('crypto'),
     Proxy      = require('./proxy');
 
 var Client = function(_url, options) {
-  this.version = 'hybi-13';
+  this.version = 'hybi-' + Hybi.VERSION;
   Hybi.call(this, null, _url, options);
 
   this.readyState = -1;
@@ -18,7 +19,7 @@ var Client = function(_url, options) {
   this._http      = new HttpParser('response');
 
   var uri  = url.parse(this.url),
-      auth = uri.auth && new Buffer(uri.auth, 'utf8').toString('base64');
+      auth = uri.auth && Buffer.from(uri.auth, 'utf8').toString('base64');
 
   if (this.VALID_PROTOCOLS.indexOf(uri.protocol) < 0)
     throw new Error(this.url + ' is not a valid WebSocket URL');
@@ -29,7 +30,7 @@ var Client = function(_url, options) {
   this._headers.set('Upgrade', 'websocket');
   this._headers.set('Connection', 'Upgrade');
   this._headers.set('Sec-WebSocket-Key', this._key);
-  this._headers.set('Sec-WebSocket-Version', '13');
+  this._headers.set('Sec-WebSocket-Version', Hybi.VERSION);
 
   if (this._protocols.length > 0)
     this._headers.set('Sec-WebSocket-Protocol', this._protocols.join(', '));
@@ -79,7 +80,7 @@ var instance = {
     var start   = 'GET ' + this._pathname + ' HTTP/1.1',
         headers = [start, this._headers.toString(), ''];
 
-    return new Buffer(headers.join('\r\n'), 'utf8');
+    return Buffer.from(headers.join('\r\n'), 'utf8');
   },
 
   _failHandshake: function(message) {

lib/websocket/driver/draft75.js

@@ -1,7 +1,8 @@
 'use strict';
 
-var Base = require('./base'),
-    util = require('util');
+var Buffer = require('safe-buffer').Buffer,
+    Base   = require('./base'),
+    util   = require('util');
 
 var Draft75 = function(request, url, options) {
   Base.apply(this, arguments);
@@ -61,7 +62,7 @@ var instance = {
         case 2:
           if (octet === 0xFF) {
             this._stage = 0;
-            message = new Buffer(this._buffer).toString('utf8', 0, this._buffer.length);
+            message = Buffer.from(this._buffer).toString('utf8', 0, this._buffer.length);
             this.emit('message', new Base.MessageEvent(message));
           }
           else {
@@ -85,12 +86,12 @@ var instance = {
 
     if (typeof buffer !== 'string') buffer = buffer.toString();
 
-    var payload = new Buffer(buffer, 'utf8'),
-        frame   = new Buffer(payload.length + 2);
+    var length = Buffer.byteLength(buffer),
+        frame  = Buffer.allocUnsafe(length + 2);
 
     frame[0] = 0x00;
-    frame[payload.length + 1] = 0xFF;
-    payload.copy(frame, 1);
+    frame.write(buffer, 1);
+    frame[frame.length - 1] = 0xFF;
 
     this._write(frame);
     return true;
@@ -100,7 +101,7 @@ var instance = {
     var start   = 'HTTP/1.1 101 Web Socket Protocol Handshake',
         headers = [start, this._headers.toString(), ''];
 
-    return new Buffer(headers.join('\r\n'), 'utf8');
+    return Buffer.from(headers.join('\r\n'), 'utf8');
   },
 
   _parseLeadingByte: function(octet) {

lib/websocket/driver/draft76.js

@@ -1,17 +1,18 @@
 'use strict';
 
-var Base    = require('./base'),
+var Buffer  = require('safe-buffer').Buffer,
+    Base    = require('./base'),
     Draft75 = require('./draft75'),
     crypto  = require('crypto'),
     util    = require('util');
 
 
 var numberFromKey = function(key) {
-  return parseInt(key.match(/[0-9]/g).join(''), 10);
+  return parseInt((key.match(/[0-9]/g) || []).join(''), 10);
 };
 
 var spacesInKey = function(key) {
-  return key.match(/ /g).length;
+  return (key.match(/ /g) || []).length;
 };
 
 
@@ -42,7 +43,7 @@ var instance = {
 
   close: function() {
     if (this.readyState === 3) return false;
-    this._write(new Buffer([0xFF, 0x00]));
+    if (this.readyState === 1) this._write(Buffer.from([0xFF, 0x00]));
     this.readyState = 3;
     this.emit('close', new Base.CloseEvent(null, null));
     return true;
@@ -50,41 +51,41 @@ var instance = {
 
   _handshakeResponse: function() {
     var headers = this._request.headers,
-
         key1    = headers['sec-websocket-key1'],
-        number1 = numberFromKey(key1),
+        key2    = headers['sec-websocket-key2'];
+
+    if (!key1) throw new Error('Missing required header: Sec-WebSocket-Key1');
+    if (!key2) throw new Error('Missing required header: Sec-WebSocket-Key2');
+
+    var number1 = numberFromKey(key1),
         spaces1 = spacesInKey(key1),
 
-        key2    = headers['sec-websocket-key2'],
         number2 = numberFromKey(key2),
         spaces2 = spacesInKey(key2);
 
-    if (number1 % spaces1 !== 0 || number2 % spaces2 !== 0) {
-      this.emit('error', new Error('Client sent invalid Sec-WebSocket-Key headers'));
-      this.close();
-      return null;
-    }
+    if (number1 % spaces1 !== 0 || number2 % spaces2 !== 0)
+      throw new Error('Client sent invalid Sec-WebSocket-Key headers');
 
     this._keyValues = [number1 / spaces1, number2 / spaces2];
 
     var start   = 'HTTP/1.1 101 WebSocket Protocol Handshake',
         headers = [start, this._headers.toString(), ''];
 
-    return new Buffer(headers.join('\r\n'), 'binary');
+    return Buffer.from(headers.join('\r\n'), 'binary');
   },
 
   _handshakeSignature: function() {
     if (this._body.length < this.BODY_SIZE) return null;
 
     var md5    = crypto.createHash('md5'),
-        buffer = new Buffer(8 + this.BODY_SIZE);
+        buffer = Buffer.allocUnsafe(8 + this.BODY_SIZE);
 
     buffer.writeUInt32BE(this._keyValues[0], 0);
     buffer.writeUInt32BE(this._keyValues[1], 4);
-    new Buffer(this._body).copy(buffer, 8, 0, this.BODY_SIZE);
+    Buffer.from(this._body).copy(buffer, 8, 0, this.BODY_SIZE);
 
     md5.update(buffer);
-    return new Buffer(md5.digest('binary'), 'binary');
+    return Buffer.from(md5.digest('binary'), 'binary');
   },
 
   _sendHandshakeBody: function() {

lib/websocket/driver/hybi.js

@@ -1,6 +1,7 @@
 'use strict';
 
-var crypto     = require('crypto'),
+var Buffer     = require('safe-buffer').Buffer,
+    crypto     = require('crypto'),
     util       = require('util'),
     Extensions = require('websocket-extensions'),
     Base       = require('./base'),
@@ -22,25 +23,20 @@ var Hybi = function(request, url, options) {
 
   if (!this._request) return;
 
-  var secKey    = this._request.headers['sec-websocket-key'],
-      protos    = this._request.headers['sec-websocket-protocol'],
-      version   = this._request.headers['sec-websocket-version'],
+  var protos    = this._request.headers['sec-websocket-protocol'],
       supported = this._protocols;
 
-  this._headers.set('Upgrade', 'websocket');
-  this._headers.set('Connection', 'Upgrade');
-  this._headers.set('Sec-WebSocket-Accept', Hybi.generateAccept(secKey));
-
   if (protos !== undefined) {
     if (typeof protos === 'string') protos = protos.split(/ *, */);
     this.protocol = protos.filter(function(p) { return supported.indexOf(p) >= 0 })[0];
-    if (this.protocol) this._headers.set('Sec-WebSocket-Protocol', this.protocol);
   }
 
-  this.version = 'hybi-' + version;
+  this.version = 'hybi-' + Hybi.VERSION;
 };
 util.inherits(Hybi, Base);
 
+Hybi.VERSION = '13';
+
 Hybi.mask = function(payload, mask, offset) {
   if (!mask || mask.length === 0) return payload;
   offset = offset || 0;
@@ -192,7 +188,7 @@ var instance = {
     if (this.readyState <= 0) return this._queue([buffer, type, code]);
     if (this.readyState > 2) return false;
 
-    if (buffer instanceof Array)    buffer = new Buffer(buffer);
+    if (buffer instanceof Array)    buffer = Buffer.from(buffer);
     if (typeof buffer === 'number') buffer = buffer.toString();
 
     var message = new Message(),
@@ -202,11 +198,11 @@ var instance = {
     message.rsv1   = message.rsv2 = message.rsv3 = false;
     message.opcode = this.OPCODES[type || (isText ? 'text' : 'binary')];
 
-    payload = isText ? new Buffer(buffer, 'utf8') : buffer;
+    payload = isText ? Buffer.from(buffer, 'utf8') : buffer;
 
     if (code) {
       copy = payload;
-      payload = new Buffer(2 + copy.length);
+      payload = Buffer.allocUnsafe(2 + copy.length);
       payload.writeUInt16BE(code, 0);
       copy.copy(payload, 2);
     }
@@ -244,7 +240,7 @@ var instance = {
     var length = frame.length,
         header = (length <= 125) ? 2 : (length <= 65535 ? 4 : 10),
         offset = header + (frame.masked ? 4 : 0),
-        buffer = new Buffer(offset + length),
+        buffer = Buffer.allocUnsafe(offset + length),
         masked = frame.masked ? this.MASK : 0;
 
     buffer[0] = (frame.final ? this.FIN : 0) |
@@ -275,18 +271,28 @@ var instance = {
   },
 
   _handshakeResponse: function() {
-    try {
-      var extensions = this._extensions.generateResponse(this._request.headers['sec-websocket-extensions']);
-    } catch (e) {
-      return this._fail('protocol_error', e.message);
-    }
+    var secKey  = this._request.headers['sec-websocket-key'],
+        version = this._request.headers['sec-websocket-version'];
 
+    if (version !== Hybi.VERSION)
+      throw new Error('Unsupported WebSocket version: ' + version);
+
+    if (typeof secKey !== 'string')
+      throw new Error('Missing handshake request header: Sec-WebSocket-Key');
+
+    this._headers.set('Upgrade', 'websocket');
+    this._headers.set('Connection', 'Upgrade');
+    this._headers.set('Sec-WebSocket-Accept', Hybi.generateAccept(secKey));
+
+    if (this.protocol) this._headers.set('Sec-WebSocket-Protocol', this.protocol);
+
+    var extensions = this._extensions.generateResponse(this._request.headers['sec-websocket-extensions']);
     if (extensions) this._headers.set('Sec-WebSocket-Extensions', extensions);
 
     var start   = 'HTTP/1.1 101 Switching Protocols',
         headers = [start, this._headers.toString(), ''];
 
-    return new Buffer(headers.join('\r\n'), 'utf8');
+    return Buffer.from(headers.join('\r\n'), 'utf8');
   },
 
   _shutdown: function(code, reason, error) {

lib/websocket/driver/hybi/message.js

@@ -1,26 +1,19 @@
 'use strict';
 
+var Buffer = require('safe-buffer').Buffer;
+
 var Message = function() {
   this.rsv1    = false;
   this.rsv2    = false;
   this.rsv3    = false;
-  this.opcode  = null
+  this.opcode  = null;
   this.length  = 0;
   this._chunks = [];
 };
 
 var instance = {
   read: function() {
-    if (this.data) return this.data;
-
-    this.data  = new Buffer(this.length);
-    var offset = 0;
-
-    for (var i = 0, n = this._chunks.length; i < n; i++) {
-      this._chunks[i].copy(this.data, offset);
-      offset += this._chunks[i].length;
-    }
-    return this.data;
+    return this.data = this.data || Buffer.concat(this._chunks, this.length);
   },
 
   pushFrame: function(frame) {

lib/websocket/driver/proxy.js

@@ -1,13 +1,14 @@
 'use strict';
 
-var Stream     = require('stream').Stream,
+var Buffer     = require('safe-buffer').Buffer,
+    Stream     = require('stream').Stream,
     url        = require('url'),
     util       = require('util'),
     Base       = require('./base'),
     Headers    = require('./headers'),
     HttpParser = require('../http_parser');
 
-var PORTS = {'ws:': 80, 'wss:': 443};
+var PORTS = { 'ws:': 80, 'wss:': 443 };
 
 var Proxy = function(client, origin, options) {
   this._client  = client;
@@ -25,7 +26,7 @@ var Proxy = function(client, origin, options) {
   this._headers.set('Connection', 'keep-alive');
   this._headers.set('Proxy-Connection', 'keep-alive');
 
-  var auth = this._url.auth && new Buffer(this._url.auth, 'utf8').toString('base64');
+  var auth = this._url.auth && Buffer.from(this._url.auth, 'utf8').toString('base64');
   if (auth) this._headers.set('Proxy-Authorization', 'Basic ' + auth);
 };
 util.inherits(Proxy, Stream);
@@ -47,7 +48,7 @@ var instance = {
 
     var headers = [start, this._headers.toString(), ''];
 
-    this.emit('data', new Buffer(headers.join('\r\n'), 'utf8'));
+    this.emit('data', Buffer.from(headers.join('\r\n'), 'utf8'));
     return true;
   },
 

lib/websocket/driver/server.js

@@ -71,54 +71,6 @@ var instance = {
 for (var key in instance)
   Server.prototype[key] = instance[key];
 
-Server.http = function(request, options) {
-  options = options || {};
-  if (options.requireMasking === undefined) options.requireMasking = true;
-
-  var klass = this.getDriverClass(request),
-      url   = this.determineUrl(request);
-
-  return klass && new klass(request, url, options);
-};
-
-Server.isWebSocket = function(request) {
-  var klass = this.getDriverClass(request);
-  return !!klass;
-};
-
-Server.getDriverClass = function(request) {
-  var headers = request.headers;
-
-  var connection = headers['connection'] || '',
-      key        = headers['sec-websocket-key'],
-      key1       = headers['sec-websocket-key1'],
-      key2       = headers['sec-websocket-key2'],
-      origin     = headers['origin'],
-      upgrade    = headers['upgrade'] || '',
-      version    = headers['sec-websocket-version'];
-
-  if (request.method !== 'GET' ||
-      connection.toLowerCase().split(/ *, */).indexOf('upgrade') < 0 ||
-      upgrade.toLowerCase() !== 'websocket')
-    return null;
-
-  if (typeof version === 'string' || typeof key === 'string')
-    return (version === '13' && key.length > 0) ? Hybi : null;
-
-  if (typeof origin !== 'string' || origin.length === 0)
-    return null;
-
-  if (typeof key1 === 'string' && typeof key2 === 'string')
-    return Draft76;
-
-  return Draft75;
-};
-
-Server.determineUrl = function(request) {
-  var scheme = this.isSecureRequest(request) ? 'wss:' : 'ws:';
-  return scheme + '//' + request.headers.host + request.url;
-};
-
 Server.isSecureRequest = function(request) {
   if (request.connection && request.connection.authorized !== undefined) return true;
   if (request.socket && request.socket.secure) return true;
@@ -133,4 +85,28 @@ Server.isSecureRequest = function(request) {
   return false;
 };
 
+Server.determineUrl = function(request) {
+  var scheme = this.isSecureRequest(request) ? 'wss:' : 'ws:';
+  return scheme + '//' + request.headers.host + request.url;
+};
+
+Server.http = function(request, options) {
+  options = options || {};
+  if (options.requireMasking === undefined) options.requireMasking = true;
+
+  var headers = request.headers,
+      version = headers['sec-websocket-version'],
+      key     = headers['sec-websocket-key'],
+      key1    = headers['sec-websocket-key1'],
+      key2    = headers['sec-websocket-key2'],
+      url     = this.determineUrl(request);
+
+  if (version || key)
+    return new Hybi(request, url, options);
+  else if (key1 || key2)
+    return new Draft76(request, url, options);
+  else
+    return new Draft75(request, url, options);
+};
+
 module.exports = Server;

lib/websocket/driver/stream_reader.js

@@ -1,5 +1,7 @@
 'use strict';
 
+var Buffer = require('safe-buffer').Buffer;
+
 var StreamReader = function() {
   this._queue     = [];
   this._queueSize = 0;
@@ -8,14 +10,14 @@ var StreamReader = function() {
 
 StreamReader.prototype.put = function(buffer) {
   if (!buffer || buffer.length === 0) return;
-  if (!buffer.copy) buffer = new Buffer(buffer);
+  if (!Buffer.isBuffer(buffer)) buffer = Buffer.from(buffer);
   this._queue.push(buffer);
   this._queueSize += buffer.length;
 };
 
 StreamReader.prototype.read = function(length) {
   if (length > this._queueSize) return null;
-  if (length === 0) return new Buffer(0);
+  if (length === 0) return Buffer.alloc(0);
 
   this._queueSize -= length;
 
@@ -44,7 +46,7 @@ StreamReader.prototype.read = function(length) {
     buffers.push(queue[0].slice(0, remain));
     queue[0] = queue[0].slice(remain);
   }
-  return this._concat(buffers, length);
+  return Buffer.concat(buffers, length);
 };
 
 StreamReader.prototype.eachByte = function(callback, context) {
@@ -64,17 +66,4 @@ StreamReader.prototype.eachByte = function(callback, context) {
   }
 };
 
-StreamReader.prototype._concat = function(buffers, length) {
-  if (Buffer.concat) return Buffer.concat(buffers, length);
-
-  var buffer = new Buffer(length),
-      offset = 0;
-
-  for (var i = 0, n = buffers.length; i < n; i++) {
-    buffers[i].copy(buffer, offset);
-    offset += buffers[i].length;
-  }
-  return buffer;
-};
-
 module.exports = StreamReader;

lib/websocket/http_parser.js

@@ -1,8 +1,7 @@
 'use strict';
 
-var NodeHTTPParser = require('http-parser-js').HTTPParser;
-
-var VERSION = process.version.match(/[0-9]+/g).map(function(n) { return parseInt(n, 10) });
+var NodeHTTPParser = require('http-parser-js').HTTPParser,
+    Buffer         = require('safe-buffer').Buffer;
 
 var TYPES = {
   request:  NodeHTTPParser.REQUEST  || 'request',
@@ -97,6 +96,10 @@ HttpParser.METHODS = {
   32: 'UNLINK'
 };
 
+var VERSION = (process.version || '')
+              .match(/[0-9]+/g)
+              .map(function(n) { return parseInt(n, 10) });
+
 if (VERSION[0] === 0 && VERSION[1] === 12) {
   HttpParser.METHODS[16] = 'REPORT';
   HttpParser.METHODS[17] = 'MKACTIVITY';
@@ -123,12 +126,10 @@ HttpParser.prototype.parse = function(chunk) {
     return;
   }
 
-  if (VERSION[0] === 0 && VERSION[1] < 6) consumed += 1;
-
   if (this._complete)
     this.body = (consumed < chunk.length)
               ? chunk.slice(consumed)
-              : new Buffer(0);
+              : Buffer.alloc(0);
 };
 
 module.exports = HttpParser;

package.json

@@ -1,27 +1,35 @@
-{ "name"            : "websocket-driver"
-, "description"     : "WebSocket protocol handler with pluggable I/O"
-, "homepage"        : "https://github.com/faye/websocket-driver-node"
-, "author"          : "James Coglan <jcoglan@gmail.com> (http://jcoglan.com/)"
-, "keywords"        : ["websocket"]
-, "license"         : "MIT"
-
-, "version"         : "0.7.0"
-, "engines"         : { "node": ">=0.8.0" }
-, "files"           : ["lib"]
-, "main"            : "./lib/websocket/driver"
-
-, "dependencies"    : { "http-parser-js": ">=0.4.0"
-                      , "websocket-extensions": ">=0.1.1"
-                      }
-, "devDependencies" : { "jstest": "*"
-                      , "permessage-deflate": "*"
-                      }
-
-, "scripts"         : { "test": "jstest spec/runner.js" }
-
-, "repository"      : { "type"  : "git"
-                      , "url"   : "git://github.com/faye/websocket-driver-node.git"
-                      }
-
-, "bugs"            : "https://github.com/faye/websocket-driver-node/issues"
+{
+          "name": "websocket-driver",
+          "description": "WebSocket protocol handler with pluggable I/O",
+          "homepage": "https://github.com/faye/websocket-driver-node",
+          "author": "James Coglan <jcoglan@gmail.com> (http://jcoglan.com/)",
+          "keywords": [
+                    "websocket"
+          ],
+          "license": "Apache-2.0",
+          "version": "0.7.3",
+          "engines": {
+                    "node": ">=0.8.0"
+          },
+          "files": [
+                    "lib"
+          ],
+          "main": "./lib/websocket/driver",
+          "dependencies": {
+                    "http-parser-js": ">=0.4.0 <0.4.11",
+                    "safe-buffer": ">=5.1.0",
+                    "websocket-extensions": ">=0.1.1"
+          },
+          "devDependencies": {
+                    "jstest": "*",
+                    "permessage-deflate": "*"
+          },
+          "scripts": {
+                    "test": "jstest spec/runner.js"
+          },
+          "repository": {
+                    "type": "git",
+                    "url": "git://github.com/faye/websocket-driver-node.git"
+          },
+          "bugs": "https://github.com/faye/websocket-driver-node/issues"
 }

spec/runner.js

@@ -1,11 +1,10 @@
-var test   = require('jstest').Test,
+var Buffer = require('safe-buffer').Buffer,
+    test   = require('jstest').Test,
     Stream = require('stream').Stream,
     util   = require('util')
 
 var BufferMatcher = function(data) {
-  this._data = (typeof data === 'string')
-             ? new Buffer(data, 'utf8')
-             : new Buffer(data)
+  this._data = Buffer.from(data)
 }
 BufferMatcher.prototype.equals = function(other) {
   if (this._data.length !== other.length) return false;

spec/websocket/driver/client_spec.js

@@ -1,9 +1,10 @@
 var Client = require("../../../lib/websocket/driver/client"),
+    Buffer = require('safe-buffer').Buffer,
     test   = require('jstest').Test
 
 test.describe("Client", function() { with(this) {
     define("options", function() {
-    return this._options = this._options || {protocols: this.protocols()}
+    return this._options = this._options || { protocols: this.protocols() }
   })
 
   define("protocols", function() {
@@ -190,21 +191,21 @@ test.describe("Client", function() { with(this) {
 
       it("returns true when the response is written", function() { with(this) {
         // this prevents downstream connections suddenly closing for no reason
-        assertEqual( true, proxy.write(new Buffer("HTTP/1.1 200 OK\r\n\r\n")) )
+        assertEqual( true, proxy.write(Buffer.from("HTTP/1.1 200 OK\r\n\r\n")) )
       }})
 
       it("emits a 'connect' event when the proxy connects", function() { with(this) {
         expect(proxy, "emit").given("connect", anything())
         expect(proxy, "emit").given("close")
         expect(proxy, "emit").given("end")
-        proxy.write(new Buffer("HTTP/1.1 200 OK\r\n\r\n"))
+        proxy.write(Buffer.from("HTTP/1.1 200 OK\r\n\r\n"))
       }})
 
       it("emits an 'error' event if the proxy does not connect", function() { with(this) {
-        expect(proxy, "emit").given("error", objectIncluding({message: "Can't establish a connection to the server at ws://www.example.com/socket"}))
+        expect(proxy, "emit").given("error", objectIncluding({ message: "Can't establish a connection to the server at ws://www.example.com/socket" }))
         expect(proxy, "emit").given("close")
         expect(proxy, "emit").given("end")
-        proxy.write(new Buffer("HTTP/1.1 403 Forbidden\r\n\r\n"))
+        proxy.write(Buffer.from("HTTP/1.1 403 Forbidden\r\n\r\n"))
       }})
     }})
   }})
@@ -213,7 +214,7 @@ test.describe("Client", function() { with(this) {
     before(function() { this.driver().start() })
 
     describe("with a valid response", function() { with(this) {
-      before(function() { this.driver().parse(new Buffer(this.response())) })
+      before(function() { this.driver().parse(Buffer.from(this.response())) })
 
       it("changes the state to open", function() { with(this) {
         assertEqual( true, open )
@@ -232,9 +233,9 @@ test.describe("Client", function() { with(this) {
 
     describe("with a valid response followed by a frame", function() { with(this) {
       before(function() { with(this) {
-        var resp = new Buffer(response().length + 4)
-        new Buffer(response()).copy(resp)
-        new Buffer([0x81, 0x02, 72, 105]).copy(resp, resp.length - 4)
+        var resp = Buffer.alloc(response().length + 4)
+        Buffer.from(response()).copy(resp)
+        Buffer.from([0x81, 0x02, 72, 105]).copy(resp, resp.length - 4)
         driver().parse(resp)
       }})
 
@@ -252,7 +253,7 @@ test.describe("Client", function() { with(this) {
     describe("with a bad status line", function() { with(this) {
       before(function() {
         var resp = this.response().replace(/101/g, "4")
-        this.driver().parse(new Buffer(resp))
+        this.driver().parse(Buffer.from(resp))
       })
 
       it("changes the state to closed", function() { with(this) {
@@ -266,7 +267,7 @@ test.describe("Client", function() { with(this) {
     describe("with a bad Upgrade header", function() { with(this) {
       before(function() {
         var resp = this.response().replace(/websocket/g, "wrong")
-        this.driver().parse(new Buffer(resp))
+        this.driver().parse(Buffer.from(resp))
       })
 
       it("changes the state to closed", function() { with(this) {
@@ -280,7 +281,7 @@ test.describe("Client", function() { with(this) {
     describe("with a bad Accept header", function() { with(this) {
       before(function() {
         var resp = this.response().replace(/QV3/g, "wrong")
-        this.driver().parse(new Buffer(resp))
+        this.driver().parse(Buffer.from(resp))
       })
 
       it("changes the state to closed", function() { with(this) {
@@ -296,7 +297,7 @@ test.describe("Client", function() { with(this) {
 
       before(function() {
         var resp = this.response().replace(/\r\n\r\n/, "\r\nSec-WebSocket-Protocol: xmpp\r\n\r\n")
-        this.driver().parse(new Buffer(resp))
+        this.driver().parse(Buffer.from(resp))
       })
 
       it("changs the state to open", function() { with(this) {
@@ -315,7 +316,7 @@ test.describe("Client", function() { with(this) {
 
       before(function() {
         var resp = this.response().replace(/\r\n\r\n/, "\r\nSec-WebSocket-Protocol: irc\r\n\r\n")
-        this.driver().parse(new Buffer(resp))
+        this.driver().parse(Buffer.from(resp))
       })
 
       it("changs the state to closed", function() { with(this) {

spec/websocket/driver/draft75_spec.js

@@ -4,6 +4,7 @@ var Draft75 = require("../../../lib/websocket/driver/draft75"),
 test.describe("Draft75", function() { with(this) {
   define("request", function() {
     return this._request = this._request || {
+      method: "GET",
       headers: {
         "connection": "Upgrade",
         "upgrade":    "WebSocket",
@@ -13,7 +14,7 @@ test.describe("Draft75", function() { with(this) {
   })
 
   define("options", function() {
-    return this._options = this._options || {masking: false}
+    return this._options = this._options || { masking: false }
   })
 
   define("driver", function() {

spec/websocket/driver/draft76_spec.js

@@ -1,8 +1,9 @@
 var Draft76 = require("../../../lib/websocket/driver/draft76"),
+    Buffer  = require('safe-buffer').Buffer,
     test    = require('jstest').Test
 
 test.describe("Draft76", function() { with(this) {
-  BODY = new Buffer([0x91, 0x25, 0x3e, 0xd3, 0xa9, 0xe7, 0x6a, 0x88])
+  BODY = Buffer.from([0x91, 0x25, 0x3e, 0xd3, 0xa9, 0xe7, 0x6a, 0x88])
 
   define("body", function() {
     return BODY
@@ -14,6 +15,7 @@ test.describe("Draft76", function() { with(this) {
 
   define("request", function() {
     return this._request = this._request || {
+      method: "GET",
       headers: {
         "connection":         "Upgrade",
         "upgrade":            "WebSocket",
@@ -25,7 +27,7 @@ test.describe("Draft76", function() { with(this) {
   })
 
   define("options", function() {
-    return this._options = this._options || {masking: false}
+    return this._options = this._options || { masking: false }
   })
 
   define("driver", function() {
@@ -88,8 +90,13 @@ test.describe("Draft76", function() { with(this) {
           request().headers["sec-websocket-key1"] = "2 L785 8o% s9Sy9@V. 4<1P5"
         }})
 
-        it("writes a closing frame to the socket", function() { with(this) {
-          expect(driver().io, "emit").given("data", buffer([0xff, 0x00]))
+        it("writes a handshake error response", function() { with(this) {
+          expect(driver().io, "emit").given("data", buffer(
+              "HTTP/1.1 400 Bad Request\r\n" +
+              "Content-Type: text/plain\r\n" +
+              "Content-Length: 45\r\n" +
+              "\r\n" +
+              "Client sent invalid Sec-WebSocket-Key headers"))
           driver().start()
         }})
 
@@ -143,7 +150,7 @@ test.describe("Draft76", function() { with(this) {
 
     describe("with no request body", function() { with(this) {
       define("body", function() {
-        return new Buffer([])
+        return Buffer.alloc(0)
       })
 
       it("writes the handshake response with no body", function() { with(this) {

spec/websocket/driver/hybi_spec.js

@@ -4,6 +4,7 @@ var Hybi = require("../../../lib/websocket/driver/hybi"),
 test.describe("Hybi", function() { with(this) {
   define("request", function() {
     return this._request = this._request || {
+      method: "GET",
       headers: {
         "connection":             "Upgrade",
         "upgrade":                "websocket",
@@ -16,7 +17,7 @@ test.describe("Hybi", function() { with(this) {
   })
 
   define("options", function() {
-    return this._options = this._options || {masking: false}
+    return this._options = this._options || { masking: false }
   })
 
   define("driver", function() {
@@ -84,8 +85,13 @@ test.describe("Hybi", function() { with(this) {
           request().headers["sec-websocket-extensions"] = "x-webkit- -frame"
         }})
 
-        it("does not write a handshake", function() { with(this) {
-          expect(driver().io, "emit").exactly(0)
+        it("writes a handshake error response", function() { with(this) {
+          expect(driver().io, "emit").given("data", buffer(
+              "HTTP/1.1 400 Bad Request\r\n" +
+              "Content-Type: text/plain\r\n" +
+              "Content-Length: 57\r\n" +
+              "\r\n" +
+              "Invalid Sec-WebSocket-Extensions header: x-webkit- -frame"))
           driver().start()
         }})
 
@@ -115,13 +121,13 @@ test.describe("Hybi", function() { with(this) {
           driver().setHeader("Authorization", "Bearer WAT")
         }})
 
-        it("writes the handshake with Sec-WebSocket-Protocol", function() { with(this) {
+        it("writes the handshake with the custom headers", function() { with(this) {
           expect(driver().io, "emit").given("data", buffer(
               "HTTP/1.1 101 Switching Protocols\r\n" +
+              "Authorization: Bearer WAT\r\n" +
               "Upgrade: websocket\r\n" +
               "Connection: Upgrade\r\n" +
               "Sec-WebSocket-Accept: JdiiuafpBKRqD7eol0y4vJDTsTs=\r\n" +
-              "Authorization: Bearer WAT\r\n" +
               "\r\n"))
           driver().start()
         }})