chore(deps): Upgrading socket.io packages (#946)

BREAKING CHANGES: Previously the boardgame.io server accepted requests from any origin. After this change, you must set an `origins` argument when creating the server specifying the origins that are allowed to connect to your server. See the Server reference page for more details: https://boardgame.io/documentation/#/api/Server


* upgrading socket.io server and client packages as well the koa-socket-2 package

* Upgrades socketio types

* Fix unit test

* Adds origins param to the Server API and fix CORS issue

* Use socket.io typing for origins server option

* docs: Update origins documentation

* feat: Log explanatory warning if origins option is undefined

* docs: Fix link to MDN CORS documentation

* chore(deps): deep update `ws` to fix ReDoS vulnerability

* feat: Provide default origins configurations

* docs: Document use of provided origins configurations

* chore: Use origins config in examples server

Co-authored-by: Vinny <[email protected]>
Co-authored-by: vdf.dev <[email protected]>
Co-authored-by: delucis <[email protected]>

Author: 3 people

docs/documentation/api/Server.md

@@ -16,20 +16,45 @@ be configured to run on a separate port.
 
 A config object with the following options:
 
-1. `games` (_array_): a list of game implementations
+1. `games` (_array_) (required): a list of game implementations
    (each should be an object conforming to the [Game API](/api/Game.md)).
 
-2. `db` (_object_): the [database connector](/storage).
+2. `origins` (_array_) (required): a list of allowed origins for
+    [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS "Cross-Origin Resource Sharing").
+    
+    The list can contain strings or regular expressions, matching the origins
+    that are allowed to access the game server. For example, this could be
+    `['https://example.com']` if that’s where your game is running. While
+    developing locally you probably want to allow any page running on localhost
+    to connect. boardgame.io provides default configurations to help with this:
+
+    ```js
+    const { Server, Origins } = require('boardgame.io/server');
+    
+    Server({
+      origins: [
+        // Allow your game site to connect.
+        'https://www.mygame.domain',
+        // Allow localhost to connect, except when NODE_ENV is 'production'.
+        Origins.LOCALHOST_IN_DEVELOPMENT
+      ],
+      // ...
+    });
+    ```
+
+[cors]: https://github.com/expressjs/cors#configuration-options
+
+3. `db` (_object_): the [database connector](/storage).
    If not provided, an in-memory implementation is used.
 
-3. `transport` (_object_): the transport implementation.
+4. `transport` (_object_): the transport implementation.
    If not provided, socket.io is used.
 
-4. `uuid` (_function_): an optional function that returns a unique identifier, used to create new game IDs and — if `generateCredentials` is not specified — player credentials. Defaults to [nanoid](https://www.npmjs.com/package/nanoid).
+5. `uuid` (_function_): an optional function that returns a unique identifier, used to create new game IDs and — if `generateCredentials` is not specified — player credentials. Defaults to [nanoid](https://www.npmjs.com/package/nanoid).
 
-5. `generateCredentials` (_function_): an optional function that returns player credentials to store in the game metadata and validate against. If not specified, the `uuid` function will be used.
+6. `generateCredentials` (_function_): an optional function that returns player credentials to store in the game metadata and validate against. If not specified, the `uuid` function will be used.
 
-6. `authenticateCredentials` (_function_): an optional function that tests if a player’s move is made with the correct credentials when using the default socket.io transport implementation.
+7. `authenticateCredentials` (_function_): an optional function that tests if a player’s move is made with the correct credentials when using the default socket.io transport implementation.
 
 #### Returns
 

docs/documentation/multiplayer.md

@@ -208,19 +208,30 @@ a server at the location specified, which is discussed below.
 ### Setting up the server
 
 We’ll create a new file at `src/server.js` to write our server code.
-In order to run the game master on a Node server, we import the
-boardgame.io server module and provide it with our `TicTacToe` game object.
+
+boardgame.io provides a server module that simplifies running the game
+master on a Node server. We import that module and configure it with our
+`TicTacToe` game object and a list of URL origins we want to allow to
+connect to the server. Later you would set `origins` with your game’s domain
+name, but for now we’ll import a default value that allows any locally served
+page to connect.
 
 ```js
 // src/server.js
-const { Server } = require('boardgame.io/server');
+const { Server, Origins } = require('boardgame.io/server');
 const { TicTacToe } = require('./Game');
 
-const server = Server({ games: [TicTacToe] });
+const server = Server({
+  games: [TicTacToe],
+  origins: [Origins.LOCALHOST],
+});
 
 server.run(8000);
 ```
 
+?> See [the Server reference page](api/Server.md) for more detail on
+   the various configuration options.
+
 Because `Game.js` is an ES module, we will use [esm](https://github.com/standard-things/esm)
 which enables us to use `import` statements in a Node environment:
 

examples/react-web/server.js

@@ -6,12 +6,15 @@
  * https://opensource.org/licenses/MIT.
  */
 
-import { Server } from 'boardgame.io/server';
+import { Server, Origins } from 'boardgame.io/server';
 import TicTacToe from './src/tic-tac-toe/game';
 import Chess from './src/chess/game';
 
 const PORT = process.env.PORT || 8000;
-const server = Server({ games: [TicTacToe, Chess] });
+const server = Server({
+  games: [TicTacToe, Chess],
+  origins: [Origins.LOCALHOST],
+});
 server.run(PORT, () => {
-  console.log(`Serving at: http://localhost:${PORT}/`);
+  console.log(`Serving at: http://localhost:${PORT}`);
 });