The JavaScript blog.


libraries node modules http network security

Node Roundup: Building Node.js Together, node-libnmap, httpolyglot

Posted on .

Building Node.js Together

TJ Fontaine wrote about Node from a release management perspective on the official Node blog, in Building Node.js Together. It covers documentation, code quality, and the growing team of core contributors and contributors that are employed full-time to work on Node:

For instance, Chris Dickinson was recently hired to work full time on Node.js, and has expressed interest in working on the current and future state of streams. But it's not who employs Chris that makes him an ideal candidate, but it will be the quality of his contributions, and his understanding of the ethos of Node.js. That's how we find members of the team.


The evilscan module uses JavaScript to enumerate over TCP ports. node-libnmap (GitHub: jas- / node-libnmap, License: MIT, npm: node-libnmap) by Jason Gerfen is an alternative that uses the nmap binary.

It will return results as JavaScript objects, so you should be able to process the output fairly easily. A basic scan looks like this:

var libnmap = require('libnmap');

var opts = {  
  range: ['localhost', '', '']

libnmap.nmap('scan', opts, function(err, report){  
  if (err) throw err


httpolyglot (GitHub: mscdex / httpolyglot, License: MIT, npm: httpolyglot) by Brian White allows you to start a server that accepts both HTTP and HTTPS connections on the same port.

It works by sniffing the first byte of the stream to see if TLS is required:

var firstByte = data[0];  
if (firstByte < 32 || firstByte >= 127) {  
  // tls/ssl
} else


irc node modules security talks slides

Node Roundup: 0.10.24, irc-message-stream, 100% Uptime

Posted on .

Node 0.10.24 Released

Node 0.10.24 was released soon after 0.10.23. It updates uv and npm, but presumably this release was due to CVE-2013-6639 and CVE-2013-6640. These are security related patches for V8:

... allows remote attackers to cause a denial of service (out-of-bounds read) via JavaScript code that sets a variable to the value of an array element with a crafted index

If you run this example in Node 0.10.22 you should see a segfault.

var size = 0x20000;  
var a = new Float64Array(size);  
var training = new Float64Array(10);

function store(a, index) {  
  var offset = 0x20000000;
  for (var i = 0; i < 1; i++) {
    a[index + offset] = 0xcc;

store(training, -0x20000000);  
store(training, -0x20000000 + 1);  
store(training, -0x20000000);  
store(training, -0x20000000 + 1);

for (var i = -0x20000000; i < -0x20000000 + size; i++) {  
  store(a, i);


irc-message (GitHub: expr / irc-message, License: BSD 2-Clause, npm: irc-message) by Fionn Kelleher is a small parser that outputs objects based on RFC1459. The author has used it to create irc-message-stream, which is a transform stream.

That means you can take a socket connection to an IRC server and pipe it through your own stream handlers:

var net = require('net');  
var MessageStream = require('irc-message-stream');  
var messageStream = new MessageStream();

messageStream.on('line', function(line) {  
  console.log('Raw line:', line);

messageStream.on('data', function(message) {  
  console.log('Parsed message:', JSON.stringify(message));

var socket = net.connect(6667, 'irc.freenode.net');  

I think this is a great way to handle IRC in Node -- taking advantage of the newer streams API seems a lot more idiomatic than other approaches that I've seen (and made!).

Towards 100% Uptime with Node

William sent in his slides for a talk called Towards 100% Uptime with Node. The slides cover the difficulties of handling uncaught exceptions in a cluster of Node processes, and ensuring that every request has a response, even if it's to report an error.

One of the tips he mentions is to be able to generate errors on demand for development and staging. I do this in my tests -- if critical paths are expected to throw exceptions, emit 'error' events, or return error objects to callbacks, then all of these eventualities should be hit as part of automated testing.

The Node applications I work on for my day job are hosted on Heroku, and I've found you have to be extremely careful with code that throws errors and causes the process to stop. Sometimes Heroku gets confused about the state of a process and won't gracefully restart it, so a worker just hangs for an undefined amount of time. The way I stopped this was to fix all the bugs, which sounds like an obvious thing to say, but it took lots of log file archaeology. Coincidentally, Heroku's default logging is inadequate, so you have to send logs to a syslog daemon somewhere, or a service like Loggly (which I preferred to Splunk).


security google-drive

Drake: Password Syncing with Google Drive

Posted on .

Drake (GitHub: marksteve / drake, License: MIT) by Mark Steve Samson is a password management tool. It syncs with Google Drive, and uses SJCL for client-side encryption.


It has a simple password generation feature -- it just creates a random string, so you can select a portion from it. It would be nice if it had some options for length and punctuation like 1Password.

The interesting thing about Drake is it's entirely client-side. It uses Google's APIs to sync data, but runs in your browser. Mark said he developed it using Chrome, so it could be a password management solution for Chromebook users who don't want to sync all of their passwords using Chrome's built-in system.

The code is organised using TJ Holowaychuk's Component project, and can be built locally using make.


node modules security

Bitcoins and JavaScript

Posted on .


Bitcoin might seem like a crazy cryptocurrency, mainly because it is, but it's also becoming more widely adopted. I find it fascinating because it feels like I'm finally living in a 90s Neal Stephenson or William Gibson novel, although the possibility of making online payments outside of the standard merchant account/bank model has its appeal.

I've been researching the state of bitcoin payments in JavaScript to see how easy it is to set up. The first thing I found was CoinWidget -- this allows you to accept donations using client-side JavaScript. I've added a widget to DailyJS in case you want to donate, but it should be easy enough to add to your own sites as well.

Address validation

A bitcoin address includes a four byte checksum, which means addresses can be validated without talking to any servers. The bitcoin-address module (GitHub: shtylman / bitcoin-address, npm: bitcoin-address) by Roman Shtylman implements the algorithm: a double SHA-256 digest of the 21 bytes before the checksum is calculated to validate the address.

var btcAddr = require('bitcoin-address');  
// true

Addresses are encoded with base 58, so Roman's module includes his own decoding library. He also uses Node Buffer objects to work with the decoded data. Node's crypto core module is used to create SHA-256 hashes.


If you install a wallet like Bitcoin-QT, you should get bitcoind running in the background. This has an optional JSON API. There are several npm modules for this API, like: bitcoin. This allows you to query the daemon for transactions, account balances, and you can even create backups of wallets. There's a full API call list on the Bitcoin wiki.

Accepting payments

There's no easy way to accept payments for web-based transactions, because you really need to talk to a bitcoin wallet to see if a customer's payment has been made. I've seen people hosting Java-based wallets on Heroku, and wallets usually have APIs that we can talk to from Node, but this isn't exactly ideal.


That's where bitcoin merchants come in. They handle all the messy stuff so you can keep your web application code simple. Popular merchants with sensible APIs include BIPS and Coinbase.

This is the BIPS REST API (PDF), and the Coinbase API. There are Coinbase modules on npm and a BIPS API library.


Exchanges, like the infamous Mt.Gox, also have APIs. Through exchanges you can track interesting information about bitcoins, particularly exchange rate values, and some even allow trades to be made. There's an Mt.Gox module on npm, which is light on documentation: check out MtGox/API for a general overview.

If you've written any bitcoin-related Node or client-side projects, send them in!


node modules security crypto vim

Node Roundup: 0.11.5, nvi, signobj

Posted on .

You can send in your Node projects for review through our contact form.

Node 0.11.5

Node 0.11.5 was released this week. This unstable version updates v8 and uv. It also includes fixes for buffer, child_process, dgram, fs, https, openssl, os, tls, and util.

The patch for fs by Trevor Norris is interesting (pull request) -- rather than writing strings to a buffer and then the disk, it changes fs.js and src/node_file.cc to write directly to the disk instead.


nvi (GitHub: mikesmullin / nvi, License: GPLv3, npm: nvi) by Mike Smullin is a 'very opinionated Vi clone'. I tried installing it with npm install -g nvi, but it wouldn't run; I had to check out the repository manually. It doesn't clone Vi or Vim in a way that I think it's fair to call 'clone' -- I can't seem to get hjkl to move the cursor, and the modes have been changed to include 'COMBO' mode instead of Normal mode which makes using it extremely confusing for a seasoned Vim veteran.

Despite all that, and the fact that the name nvi is a bad choice, I find the project interesting because making complex text user interfaces isn't an easy task. Also, Mike's nvi is focused on collaborative features, which potentially makes Node a great fit.


Django has a cryptographic API for setting and reading signed cookies, and presumably you can also use this to sign API responses for RESTful JSON APIs. Inspired by this, signobj (GitHub: Submersible / node-signobj, License: MIT, npm: signobj by Ryan Munro allows you to sign JSON data with a SHA-1 HMAC:

signobj() - Signs data with secret, you can also pass in some extra hidden data that is used when hashing. This can be useful if you're creating an access token, and you want it to become invalid when they change their password, and also don't want the password with the public data.

Ryan said he's been using it to sign cookies and localStorage sessions.