fix(sdk-js)[FDE-148]: sanitize ws close codes in browser on live session destroy#43
fix(sdk-js)[FDE-148]: sanitize ws close codes in browser on live session destroy#43egenthon-cmd wants to merge 2 commits into
Conversation
|
Warning Review limit reached
Next review available in: 50 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughAdds browser-safe WebSocket close-code sanitization in wsClient.ts via a new safeWsClose helper and pendingClose state tracking, updating close()/connect()/onopen/onclose paths accordingly. Wraps LiveV2Session's abort-triggered webSocketSession.close() call in try/catch. Adds corresponding tests in both files. ChangesWebSocket close-code sanitization fix
Estimated code review effort: 3 (Moderate) | ~25 minutes Possibly related issues
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
packages/sdk-js/src/network/wsClient.test.ts (1)
766-791: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winTest does not exercise the
catchfallback it claims to cover.With
window/documentstubbed,session.close(1006, …)routes throughsafeWsClose, which sanitizes1006→1000before callingws.close. Since the mock only throws forcode !== 1000,ws.close(1000)never throws, so thetry/catchfallback insafeWsCloseis never triggered. The assertions pass purely via sanitization, making this effectively a duplicate of the previous test rather than a test ofInvalidAccessErrorrecovery.To actually cover the catch path, make the mock throw on the sanitized code too (forcing the inner
ws.close(1000)retry), or drive the fallback in a non-browser environment where sanitization is skipped.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/sdk-js/src/network/wsClient.test.ts` around lines 766 - 791, The `WebSocketClient` browser-close test is only verifying sanitization, not the `InvalidAccessError` fallback in `safeWsClose`. Update the `ws.close` mock in this test so it also throws when called with the sanitized close code, forcing the retry/catch path to execute. Keep the existing `WebSocketClient`, `createSession`, and `session.close` flow, but adjust the mock and assertions so the test truly covers recovery from `DOMException('InvalidAccessError')` rather than duplicating the previous case.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@packages/sdk-js/src/network/wsClient.test.ts`:
- Around line 766-791: The `WebSocketClient` browser-close test is only
verifying sanitization, not the `InvalidAccessError` fallback in `safeWsClose`.
Update the `ws.close` mock in this test so it also throws when called with the
sanitized close code, forcing the retry/catch path to execute. Keep the existing
`WebSocketClient`, `createSession`, and `session.close` flow, but adjust the
mock and assertions so the test truly covers recovery from
`DOMException('InvalidAccessError')` rather than duplicating the previous case.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 3aa7cfa1-6df7-42dc-bf3e-b1b823e6e2d9
📒 Files selected for processing (4)
packages/sdk-js/src/network/wsClient.test.tspackages/sdk-js/src/network/wsClient.tspackages/sdk-js/src/v2/live/session.test.tspackages/sdk-js/src/v2/live/session.ts
|
any reason is this fix only implemented in typescript, and not in python ? |
|
@karamouche Yes, because the pb is a browser-only WebSocket API constraint. |
Fixes an uncatchable InvalidAccessError when destroying a LiveV2Session in the browser. WebSocketSession.close() was passing reserved close codes (1001, 1006, etc.) directly to WebSocket.close(), which browsers only allow for 1000 or 3000–4999.
Sanitize close codes in browser via safeWsClose(); keep the original code/reason in onclose callbacks
Wrap the abort listener’s close() in try/catch so errors don’t bubble to window.onerror
Summary by CodeRabbit