RocketChat
Last updated
Last updated
Ushanth Loganthan, Diksha Sharma, Madhav Malhotra, Muzaffer Birben and Sitting Lui
RocketChat is an open-source web chat platform built for communities and companies wanting to privately host their own chat service. It was named the top project at Black Duck’s Open Source Rookies of the Year in 2016[1]. RocketChat has over 17.2K stars on GitHub and more than 850 contributors. To help developers understand RocketChat, we first analyse the stakeholders and business goals and then describe RocketChat from various views and perspectives. The results from this research can used for new contributors to get an architectural insight into the RocketChat web application.
As a final project for the SEng480 - Documenting and Understanding Software Systems course at the University of Victoria, Team 4 is presenting the following document which is the analysis of RocketChat.
Communication has always been a necessity rather than a want. If we go back to ancient history, even the neanderthals created “language” in order to communicate amongst themselves. As humans evolved so did technology. In today’s day and age, everyone knows how to use a smart device, texting is used as main source of communication. Whether it be an education institute, business or non-profit organization; everyone keeps in touch with each other by using an application. Every successful team project requires strong communication between teammates; strong and reliable source of communication is required.
There are multiple chat platforms available for people to use and that’s where RocketChat comes in the play. RocketChat is a free open source web chat application, that allows team collaboration and communication. With the ability to send private messages to people within or outside your team, RocketChat makes sure that all the conversations are secure. It can potentially replace slack with the ultimate team chat software solution [1]. Some of the features of the application has are free audio, video conferencing, guest access, screen sharing, file sharing, LiveChat, LDAP Group Sync, two-factor authentication (2FA), E2E encryption, SSO and dozens of OAuth providers. RocketChat also has the ability to handle unlimited users, guests, messages, channels, files, and searches. The application is not only user friendly with simple yet sophisticated design. It also gives developers the facility to develop their own chat platform.RocketChat web application is written in JavaScript.
Over the past 3 months, team 4 has been analyzing the application, and RocketChat's code to better understand the thought process behind how the application was built. We stepped through various components throughout the terms from different perspectives and views. With this knowledge, we hope to contribute to the application by solving some of the issues that we encountered. In this report on Software Architecture, we provide an in-depth overview of the different components that our team looked at, the development process, and technical debts.
We worked in a team of five: Ushanth Loganthan, Diksha Sharma, Madhav Malhotra, Muzaffer Birben and Sitting Lui.
A stakeholder is a person, group or organization that has interest or concern in an organization. RocketChat is a very active community consisting of a very diverse group of stakeholders.This section identifies the important stakeholders who have a profound impact on the development RocketChat. The RocketChat stakeholders are represented in Table 1.
Table 1. Stakeholders of RocketChat
Role
Concerns
Acquirers
RocketChat / Gabriel Engel(founder)
Assessors
Communicators
Developers
RocketChat
Maintainers
RocketChat, OW2 community & over 600 contributors
Production Engineers
Suppliers
Support Staff
System Administrators
Testers
RocketChat & over 600 contributors
Users
RocketChat is a real time chat application that allows team collaboration and communication. It is an open source application that was developed using Meteor full stack framework. Users can run live client interface on desktop and mobile and can be used as an alternative to Slack. Following are the business goals of the RocketChat app:
One of the main business goals of RocketChat is to become a very well-known open source company in the world. Started as a small team, RocketChat has overgrown as a large scale enterprise with over 850 contributors and serves over 123,000 registered users.
Another goal of RocketChar is to implement plugins, add-ons, integration, and value-added services in the global app marketplace. The server is build in a manner that can be deployed in all the popular public and private clouds, along with hardware ranging from Raspberry Pi to clusters of high power servers. RocketChat features support for a large set of REST APIs and real-time streaming API. The chat services provided by RocketChat are seamless integration into web and mobile apps for iOS and Android. One of the most important features that RocketChat has is the ability to allow developers to develop their own chat platform.
RocketChat wants to provide solutions for organizations and communities to host their private chat services. It is is secure and features Off-Record Messaging which is highly secure for private messages. Every user of the application would have to be authenticated and messages are encrypted within the applications.
RocketChat lets clients to communicate over multiple servers and service deployment over federation. Unlike other chat applications, it would allow users to deploy chat web servers instantly. Currently, there are more than 100,000 servers which have been deployed and active.
RocketChat believes in helping everyone. Whether it be large organizations or non-profit and educational organizations. RocketChat helps large organizations by providing enterprise plugin with enhanced performance and scalability of the application. RocketChat also provides discounted rates for non-profit and educational organizations. Any non-profit charitable organizations, accredited educational institutions and student organizations that are affiliated with an educational institution are eligible to receive special discounted rates.
ASR’s are those requirements that play an important role determining the architecture of the system. Such requirements require special attention; however, not all requirements have equal significance with regards to the architecture[2]. As developers, we are responsible for the system doing what it’s supposed to do its functionality and how well it does its quality so we have to balance all of these concerns and we have to ensure that the architecture that we deliver and the system that we deliver based on the architecture balance everything and achieve everything at least that’s our goal as developers the most important quality attributes In this section, we first highlighted several significant ASR’s of Rocketchat and created a utility tree and quality attributes scenarios that are related to ASR’s. The following are examples of ASR’s:
Rocket chat is deployable on cloud platform.
Enable secure communities between different parties.
The application should be deployable on personal servers.
System evolves through open source contribution.
System is deployable in enterprises and government agencies.
All messages should be secured and encrypted.
The system is capable of capturing errors, bugs and crashes.
A utility tree provides a top-down mechanism for directly and efficiently translating the business drivers of a system into concrete quality attribute scenarios[3]. Before we can assess the architecture, these system goals must be made more specific and more concrete. Moreover, we need to understand the relative importance of these goals versus other quality attribute goals, such as availability, security, testability and modifiability, to determine where we should focus our attention during the architecture evaluation. A utility tree helps to concretize and prioritize quality goals. Figure 1 is an example of a utility tree.
Figure 1. Utility Tree
General scenarios provide a framework for generating a large number of generic, system-independent, quality-attribute-specific scenarios[4]. It is an analytic method for identifying various quality attribute requirements applicable to the system by analysing scenarios in order to evaluate system quality. We determined some of the functional requirements and specified quality attributes scenarios that are relevant to the requirements.
Availability can be the amount of time the system is functioning.The system availability can be affected if there are system errors, infrastructure problems, malicious attacks, and system load. Rocket chat is a communication application and it requires high availability to its users. Any system failures of the application can interrupt the communication between users.
Table 2. QAS for availability in template form
Aspect
Detail
Scenario Name
Application crash
Business goal
High availability
Quality attributes
Availability
Stimulus
Rocket chat application crash
Stimulus source
User who uses the application
Response
Log the failure of the crash and continue to function in normal mode
Response measure
Unavailability time interval
Security can be the system's ability to resist unauthorized usage while still providing its services to legitimate users. Any unauthorised users can hack into data or services or can prevent the legitimate users to access the services of the system.
One of the important business goal of Rocket chat is to secure the messages and information database of the users.
Table 3. QAS for security in template form
Aspect
Detail
Scenario Name
Attack on the system
Business goal
Secured Messages
Quality attributes
Security
Stimulus
Denial of service (DDOS) attacks
Stimulus source
Unknown identity
Response
Detect and classify the legitimate users of the system and inform them about the attack to protect themselves
Response measure
Detection time, Time to mitigation
Software testability refers to the ease with which software can be made to demonstrate its faults through (typically execution-based) testing. In particular, testability refers to the probability, assuming that the software has at least one fault, that it will fail on its next test execution. It can be measure of how easy it is to create test criteria for the system and its components
Table 4. QAS for testability in template form
Aspect
Detail
Scenario Name
Testing
Business goal
Ensuring reliability
Quality attributes
Testability
Stimulus
Subsystem integration completed
Stimulus source
Unit developer
Response
Prepares test environment
Response measure
Time to prepare test environment
Modifiability is about the cost of change. It brings up two concerns. What to change & when to change and by whom.
Table 5. QAS for modifiability in template form
Aspect
Detail
Scenario Name
Change in the UI
Business goal
Improving the efficiency
Quality attributes
Modifiability
Stimulus
Wishes to change the UI
Stimulus source
Developer
Response
Change made and tested
Response measure
In seven hours
A module view is a representation of a coherent set of architectural elements, as written by and read by system stakeholders. It consists of a representation of a set of elements and the relations among them. A structure is the set of elements itself, as they exist in software or hardware. For example, a module structure is the set of the system's modules and their organization. A module view is the representation of that structure, as documented by and used by some system stakeholders[5]. We chose modifiability as a quality attribute to be a representation of a set of elements and its relations with the system architecture.
Primary presentation shows the elements and the relationship amongst them that populate the view. The primary presentation shown in Figure 2. represents how modules interact with each other and indicates the external dependent packages.
Figure 2. Primary Presentation for Module View
Element catalog lists the modules and relationship amongst each other in the primary presentation. Element catalog shown in Table 6. was omitted from the primary presentation shown in Figure 2.
Table 6. Element catalog for primary presentation
Element Name
Description
RocketChat
The business logic for RocketChat stays in this module. Creating channels, private groups, send direct messages using OTR, integrating with the third party for OAuth, IRC (Internet Relay Chat) are some functionality implemented in this module.
RocketChat-lib
This package contains the main libraries of RocketChat. The APIs such as RocketChat settings, room types, accountbox, functions, methods, and publications are included in this package.
RocketChat-IRC
Internet Relay Chat (IRC) is a text-based group communication tool. Users join uniquely named channels, or rooms, for open discussion. IRC also supports private messages between individual users and file sharing capabilities. This package integrates these layers of functionality with RocketChat.
Twilio SMS service
This service is used to send and receive SMS messages within live chat used in RocketChat. It uses HTTP application protocol for communication. The RocketChat-SMS module uses the REST(Representational State Transfer) interface to communicate with the Twilio SMS service.
meteor-buildpack-horse
This is an external module imported from Meteor framework which uses Heroku (Paas) for deployment.
Heroku
Heroku is used to deploy the application. It uses git remote URL of the application for deployment.
Underscore
It is a JavaScript library which provides utility functions for common programming tasks.
Mongo
It is a free and open-source cross-platform document-oriented database program. Mongo is classified as a NoSQL database program, uses JSON-like documents with schemas. This module is responsible for creating and managing the database.
RocketChat communicates with multiple systems as shown in the context diagram below. The purpose of the context diagram is to show the system and the different entities it interacts with. Below is the high level view of the system.
Figure 3. Context Diagram
The different systems RocketChat interacts with are Heroku, Meteor, Twilio user account, Mongodb, Log entries, underscore, slack and HTTP. Heroku allows the application to build, to run and to deploy application model. Meteor is an open source JavaScript web framework which is used to provide packages and build applications for web, mobile, and desktops. Twilio is a cloud communication platform used by RocketChat to send and receive SMS messages within live chat. Twilio user account is required to get user ID for it to work with RocketChat. Mongodb is a free, open source cross-platform document-oriented database program, used by RocketChat to simply request, pull and show data. Log entries, which is a self hosted log management and analytics service, which is used by Rocket chat for logging applications.Underscore is a JavaScript library that provides useful functional programming helper without extending any built-in objects [6]. It is used to create user account by the application. Slack is a cloud based collaborative tool, which is used to import messages by RocketChat. HTTP is an open source application which helps to connect RocketChat with Facebook, Github and Google.
A behavior diagram is a dynamic diagram of the elements in the system. It provides a place to describe aspects of the transfer of information and the stimulation of actions from one element to another[5]. Figure 4, the diagram indicates how the system handles encrypted messages in order to provide secure communication. Double-clicking a contact's screen name opens a channel window. He enables Off-the-Record Messaging in order to send encrypted messages. When the sender enables OTR, the system alerts the receiver to enable OTR in his channel window in order to receive those encrypted messages. Behind the screen, the software rapidly breaks up his messages into encrypted packets by Signal Protocol Library. The packets are sent to receiver’s side through Internet Relay Chat. When the packets are received, they are decrypted by Signal Protocol Library. Finally, the message appears in the receiver’s window.
Figure 4. Behavioral Diagram for Encrypted Messaging
The primary quality attribute that we chose to analyse was modifiability for uses module view. This pertains to the overall system in terms of how the component(s)/package(s) of the system are organized. As seen in the primary presentation, there is an Aspect Level Modularity. This means that each package focuses on a particular aspect of the system. For example, the modules for RocketChat-grant-facebook and RocketChat-grant-google work in a low coupling manner in order to provide authentication services with different social media platforms. Adding a new platform would be just adding a new package. Editing one platform keeps the code independent of the other module. Hence, all the functionalities,which are provided by RocketChat, are divided into packages. This is an efficient implementation of High Cohesion tactic of modularity.
The sequence of modules exemplifies the Low Coupling tactic for modularity. The system modules are working independently as shown in Figure 2. The packages have their defined set of concerns and interactions through interfaces which hide the internal implementation details. Therefore, changes to one module can be implemented without changing the behavior of the system.
Overall, RocketChat is built with modularity. This would allow easy contributions to the system.Therefore, developers can focus on issues/enhancements in independent packages and improve the system in a modular manner. Moreover, this provides integration with external libraries.
A Component and Connector view represents the runtime instances and the protocols of connection between the components. The connectors represent the properties such as concurrency, protocols and information flows. In this section, we analysed RocketChat from component-and-connector view for the user authentication.
Primary presentation shows the elements and the relationships amongst them that populate the view[5]. The primary presentation shown in Figure 5. represents how components interact with each other and indicates the external dependent packages. More specifically we chose client-server view for C&C view. Client-server view consists of clients and servers as components.
Figure 5. Primary presentation for client-server view
Element catalog lists the components and relationship among each other in the primary presentation. Element catalog shown in Table 7. was omitted from the primary presentation shown in Figure 5.
Table 7. Element catalog for primary presentation
Element Name
Type
Description
Web Service Client
Client
Web Service Client submits the request to Authentication Server(RocketChat) and renders response.
Authentication Server
Server
It provides Web Service Interface for the RocketChat system. It uses MongoDB to handle user authentication. It supports REST API which supports HTTP request and response. It connects to MongoDB database server with a URI. It sends Web Service Client the status of the request.
MongoDB
Server
RocketChat sends the Web Service requests to MongoDB to authenticate the user with username and password. It sends the Authentication Server the status of request and data which consists of authentication token and userID.
A behavior diagram is a dynamic diagram of the elements in the system. It provides a place to describe aspects of the transfer of information and the stimulation of actions from one element to another[5]. Figure 6. depicts how the application works when a user tries to login to the system.
Figure 6. Sequence Diagram
Elements
Description
Interface Identity
LoginWithPassword
Resources Provided
Syntax: The syntax uses the concept of Dictionary of functions, where the function definition is stored as a key-value pair in a dictionary object. The function has the arguments as user, password, IP, userAgent and Promise <Object>. The same are further described below in data types section. Semantics: The resource performs the functionality of checking the username and hashed password of the user, by retrieving it from MongoDb and authenticates the user.
Data Types
1. {Object} user (Mandatory)-This is the user name or the email which is an object type. 2. {PasswordType} password (Mandatory) - Password of user to login which is a PasswordType. 3. {string} IP - User IP variable which is a string data type. 4. {string} userAgent - User agent which is a string data type. 5. {Promise} - A promise object which is a LoginReturnType. This promise returns an object that contain the success, failure and error message of the login.
Error Handling
1. Unrecognized username or password - A user can login with with no password or username. At this point an exception is thrown with “Unrecognized options for login request”. This error is sent to the promise object.
throw new _common.AccountsError('Unrecognized options for login request', user, 400);
2. Username or Password not matching - When the username or password is unmatched, “Matched failed” exception is executed and the error is sent to promise object.
throw new _common.AccountsError('Match failed', user, 400);
3. User not found - The username or email is not available in the system. An exception called “User not found” is thrown and is sent as an error to the promise object.
throw new _common.AccountsError('User not found', user, 403);
Quality attribute
Robustness: This can be the ability for the system to cope with errors during execution and cope with erroneous input. There are several cases covered for handling the error caused when login in with username and password. The errors are handle with exceptions which prevent the breakdown of the system. This would enable consistent error handling and improve robustness of the system. Security: The interface ensures the quality attribute of security, since it allows a mechanism of authentication for the user of the system. Modifiability: Since the interface is an independent module, potential changes such as changing the hashing algorithm for the password, can be done independently of other modules.
Rationale
The interface is the primary mechanism for performing authentication. It has been centralized as a method, to ensure reusability and consistency, for any locations that may use its functionality.
Usage guide
The username and password are the two main arguments which are passed to the “loginWithPassword” function.the data (user, password, ip, userAgent) needs to be passed into the function. The IP and userAgent can be optional parameters.When the promise object is returned from the aforementioned login method, the result is passed into a function to process the errors that needs to displayed to the user. For example, if the promise object contains the property “error.error:’no-valid-email',” then the user need to verify the email for login. Additionally, it will set the instance state as “email-verification”. Similarly, if there was an error with unmatched username or password, the application displays the error as a message.
We chose the client-server view as component and connector view. The primary presentation indicates how the components in RocketChat interact with each other and the external dependent packages for user authentication. The webservice client sends a login request with the username and password to the Authentication server which checks the validity in the database server (mongoDB). Once validated, authentication server authenticates a success or failure state, which either lets user sign in again or logs them into the application if the credentials were correct.
The quality attribute that is in-focus for C&C view is Security. The system must know it's legitimate users in order to provide the best services to its clients. When the authentication server is validating the username and password in the database server, the transfer of information needs to be safe and secure.
During the process of software development, developers sometimes derogate quality in order to ship changes fast. These neglected changes could potentially cause plenty of technical debt, which could block the development of a project after a particular point in time. Quality of the code is one of the main aspects which made the code easier to read for the next developer or anyone doing documentation.
To analyse the code quality and technical debt for RocketChat, multiple tools were used such as SonarQube and CodeScene. These tools were used to check the code smell, vulnerabilities, debt, bugs and look at the different quality attributes overview. In the following sections, each tool is examined with regards to the issues that were identified in their output.
SonarQube is a free open source software developed by SonarSource for performing automated code reviews with static analysis, check code quality, detect bugs, code smells and security vulnerabilities for multiple programming languages. The cloud platform can be accessed from https://about.sonarcloud.io after registering as a user for the team project. After the steps of execution command, three files are created in config folder of snar-scanner. First file is used to set the organization of the project analysis. This can be the organization created from github. The second file shows the project key of the analysis and the last file indicates the source that need to be scanned for the analysis.
When the analysis was successfully completed, the overview of RocketChat is shown in Figure 7.
Figure 7: Overview of RocketChat Analysis
With the help of SonarQube, technical debt of deprecated HTML attribute was found. The technical debt that we found was HTML attribute “width” not supported by the version of HTML that the application is using. Figure below shows the list of files that was affected with deprecated width attribute.
Figure 8: List of files affected with deprecated width attribute.
After research done by the team and comments received from the professor, deprecated HTML attribute is not a technical debt but mere coding preference.
CodeScene is an automated tool that was used to analyse the code of this project. The information about the tool can be found at https://codescene.io/. The tool issued a metric, known as coupling, which signifies the degree of how much the code base files are closely coupled together. For example, when a change is made to one of the file, how does it affect the other one? CodeScene provides the following metrics which were used in the analysis:
Coupled Entities Two files that tend to change together over time. Degree of Coupling How often the files change together.
The figure below shows the analysis of coupling and degree of coupling under Technical Debt -> Temporal Coupling:
Figure 9: Codescene under temporal couple for a file used to build RocketChat
For our specific case, the main focus was on cloud file upload functionality of RocketChat system which allows file upload to Amazon S3 and Google Cloud platform. The degree of coupling for this specific file is 66 %. The comparative code base, for the two functionalities, is shown in figure 10.
Figure 10: Comparison between amazons3.js and googlestorage.js
As seen from the comparison, the code base is identical, with difference in provider specific initializations.
The code bases which are designed modularly, with common concerns being packaged into a single object and specific ones, being inherited into that object, allow an ease of change. In our particular example, adding a new cloud provider would require the developer to essentially create a new file with same code base duplicated for Amazon and Google cloud providers. The quality attribute related to code duplication would be Maintainability. The issue of code duplication could be either intentional which means other quality attributes of the system such as performance and optimized. The issue could be unintentional which means that the developer was unskilled and did not understand the system. One simple and straightforward way to fix code duplication could be to create method and place calls for the new method in multiple places.
RocketChat is a free open source web chat application that allows team collaboration and communication. This documentation contains information about the application to better understand the thought process behind how the application was built. It has been a great learning opportunity to work with an application that is widely known and used. The process of identifying the stakeholders, business goals, generating module and component and connector view helped team analyze and understand the structure of the code. Some of the technical debts encountered in the process were not technical debt but different coding practise or a shortcut that developers took. For future projects in Documenting and Understanding Software System, a project with better coding practice and better structure would be recommended. RocketChat has provided an amazing opportunity to get familiar with the different coding practise, the thought process of how an application is built and the importance of architectural knowledge of the application.
[1] "Rocket.Chat - Free, Open Source, Enterprise Team Chat", Rocket.chat, 2018. [Online]. Available: https://rocket.chat/. [Accessed: 05- Apr- 2018].
[2] "Concept: Architecturally Significant Requirements", Epf.eclipse.org, 2018. [Online]. Available:http://epf.eclipse.org/wikis/openup/core.tech.common.extend_supp/guidances/concepts/arch_significant_requirements_1EE5D757.html. [Accessed: 05- Apr- 2018].
[3] R. Kazman, M. Klein and P. Clements, ATAM: Method for Architecture Evaluation. Carnegie Mellon Software Engineering Institute, 2000, p. 16.
[4] "4.4 Quality Attribute Scenarios in Practice :: Chapter 4. Understanding Quality Attributes :: Part Two: Creating an Architecture :: Software architecture in practice :: Programming :: eTutorials.org", Etutorials.org, 2018. [Online]. Available:http://etutorials.org/Programming/Software+architecture+in+practice,+second+edition/Part+Two+Creating+an+Architecture/Chapter+4.+Understanding+Quality+Attributes/4.4+Quality+Attribute+Scenarios+in+Practice/. [Accessed: 05- Apr- 2018].
[5] Ece.ubc.ca, 2018. [Online]. Available: http://www.ece.ubc.ca/~matei/EECE417/BASS/ch02lev1sec5.html. [Accessed: 05- Apr- 2018].
[6] "Underscore.js", Underscorejs.org, 2018. [Online]. Available: http://underscorejs.org/. [Accessed: 05- Apr- 2018].
RocketChat Security Team (security@RocketChat), Open source vulnerability check (), Github contributors
RocketChat , RocketChat , RocketChat .
, ,,
,
RocketChat core developer team &
, ,
Brazilian Space Agency, whoGloo, ownCloud, Buddy, Infoshift, Sodep, iiLab, SZL, Lisk, Skrz.cz, Datafactor, Leonis holding, Bleemeo, AresRPG, eClick’s Stack,Zei .