.github/FUNDING.yml

-github: nhooyr

.github/dependabot.yml

+version: 2
+updates:
+  # Track in case we ever add dependencies.
+  - package-ecosystem: 'gomod'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+    commit-message:
+      prefix: 'chore'
+
+  # Keep example and test/benchmark deps up-to-date.
+  - package-ecosystem: 'gomod'
+    directories:
+      - '/internal/examples'
+      - '/internal/thirdparty'
+    schedule:
+      interval: 'monthly'
+    commit-message:
+      prefix: 'chore'
+    labels: []
+    groups:
+      internal-deps:
+        patterns:
+          - '*'

.github/workflows/ci.yml

 name: ci
-on: [push, pull_request]
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
@@ -9,30 +15,45 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: ./go.mod
-      - run: ./ci/fmt.sh
+      - run: make fmt
 
   lint:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - run: go version
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: ./go.mod
-      - run: ./ci/lint.sh
+      - run: make lint
 
   test:
     runs-on: ubuntu-latest
     steps:
+      - name: Disable AppArmor
+        if: runner.os == 'Linux'
+        run: |
+          # Disable AppArmor for Ubuntu 23.10+.
+          # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
+          echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: ./go.mod
-      - run: ./ci/test.sh
-      - uses: actions/upload-artifact@v3
+      - run: make test
+      - uses: actions/upload-artifact@v4
         with:
           name: coverage.html
           path: ./ci/out/coverage.html
+
+  bench:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: ./go.mod
+      - run: make bench

.github/workflows/daily.yml

@@ -12,19 +12,55 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: ./go.mod
-      - run: AUTOBAHN=1 ./ci/bench.sh
+      - run: AUTOBAHN=1 make bench
   test:
     runs-on: ubuntu-latest
     steps:
+      - name: Disable AppArmor
+        if: runner.os == 'Linux'
+        run: |
+          # Disable AppArmor for Ubuntu 23.10+.
+          # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
+          echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: ./go.mod
-      - run: AUTOBAHN=1 ./ci/test.sh
-      - uses: actions/upload-artifact@v3
+      - run: AUTOBAHN=1 make test
+      - uses: actions/upload-artifact@v4
         with:
           name: coverage.html
           path: ./ci/out/coverage.html
+  bench-dev:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: dev
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: ./go.mod
+      - run: AUTOBAHN=1 make bench
+  test-dev:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Disable AppArmor
+        if: runner.os == 'Linux'
+        run: |
+          # Disable AppArmor for Ubuntu 23.10+.
+          # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
+          echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
+      - uses: actions/checkout@v4
+        with:
+          ref: dev
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: ./go.mod
+      - run: AUTOBAHN=1 make test
+      - uses: actions/upload-artifact@v4
+        with:
+          name: coverage-dev.html
+          path: ./ci/out/coverage.html

.github/workflows/static.yml

+name: static
+
+on:
+  push:
+    branches: ['master']
+  workflow_dispatch:
+
+# Set permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages.
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: pages
+  cancel-in-progress: true
+
+jobs:
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Disable AppArmor
+        if: runner.os == 'Linux'
+        run: |
+          # Disable AppArmor for Ubuntu 23.10+.
+          # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
+          echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Pages
+        uses: actions/configure-pages@v5
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: ./go.mod
+      - name: Generate coverage and badge
+        run: |
+          make test
+          mkdir -p ./ci/out/static
+          cp ./ci/out/coverage.html ./ci/out/static/coverage.html
+          percent=$(go tool cover -func ./ci/out/coverage.prof | tail -n1 | awk '{print $3}' | tr -d '%')
+          wget -O ./ci/out/static/coverage.svg "https://img.shields.io/badge/coverage-${percent}%25-success"
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: ./ci/out/static/
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

.gitignore

-websocket.test

LICENSE.txt

-Copyright (c) 2023 Anmol Sethi <hi@nhooyr.io>
+Copyright (c) 2025 Coder
 
 Permission to use, copy, modify, and distribute this software for any
 purpose with or without fee is hereby granted, provided that the above

Makefile

+.PHONY: all
+all: fmt lint test
+
+.PHONY: fmt
+fmt:
+	./ci/fmt.sh
+
+.PHONY: lint
+lint:
+	./ci/lint.sh
+
+.PHONY: test
+test:
+	./ci/test.sh
+
+.PHONY: bench
+bench:
+	./ci/bench.sh
\ No newline at end of file

README.md

 # websocket
 
-[![godoc](https://godoc.org/nhooyr.io/websocket?status.svg)](https://pkg.go.dev/nhooyr.io/websocket)
-[![coverage](https://img.shields.io/badge/coverage-86%25-success)](https://nhooyrio-websocket-coverage.netlify.app)
+[![Go Reference](https://pkg.go.dev/badge/github.com/coder/websocket.svg)](https://pkg.go.dev/github.com/coder/websocket)
+[![Go Coverage](https://coder.github.io/websocket/coverage.svg)](https://coder.github.io/websocket/coverage.html)
 
 websocket is a minimal and idiomatic WebSocket library for Go.
 
-> **note**: I haven't been responsive for questions/reports on the issue tracker but I do
-> read through and there are no outstanding bugs. There are certainly some nice to haves
-> that I should merge in/figure out but nothing critical. I haven't given up on adding new
-> features and cleaning up the code further, just been busy. Should anything critical
-> arise, I will fix it.
-
 ## Install
 
-```bash
-go get nhooyr.io/websocket
+```sh
+go get github.com/coder/websocket
 ```
 
+> [!NOTE]
+> Coder now maintains this project as explained in [this blog post](https://coder.com/blog/websocket).
+> We're grateful to [nhooyr](https://github.com/nhooyr) for authoring and maintaining this project from
+> 2019 to 2024.
+
 ## Highlights
 
 - Minimal and idiomatic API
 - First class [context.Context](https://blog.golang.org/context) support
 - Fully passes the WebSocket [autobahn-testsuite](https://github.com/crossbario/autobahn-testsuite)
-- [Zero dependencies](https://pkg.go.dev/nhooyr.io/websocket?tab=imports)
-- JSON and protobuf helpers in the [wsjson](https://pkg.go.dev/nhooyr.io/websocket/wsjson) and [wspb](https://pkg.go.dev/nhooyr.io/websocket/wspb) subpackages
+- [Zero dependencies](https://pkg.go.dev/github.com/coder/websocket?tab=imports)
+- JSON helpers in the [wsjson](https://pkg.go.dev/github.com/coder/websocket/wsjson) subpackage
 - Zero alloc reads and writes
 - Concurrent writes
-- [Close handshake](https://pkg.go.dev/nhooyr.io/websocket#Conn.Close)
-- [net.Conn](https://pkg.go.dev/nhooyr.io/websocket#NetConn) wrapper
-- [Ping pong](https://pkg.go.dev/nhooyr.io/websocket#Conn.Ping) API
+- [Close handshake](https://pkg.go.dev/github.com/coder/websocket#Conn.Close)
+- [net.Conn](https://pkg.go.dev/github.com/coder/websocket#NetConn) wrapper
+- [Ping pong](https://pkg.go.dev/github.com/coder/websocket#Conn.Ping) API
 - [RFC 7692](https://tools.ietf.org/html/rfc7692) permessage-deflate compression
-- Compile to [Wasm](https://pkg.go.dev/nhooyr.io/websocket#hdr-Wasm)
+- [CloseRead](https://pkg.go.dev/github.com/coder/websocket#Conn.CloseRead) helper for write only connections
+- Compile to [Wasm](https://pkg.go.dev/github.com/coder/websocket#hdr-Wasm)
 
 ## Roadmap
 
+See GitHub issues for minor issues but the major future enhancements are:
+
+- [ ] Perfect examples [#217](https://github.com/nhooyr/websocket/issues/217)
+- [ ] wstest.Pipe for in memory testing [#340](https://github.com/nhooyr/websocket/issues/340)
+- [ ] Ping pong heartbeat helper [#267](https://github.com/nhooyr/websocket/issues/267)
+- [ ] Ping pong instrumentation callbacks [#246](https://github.com/nhooyr/websocket/issues/246)
+- [ ] Graceful shutdown helpers [#209](https://github.com/nhooyr/websocket/issues/209)
+- [ ] Assembly for WebSocket masking [#16](https://github.com/nhooyr/websocket/issues/16)
+  - WIP at [#326](https://github.com/nhooyr/websocket/pull/326), about 3x faster
 - [ ] HTTP/2 [#4](https://github.com/nhooyr/websocket/issues/4)
+- [ ] The holy grail [#402](https://github.com/nhooyr/websocket/issues/402)
 
 ## Examples
 
@@ -51,9 +61,11 @@ http.HandlerFunc(func (w http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		// ...
 	}
-	defer c.Close(websocket.StatusInternalError, "the sky is falling")
+	defer c.CloseNow()
 
-	ctx, cancel := context.WithTimeout(r.Context(), time.Second*10)
+	// Set the context as needed. Use of r.Context() is not recommended
+	// to avoid surprising behavior (see http.Hijacker).
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
 	defer cancel()
 
 	var v interface{}
@@ -78,7 +90,7 @@ c, _, err := websocket.Dial(ctx, "ws://localhost:8080", nil)
 if err != nil {
 	// ...
 }
-defer c.Close(websocket.StatusInternalError, "the sky is falling")
+defer c.CloseNow()
 
 err = wsjson.Write(ctx, c, "hi")
 if err != nil {
@@ -97,12 +109,14 @@ Advantages of [gorilla/websocket](https://github.com/gorilla/websocket):
 - Mature and widely used
 - [Prepared writes](https://pkg.go.dev/github.com/gorilla/websocket#PreparedMessage)
 - Configurable [buffer sizes](https://pkg.go.dev/github.com/gorilla/websocket#hdr-Buffers)
+- No extra goroutine per connection to support cancellation with context.Context. This costs github.com/coder/websocket 2 KB of memory per connection.
+  - Will be removed soon with [context.AfterFunc](https://github.com/golang/go/issues/57928). See [#411](https://github.com/nhooyr/websocket/issues/411)
 
-Advantages of nhooyr.io/websocket:
+Advantages of github.com/coder/websocket:
 
 - Minimal and idiomatic API
-  - Compare godoc of [nhooyr.io/websocket](https://pkg.go.dev/nhooyr.io/websocket) with [gorilla/websocket](https://pkg.go.dev/github.com/gorilla/websocket) side by side.
-- [net.Conn](https://pkg.go.dev/nhooyr.io/websocket#NetConn) wrapper
+  - Compare godoc of [github.com/coder/websocket](https://pkg.go.dev/github.com/coder/websocket) with [gorilla/websocket](https://pkg.go.dev/github.com/gorilla/websocket) side by side.
+- [net.Conn](https://pkg.go.dev/github.com/coder/websocket#NetConn) wrapper
 - Zero alloc reads and writes ([gorilla/websocket#535](https://github.com/gorilla/websocket/issues/535))
 - Full [context.Context](https://blog.golang.org/context) support
 - Dial uses [net/http.Client](https://golang.org/pkg/net/http/#Client)
@@ -110,28 +124,39 @@ Advantages of nhooyr.io/websocket:
   - Gorilla writes directly to a net.Conn and so duplicates features of net/http.Client.
 - Concurrent writes
 - Close handshake ([gorilla/websocket#448](https://github.com/gorilla/websocket/issues/448))
-- Idiomatic [ping pong](https://pkg.go.dev/nhooyr.io/websocket#Conn.Ping) API
+- Idiomatic [ping pong](https://pkg.go.dev/github.com/coder/websocket#Conn.Ping) API
   - Gorilla requires registering a pong callback before sending a Ping
 - Can target Wasm ([gorilla/websocket#432](https://github.com/gorilla/websocket/issues/432))
-- Transparent message buffer reuse with [wsjson](https://pkg.go.dev/nhooyr.io/websocket/wsjson) and [wspb](https://pkg.go.dev/nhooyr.io/websocket/wspb) subpackages
+- Transparent message buffer reuse with [wsjson](https://pkg.go.dev/github.com/coder/websocket/wsjson) subpackage
 - [1.75x](https://github.com/nhooyr/websocket/releases/tag/v1.7.4) faster WebSocket masking implementation in pure Go
   - Gorilla's implementation is slower and uses [unsafe](https://golang.org/pkg/unsafe/).
+    Soon we'll have assembly and be 3x faster [#326](https://github.com/nhooyr/websocket/pull/326)
 - Full [permessage-deflate](https://tools.ietf.org/html/rfc7692) compression extension support
   - Gorilla only supports no context takeover mode
-- [CloseRead](https://pkg.go.dev/nhooyr.io/websocket#Conn.CloseRead) helper ([gorilla/websocket#492](https://github.com/gorilla/websocket/issues/492))
-- Actively maintained ([gorilla/websocket#370](https://github.com/gorilla/websocket/issues/370))
+- [CloseRead](https://pkg.go.dev/github.com/coder/websocket#Conn.CloseRead) helper for write only connections ([gorilla/websocket#492](https://github.com/gorilla/websocket/issues/492))
 
 #### golang.org/x/net/websocket
 
 [golang.org/x/net/websocket](https://pkg.go.dev/golang.org/x/net/websocket) is deprecated.
 See [golang/go/issues/18152](https://github.com/golang/go/issues/18152).
 
-The [net.Conn](https://pkg.go.dev/nhooyr.io/websocket#NetConn) can help in transitioning
-to nhooyr.io/websocket.
+The [net.Conn](https://pkg.go.dev/github.com/coder/websocket#NetConn) can help in transitioning
+to github.com/coder/websocket.
 
 #### gobwas/ws
 
 [gobwas/ws](https://github.com/gobwas/ws) has an extremely flexible API that allows it to be used
 in an event driven style for performance. See the author's [blog post](https://medium.freecodecamp.org/million-websockets-and-go-cc58418460bb).
 
-However when writing idiomatic Go, nhooyr.io/websocket will be faster and easier to use.
+However it is quite bloated. See https://pkg.go.dev/github.com/gobwas/ws
+
+When writing idiomatic Go, github.com/coder/websocket will be faster and easier to use.
+
+#### lesismal/nbio
+
+[lesismal/nbio](https://github.com/lesismal/nbio) is similar to gobwas/ws in that the API is
+event driven for performance reasons.
+
+However it is quite bloated. See https://pkg.go.dev/github.com/lesismal/nbio
+
+When writing idiomatic Go, github.com/coder/websocket will be faster and easier to use.

accept.go

@@ -5,6 +5,7 @@ package websocket
 
 import (
 	"bytes"
+	"context"
 	"crypto/sha1"
 	"encoding/base64"
 	"errors"
@@ -14,10 +15,10 @@ import (
 	"net/http"
 	"net/textproto"
 	"net/url"
-	"path/filepath"
+	"path"
 	"strings"
 
-	"nhooyr.io/websocket/internal/errd"
+	"github.com/coder/websocket/internal/errd"
 )
 
 // AcceptOptions represents Accept's options.
@@ -41,8 +42,8 @@ type AcceptOptions struct {
 	// One would set this field to []string{"example.com"} to authorize example.com to connect.
 	//
 	// Each pattern is matched case insensitively against the request origin host
-	// with filepath.Match.
-	// See https://golang.org/pkg/path/filepath/#Match
+	// with path.Match.
+	// See https://golang.org/pkg/path/#Match
 	//
 	// Please ensure you understand the ramifications of enabling this.
 	// If used incorrectly your WebSocket server will be open to CSRF attacks.
@@ -62,6 +63,22 @@ type AcceptOptions struct {
 	// Defaults to 512 bytes for CompressionNoContextTakeover and 128 bytes
 	// for CompressionContextTakeover.
 	CompressionThreshold int
+
+	// OnPingReceived is an optional callback invoked synchronously when a ping frame is received.
+	//
+	// The payload contains the application data of the ping frame.
+	// If the callback returns false, the subsequent pong frame will not be sent.
+	// To avoid blocking, any expensive processing should be performed asynchronously using a goroutine.
+	OnPingReceived func(ctx context.Context, payload []byte) bool
+
+	// OnPongReceived is an optional callback invoked synchronously when a pong frame is received.
+	//
+	// The payload contains the application data of the pong frame.
+	// To avoid blocking, any expensive processing should be performed asynchronously using a goroutine.
+	//
+	// Unlike OnPingReceived, this callback does not return a value because a pong frame
+	// is a response to a ping and does not trigger any further frame transmission.
+	OnPongReceived func(ctx context.Context, payload []byte)
 }
 
 func (opts *AcceptOptions) cloneWithDefaults() *AcceptOptions {
@@ -79,6 +96,9 @@ func (opts *AcceptOptions) cloneWithDefaults() *AcceptOptions {
 // See the InsecureSkipVerify and OriginPatterns options to allow cross origin requests.
 //
 // Accept will write a response to w on all errors.
+//
+// Note that using the http.Request Context after Accept returns may lead to
+// unexpected behavior (see http.Hijacker).
 func Accept(w http.ResponseWriter, r *http.Request, opts *AcceptOptions) (*Conn, error) {
 	return accept(w, r, opts)
 }
@@ -96,7 +116,7 @@ func accept(w http.ResponseWriter, r *http.Request, opts *AcceptOptions) (_ *Con
 	if !opts.InsecureSkipVerify {
 		err = authenticateOrigin(r, opts.OriginPatterns)
 		if err != nil {
-			if errors.Is(err, filepath.ErrBadPattern) {
+			if errors.Is(err, path.ErrBadPattern) {
 				log.Printf("websocket: %v", err)
 				err = errors.New(http.StatusText(http.StatusForbidden))
 			}
@@ -105,7 +125,7 @@ func accept(w http.ResponseWriter, r *http.Request, opts *AcceptOptions) (_ *Con
 		}
 	}
 
-	hj, ok := w.(http.Hijacker)
+	hj, ok := hijacker(w)
 	if !ok {
 		err = errors.New("http.ResponseWriter does not implement http.Hijacker")
 		http.Error(w, http.StatusText(http.StatusNotImplemented), http.StatusNotImplemented)
@@ -153,6 +173,8 @@ func accept(w http.ResponseWriter, r *http.Request, opts *AcceptOptions) (_ *Con
 		client:         false,
 		copts:          copts,
 		flateThreshold: opts.CompressionThreshold,
+		onPingReceived: opts.OnPingReceived,
+		onPongReceived: opts.OnPongReceived,
 
 		br: brw.Reader,
 		bw: brw.Writer,
@@ -185,10 +207,21 @@ func verifyClientRequest(w http.ResponseWriter, r *http.Request) (errCode int, _
 		return http.StatusBadRequest, fmt.Errorf("unsupported WebSocket protocol version (only 13 is supported): %q", r.Header.Get("Sec-WebSocket-Version"))
 	}
 
-	if r.Header.Get("Sec-WebSocket-Key") == "" {
+	websocketSecKeys := r.Header.Values("Sec-WebSocket-Key")
+	if len(websocketSecKeys) == 0 {
 		return http.StatusBadRequest, errors.New("WebSocket protocol violation: missing Sec-WebSocket-Key")
 	}
 
+	if len(websocketSecKeys) > 1 {
+		return http.StatusBadRequest, errors.New("WebSocket protocol violation: multiple Sec-WebSocket-Key headers")
+	}
+
+	// The RFC states to remove any leading or trailing whitespace.
+	websocketSecKey := strings.TrimSpace(websocketSecKeys[0])
+	if v, err := base64.StdEncoding.DecodeString(websocketSecKey); err != nil || len(v) != 16 {
+		return http.StatusBadRequest, fmt.Errorf("WebSocket protocol violation: invalid Sec-WebSocket-Key %q, must be a 16 byte base64 encoded string", websocketSecKey)
+	}
+
 	return 0, nil
 }
 
@@ -210,7 +243,7 @@ func authenticateOrigin(r *http.Request, originHosts []string) error {
 	for _, hostPattern := range originHosts {
 		matched, err := match(hostPattern, u.Host)
 		if err != nil {
-			return fmt.Errorf("failed to parse filepath pattern %q: %w", hostPattern, err)
+			return fmt.Errorf("failed to parse path pattern %q: %w", hostPattern, err)
 		}
 		if matched {
 			return nil
@@ -223,7 +256,7 @@ func authenticateOrigin(r *http.Request, originHosts []string) error {
 }
 
 func match(pattern, s string) (bool, error) {
-	return filepath.Match(strings.ToLower(pattern), strings.ToLower(s))
+	return path.Match(strings.ToLower(pattern), strings.ToLower(s))
 }
 
 func selectSubprotocol(r *http.Request, subprotocols []string) string {
@@ -244,7 +277,7 @@ func selectDeflate(extensions []websocketExtension, mode CompressionMode) (*comp
 	}
 	for _, ext := range extensions {
 		switch ext.name {
-		// We used to implement x-webkit-deflate-fram too but Safari has bugs.
+		// We used to implement x-webkit-deflate-frame too for Safari but Safari has bugs...
 		// See https://github.com/nhooyr/websocket/issues/218
 		case "permessage-deflate":
 			copts, ok := acceptDeflate(ext, mode)

accept_test.go

@@ -10,9 +10,11 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"strings"
+	"sync"
 	"testing"
 
-	"nhooyr.io/websocket/internal/test/assert"
+	"github.com/coder/websocket/internal/test/assert"
+	"github.com/coder/websocket/internal/test/xrand"
 )
 
 func TestAccept(t *testing.T) {
@@ -36,7 +38,7 @@ func TestAccept(t *testing.T) {
 		r.Header.Set("Connection", "Upgrade")
 		r.Header.Set("Upgrade", "websocket")
 		r.Header.Set("Sec-WebSocket-Version", "13")
-		r.Header.Set("Sec-WebSocket-Key", "meow123")
+		r.Header.Set("Sec-WebSocket-Key", xrand.Base64(16))
 		r.Header.Set("Origin", "harhar.com")
 
 		_, err := Accept(w, r, nil)
@@ -52,7 +54,7 @@ func TestAccept(t *testing.T) {
 		r.Header.Set("Connection", "Upgrade")
 		r.Header.Set("Upgrade", "websocket")
 		r.Header.Set("Sec-WebSocket-Version", "13")
-		r.Header.Set("Sec-WebSocket-Key", "meow123")
+		r.Header.Set("Sec-WebSocket-Key", xrand.Base64(16))
 		r.Header.Set("Origin", "https://harhar.com")
 
 		_, err := Accept(w, r, nil)
@@ -67,7 +69,7 @@ func TestAccept(t *testing.T) {
 			r.Header.Set("Connection", "Upgrade")
 			r.Header.Set("Upgrade", "websocket")
 			r.Header.Set("Sec-WebSocket-Version", "13")
-			r.Header.Set("Sec-WebSocket-Key", "meow123")
+			r.Header.Set("Sec-WebSocket-Key", xrand.Base64(16))
 			r.Header.Set("Sec-WebSocket-Extensions", extensions)
 			return r
 		}
@@ -116,7 +118,7 @@ func TestAccept(t *testing.T) {
 		r.Header.Set("Connection", "Upgrade")
 		r.Header.Set("Upgrade", "websocket")
 		r.Header.Set("Sec-WebSocket-Version", "13")
-		r.Header.Set("Sec-WebSocket-Key", "meow123")
+		r.Header.Set("Sec-WebSocket-Key", xrand.Base64(16))
 
 		_, err := Accept(w, r, nil)
 		assert.Contains(t, err, `http.ResponseWriter does not implement http.Hijacker`)
@@ -136,11 +138,74 @@ func TestAccept(t *testing.T) {
 		r.Header.Set("Connection", "Upgrade")
 		r.Header.Set("Upgrade", "websocket")
 		r.Header.Set("Sec-WebSocket-Version", "13")
-		r.Header.Set("Sec-WebSocket-Key", "meow123")
+		r.Header.Set("Sec-WebSocket-Key", xrand.Base64(16))
 
 		_, err := Accept(w, r, nil)
 		assert.Contains(t, err, `failed to hijack connection`)
 	})
+
+	t.Run("wrapperHijackerIsUnwrapped", func(t *testing.T) {
+		t.Parallel()
+
+		rr := httptest.NewRecorder()
+		w := mockUnwrapper{
+			ResponseWriter: rr,
+			unwrap: func() http.ResponseWriter {
+				return mockHijacker{
+					ResponseWriter: rr,
+					hijack: func() (conn net.Conn, writer *bufio.ReadWriter, err error) {
+						return nil, nil, errors.New("haha")
+					},
+				}
+			},
+		}
+
+		r := httptest.NewRequest("GET", "/", nil)
+		r.Header.Set("Connection", "Upgrade")
+		r.Header.Set("Upgrade", "websocket")
+		r.Header.Set("Sec-WebSocket-Version", "13")
+		r.Header.Set("Sec-WebSocket-Key", xrand.Base64(16))
+
+		_, err := Accept(w, r, nil)
+		assert.Contains(t, err, "failed to hijack connection")
+	})
+
+	t.Run("closeRace", func(t *testing.T) {
+		t.Parallel()
+
+		server, _ := net.Pipe()
+
+		rw := bufio.NewReadWriter(bufio.NewReader(server), bufio.NewWriter(server))
+		newResponseWriter := func() http.ResponseWriter {
+			return mockHijacker{
+				ResponseWriter: httptest.NewRecorder(),
+				hijack: func() (net.Conn, *bufio.ReadWriter, error) {
+					return server, rw, nil
+				},
+			}
+		}
+		w := newResponseWriter()
+
+		r := httptest.NewRequest("GET", "/", nil)
+		r.Header.Set("Connection", "Upgrade")
+		r.Header.Set("Upgrade", "websocket")
+		r.Header.Set("Sec-WebSocket-Version", "13")
+		r.Header.Set("Sec-WebSocket-Key", xrand.Base64(16))
+
+		c, err := Accept(w, r, nil)
+		wg := &sync.WaitGroup{}
+		wg.Add(2)
+		go func() {
+			c.Close(StatusInternalError, "the sky is falling")
+			wg.Done()
+		}()
+		go func() {
+			c.CloseNow()
+			wg.Done()
+		}()
+		wg.Wait()
+		assert.Success(t, err)
+	})
 }
 
 func Test_verifyClientHandshake(t *testing.T) {
@@ -183,7 +248,15 @@ func Test_verifyClientHandshake(t *testing.T) {
 			},
 		},
 		{
-			name: "badWebSocketKey",
+			name: "missingWebSocketKey",
+			h: map[string]string{
+				"Connection":            "Upgrade",
+				"Upgrade":               "websocket",
+				"Sec-WebSocket-Version": "13",
+			},
+		},
+		{
+			name: "emptyWebSocketKey",
 			h: map[string]string{
 				"Connection":            "Upgrade",
 				"Upgrade":               "websocket",
@@ -191,13 +264,43 @@ func Test_verifyClientHandshake(t *testing.T) {
 				"Sec-WebSocket-Key":     "",
 			},
 		},
+		{
+			name: "shortWebSocketKey",
+			h: map[string]string{
+				"Connection":            "Upgrade",
+				"Upgrade":               "websocket",
+				"Sec-WebSocket-Version": "13",
+				"Sec-WebSocket-Key":     xrand.Base64(15),
+			},
+		},
+		{
+			name: "invalidWebSocketKey",
+			h: map[string]string{
+				"Connection":            "Upgrade",
+				"Upgrade":               "websocket",
+				"Sec-WebSocket-Version": "13",
+				"Sec-WebSocket-Key":     "notbase64",
+			},
+		},
+		{
+			name: "extraWebSocketKey",
+			h: map[string]string{
+				"Connection":            "Upgrade",
+				"Upgrade":               "websocket",
+				"Sec-WebSocket-Version": "13",
+				// Kinda cheeky, but http headers are case-insensitive.
+				// If 2 sec keys are present, this is a failure condition.
+				"Sec-WebSocket-Key": xrand.Base64(16),
+				"sec-webSocket-key": xrand.Base64(16),
+			},
+		},
 		{
 			name: "badHTTPVersion",
 			h: map[string]string{
 				"Connection":            "Upgrade",
 				"Upgrade":               "websocket",
 				"Sec-WebSocket-Version": "13",
-				"Sec-WebSocket-Key":     "meow123",
+				"Sec-WebSocket-Key":     xrand.Base64(16),
 			},
 			http1: true,
 		},
@@ -207,7 +310,17 @@ func Test_verifyClientHandshake(t *testing.T) {
 				"Connection":            "keep-alive, Upgrade",
 				"Upgrade":               "websocket",
 				"Sec-WebSocket-Version": "13",
-				"Sec-WebSocket-Key":     "meow123",
+				"Sec-WebSocket-Key":     xrand.Base64(16),
+			},
+			success: true,
+		},
+		{
+			name: "successSecKeyExtraSpace",
+			h: map[string]string{
+				"Connection":            "keep-alive, Upgrade",
+				"Upgrade":               "websocket",
+				"Sec-WebSocket-Version": "13",
+				"Sec-WebSocket-Key":     "   " + xrand.Base64(16) + "  ",
 			},
 			success: true,
 		},
@@ -227,7 +340,7 @@ func Test_verifyClientHandshake(t *testing.T) {
 			}
 
 			for k, v := range tc.h {
-				r.Header.Set(k, v)
+				r.Header.Add(k, v)
 			}
 
 			_, err := verifyClientRequest(httptest.NewRecorder(), r)
@@ -448,3 +561,14 @@ var _ http.Hijacker = mockHijacker{}
 func (mj mockHijacker) Hijack() (net.Conn, *bufio.ReadWriter, error) {
 	return mj.hijack()
 }
+
+type mockUnwrapper struct {
+	http.ResponseWriter
+	unwrap func() http.ResponseWriter
+}
+
+var _ rwUnwrapper = mockUnwrapper{}
+
+func (mu mockUnwrapper) Unwrap() http.ResponseWriter {
+	return mu.unwrap()
+}

autobahn_test.go

@@ -6,6 +6,7 @@ package websocket_test
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -16,10 +17,11 @@ import (
 	"testing"
 	"time"
 
-	"nhooyr.io/websocket"
-	"nhooyr.io/websocket/internal/errd"
-	"nhooyr.io/websocket/internal/test/assert"
-	"nhooyr.io/websocket/internal/test/wstest"
+	"github.com/coder/websocket"
+	"github.com/coder/websocket/internal/errd"
+	"github.com/coder/websocket/internal/test/assert"
+	"github.com/coder/websocket/internal/test/wstest"
+	"github.com/coder/websocket/internal/util"
 )
 
 var excludedAutobahnCases = []string{
@@ -37,8 +39,7 @@ var autobahnCases = []string{"*"}
 // Used to run individual test cases. autobahnCases runs only those cases matched
 // and not excluded by excludedAutobahnCases. Adding cases here means excludedAutobahnCases
 // is niled.
-// TODO:
-// var forceAutobahnCases = []string{}
+var onlyAutobahnCases = []string{}
 
 func TestAutobahn(t *testing.T) {
 	t.Parallel()
@@ -54,10 +55,15 @@ func TestAutobahn(t *testing.T) {
 		)
 	}
 
+	if len(onlyAutobahnCases) > 0 {
+		excludedAutobahnCases = []string{}
+		autobahnCases = onlyAutobahnCases
+	}
+
 	ctx, cancel := context.WithTimeout(context.Background(), time.Hour)
 	defer cancel()
 
-	wstestURL, closeFn, err := wstestServer(ctx)
+	wstestURL, closeFn, err := wstestServer(t, ctx)
 	assert.Success(t, err)
 	defer func() {
 		assert.Success(t, closeFn())
@@ -86,11 +92,11 @@ func TestAutobahn(t *testing.T) {
 		}
 	})
 
-	c, _, err := websocket.Dial(ctx, fmt.Sprintf(wstestURL+"/updateReports?agent=main"), nil)
+	c, _, err := websocket.Dial(ctx, wstestURL+"/updateReports?agent=main", nil)
 	assert.Success(t, err)
 	c.Close(websocket.StatusNormalClosure, "")
 
-	checkWSTestIndex(t, "./ci/out/wstestClientReports/index.json")
+	checkWSTestIndex(t, "./ci/out/autobahn-report/index.json")
 }
 
 func waitWS(ctx context.Context, url string) error {
@@ -109,9 +115,7 @@ func waitWS(ctx context.Context, url string) error {
 	return ctx.Err()
 }
 
-// TODO: Let docker pick the port and use docker port to find it.
-// Does mean we can't use -i but that's fine.
-func wstestServer(ctx context.Context) (url string, closeFn func() error, err error) {
+func wstestServer(tb testing.TB, ctx context.Context) (url string, closeFn func() error, err error) {
 	defer errd.Wrap(&err, "failed to start autobahn wstest server")
 
 	serverAddr, err := unusedListenAddr()
@@ -124,7 +128,7 @@ func wstestServer(ctx context.Context) (url string, closeFn func() error, err er
 	}
 
 	url = "ws://" + serverAddr
-	const outDir = "ci/out/wstestClientReports"
+	const outDir = "ci/out/autobahn-report"
 
 	specFile, err := tempJSONFile(map[string]interface{}{
 		"url":           url,
@@ -144,9 +148,15 @@ func wstestServer(ctx context.Context) (url string, closeFn func() error, err er
 	}()
 
 	dockerPull := exec.CommandContext(ctx, "docker", "pull", "crossbario/autobahn-testsuite")
-	// TODO: log to *testing.T
-	dockerPull.Stdout = os.Stdout
-	dockerPull.Stderr = os.Stderr
+	dockerPull.Stdout = util.WriterFunc(func(p []byte) (int, error) {
+		tb.Log(string(p))
+		return len(p), nil
+	})
+	dockerPull.Stderr = util.WriterFunc(func(p []byte) (int, error) {
+		tb.Log(string(p))
+		return len(p), nil
+	})
+	tb.Log(dockerPull)
 	err = dockerPull.Run()
 	if err != nil {
 		return "", nil, fmt.Errorf("failed to pull docker image: %w", err)
@@ -169,23 +179,32 @@ func wstestServer(ctx context.Context) (url string, closeFn func() error, err er
 		// See https://github.com/crossbario/autobahn-testsuite/blob/058db3a36b7c3a1edf68c282307c6b899ca4857f/autobahntestsuite/autobahntestsuite/wstest.py#L124
 		"--webport=0",
 	)
-	fmt.Println(strings.Join(args, " "))
 	wstest := exec.CommandContext(ctx, "docker", args...)
-	// TODO: log to *testing.T
-	wstest.Stdout = os.Stdout
-	wstest.Stderr = os.Stderr
+	wstest.Stdout = util.WriterFunc(func(p []byte) (int, error) {
+		tb.Log(string(p))
+		return len(p), nil
+	})
+	wstest.Stderr = util.WriterFunc(func(p []byte) (int, error) {
+		tb.Log(string(p))
+		return len(p), nil
+	})
+	tb.Log(wstest)
 	err = wstest.Start()
 	if err != nil {
 		return "", nil, fmt.Errorf("failed to start wstest: %w", err)
 	}
 
-	// TODO: kill
 	return url, func() error {
 		err = wstest.Process.Kill()
 		if err != nil {
 			return fmt.Errorf("failed to kill wstest: %w", err)
 		}
-		return nil
+		err = wstest.Wait()
+		var ee *exec.ExitError
+		if errors.As(err, &ee) && ee.ExitCode() == -1 {
+			return nil
+		}
+		return err
 	}, nil
 }
 

ci/bench.sh

@@ -2,8 +2,19 @@
 set -eu
 cd -- "$(dirname "$0")/.."
 
-go test --run=^$ --bench=. "$@" ./...
+go test --run=^$ --bench=. --benchmem "$@" ./...
+# For profiling add: --memprofile ci/out/prof.mem --cpuprofile ci/out/prof.cpu -o ci/out/websocket.test
 (
   cd ./internal/thirdparty
-  go test --run=^$ --bench=. "$@" ./...
+  go test --run=^$ --bench=. --benchmem "$@" .
+
+  GOARCH=arm64 go test -c -o ../../ci/out/thirdparty-arm64.test "$@" .
+  if [ "$#" -eq 0 ]; then
+    if [ "${CI-}" ]; then
+      sudo apt-get update
+      sudo apt-get install -y qemu-user-static
+	  ln -s /usr/bin/qemu-aarch64-static /usr/local/bin/qemu-aarch64
+    fi
+    qemu-aarch64 ../../ci/out/thirdparty-arm64.test --test.run=^$ --test.bench=Benchmark_mask --test.benchmem
+  fi
 )

ci/fmt.sh

@@ -2,17 +2,24 @@
 set -eu
 cd -- "$(dirname "$0")/.."
 
+X_TOOLS_VERSION=v0.31.0
+
 go mod tidy
+(cd ./internal/thirdparty && go mod tidy)
+(cd ./internal/examples && go mod tidy)
 gofmt -w -s .
-go run golang.org/x/tools/cmd/goimports@latest -w "-local=$(go list -m)" .
+go run golang.org/x/tools/cmd/goimports@${X_TOOLS_VERSION} -w "-local=$(go list -m)" .
 
-npx prettier@3.0.3 \
-  --write \
+git ls-files "*.yml" "*.md" "*.js" "*.css" "*.html" | xargs npx prettier@3.3.3 \
+  --check \
   --log-level=warn \
   --print-width=90 \
   --no-semi \
   --single-quote \
-  --arrow-parens=avoid \
-  $(git ls-files "*.yml" "*.md" "*.js" "*.css" "*.html")
+  --arrow-parens=avoid
+
+go run golang.org/x/tools/cmd/stringer@${X_TOOLS_VERSION} -type=opcode,MessageType,StatusCode -output=stringer.go
 
-go run golang.org/x/tools/cmd/stringer@latest -type=opcode,MessageType,StatusCode -output=stringer.go
+if [ "${CI-}" ]; then
+  git diff --exit-code
+fi

ci/lint.sh

@@ -2,14 +2,13 @@
 set -eu
 cd -- "$(dirname "$0")/.."
 
+STATICCHECK_VERSION=v0.6.1
+GOVULNCHECK_VERSION=v1.1.4
+
 go vet ./...
 GOOS=js GOARCH=wasm go vet ./...
 
-go install golang.org/x/lint/golint@latest
-golint -set_exit_status ./...
-GOOS=js GOARCH=wasm golint -set_exit_status ./...
-
-go install honnef.co/go/tools/cmd/staticcheck@latest
+go install honnef.co/go/tools/cmd/staticcheck@${STATICCHECK_VERSION}
 staticcheck ./...
 GOOS=js GOARCH=wasm staticcheck ./...
 
@@ -19,7 +18,7 @@ govulncheck() {
 		cat "$tmpf"
 	fi
 }
-go install golang.org/x/vuln/cmd/govulncheck@latest
+go install golang.org/x/vuln/cmd/govulncheck@${GOVULNCHECK_VERSION}
 govulncheck ./...
 GOOS=js GOARCH=wasm govulncheck ./...
 

ci/test.sh

@@ -2,17 +2,6 @@
 set -eu
 cd -- "$(dirname "$0")/.."
 
-go install github.com/agnivade/wasmbrowsertest@latest
-go test --race --timeout=1h --covermode=atomic --coverprofile=ci/out/coverage.prof --coverpkg=./... "$@" ./...
-sed -i.bak '/stringer\.go/d' ci/out/coverage.prof
-sed -i.bak '/nhooyr.io\/websocket\/internal\/test/d' ci/out/coverage.prof
-sed -i.bak '/examples/d' ci/out/coverage.prof
-
-# Last line is the total coverage.
-go tool cover -func ci/out/coverage.prof | tail -n1
-
-go tool cover -html=ci/out/coverage.prof -o=ci/out/coverage.html
-
 (
   cd ./internal/examples
   go test "$@" ./...
@@ -21,3 +10,27 @@ go tool cover -html=ci/out/coverage.prof -o=ci/out/coverage.html
   cd ./internal/thirdparty
   go test "$@" ./...
 )
+
+(
+  GOARCH=arm64 go test -c -o ./ci/out/websocket-arm64.test "$@" .
+  if [ "$#" -eq 0 ]; then
+    if [ "${CI-}" ]; then
+      sudo apt-get update
+      sudo apt-get install -y qemu-user-static
+	  ln -s /usr/bin/qemu-aarch64-static /usr/local/bin/qemu-aarch64
+    fi
+    qemu-aarch64 ./ci/out/websocket-arm64.test -test.run=TestMask
+  fi
+)
+
+
+go install github.com/agnivade/wasmbrowsertest@8be019f6c6dceae821467b4c589eb195c2b761ce
+go test --race --bench=. --timeout=1h --covermode=atomic --coverprofile=ci/out/coverage.prof --coverpkg=./... "$@" ./...
+sed -i.bak '/stringer\.go/d' ci/out/coverage.prof
+sed -i.bak '/nhooyr.io\/websocket\/internal\/test/d' ci/out/coverage.prof
+sed -i.bak '/examples/d' ci/out/coverage.prof
+
+# Last line is the total coverage.
+go tool cover -func ci/out/coverage.prof | tail -n1
+
+go tool cover -html=ci/out/coverage.prof -o=ci/out/coverage.html

close.go

@@ -8,10 +8,10 @@ import (
 	"encoding/binary"
 	"errors"
 	"fmt"
-	"log"
+	"net"
 	"time"
 
-	"nhooyr.io/websocket/internal/errd"
+	"github.com/coder/websocket/internal/errd"
 )
 
 // StatusCode represents a WebSocket status code.
@@ -93,73 +93,110 @@ func CloseStatus(err error) StatusCode {
 // The connection can only be closed once. Additional calls to Close
 // are no-ops.
 //
-// The maximum length of reason must be 125 bytes. Avoid
-// sending a dynamic reason.
+// The maximum length of reason must be 125 bytes. Avoid sending a dynamic reason.
 //
 // Close will unblock all goroutines interacting with the connection once
 // complete.
-func (c *Conn) Close(code StatusCode, reason string) error {
-	return c.closeHandshake(code, reason)
+func (c *Conn) Close(code StatusCode, reason string) (err error) {
+	defer errd.Wrap(&err, "failed to close WebSocket")
+
+	if c.casClosing() {
+		err = c.waitGoroutines()
+		if err != nil {
+			return err
+		}
+		return net.ErrClosed
+	}
+	defer func() {
+		if errors.Is(err, net.ErrClosed) {
+			err = nil
+		}
+	}()
+
+	err = c.closeHandshake(code, reason)
+
+	err2 := c.close()
+	if err == nil && err2 != nil {
+		err = err2
+	}
+
+	err2 = c.waitGoroutines()
+	if err == nil && err2 != nil {
+		err = err2
+	}
+
+	return err
 }
 
-func (c *Conn) closeHandshake(code StatusCode, reason string) (err error) {
-	defer errd.Wrap(&err, "failed to close WebSocket")
+// CloseNow closes the WebSocket connection without attempting a close handshake.
+// Use when you do not want the overhead of the close handshake.
+func (c *Conn) CloseNow() (err error) {
+	defer errd.Wrap(&err, "failed to immediately close WebSocket")
 
-	writeErr := c.writeClose(code, reason)
-	closeHandshakeErr := c.waitCloseHandshake()
+	if c.casClosing() {
+		err = c.waitGoroutines()
+		if err != nil {
+			return err
+		}
+		return net.ErrClosed
+	}
+	defer func() {
+		if errors.Is(err, net.ErrClosed) {
+			err = nil
+		}
+	}()
+
+	err = c.close()
 
-	if writeErr != nil {
-		return writeErr
+	err2 := c.waitGoroutines()
+	if err == nil && err2 != nil {
+		err = err2
 	}
+	return err
+}
 
-	if CloseStatus(closeHandshakeErr) == -1 {
-		return closeHandshakeErr
+func (c *Conn) closeHandshake(code StatusCode, reason string) error {
+	err := c.writeClose(code, reason)
+	if err != nil {
+		return err
 	}
 
+	err = c.waitCloseHandshake()
+	if CloseStatus(err) != code {
+		return err
+	}
 	return nil
 }
 
 func (c *Conn) writeClose(code StatusCode, reason string) error {
-	c.closeMu.Lock()
-	wroteClose := c.wroteClose
-	c.wroteClose = true
-	c.closeMu.Unlock()
-	if wroteClose {
-		return errClosed
-	}
-
 	ce := CloseError{
 		Code:   code,
 		Reason: reason,
 	}
 
 	var p []byte
-	var marshalErr error
+	var err error
 	if ce.Code != StatusNoStatusRcvd {
-		p, marshalErr = ce.bytes()
-		if marshalErr != nil {
-			log.Printf("websocket: %v", marshalErr)
+		p, err = ce.bytes()
+		if err != nil {
+			return err
 		}
 	}
 
-	writeErr := c.writeControl(context.Background(), opClose, p)
-	if CloseStatus(writeErr) != -1 {
-		// Not a real error if it's due to a close frame being received.
-		writeErr = nil
-	}
-
-	// We do this after in case there was an error writing the close frame.
-	c.setCloseErr(fmt.Errorf("sent close frame: %w", ce))
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+	defer cancel()
 
-	if marshalErr != nil {
-		return marshalErr
+	err = c.writeControl(ctx, opClose, p)
+	// If the connection closed as we're writing we ignore the error as we might
+	// have written the close frame, the peer responded and then someone else read it
+	// and closed the connection.
+	if err != nil && !errors.Is(err, net.ErrClosed) {
+		return err
 	}
-	return writeErr
+	return nil
 }
 
 func (c *Conn) waitCloseHandshake() error {
-	defer c.close(nil)
-
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
 	defer cancel()
 
@@ -169,8 +206,11 @@ func (c *Conn) waitCloseHandshake() error {
 	}
 	defer c.readMu.unlock()
 
-	if c.readCloseFrameErr != nil {
-		return c.readCloseFrameErr
+	for i := int64(0); i < c.msgReader.payloadLength; i++ {
+		_, err := c.br.ReadByte()
+		if err != nil {
+			return err
+		}
 	}
 
 	for {
@@ -188,6 +228,36 @@ func (c *Conn) waitCloseHandshake() error {
 	}
 }
 
+func (c *Conn) waitGoroutines() error {
+	t := time.NewTimer(time.Second * 15)
+	defer t.Stop()
+
+	select {
+	case <-c.timeoutLoopDone:
+	case <-t.C:
+		return errors.New("failed to wait for timeoutLoop goroutine to exit")
+	}
+
+	c.closeReadMu.Lock()
+	closeRead := c.closeReadCtx != nil
+	c.closeReadMu.Unlock()
+	if closeRead {
+		select {
+		case <-c.closeReadDone:
+		case <-t.C:
+			return errors.New("failed to wait for close read goroutine to exit")
+		}
+	}
+
+	select {
+	case <-c.closed:
+	case <-t.C:
+		return errors.New("failed to wait for connection to be closed")
+	}
+
+	return nil
+}
+
 func parseClosePayload(p []byte) (CloseError, error) {
 	if len(p) == 0 {
 		return CloseError{
@@ -258,16 +328,8 @@ func (ce CloseError) bytesErr() ([]byte, error) {
 	return buf, nil
 }
 
-func (c *Conn) setCloseErr(err error) {
-	c.closeMu.Lock()
-	c.setCloseErrLocked(err)
-	c.closeMu.Unlock()
-}
-
-func (c *Conn) setCloseErrLocked(err error) {
-	if c.closeErr == nil {
-		c.closeErr = fmt.Errorf("WebSocket closed: %w", err)
-	}
+func (c *Conn) casClosing() bool {
+	return c.closing.Swap(true)
 }
 
 func (c *Conn) isClosed() bool {

close_go113.go

-//go:build !go1.16 && !js
-
-package websocket
-
-import (
-	"errors"
-)
-
-var errClosed = errors.New("use of closed network connection")

close_go116.go

-//go:build go1.16 && !js
-
-package websocket
-
-import (
-	"net"
-)
-
-var errClosed = net.ErrClosed

close_test.go

@@ -9,7 +9,7 @@ import (
 	"strings"
 	"testing"
 
-	"nhooyr.io/websocket/internal/test/assert"
+	"github.com/coder/websocket/internal/test/assert"
 )
 
 func TestCloseError(t *testing.T) {