WBO

WBO is an online collaborative whiteboard that allows many users to draw simultaneously on a large virtual board. The board is updated in real time for all connected users, and its state is always persisted. It can be used for many different purposes, including art, entertainment, design, teaching.

A demonstration server is available at wbo.ophir.dev

Screenshots

The anonymous board		collaborative diagram editing
teaching math on WBO		drawing art

Running your own instance of WBO

If you have your own web server, and want to run a private instance of WBO on it, you can. It should be very easy to get it running on your own server.

Running the code in a container (safer)

If you use the docker containerization service, you can easily run WBO as a container. An official docker image for WBO is hosted on dockerhub as lovasoa/wbo: .

You can run the following bash command to launch WBO on port 5001, while persisting the boards outside of docker:

mkdir wbo-boards # Create a directory that will contain your whiteboards
chown -R 1000:1000 wbo-boards # Make this directory accessible to WBO
docker run -it --publish 5001:80 --volume "$(pwd)/wbo-boards:/opt/app/server-data" lovasoa/wbo:latest # run wbo

You can then access WBO at http://localhost:5001.

The official Docker image defaults WBO_IP_SOURCE to X-Forwarded-For, which matches the common Docker/Dokku deployment pattern behind a reverse proxy. If you expose the container directly without a trusted proxy in front of it, override this with -e WBO_IP_SOURCE=remoteAddress.

Running the code without a container

Alternatively, you can run the code with node.js directly, without docker.

First, download the sources:

git clone https://github.com/lovasoa/whitebophir.git
cd whitebophir

Then install node.js (v22 or superior) if you don't have it already, then install WBO's dependencies:

npm install --production

Finally, you can start the server:

PORT=5001 npm start

This will run WBO directly on your machine, on port 5001, without any isolation from the other services. You can also use an invokation like

PORT=5001 HOST=127.0.0.1 npm start

to make whitebophir only listen on the loopback device. This is useful if you want to put whitebophir behind a reverse proxy.

Running WBO on a subfolder

By default, WBO launches its own web server and serves all of its content at the root of the server (on /). If you want to make the server accessible with a different path like https://your.domain.com/wbo/ you have to setup a reverse proxy. See instructions on our Wiki about how to setup a reverse proxy for WBO.

Translations

WBO is available in multiple languages. The translations are stored in server/translations.json. If you feel like contributing to this collaborative project, you can translate WBO into your own language.

Authentication

WBO supports authentication using Json Web Tokens. Pass the token as a token query parameter, for example http://myboard.com/boards/test?token={token}.

The AUTH_SECRET_KEY variable in configuration.js should be filled with the secret key for the JWT.

Roles

WBO recognizes two privileged roles:

• editor: can modify accessible boards.
• moderator: can modify accessible boards and use the Clear tool.

Roles are declared in the JWT payload:

{
  "iat": 1516239022,
  "exp": 1516298489,
  "roles": ["editor"]
}

Moderators have access to the Clear tool, which wipes all content from the board.

Board Visibility / Access

If AUTH_SECRET_KEY is not set, boards are visible to anyone who knows the URL.

If AUTH_SECRET_KEY is set, opening a board requires a valid token. You can then restrict which board names a token may open by adding :<boardName> to a claim:

{
  "roles": ["editor:board-a", "moderator:board-b", "reader:board-c"]
}

• editor:<boardName> allows editing that board.
• moderator:<boardName> allows moderating that board.
• reader:<boardName> allows opening that board without granting editor or moderator privileges.

For example, http://myboard.com/boards/mySecretBoardName?token={token} with:

{
  "iat": 1516239022,
  "exp": 1516298489,
  "roles": ["moderator:mySecretBoardName"]
}

If a token contains any board-scoped claims, it can only open the boards named in those claims.

Board Editability / Read-Only

Board visibility and board editability are separate.

• A writable board accepts writes from users who can access it.
• A read-only board can be opened by users who have access to it.
• On a read-only board, only editor and moderator claims may write.
• On instances without JWT authentication, a read-only board blocks all writes because there is no authenticated editor or moderator identity.

Read-only state is stored in the board JSON file itself under the reserved key __wbo_meta__:

{
  "__wbo_meta__": {
    "readonly": true
  }
}

How To Change Board Visibility

• Without JWT auth: visibility is controlled by sharing or not sharing the board URL.
• With JWT auth: visibility is controlled by the token you issue. Add or remove board-scoped claims to decide which boards a token may open.
• Use editor or moderator claims for users who should write.
• Use reader:<boardName> for users who should only view a read-only board.

How To Change A Board Between Writable And Read-Only

1. Find the board file in WBO_HISTORY_DIR. The filename is board-${encodeURIComponent(boardName)}.json.
2. Add or update the __wbo_meta__.readonly flag in that file.
3. Reload the board after it is unloaded from memory, or restart the server, so the new state is picked up.
4. Remove the flag or set it to false to make the board writable.

Configuration

When you start a WBO server, it loads its configuration from several environment variables. You can see a list of these variables in configuration.js. Some important environment variables are :

• WBO_HISTORY_DIR : configures the directory where the boards are saved. Defaults to ./server-data/.
• WBO_MAX_EMIT_COUNT : the maximum number of messages that a client can send per unit of time. Increase this value if you want smoother drawings, at the expense of being susceptible to denial of service attacks if your server does not have enough processing power. By default, the units of this quantity are messages per 4 seconds, and the default value is 192.
• WBO_MAX_DESTRUCTIVE_ACTIONS_PER_IP : the maximum number of delete-like actions (delete, clear, and batched child deletes) accepted from one resolved client IP during WBO_MAX_DESTRUCTIVE_ACTIONS_PERIOD_MS. The default is 100.
• WBO_MAX_DESTRUCTIVE_ACTIONS_PERIOD_MS : the destructive-action rate-limit window in milliseconds. The default is 60000.
• WBO_IP_SOURCE : which request attribute to trust for client IP based limits and logs. Accepted values are remoteAddress, X-Forwarded-For, and Forwarded. The application defaults to remoteAddress; the official Docker image defaults to X-Forwarded-For.
• AUTH_SECRET_KEY : If you would like to authenticate your boards using jwt, this declares the secret key.

Troubleshooting

If you experience an issue or want to propose a new feature in WBO, please open a github issue.

Monitoring

If you are self-hosting a WBO instance, you may want to monitor its load, the number of connected users, and various other metrics.

You can start WBO with the STATSD_URL environment variable to send it to a statsd-compatible metrics collection agent.

Example: docker run -e STATSD_URL=udp://127.0.0.1:8125 lovasoa/wbo.

• If you use prometheus, you can collect the metrics with statsd-exporter.
• If you use datadog, you can collect the metrics with dogstatsd.

Download SVG preview

To download a preview of a board in SVG format you can got to /preview/{boardName}, e.g. change https://wbo.ophir.dev/board/anonymous to https://wbo.ophir.dev/preview/anonymous. The renderer is not 100% faithful, but it's often good enough.