From 36efac099fc4d70fc24dbaf8f3617cf225812839 Mon Sep 17 00:00:00 2001
From: MICHAEL JACKSON
Date: Tue, 14 Nov 2017 16:47:57 -0800
Subject: [PATCH] Add support for scoped packages in blacklist URLs
---
 server/__tests__/server-test.js | 13 +++++++++
 server/actions/removeFromBlacklist.js | 19 ++++--------
 server/createServer.js | 39 ++++++++++++++++---------
 server/middleware/validatePackageURL.js | 25 ++++++++++++++++
 4 files changed, 69 insertions(+), 27 deletions(-)
 create mode 100644 server/middleware/validatePackageURL.js
diff --git a/server/__tests__/server-test.js b/server/__tests__/server-test.js
index edacad7..5bed007 100644
--- a/server/__tests__/server-test.js
+++ b/server/__tests__/server-test.js
@@ -199,6 +199,19 @@ describe('The server', () => {
 })
 })
 })
+
+ it('can remove a scoped package from the blacklist', done => {
+ withToken({ blacklist: { remove: true } }, token => {
+ request(server)
+ .delete('/_blacklist/@scope/bad-package')
+ .send({ token })
+ .end((err, res) => {
+ expect(res.statusCode).toBe(200)
+ expect(res.body.ok).toBe(true)
+ done()
+ })
+ })
+ })
 })
 })
 })
diff --git a/server/actions/removeFromBlacklist.js b/server/actions/removeFromBlacklist.js
index 1afa409..72aa62e 100644
--- a/server/actions/removeFromBlacklist.js
+++ b/server/actions/removeFromBlacklist.js
@@ -2,17 +2,7 @@ const validateNpmPackageName = require('validate-npm-package-name')
 const BlacklistAPI = require('../BlacklistAPI')
 function removeFromBlacklist(req, res) {
- const packageName = req.params.packageName
-
- const nameErrors = validateNpmPackageName(packageName).errors
-
- // Disallow invalid package names.
- if (nameErrors) {
- const reason = nameErrors.join(', ')
- return res.status(403).send({
- error: `Invalid package name "${packageName}" (${reason})`
- })
- }
+ const packageName = req.packageName
 BlacklistAPI.removePackage(packageName).then(
 removed => {
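Review bot: The test added in server/__tests__/server-test.js covers only the accepting path of the new route; nothing exercises the 403 branch that validatePackageURL introduces, which is now the only input check in front of blacklist removal. A companion case that sends a DELETE the parser rejects and asserts `expect(res.statusCode).toBe(403)` would pin that behaviour. The `.end((err, res) => …)` callback also ignores `err`, so a transport failure would show up as a TypeError on `res` instead of a clear test failure.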
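Review bot: In the first hunk of server/actions/removeFromBlacklist.js the handler stops calling `validateNpmPackageName` and trusts `req.packageName`, so name validation now depends entirely on what parsePackageURL accepts, which this patch does not show. If that parser is looser than validate-npm-package-name, names that were previously rejected with 403 will now reach `BlacklistAPI.removePackage`; keeping the name check inside validatePackageURL would preserve the old guarantee. The hunk header suggests `const validateNpmPackageName = require('validate-npm-package-name')` is still the first line of the file, which would leave an unused require. A comment such as `// req.packageName is set by the validatePackageURL middleware` would document the new dependency; the function body continues outside the hunk.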
@@ -25,13 +15,14 @@ function removeFromBlacklist(req, res) {
 res.send({
 ok: true,
- message: `Package "${packageName}" was ${removed
- ? 'removed from'
- : 'not in'} the blacklist`
+ message: `Package "${packageName}" was ${
+ removed ? 'removed from' : 'not in'
+ } the blacklist`
 })
 },
 error => {
 console.error(error)
+
 res.status(500).send({
 error: `Unable to remove "${packageName}" from the blacklist`
 })
diff --git a/server/createServer.js b/server/createServer.js
index adc3edb..a91878e 100644
--- a/server/createServer.js
+++ b/server/createServer.js
@@ -11,6 +11,7 @@ const parseURL = require('./middleware/parseURL')
 const requireAuth = require('./middleware/requireAuth')
 const serveFile = require('./middleware/serveFile')
 const userToken = require('./middleware/userToken')
+const validatePackageURL = require('./middleware/validatePackageURL')
 morgan.token('fwd', function(req) {
 return req.get('x-forwarded-for').replace(/\s/g, '')
@@ -27,6 +28,12 @@ function errorHandler(err, req, res, next) {
 next(err)
 }
+function createRouter(setup) {
+ const app = express.Router()
+ setup(app)
+ return app
+}
+
 function createServer() {
 const app = express()
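Review bot: `createRouter` in server/createServer.js names its local `app` although it holds an `express.Router()`, and the callback passed to it in the later hunk also takes `app`, which shadows the server's own `app` inside createServer. Renaming to `const router = express.Router()` and `createRouter(router => { … })` would make it clear which object each route is registered on. A one-line comment such as `// Builds a sub-router, lets setup() register routes on it, and returns it.` would cover the missing documentation.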
@@ -61,20 +68,26 @@ function createServer() {
 app.post('/_auth', require('./actions/createAuth'))
 app.get('/_auth', require('./actions/showAuth'))
- app.post(
+ app.use(
 '/_blacklist',
- requireAuth('blacklist.add'),
- require('./actions/addToBlacklist')
- )
- app.get(
- '/_blacklist',
- requireAuth('blacklist.read'),
- require('./actions/showBlacklist')
- )
- app.delete(
- '/_blacklist/:packageName',
- requireAuth('blacklist.remove'),
- require('./actions/removeFromBlacklist')
+ createRouter(app => {
+ app.post(
+ '/',
+ requireAuth('blacklist.add'),
+ require('./actions/addToBlacklist')
+ )
+ app.get(
+ '/',
+ requireAuth('blacklist.read'),
+ require('./actions/showBlacklist')
+ )
+ app.delete(
+ /.*/,
+ requireAuth('blacklist.remove'),
+ validatePackageURL,
+ require('./actions/removeFromBlacklist')
+ )
+ })
 )
 if (process.env.NODE_ENV !== 'test') {
diff --git a/server/middleware/validatePackageURL.js b/server/middleware/validatePackageURL.js
new file mode 100644
index 0000000..cc592ac
--- /dev/null
+++ b/server/middleware/validatePackageURL.js
@@ -0,0 +1,25 @@
+const parsePackageURL = require('../utils/parsePackageURL')
+
+/**
+ * Adds various properties to the request object to do with the
+ * package/file being requested.
+ */
+function validatePackageURL(req, res, next) {
+ const url = parsePackageURL(req.url)
+
+ if (url == null) {
+ return res.status(403).send({ error: `Invalid URL: ${req.url}` })
+ }
+
+ req.packageName = url.packageName
+ req.packageVersion = url.packageVersion
+ req.packageSpec = `${url.packageName}@${url.packageVersion}`
+ req.pathname = url.pathname
+ req.filename = url.filename
+ req.search = url.search
+ req.query = url.query
+
+ next()
+}
+
+module.exports = validatePackageURL
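Review bot: The `app.delete(/.*/, …)` route in server/createServer.js accepts every path below /_blacklist and hands it to validatePackageURL, which parses a full package URL (it sets `req.packageVersion`, `req.pathname` and `req.filename`), while removeFromBlacklist reads only `req.packageName`. A DELETE whose path carries a version or file part would therefore presumably remove the whole package entry instead of being refused; parsePackageURL is not shown, so this should be confirmed. A route-specific guard after validatePackageURL, along the lines of `if (req.filename) return res.status(403).send({ error: 'Expected a package name only' })`, would keep the endpoint's contract as narrow as the old `/:packageName` pattern. Keeping `requireAuth('blacklist.remove')` ahead of the parser, as done here, is the right order; createServer's body continues outside the hunk.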
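Review bot: `req.query = url.query` in server/middleware/validatePackageURL.js replaces the query object Express has already parsed, so any later handler on the route sees the parser's value instead. If that is intended it deserves a comment, otherwise a distinct property name avoids the clash. The doc comment says the middleware only adds properties, but it also ends the request with a 403 when parsePackageURL returns null, and it relies on `req.url` being relative to the router's mount path. Extending the comment with `Responds 403 when the URL cannot be parsed; req.url is relative to the mount point.` would state both.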