Better error message for invalid queries

server/PackageURL.js

@@ -3,37 +3,16 @@ const url = require('url')
 const URLFormat = /^\/((?:@[^\/@]+\/)?[^\/@]+)(?:@([^\/]+))?(\/.*)?$/
 
 function decodeParam(param) {
-  if (param) {
+  try {
-    try {
+    return decodeURIComponent(param)
-      return decodeURIComponent(param) : ''
+  } catch (error) {
-    } catch (error) {
+    return null
-      // Ignore param parsing errors.
-    }
   }
-
-  return null
-}
-
-const ValidQueryKeys = {
-  main: true,
-  meta: true,
-  json: true
-}
-
-function queryIsValid(query) {
-  return Object.keys(query).every(function (key) {
-    return ValidQueryKeys[key]
-  })
 }
 
 function parsePackageURL(packageURL) {
   const { pathname, search, query } = url.parse(packageURL, true)
 
-  // Do not allow unrecognized query parameters because
-  // some people use them to bust the cache.
-  if (!queryIsValid(query))
-    return null
-
   const match = URLFormat.exec(pathname)
 
   if (match == null)

server/middleware/parseURL.js

@@ -1,5 +1,17 @@
 const PackageURL = require('../PackageURL')
 
+const ValidQueryKeys = {
+  main: true,
+  meta: true,
+  json: true // deprecated
+}
+
+function queryIsValid(query) {
+  return Object.keys(query).every(function (key) {
+    return ValidQueryKeys[key]
+  })
+}
+
 /**
  * Parse and validate the URL.
  */
@@ -9,6 +21,11 @@ function parseURL(req, res, next) {
   if (url == null)
     return res.status(403).send(`Invalid URL: ${req.url}`)
 
+  // Do not allow unrecognized query parameters because
+  // some people use them to bust the cache.
+  if (!queryIsValid(url.query))
+    return res.status(403).send(`Invalid query: ${JSON.stringify(url.query)}`)
+
   req.packageName = url.packageName
   req.packageVersion = url.packageVersion
   req.packageSpec = `${req.packageName}@${req.packageVersion}`