verdaccio/lib/middleware.js

var crypto = require('crypto')
  , utils = require('./utils')
  , UError = require('./error').UserError
  , Logger = require('./logger')

module.exports.validate_name = function validate_name(req, res, next, value, name) {
	if (value.charAt(0) === '-') {
		// special case in couchdb usually
		next('route')
	} else if (utils.validate_name(value)) {
		next()
	} else {
		next(new UError({
			status: 403,
			msg: 'invalid ' + name,
		}))
	}
}

module.exports.media = function media(expect) {
	return function(req, res, next) {
		if (req.headers['content-type'] !== expect) {
			next(new UError({
				status: 415,
				msg: 'wrong content-type, expect: '+expect+', got: '+req.headers['content-type'],
			}))
		} else {
			next()
		}
	}
}

module.exports.expect_json = function expect_json(req, res, next) {
	if (!utils.is_object(req.body)) {
		return next({
			status: 400,
			msg: 'can\'t parse incoming json',
		})
	}
	next()
}

module.exports.basic_auth = function basic_auth(callback) {
	return function(req, res, _next) {
		req.pause()
		function next(err) {
			req.resume()
			// uncomment this to reject users with bad auth headers
			//return _next.apply(null, arguments)

			// swallow error, user remains unauthorized
			// set remoteUserError to indicate that user was attempting authentication
			if (err) req.remoteUserError = err.msg
			return _next()
		}

		var authorization = req.headers.authorization

		if (req.remoteUser != null) return next()
		if (authorization == null) return next()

		var parts = authorization.split(' ')

		if (parts.length !== 2) return next({
			status: 400,
			msg: 'bad authorization header',
		})

		var scheme = parts[0]
		  , credentials = new Buffer(parts[1], 'base64').toString()
		  , index = credentials.indexOf(':')

		if (scheme !== 'Basic' || index < 0) return next({
			status: 400,
			msg: 'bad authorization header',
		})

		var user = credentials.slice(0, index)
		  , pass = credentials.slice(index + 1)

		callback(user, pass, function(err, is_ok) {
			if (err) return next(err)
			if (is_ok) {
				req.remoteUser = user
				next()
			} else {
				next({
					status: 403,
					msg: 'bad username/password, access denied',
				})
			}
		})
	}
}

module.exports.anti_loop = function(config) {
	return function(req, res, next) {
		if (req.headers.via != null) {
			var arr = req.headers.via.split(',')
			for (var i=0; i<arr.length; i++) {
				var m = arr[i].match(/\s*(\S+)\s+(\S+)/)
				if (m && m[2] === config.server_id) {
					return next(new UError({
						status: 508,
						msg: 'loop detected',
					}))
				}
			}
		}
		next()
	}
}

// express doesn't do etags with requests <= 1024b
// we use md5 here, it works well on 1k+ bytes, but sucks with fewer data
// could improve performance using crc32 after benchmarks
function md5sum(data) {
	return crypto.createHash('md5').update(data).digest('hex')
}

module.exports.log_and_etagify = function(req, res, next) {
	// logger
	req.log = Logger.logger.child({sub: 'in'})

	var _auth = req.headers.authorization
	if (_auth) req.headers.authorization = '<Classified>'
	req.log.info({req: req, ip: req.ip}, '@{ip} requested \'@{req.method} @{req.url}\'')
	if (_auth) req.headers.authorization = _auth

	var bytesin = 0
	req.on('data', function(chunk) {
		bytesin += chunk.length
	})

	var _send = res.send
	res.send = function(body) {
		try {
			if (typeof(body) === 'string' || typeof(body) === 'object') {
				res.header('Content-type', 'application/json')

				if (typeof(body) === 'object' && body != null) {
					if (typeof(body.error) === 'string') {
						res._sinopia_error = body.error
					}
					body = JSON.stringify(body, undefined, '\t') + '\n'
				}

				// don't send etags with errors
				if (!res.statusCode || (res.statusCode >= 200 && res.statusCode < 300)) {
					res.header('ETag', '"' + md5sum(body) + '"')
				}
			} else {
				// send(null), send(204), etc.
			}
		} catch(err) {
			// if sinopia sends headers first, and then calls res.send()
			// as an error handler, we can't report error properly,
			// and should just close socket
			if (err.message.match(/set headers after they are sent/)) {
				return res.socket.destroy()
			} else {
				throw err
			}
		}

		res.send = _send
		res.send(body)
	}

	var bytesout = 0
	  , _write = res.write
	res.write = function(buf) {
		bytesout += buf.length
		_write.apply(res, arguments)
	}

	function log() {
		var msg = '@{status}, user: @{user}, req: \'@{request.method} @{request.url}\''
		if (res._sinopia_error) {
			msg += ', error: @{!error}'
		} else {
			msg += ', bytes: @{bytes.in}/@{bytes.out}'
		}
		req.log.warn({
			request: {method: req.method, url: req.url},
			level: 35, // http
			user: req.remoteUser,
			status: res.statusCode,
			error: res._sinopia_error,
			bytes: {
				in: bytesin,
				out: bytesout,
			}
		}, msg)
	}

	req.on('close', function() {
		log(true)
	})

	var _end = res.end
	res.end = function(buf) {
		if (buf) bytesout += buf.length
		_end.apply(res, arguments)
		log()
	}
	next()
}
style fix 2013-10-26 14:18:36 +02:00			`var crypto = require('crypto')`
			`, utils = require('./utils')`
			`, UError = require('./error').UserError`
			`, Logger = require('./logger')`
name change + a lot of work... 2013-06-08 03:16:28 +02:00
			`module.exports.validate_name = function validate_name(req, res, next, value, name) {`
validate all url parameters better 2014-02-01 09:08:48 +01:00			`if (value.charAt(0) === '-') {`
			`// special case in couchdb usually`
			`next('route')`
			`} else if (utils.validate_name(value)) {`
style fix 2013-10-26 14:18:36 +02:00			`next()`
name change + a lot of work... 2013-06-08 03:16:28 +02:00			`} else {`
working on storage... 2013-06-14 10:34:29 +02:00			`next(new UError({`
name change + a lot of work... 2013-06-08 03:16:28 +02:00			`status: 403,`
better error message for incorrect package names 2013-12-15 00:09:55 +01:00			`msg: 'invalid ' + name,`
style fix 2013-10-26 14:18:36 +02:00			`}))`
name change + a lot of work... 2013-06-08 03:16:28 +02:00			`}`
style fix 2013-10-26 14:18:36 +02:00			`}`
name change + a lot of work... 2013-06-08 03:16:28 +02:00
			`module.exports.media = function media(expect) {`
			`return function(req, res, next) {`
			`if (req.headers['content-type'] !== expect) {`
working on storage... 2013-06-14 10:34:29 +02:00			`next(new UError({`
name change + a lot of work... 2013-06-08 03:16:28 +02:00			`status: 415,`
showing expected content type in errors 2013-09-27 10:55:42 +02:00			`msg: 'wrong content-type, expect: '+expect+', got: '+req.headers['content-type'],`
style fix 2013-10-26 14:18:36 +02:00			`}))`
name change + a lot of work... 2013-06-08 03:16:28 +02:00			`} else {`
style fix 2013-10-26 14:18:36 +02:00			`next()`
name change + a lot of work... 2013-06-08 03:16:28 +02:00			`}`
			`}`
			`}`

			`module.exports.expect_json = function expect_json(req, res, next) {`
added utils.is_object function for convenience 2013-10-22 09:29:57 +02:00			`if (!utils.is_object(req.body)) {`
name change + a lot of work... 2013-06-08 03:16:28 +02:00			`return next({`
			`status: 400,`
			`msg: 'can\'t parse incoming json',`
style fix 2013-10-26 14:18:36 +02:00			`})`
name change + a lot of work... 2013-06-08 03:16:28 +02:00			`}`
style fix 2013-10-26 14:18:36 +02:00			`next()`
name change + a lot of work... 2013-06-08 03:16:28 +02:00			`}`

			`module.exports.basic_auth = function basic_auth(callback) {`
swallow bad auth errors, fixes #17 2013-12-06 18:46:51 +01:00			`return function(req, res, _next) {`
basic support for .htpasswd 2014-06-26 18:21:23 +02:00			`req.pause()`
swallow bad auth errors, fixes #17 2013-12-06 18:46:51 +01:00			`function next(err) {`
basic support for .htpasswd 2014-06-26 18:21:23 +02:00			`req.resume()`
swallow bad auth errors, fixes #17 2013-12-06 18:46:51 +01:00			`// uncomment this to reject users with bad auth headers`
			`//return _next.apply(null, arguments)`
tag support, closes #8 2013-12-29 07:41:31 +01:00
swallow bad auth errors, fixes #17 2013-12-06 18:46:51 +01:00			`// swallow error, user remains unauthorized`
better error message when publishing with bad auth header 2013-12-15 21:38:16 +01:00			`// set remoteUserError to indicate that user was attempting authentication`
			`if (err) req.remoteUserError = err.msg`
swallow bad auth errors, fixes #17 2013-12-06 18:46:51 +01:00			`return _next()`
			`}`

style fix 2013-10-26 14:18:36 +02:00			`var authorization = req.headers.authorization`
name change + a lot of work... 2013-06-08 03:16:28 +02:00
swallow bad auth errors, fixes #17 2013-12-06 18:46:51 +01:00			`if (req.remoteUser != null) return next()`
			`if (authorization == null) return next()`
name change + a lot of work... 2013-06-08 03:16:28 +02:00
style fix 2013-10-26 14:18:36 +02:00			`var parts = authorization.split(' ')`
name change + a lot of work... 2013-06-08 03:16:28 +02:00
			`if (parts.length !== 2) return next({`
			`status: 400,`
			`msg: 'bad authorization header',`
style fix 2013-10-26 14:18:36 +02:00			`})`
name change + a lot of work... 2013-06-08 03:16:28 +02:00
			`var scheme = parts[0]`
style fix 2013-12-19 04:18:45 +01:00			`, credentials = new Buffer(parts[1], 'base64').toString()`
			`, index = credentials.indexOf(':')`
name change + a lot of work... 2013-06-08 03:16:28 +02:00
move eslint config to yaml 2014-02-06 21:56:46 +01:00			`if (scheme !== 'Basic' \|\| index < 0) return next({`
name change + a lot of work... 2013-06-08 03:16:28 +02:00			`status: 400,`
			`msg: 'bad authorization header',`
style fix 2013-10-26 14:18:36 +02:00			`})`

name change + a lot of work... 2013-06-08 03:16:28 +02:00			`var user = credentials.slice(0, index)`
style fix 2013-12-19 04:18:45 +01:00			`, pass = credentials.slice(index + 1)`
name change + a lot of work... 2013-06-08 03:16:28 +02:00
make authentication function async 2014-06-26 17:23:21 +02:00			`callback(user, pass, function(err, is_ok) {`
			`if (err) return next(err)`
			`if (is_ok) {`
			`req.remoteUser = user`
			`next()`
			`} else {`
			`next({`
			`status: 403,`
			`msg: 'bad username/password, access denied',`
			`})`
			`}`
			`})`
name change + a lot of work... 2013-06-08 03:16:28 +02:00			`}`
style fix 2013-10-26 14:18:36 +02:00			`}`
detecting http loops 2013-12-09 04:59:31 +01:00
			`module.exports.anti_loop = function(config) {`
			`return function(req, res, next) {`
			`if (req.headers.via != null) {`
			`var arr = req.headers.via.split(',')`
			`for (var i=0; i<arr.length; i++) {`
			`var m = arr[i].match(/\s*(\S+)\s+(\S+)/)`
			`if (m && m[2] === config.server_id) {`
			`return next(new UError({`
			`status: 508,`
			`msg: 'loop detected',`
			`}))`
			`}`
			`}`
			`}`
			`next()`
			`}`
			`}`
name change + a lot of work... 2013-06-08 03:16:28 +02:00
add md5 etags for json 2013-07-03 03:49:24 +02:00			`// express doesn't do etags with requests <= 1024b`
			`// we use md5 here, it works well on 1k+ bytes, but sucks with fewer data`
			`// could improve performance using crc32 after benchmarks`
			`function md5sum(data) {`
style fix 2013-10-26 14:18:36 +02:00			`return crypto.createHash('md5').update(data).digest('hex')`
add md5 etags for json 2013-07-03 03:49:24 +02:00			`}`

logging engine added, much better logs now 2013-10-11 07:32:59 +02:00			`module.exports.log_and_etagify = function(req, res, next) {`
			`// logger`
style fix 2013-10-26 14:18:36 +02:00			`req.log = Logger.logger.child({sub: 'in'})`
hide authorization header in logs 2013-10-12 16:37:47 +02:00
			`var _auth = req.headers.authorization`
			`if (_auth) req.headers.authorization = '<Classified>'`
			`req.log.info({req: req, ip: req.ip}, '@{ip} requested \'@{req.method} @{req.url}\'')`
			`if (_auth) req.headers.authorization = _auth`
logging engine added, much better logs now 2013-10-11 07:32:59 +02:00
style fix 2013-10-26 14:18:36 +02:00			`var bytesin = 0`
eslint version bump 2014-06-18 03:59:22 +02:00			`req.on('data', function(chunk) {`
			`bytesin += chunk.length`
			`})`
logging engine added, much better logs now 2013-10-11 07:32:59 +02:00
style fix 2013-10-26 14:18:36 +02:00			`var _send = res.send`
add md5 etags for json 2013-07-03 03:49:24 +02:00			`res.send = function(body) {`
fix crash in #52 2014-03-07 19:20:41 +01:00			`try {`
			`if (typeof(body) === 'string' \|\| typeof(body) === 'object') {`
			`res.header('Content-type', 'application/json')`

			`if (typeof(body) === 'object' && body != null) {`
fix logging: in search "error" can be legitimate output (package named "error"), not an actual error ref #65 2014-06-22 16:06:16 +02:00			`if (typeof(body.error) === 'string') {`
Revert "fix logs and tests for #56" This reverts commit df49fb84c1670fa629f69340d32a0dbafb8ee421. 2014-03-29 02:08:00 +01:00			`res._sinopia_error = body.error`
fix crash in #52 2014-03-07 19:20:41 +01:00			`}`
			`body = JSON.stringify(body, undefined, '\t') + '\n'`
			`}`
add md5 etags for json 2013-07-03 03:49:24 +02:00
fix crash in #52 2014-03-07 19:20:41 +01:00			`// don't send etags with errors`
			`if (!res.statusCode \|\| (res.statusCode >= 200 && res.statusCode < 300)) {`
			`res.header('ETag', '"' + md5sum(body) + '"')`
logging engine added, much better logs now 2013-10-11 07:32:59 +02:00			`}`
fix crash in #52 2014-03-07 19:20:41 +01:00			`} else {`
			`// send(null), send(204), etc.`
add md5 etags for json 2013-07-03 03:49:24 +02:00			`}`
fix crash in #52 2014-03-07 19:20:41 +01:00			`} catch(err) {`
			`// if sinopia sends headers first, and then calls res.send()`
			`// as an error handler, we can't report error properly,`
			`// and should just close socket`
			`if (err.message.match(/set headers after they are sent/)) {`
			`return res.socket.destroy()`
			`} else {`
			`throw err`
don't send etags with errors 2013-12-06 18:46:11 +01:00			`}`
add md5 etags for json 2013-07-03 03:49:24 +02:00			`}`
logging engine added, much better logs now 2013-10-11 07:32:59 +02:00
style fix 2013-10-26 14:18:36 +02:00			`res.send = _send`
			`res.send(body)`
logging didn't work on chunked output 2013-10-18 23:53:27 +02:00			`}`

			`var bytesout = 0`
style fix 2013-10-26 14:18:36 +02:00			`, _write = res.write`
logging didn't work on chunked output 2013-10-18 23:53:27 +02:00			`res.write = function(buf) {`
			`bytesout += buf.length`
			`_write.apply(res, arguments)`
			`}`

better error logging 2013-10-22 11:37:28 +02:00			`function log() {`
style fix 2013-10-26 14:18:36 +02:00			`var msg = '@{status}, user: @{user}, req: \'@{request.method} @{request.url}\''`
logging didn't work on chunked output 2013-10-18 23:53:27 +02:00			`if (res._sinopia_error) {`
style fix 2013-10-26 14:18:36 +02:00			`msg += ', error: @{!error}'`
logging engine added, much better logs now 2013-10-11 07:32:59 +02:00			`} else {`
style fix 2013-10-26 14:18:36 +02:00			`msg += ', bytes: @{bytes.in}/@{bytes.out}'`
logging engine added, much better logs now 2013-10-11 07:32:59 +02:00			`}`
			`req.log.warn({`
			`request: {method: req.method, url: req.url},`
			`level: 35, // http`
req.user -> req.remoteUser 2013-12-27 12:29:23 +01:00			`user: req.remoteUser,`
logging engine added, much better logs now 2013-10-11 07:32:59 +02:00			`status: res.statusCode,`
logging didn't work on chunked output 2013-10-18 23:53:27 +02:00			`error: res._sinopia_error,`
logging engine added, much better logs now 2013-10-11 07:32:59 +02:00			`bytes: {`
			`in: bytesin,`
logging didn't work on chunked output 2013-10-18 23:53:27 +02:00			`out: bytesout,`
logging engine added, much better logs now 2013-10-11 07:32:59 +02:00			`}`
style fix 2013-10-26 14:18:36 +02:00			`}, msg)`
better error logging 2013-10-22 11:37:28 +02:00			`}`

			`req.on('close', function() {`
			`log(true)`
			`})`

style fix 2013-10-26 14:18:36 +02:00			`var _end = res.end`
better error logging 2013-10-22 11:37:28 +02:00			`res.end = function(buf) {`
			`if (buf) bytesout += buf.length`
			`_end.apply(res, arguments)`
			`log()`
			`}`
			`next()`
add md5 etags for json 2013-07-03 03:49:24 +02:00			`}`