'use strict'; let Cookies = require('cookies'); let express = require('express'); let bodyParser = require('body-parser'); let Error = require('http-errors'); let Path = require('path'); let Middleware = require('./middleware'); let Notify = require('./notify'); let Utils = require('./utils'); let expect_json = Middleware.expect_json; let match = Middleware.match; let media = Middleware.media; let validate_name = Middleware.validate_name; let validate_pkg = Middleware.validate_package; module.exports = function(config, auth, storage) { let app = express.Router(); let can = Middleware.allow(auth); let notify = Notify.notify; // validate all of these params as a package name // this might be too harsh, so ask if it causes trouble app.param('package', validate_pkg); app.param('filename', validate_name); app.param('tag', validate_name); app.param('version', validate_name); app.param('revision', validate_name); app.param('token', validate_name); // these can't be safely put into express url for some reason app.param('_rev', match(/^-rev$/)); app.param('org_couchdb_user', match(/^org\.couchdb\.user:/)); app.param('anything', match(/.*/)); app.use(auth.basic_middleware()); // app.use(auth.bearer_middleware()) app.use(bodyParser.json({strict: false, limit: config.max_body_size || '10mb'})); app.use(Middleware.anti_loop(config)); // encode / in a scoped package name to be matched as a single parameter in routes app.use(function(req, res, next) { if (req.url.indexOf('@') != -1) { // e.g.: /@org/pkg/1.2.3 -> /@org%2Fpkg/1.2.3, /@org%2Fpkg/1.2.3 -> /@org%2Fpkg/1.2.3 req.url = req.url.replace(/^(\/@[^\/%]+)\/(?!$)/, '$1%2F'); } next(); }); // for "npm whoami" app.get('/whoami', function(req, res, next) { if (req.headers.referer === 'whoami') { next({username: req.remote_user.name}); } else { next('route'); } }); app.get('/-/whoami', function(req, res, next) { next({username: req.remote_user.name}); }); // TODO: anonymous user? app.get('/:package/:version?', can('access'), function(req, res, next) { storage.get_package(req.params.package, {req: req}, function(err, info) { if (err) return next(err); info = Utils.filter_tarball_urls(info, req, config); let version = req.params.version; if (!version) return next(info); let t = Utils.get_version(info, version); if (t != null) return next(t); if (info['dist-tags'] != null) { if (info['dist-tags'][version] != null) { version = info['dist-tags'][version]; t = Utils.get_version(info, version); if (t != null) return next(t); } } return next( Error[404]('version not found: ' + req.params.version) ); }); }); app.get('/:package/-/:filename', can('access'), function(req, res, next) { let stream = storage.get_tarball(req.params.package, req.params.filename); stream.on('content-length', function(v) { res.header('Content-Length', v); }); stream.on('error', function(err) { return res.report_error(err); }); res.header('Content-Type', 'application/octet-stream'); stream.pipe(res); }); // searching packages app.get('/-/all(\/since)?', function(req, res, next) { let received_end = false; let response_finished = false; let processing_pkgs = 0; let firstPackage = true; res.status(200); /* * Offical NPM registry (registry.npmjs.org) no longer return whole database, * They only return packages matched with keyword in `referer: search pkg-name`, * And NPM client will request server in every search. * * The magic number 99999 was sent by NPM registry. Modify it may caused strange * behaviour in the future. * * BTW: NPM will not return result if user-agent does not contain string 'npm', * See: method 'request' in up-storage.js * * If there is no cache in local, NPM will request /-/all, then get response with * _updated: 99999, 'Date' in response header was Mon, 10 Oct 1983 00:12:48 GMT, * this will make NPM always query from server * * Data structure also different, whel request /-/all, response is an object, but * when request /-/all/since, response is an array */ const respShouldBeArray = req.path.endsWith('/since'); res.set('Date', 'Mon, 10 Oct 1983 00:12:48 GMT'); if (respShouldBeArray) { res.write('['); } else { res.write('{"_updated":' + 99999); } let stream = storage.search(req.query.startkey || 0, {req: req}); stream.on('data', function each(pkg) { processing_pkgs++; auth.allow_access(pkg.name, req.remote_user, function(err, allowed) { processing_pkgs--; if (err) { if (err.status && String(err.status).match(/^4\d\d$/)) { // auth plugin returns 4xx user error, // that's equivalent of !allowed basically allowed = false; } else { stream.abort(err); } } if (allowed) { if (respShouldBeArray) { res.write(`${firstPackage ? '' : ','}${JSON.stringify(pkg)}\n`); if (firstPackage) { firstPackage = false; } } else { res.write(',\n' + JSON.stringify(pkg.name) + ':' + JSON.stringify(pkg)); } } check_finish(); }); }); stream.on('error', function(_err) { res.socket.destroy(); }); stream.on('end', function() { received_end = true; check_finish(); }); function check_finish() { if (!received_end) return; if (processing_pkgs) return; if (response_finished) return; response_finished = true; if (respShouldBeArray) { res.end(']\n'); } else { res.end('}\n'); } } }); // placeholder 'cause npm require to be authenticated to publish // we do not do any real authentication yet app.post('/_session', Cookies.express(), function(req, res, next) { res.cookies.set('AuthSession', String(Math.random()), { // npmjs.org sets 10h expire expires: new Date(Date.now() + 10*60*60*1000), }); next({ok: true, name: 'somebody', roles: []}); }); app.get('/-/user/:org_couchdb_user', function(req, res, next) { res.status(200); next({ ok: 'you are authenticated as "' + req.remote_user.name + '"', }); }); app.put('/-/user/:org_couchdb_user/:_rev?/:revision?', function(req, res, next) { let token = (req.body.name && req.body.password) ? auth.aes_encrypt(req.body.name + ':' + req.body.password).toString('base64') : undefined; if (req.remote_user.name != null) { res.status(201); return next({ ok: 'you are authenticated as \'' + req.remote_user.name + '\'', // token: auth.issue_token(req.remote_user), token: token, }); } else { if (typeof(req.body.name) !== 'string' || typeof(req.body.password) !== 'string') { if (typeof(req.body.password_sha)) { return next( Error[422]('your npm version is outdated\nPlease update to npm@1.4.5 or greater.\nSee https://github.com/rlidwka/sinopia/issues/93 for details.') ); } else { return next( Error[422]('user/password is not found in request (npm issue?)') ); } } auth.add_user(req.body.name, req.body.password, function(err, user) { if (err) { if (err.status >= 400 && err.status < 500) { // With npm registering is the same as logging in, // and npm accepts only an 409 error. // So, changing status code here. return next( Error[409](err.message) ); } return next(err); } req.remote_user = user; res.status(201); return next({ ok: 'user \'' + req.body.name + '\' created', // token: auth.issue_token(req.remote_user), token: token, }); }); } }); app.delete('/-/user/token/*', function(req, res, next) { res.status(200); next({ ok: 'Logged out', }); }); function tag_package_version(req, res, next) { if (typeof(req.body) !== 'string') return next('route'); let tags = {}; tags[req.params.tag] = req.body; storage.merge_tags(req.params.package, tags, function(err) { if (err) return next(err); res.status(201); return next({ok: 'package tagged'}); }); } // tagging a package app.put('/:package/:tag', can('publish'), media('application/json'), tag_package_version); app.post('/-/package/:package/dist-tags/:tag', can('publish'), media('application/json'), tag_package_version); app.put('/-/package/:package/dist-tags/:tag', can('publish'), media('application/json'), tag_package_version); app.delete('/-/package/:package/dist-tags/:tag', can('publish'), function(req, res, next) { let tags = {}; tags[req.params.tag] = null; storage.merge_tags(req.params.package, tags, function(err) { if (err) return next(err); res.status(201); return next({ok: 'tag removed'}); }); }); app.get('/-/package/:package/dist-tags', can('access'), function(req, res, next) { storage.get_package(req.params.package, {req: req}, function(err, info) { if (err) return next(err); next(info['dist-tags']); }); }); app.post('/-/package/:package/dist-tags', can('publish'), media('application/json'), expect_json, function(req, res, next) { storage.merge_tags(req.params.package, req.body, function(err) { if (err) return next(err); res.status(201); return next({ok: 'tags updated'}); }); }); app.put('/-/package/:package/dist-tags', can('publish'), media('application/json'), expect_json, function(req, res, next) { storage.replace_tags(req.params.package, req.body, function(err) { if (err) return next(err); res.status(201); return next({ok: 'tags updated'}); }); }); app.delete('/-/package/:package/dist-tags', can('publish'), media('application/json'), function(req, res, next) { storage.replace_tags(req.params.package, {}, function(err) { if (err) return next(err); res.status(201); return next({ok: 'tags removed'}); }); }); // publishing a package app.put('/:package/:_rev?/:revision?', can('publish'), media('application/json'), expect_json, function(req, res, next) { let name = req.params.package; if (Object.keys(req.body).length == 1 && Utils.is_object(req.body.users)) { // 501 status is more meaningful, but npm doesn't show error message for 5xx return next( Error[404]('npm star|unstar calls are not implemented') ); } try { var metadata = Utils.validate_metadata(req.body, name); } catch(err) { return next( Error[422]('bad incoming package data') ); } if (req.params._rev) { storage.change_package(name, metadata, req.params.revision, function(err) { after_change(err, 'package changed'); }); } else { storage.add_package(name, metadata, function(err) { after_change(err, 'created new package'); }); } function after_change(err, ok_message) { // old npm behaviour if (metadata._attachments == null) { if (err) return next(err); res.status(201); return next({ok: ok_message}); } // npm-registry-client 0.3+ embeds tarball into the json upload // https://github.com/isaacs/npm-registry-client/commit/e9fbeb8b67f249394f735c74ef11fe4720d46ca0 // issue #31, dealing with it here: if (typeof(metadata._attachments) !== 'object' || Object.keys(metadata._attachments).length !== 1 || typeof(metadata.versions) !== 'object' || Object.keys(metadata.versions).length !== 1) { // npm is doing something strange again // if this happens in normal circumstances, report it as a bug return next( Error[400]('unsupported registry call') ); } if (err && err.status != 409) return next(err); // at this point document is either created or existed before let t1 = Object.keys(metadata._attachments)[0]; create_tarball(Path.basename(t1), metadata._attachments[t1], function(err) { if (err) return next(err); let t2 = Object.keys(metadata.versions)[0]; metadata.versions[t2].readme = metadata.readme != null ? String(metadata.readme) : ''; create_version(t2, metadata.versions[t2], function(err) { if (err) return next(err); add_tags(metadata['dist-tags'], function(err) { if (err) return next(err); notify(metadata, config); res.status(201); return next({ok: ok_message}); }); }); }); } function create_tarball(filename, data, cb) { let stream = storage.add_tarball(name, filename); stream.on('error', function(err) { cb(err); }); stream.on('success', function() { cb(); }); // this is dumb and memory-consuming, but what choices do we have? stream.end(new Buffer(data.data, 'base64')); stream.done(); } function create_version(version, data, cb) { storage.add_version(name, version, data, null, cb); } function add_tags(tags, cb) { storage.merge_tags(name, tags, cb); } }); // unpublishing an entire package app.delete('/:package/-rev/*', can('publish'), function(req, res, next) { storage.remove_package(req.params.package, function(err) { if (err) return next(err); res.status(201); return next({ok: 'package removed'}); }); }); // removing a tarball app.delete('/:package/-/:filename/-rev/:revision', can('publish'), function(req, res, next) { storage.remove_tarball(req.params.package, req.params.filename, req.params.revision, function(err) { if (err) return next(err); res.status(201); return next({ok: 'tarball removed'}); }); }); // uploading package tarball app.put('/:package/-/:filename/*', can('publish'), media('application/octet-stream'), function(req, res, next) { let name = req.params.package; let stream = storage.add_tarball(name, req.params.filename); req.pipe(stream); // checking if end event came before closing let complete = false; req.on('end', function() { complete = true; stream.done(); }); req.on('close', function() { if (!complete) { stream.abort(); } }); stream.on('error', function(err) { return res.report_error(err); }); stream.on('success', function() { res.status(201); return next({ ok: 'tarball uploaded successfully', }); }); }); // adding a version app.put('/:package/:version/-tag/:tag', can('publish'), media('application/json'), expect_json, function(req, res, next) { let name = req.params.package; let version = req.params.version; let tag = req.params.tag; storage.add_version(name, version, req.body, tag, function(err) { if (err) return next(err); res.status(201); return next({ok: 'package published'}); }); }); return app; };