cors: Add specific support for supporting all origin

README.md

@@ -126,9 +126,9 @@ flaska.get('/api/test', function(ctx) {
 })
 ```
 
-### File stream/pipe
+### pipe
 
-In cases where the response body is a pipe object (detected from the existance of `.pipe` property), flaska will automatically pipe the file for you. In addition, if a file stream is used, it will read the extension of the file being streamed and automatically fill in the mime-type for you in the `Content-Type` header.
+In cases where the response body is a pipe object (detected from the existance of `.pipe` property), flaska will automatically pipe it for you. In addition, if a file stream is used, it will read the extension of the file being streamed and automatically fill in the mime-type for you in the `Content-Type` header.
 
 ```
 flaska.get('/test.png', function(ctx) {
@@ -138,6 +138,22 @@ flaska.get('/test.png', function(ctx) {
 
 Flaska will automatically close the file stream for you so you don't have to worry about that.
 
+### FileResponse
+
+Alternatively, if you want proper file support, I recommend using FileResponse object:
+
+```
+import { FileResponse } from '../flaska.mjs'
+
+flaska.get('/test.txt', function(ctx) {
+  return fs.stat('./test/test.txt').then(function(stat) {
+    ctx.body = new FileResponse('./test/test.txt', stat)
+  })
+})
+```
+
+This performs a real file stream support, uses pipes and supports all the HTTP shenanigans when it comes to dealing with files, including sending proper etag header, supporting partial response and lots of other things. This is one of the few libraries that actually implements full HTTP partial and etag support in a proper way, almost all other have one or two quirks that don't follow the spec properly.
+
 ### String
 
 In other instances, Flaska will `.toString()` the body and send it in response with the specified type or default to `text/plain` if unspecified.

benchmark/random.js

@@ -0,0 +1,46 @@
+import crypto from 'crypto'
+import Benchmark from 'benchmarkjs-pretty'
+
+function TestGenerateRandomString() {
+
+  return new Benchmark.default('test different method to generate random string)')
+    .add('crypto.randomBytes(16)', function() {
+      for (let i = 0; i < 25; i++) {
+        crypto.randomBytes(16).toString('base64')
+      }
+    })
+    .add('crypto.randomBytes(32)', function() {
+      for (let i = 0; i < 25; i++) {
+        crypto.randomBytes(32).toString('base64')
+      }
+    })
+    .add('random (11 characters long)', function() {
+      for (let i = 0; i < 25; i++) {
+        let out = Math.random().toString(36).substring(2, 14)
+      }
+    })
+    .add('random (22 characters long)', function() {
+      for (let i = 0; i < 25; i++) {
+        let out = Math.random().toString(36).substring(2, 24)
+                  + Math.random().toString(36).substring(2, 24)
+      }
+    })
+    .add('random (44 characters long)', function() {
+      for (let i = 0; i < 25; i++) {
+        let out = Math.random().toString(36).substring(2, 24)
+                + Math.random().toString(36).substring(2, 24)
+                + Math.random().toString(36).substring(2, 24)
+                + Math.random().toString(36).substring(2, 24)
+      }
+    })
+    .run()
+    .then(function() {}, function(e) {
+      console.error('error:', e)
+      process.exit(1)
+    })
+}
+
+TestGenerateRandomString()
+.then(function() {
+  process.exit(0)
+})

flaska.mjs

@@ -139,6 +139,7 @@ export function CorsHandler(opts = {}) {
     exposeHeaders: opts.exposeHeaders || '',
     maxAge: opts.maxAge || '',
   }
+  const allowAll = options.allowedOrigins.includes('*')
 
   return function(ctx) {
     // Always add vary header on origin. Prevent caches from
@@ -154,7 +155,7 @@ export function CorsHandler(opts = {}) {
     // Check origin is specified. Nothing needs to be done if
     // there is no origin or it doesn't match
     let origin = ctx.req.headers['origin']
-    if (!origin || !options.allowedOrigins.includes(origin)) {
+    if (!origin || (!allowAll && !options.allowedOrigins.includes(origin))) {
       return
     }
 
@@ -1061,6 +1062,22 @@ ctx.state.nonce = nonce;
     }
   }
 
+  create() {
+    this.compile()
+    this.server = this.http.createServer(this.requestStart.bind(this))
+
+    this.server.on('connection', function (socket) {
+      // Set socket idle timeout in milliseconds
+      socket.setTimeout(1000 * 60 * 5) // 5 minutes
+  
+      // Wait for timeout event (socket will emit it when idle timeout elapses)
+      socket.on('timeout', function () {
+        // Call destroy again
+        socket.destroy();
+      })
+    })
+  }
+
   listen(port, orgIp, orgcb) {
     let ip = orgIp
     let cb = orgcb
@@ -1071,8 +1088,8 @@ ctx.state.nonce = nonce;
     if (typeof(port) !== 'number') {
       throw new Error('Flaska.listen() called with non-number in port')
     }
-    this.compile()
-    this.server = this.http.createServer(this.requestStart.bind(this))
+
+    this.create()
     
     this.server.listen(port, ip, cb)
   }
@@ -1082,8 +1099,7 @@ ctx.state.nonce = nonce;
       return Promise.reject(new Error('Flaska.listen() called with non-number in port'))
     }
 
-    this.compile()
-    this.server = this.http.createServer(this.requestStart.bind(this))
+    this.create()
 
     if (this.server.listenAsync && typeof(this.server.listenAsync) === 'function') {
       return this.server.listenAsync(port, ip)

package.json

@@ -1,6 +1,6 @@
 {
   "name": "flaska",
-  "version": "1.3.3",
+  "version": "1.3.5",
   "description": "Flaska is a micro web-framework for node. It is designed to be fast, simple and lightweight, and is distributed as a single file module with no dependencies.",
   "main": "flaska.mjs",
   "scripts": {

test/flaska.api.test.mjs

@@ -988,6 +988,7 @@ t.describe('#listenAsync()', function() {
       createServer: function() {
         return {
           listenAsync: stubListenAsync,
+          on: stub(),
         }
       }
     })
@@ -1011,6 +1012,7 @@ t.describe('#listenAsync()', function() {
       createServer: function() {
         return {
           listenAsync: stubListenAsync,
+          on: stub(),
         }
       }
     })

test/flaska.out.test.mjs

@@ -91,6 +91,38 @@ t.describe('#requestEnd()', function() {
         flaska.requestEnd(null, ctx)
       })
 
+      t.test('call res and end correctly when dealing with buffers', function(cb) {
+        const assertStatus = 202
+        // Calculated manually just in case
+        const assertBodyLength = 11
+        const assertBody = Buffer.from('hello world')
+        let onFinish = cb.finish(function(body) {
+          assert.strictEqual(ctx.status, assertStatus)
+          assert.strictEqual(ctx.body, assertBody)
+          assert.strictEqual(ctx.headers['Content-Type'], 'application/octet-stream')
+          assert.strictEqual(ctx.headers['Content-Length'], assertBodyLength)
+
+          if (method === 'GET') {
+            assert.ok(body)
+            assert.strictEqual(body, assertBody)
+          } else {
+            assert.notOk(body)
+          }
+
+          assert.ok(ctx.res.writeHead.called)
+          assert.strictEqual(ctx.res.writeHead.firstCall[0], ctx.status)
+          assert.strictEqual(ctx.res.writeHead.firstCall[1], ctx.headers)
+        })
+        const ctx = createCtx({
+          method: method,
+          status: assertStatus,
+        }, onFinish)
+        ctx.body = assertBody
+    
+        let flaska = new Flaska({}, fakerHttp, fakeStream)
+        flaska.requestEnd(null, ctx)
+      })
+
       t.test('call res and end correctly when dealing with null and no status override', function(cb) {
         // Calculated manually just in case
         const assertBodyLength = 0

test/helper.mjs

@@ -6,7 +6,7 @@ const indexMap = [
   'thirdCall',
 ]
 
-export function fakeHttp(inj1, inj2) {
+export function fakeHttp(inj1, inj2, inj3) {
   let intermediate = {
     createServer: function(cb) {
       if (inj1) inj1(cb)
@@ -15,6 +15,9 @@ export function fakeHttp(inj1, inj2) {
         listen: function(port, ip, cb) {
           if (inj2) inj2(port, ip, cb)
           else if (cb) cb()
+        },
+        on: function(name, handler) {
+          if (inj3) inj3(name, handler)
         }
       }
     }

test/http.test.mjs

@@ -145,15 +145,15 @@ t.describe('/json', function() {
   t.test('should fail if not a valid json', async function() {
     reset()
 
-    let err = await assert.isRejected(client.customRequest('POST', '/json', 'aaaa'))
+    let err = await assert.isRejected(client.customRequest('POST', '/json', 'XXXXX'))
 
     assert.strictEqual(err.body.status, 400)
     assert.match(err.body.message, /invalid json/i)
-    assert.match(err.body.message, /token a/i)
-    assert.strictEqual(err.body.request, 'aaaa')
+    assert.match(err.body.message, /token[^X]+X/i)
+    assert.strictEqual(err.body.request, 'XXXXX')
     assert.strictEqual(log.error.callCount, 1)
     assert.match(log.error.firstCall[0].message, /invalid json/i)
-    assert.match(log.error.firstCall[0].message, /token a/i)
+    assert.match(log.error.firstCall[0].message, /token[^X]+X/i)
   })
 
   t.test('should handle incomplete requests correctly', async function() {

test/middlewares.test.mjs

@@ -253,6 +253,27 @@ t.describe('#CorsHandler()', function() {
       assert.notOk(ctx.headers['Access-Control-Allow-Headers'])
       assert.strictEqual(ctx.status, 204)
     })
+    
+    t.test('should set headers if allowedOrigins has a *', function() {
+      const assertOrigin = 'http://my.site.here'
+
+      corsHandler = CorsHandler({
+        allowedOrigins: ['*'],
+      })
+      ctx.req.headers['origin'] = assertOrigin
+      ctx.req.headers['access-control-request-method'] = 'GET'
+
+      assert.notOk(ctx.headers['Access-Control-Allow-Origin'])
+      assert.notOk(ctx.headers['Access-Control-Allow-Methods'])
+      assert.notOk(ctx.headers['Access-Control-Allow-Headers'])
+
+      corsHandler(ctx)
+
+      assert.strictEqual(ctx.headers['Vary'], 'Origin')
+      assert.strictEqual(ctx.headers['Access-Control-Allow-Origin'], assertOrigin)
+      assert.ok(ctx.headers['Access-Control-Allow-Methods'])
+      assert.strictEqual(ctx.status, 204)
+    })
   })
 
   t.describe('GET/POST/DELETE/PATCH/PUT', function() {
@@ -498,8 +519,8 @@ t.describe('#JsonHandler()', function() {
       finished = true
     })
 
-    ctx.req.on.firstCall[1](Buffer.alloc(10, 'a'))
-    ctx.req.on.firstCall[1](Buffer.alloc(10, 'a'))
+    ctx.req.on.firstCall[1](Buffer.alloc(10, 'X'))
+    ctx.req.on.firstCall[1](Buffer.alloc(10, 'X'))
     ctx.req.on.secondCall[1]()
     
     await setTimeout(10)
@@ -510,11 +531,11 @@ t.describe('#JsonHandler()', function() {
     assert.ok(err instanceof HttpError)
     assert.strictEqual(err.status, 400)
     assert.match(err.message, /JSON/)
-    assert.match(err.message, /Unexpected token a in/i)
+    assert.match(err.message, /Unexpected token[^X]+X/i)
     assert.strictEqual(err.body.status, 400)
     assert.match(err.body.message, /Invalid JSON/i)
-    assert.match(err.body.message, /Unexpected token a in/i)
-    assert.strictEqual(err.body.request, 'aaaaaaaaaaaaaaaaaaaa')
+    assert.match(err.body.message, /Unexpected token[^X]+X/i)
+    assert.strictEqual(err.body.request, 'XXXXXXXXXXXXXXXXXXXX')
   })
 
   t.test('should not throw if body is empty', async function() {