@techiev2/vajra 1.4.3 → 1.5.0

package/README.md

@@ -22,6 +22,9 @@ Like the Vajra, this server delivers maximum power in minimal form.
 
 ## Changelog
 
+### 1.5.0 (2026-01-03)
+- Adds support for res.sendFile.
+
 ### 1.4.3 (2026-01-02)
 - Adds guardrails for unsafe operations with template paths.
 

package/_

@@ -1,5 +0,0 @@
-const MIMES={html: 'text/html',js: 'application/javascript',css: 'text/css',json: 'application/json',png: 'image/png',jpg: 'image/jpeg',jpeg: 'image/jpeg',gif: 'image/gif',svg: 'image/svg+xml'}
-
-res.sendFile = (filePath) => new Promise((resolve) => {
-createReadStream(filePath).on('open', () => { res.setHeader('Content-Type', MIMES[filePath.split('.').pop()?.toLowerCase()] || 'application/octet-stream'); !res.getHeader('Accept-Ranges') && res.setHeader('Accept-Ranges', 'bytes'); }).on('error', (err) => { (err.code === 'ENOENT' ? default_404(req, res, `${filePath.split('/').slice(-1)} not found.`) : default_500(req, res)); resolve() }).pipe(res).on('finish', resolve).on('error', resolve);
-});

package/benchmark.sh

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+set -euo pipefail
+declare -A portMap=(
+    ["elysia"]=4000
+    ["express"]=4001
+    ["fastify"]=4002
+    ["hono"]=4003
+    ["vajra"]=4004
+)
+declare -A runnerMap=(
+    ["elysia"]="index.js"
+    ["elysia_node"]="index.js"
+    ["express"]="index.js"
+    ["fastify"]="index.js"
+    ["hono"]="index.js"
+    ["vajra"]="examples/api.js"
+)
+frameworks=$(ls -d */ | sed 's|/$||' | grep -v auth | grep vajra)
+
+LOOPS=5
+
+runWrk() {
+    port=$1
+    sync && echo 3 > tee /proc/sys/vm/drop_caches
+    wrk -t16 -c600 -d10s \
+         -H "Content-Type: multipart/form-data; boundary=BOUNDARY123456" \
+         "http://localhost:${port}/upload" < ../test_upload_2mb.txt
+}
+main() {
+    echo "" > report.txt
+    for framework in ${frameworks[@]}; do
+        cd $framework
+        mkdir -p benchmarks
+        echo "" > benchmarks/report.txt
+        port=${portMap[$framework]}
+        runner=${runnerMap[$framework]}
+        for i in $(seq 1 $LOOPS); do
+            bun $runner &
+            sleep 2
+            runningPID=$(lsof | grep -P ":$port" | head -n1 | awk '{print $2}')
+            echo "$framework running at $runningPID"
+            sleep 2
+            runWrk $port >> benchmarks/report.txt
+            sleep 2
+            echo "Killing $framework running at $runningPID"
+            kill -9 $runningPID
+        done
+        avg_rps=$(grep "Requests/sec:" benchmarks/report.txt | awk -F' ' '{print $2}' | awk '{x+=$1; n++} END { print x/n}')
+        avg_tps=$(grep "Transfer/sec:" benchmarks/report.txt | awk -F' ' '{print $2}' | awk '{x+=$1; n++} END { print x/n}')
+        echo "${framework}
+Average RPS: ${avg_rps}/s
+Average TPS: ${avg_tps}MB/s
+
+" >> "../report.txt"
+        cd ..
+    done
+}
+main

package/examples/api.js

@@ -51,4 +51,8 @@ get('/web/users', async ({ query }, res) => {
   const users = await getUsers(query)
   const headers = Object.keys(users[0]).slice(0, 2)
   return res.html(`users.html`, { users, headers })
+})
+
+get('/files/:path', async ({ params, params: { path }}, res) => {
+  return res.sendFile(`${import.meta.dirname}/${path}`)
 })

package/index.js

@@ -1,25 +1,16 @@
 import { createServer } from 'node:http'
 import { readFile, access } from 'node:fs/promises'
-import { resolve, isAbsolute } from 'path'
+import { createReadStream, existsSync } from 'node:fs'
+import { resolve } from 'path'
 
 const BLOCK_MATCHER=/{{\s*#\s*(?<grpStart>\w+)\s*}}\s*(?<block>.*?)\s*{{\s*\/\s*(?<grpEnd>\w+)\s*}}/gmsi; const INNER_BLOCK_MATCHER = /{\s*(.*?)\s*}/gmsi
 const LOOP_MATCHER=/({\s*\w+@\s*})/gmis; const ESCAPE = { regex: /[&<>"']/g, map: { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' }}
+const MIMES={html: 'text/html; charset=utf-8',js: 'application/javascript; charset=utf-8',css: 'text/css; charset=utf-8',json: 'application/json; charset=utf-8',png: 'image/png',jpg: 'image/jpeg',jpeg: 'image/jpeg',gif: 'image/gif',svg: 'image/svg+xml', webp: 'image/webp', txt: 'text/plain; charset=utf-8'}
 
-function default_404({ url, method, isPossibleJSON }, res) {
-  const message = `Route ${url} not found for method ${method}.`
-  res.status(404); return isPossibleJSON ? res.json({ message }) : res.writeMessage(message)
-}
-function default_405({ url, method, isPossibleJSON }, res) {
-  const message = `Method ${method} not allowed by route ${url}.`
-  res.status(405); return isPossibleJSON ? res.json({ message }) : res.writeMessage(message)
-}
-function default_500({ url, method }, res, error) {
-  process.env.DEBUG && console.log({ error })
-  res.status(500).writeMessage(process.env.DEBUG ? `${error.stack}` : `Server error.\nRoute: ${url}\nMethod: ${method}\nTimestamp: ${new Date().getTime()}\n`)
-}
-function default_413(res) {
-  res.status(413).writeMessage('Payload Too Large')
-}
+function default_404({ url, method, isPossibleJSON }, res, message) { message = message || `Route ${url} not found for method ${method}.`; res.status(404); return isPossibleJSON ? res.json({ message }) : res.writeMessage(message) }
+function default_405({ url, method, isPossibleJSON }, res, message) { message = message || `Method ${method} not allowed by route ${url}.`; res.status(405); return isPossibleJSON ? res.json({ message }) : res.writeMessage(message) }
+function default_500({ url, method }, res, error) { process.env.DEBUG && console.log({ error }); res.status(500).writeMessage(process.env.DEBUG && error?.stack ? `${error.stack}` : `Server error.\nRoute: ${url}\nMethod: ${method}\nTimestamp: ${new Date().getTime()}\n`) }
+function default_413(res) { res.status(413).writeMessage('Payload Too Large') }
 
 const MAX_MB = 2; const MAX_FILE_SIZE = MAX_MB * 1024 * 1024
 
@@ -36,13 +27,19 @@ export default class Vajra {
       res.sent = false; res.status = (/**@type{code} Number*/ code) => { if (!+code || +code < 100 || +code > 599) { throw new Error(`Invalid status code ${code}`) }; res.statusCode = code; res.statusSet = true; return res }
       res.json = data => {
         if (res.sent) return res; if (!res.statusSet) res.statusCode = 200
-        const response = JSON.stringify(data); res.sent = true; res.setHeader('Content-Type', 'application/json'); res.setHeader('Content-Length', Buffer.from(response).byteLength); res.write(response); res.end(); return res
+        const _data = JSON.stringify(data); res.sent = true; res.setHeader('Content-Type', 'application/json'); res.setHeader('Content-Length', Buffer.byteLength(_data)); res.write(_data); res.end(); return res
       }
       res.writeMessage = (message = '') => {
         if (res.sent) { return res };  if (!message) { res.status(500); message = 'Server error'; }
-        res.sent = true; res.setHeader('Content-Type', 'text/plain'); res.setHeader('Content-Length', Buffer.from(message).byteLength); res.write(message); res.end()
+        res.sent = true; res.setHeader('Content-Type', 'text/plain'); res.setHeader('Content-Length', Buffer.byteLength(message)); res.write(message); res.end()
         return res
       }
+      res.sendFile = (filePath) => {
+        let [filePath_, extension] = filePath.split('.')
+        const _filePath = !extension ? filePath : existsSync(filePath) ? filePath : existsSync(`${filePath_}.${extension.toLowerCase()}`) ? `${filePath_}.${extension.toLowerCase()}` : existsSync(`${filePath_}.${extension.toUpperCase()}`) ? `${filePath_}.${extension.toLowerCase()}` : ''
+        if (!filePath) { return default_404(req, res, new Error(`File ${filePath} not found`)) }
+        return new Promise((resolve) => createReadStream(_filePath).on('open', () => { res.setHeader('Content-Type', MIMES[filePath.split('.').pop()?.toLowerCase()] || 'application/octet-stream'); !res.getHeader('Accept-Ranges') && res.setHeader('Accept-Ranges', 'bytes'); }).on('error', (err) => { (err.code === 'ENOENT' ? default_404(req, res, `${filePath.split('/').slice(-1)} not found.`) : default_500(req, res, err)); resolve() }).pipe(res).on('finish', resolve).on('error', resolve))
+      };
       function sanitize(value) { if (value == null) return ''; return String(value).replace(ESCAPE.regex, m => ESCAPE.map[m]); }
       res.html = async (templatePath, data = {}) => {
         templatePath = resolve(templatePath); const appRoot = resolve(process.cwd()); const root = this.#props.viewRoot ? resolve(this.#props.viewRoot) : appRoot;
@@ -70,19 +67,19 @@ export default class Vajra {
         const formDataMatcher = /Content-Disposition: form-data; name=['"](?<name>[^"']+)['"]\s+(?<value>.*?)$/smi;
         let boundaryMatch = (req.headers['Content-Type'] || '').match(/boundary=(.*)/); const boundary = boundaryMatch ? '--' + boundaryMatch[1] : null; const fileDataMatcher = /^Content-Disposition:.*?name=["'](?<field>[^"']+)["'].*?filename=["'](?<fileName>[^"']+)["'].*?Content-Type:\s*(?<contentType>[^\r\n]*)\r?\n\r?\n(?<content>[\s\S]*)$/ims
         req.on('end', async () => {
-          req.files = []; if (boundary) { req.rawData.split(boundary).filter(Boolean).map((line) => {
+          req.files = []; if (boundary) {
+            req.rawData.split(boundary).filter(Boolean).map((line) => {
               let key, value; if (line.includes('filename')) { req.files.push(fileDataMatcher.exec(line)?.groups || {}); return }
-              [key, value] = Object.values(line.match(formDataMatcher)?.groups || {}); (key && value) && Object.assign(req.formData, { [key]: value });  return
+              [key, value] = Object.values(line.match(formDataMatcher)?.groups || {}); (key && value) && Object.assign(req.formData, { [key]: value }); return
             })
           }
           if (Object.keys(req.formData).length) { req.body = req.formData } else {
             try { req.body = JSON.parse(req.rawData); req.isPossibleJSON = true } catch (_) { req.body = Object.fromEntries(req.rawData.split('&').map((pair) => pair.split('='))) }
           }; setImmediate(runMiddlwares)
-        })
-        req.cookies = Object.fromEntries((req.headers.Cookie || req.headers.cookie || '').split(/;\s*/).map((k) => k.split('=')).map(([k, v]) => [k.trim(), decodeURIComponent(v).trim()]))
+        }); req.cookies = Object.fromEntries((req.headers.Cookie || req.headers.cookie || '').split(/;\s*/).map((k) => k.split('=')).map(([k, v]) => [k.trim(), decodeURIComponent(v).trim()]))
       })
       async function handleRoute() {
-        let _url = req.url.split('?')[0]; if (_url.endsWith('/')) _url = _url.split('/').slice(0, -1).join('/')
+        req.url = decodeURIComponent(req.url); let _url = req.url.split('?')[0]; if (_url.endsWith('/')) _url = _url.split('/').slice(0, -1).join('/')
         let match_; const directHandler = (Vajra.#straightRoutes[_url] || Vajra.#straightRoutes[`${_url}/`] || {})[req.method.toLowerCase()]
         if (directHandler) { try { await directHandler(req, res); if (!res.sent && !res.writableEnded) res.end() } catch (error) { return default_500(req, res, error) }; return }
         Object.entries(Vajra.#routes).map(([route, handler]) => {
@@ -97,7 +94,7 @@ export default class Vajra {
     function start({ port, host = '127.0.0.1' }, cb) { Vajra.#app.listen(port, () => { console.log(`App listening at http://${host}:${port}`); if (typeof cb === 'function') { cb() } }); return defaults }
     function register(method, path, handler) {
       const paramMatcher = /.*?(?<param>\:[a-zA-Z]{1,})/g; let pathMatcherStr = path
-      path.matchAll(paramMatcher).forEach(match => pathMatcherStr = pathMatcherStr.replace(match.groups.param, `{0,1}(?<${match.groups.param.slice(1)}>[\\w|\.]+)`))
+      path.matchAll(paramMatcher).forEach(match => pathMatcherStr = pathMatcherStr.replace(match.groups.param, `{0,1}(?<${match.groups.param.slice(1)}>[\\w|\\/|\\.|\\s|\\-]+)`))
       if (path !== '/' && pathMatcherStr.endsWith('/')) { pathMatcherStr = pathMatcherStr.replace(/(\/)$/, '/?') }
       if (!paramMatcher.exec(path)?.groups) { Vajra.#straightRoutes[pathMatcherStr] = Object.assign(Vajra.#straightRoutes[pathMatcherStr] || {}, { [method]: handler }); return }
       Vajra.#routes[pathMatcherStr] = Object.assign(Vajra.#routes[pathMatcherStr] || {}, {[method]: handler}); return defaults

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@techiev2/vajra",
-  "version": "1.4.3",
+  "version": "1.5.0",
   "description": "Blazing-fast, zero-dependency Node.js server with routing, middleware, multipart uploads, and templating. 111 lines · ~95k req/s · ~52 MB idle.",
   "keywords": [
     "http-server",

package/tests/tests.js

@@ -2,6 +2,8 @@ import assert from 'node:assert';
 import { encode } from 'node:querystring';
 import { afterEach, beforeEach, suite, test } from 'node:test';
 import { randomBytes, randomUUID } from 'node:crypto';
+import { readFile, writeFile, mkdir, rm } from 'node:fs/promises';
+import path, { resolve } from 'node:path';
 
 import pkg from '../package.json' with {type: 'json'}
 import { sign, verify } from '../libs/auth/jwt.js';
@@ -17,9 +19,9 @@ async function getJSON(url, method = 'GET', body) {
   return (await getResponse(url, method, body)).json()
 }
 
+const BASE_URL = 'http://localhost:4002'
 
 suite('Test HTTP API at port 4002', () => {
-  const BASE_URL = 'http://localhost:4002'
   suite('Test HTTP GET', () => {
     test('Basic HTTP GET to respond with a now and empty query/params', async () => {
       assert.deepEqual((await (await getResponse(BASE_URL)).text()), 'Hello from Vajra ⚡')
@@ -35,6 +37,48 @@ suite('Test HTTP API at port 4002', () => {
       assert.deepEqual(res_query, query)
       assert.deepEqual(res_params, {})
     })
+    test('Plain ../ traversal should be normalized by URL parser and result in 404 (safe)', async () => {
+      const url = `${BASE_URL}/files/../../../../etc/passwd`
+      const res = await getResponse(url)
+      // It should NOT succeed (200) and typically 404 because file doesn't exist inside app root
+      assert.notStrictEqual(res.status, 200)
+      assert.strictEqual(res.status, 404)
+    })
+    
+    test('URL-encoded ../ (%2e%2e) should be decoded BEFORE normalization, still resulting in safe 404', async () => {
+      const url = `${BASE_URL}/files/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd`
+      const res = await getResponse(url)
+      assert.notStrictEqual(res.status, 200)
+      // Expected: pathname becomes /etc/passwd → safe 404
+    })
+    
+    test('Double-encoded traversal should also be normalized safely', async () => {
+      const url = `${BASE_URL}/files/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd`
+      const res = await getResponse(url)
+      assert.notStrictEqual(res.status, 200)
+    })
+    
+    test('Attempt with null byte (old exploit) should not crash and return error', async () => {
+      // Note: modern Node.js rejects %00 in URLs early, often with parse error
+      const url = `${BASE_URL}/files/test_files/hello.txt%00../../etc/passwd`
+      const res = await getResponse(url)
+      assert.notStrictEqual(res.status, 200)
+      // Likely 400 or 404 depending on framework
+    })
+    
+    test('Absolute path attempt should be treated as relative (inside app root) and 404', async () => {
+      const url = `${BASE_URL}/files//etc/passwd`  // leading // becomes /
+      const res = await getResponse(url)
+      assert.notStrictEqual(res.status, 200)
+    })
+    
+    test('Very deep normalized path (many ../ collapsing to root) should still be safe', async () => {
+      const deep = '../'.repeat(50) + 'hello.txt'
+      const url = `${BASE_URL}/files/${deep}`
+      const res = await getResponse(url)
+      // After normalization: /hello.txt → tries to open hello.txt in app root → 404 (unless exists)
+      assert.strictEqual(res.status, 404)  // or whatever your non-existent handler returns
+    })
   })
   suite('Test HTTP POST', () => {
     test('Basic HTTP POST to respond with a now and body', async () => {
@@ -299,4 +343,163 @@ suite('Tests for library functions', () => {
     })
   });
 
-})
+})
+
+
+suite('res.sendFile(path)', async () => {
+
+  const TEST_DIR = path.resolve(`${import.meta.dirname}/../examples/test_files`);
+  const textContent = 'Hello from Vajra!\nThis is a test file.'
+  const textContentBuffer = new Uint8Array(Buffer.from(textContent))
+  const minimalJpeg = Buffer.from([
+    0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01,
+    0x01, 0x01, 0x00, 0x48, 0x00, 0x48, 0x00, 0x00, 0xff, 0xdb, 0x00, 0x43,
+    0x00, 0x03, 0x02, 0x02, 0x03, 0x02, 0x02, 0x03, 0x03, 0x03, 0x03, 0x04,
+    0x03, 0x03, 0x04, 0x05, 0x08, 0x05, 0x05, 0x04, 0x04, 0x05, 0x0a, 0x07,
+    0x07, 0x06, 0x08, 0x0c, 0x0a, 0x0c, 0x0c, 0x0b, 0x0a, 0x0b, 0x0b, 0x0d,
+    0x0e, 0x12, 0x10, 0x0d, 0x0e, 0x11, 0x0e, 0x0b, 0x0b, 0x10, 0x16, 0x10,
+    0x11, 0x13, 0x14, 0x15, 0x15, 0x15, 0x0c, 0x0f, 0x17, 0x18, 0x16, 0x14,
+    0x18, 0x12, 0x14, 0x15, 0x14, 0xff, 0xc0, 0x00, 0x0b, 0x08, 0x00, 0x01,
+    0x00, 0x01, 0x01, 0x01, 0x11, 0x00, 0xff, 0xc4, 0x00, 0x14, 0x00, 0x01,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x08, 0xff, 0xc4, 0x00, 0x14, 0x10, 0x01, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0xff, 0xda, 0x00, 0x08, 0x01, 0x01, 0x00, 0x01, 0x3f, 0x00,
+    0xd2, 0xcf, 0x20, 0xff, 0xd9
+  ]);
+  beforeEach(async () => {
+    await mkdir(TEST_DIR, { recursive: true });
+    await writeFile(`${TEST_DIR}/test.txt`, textContentBuffer)
+    await writeFile(`${TEST_DIR}/test.TXT`, textContentBuffer)
+    await writeFile(path.join(TEST_DIR, 'test.jpg'), minimalJpeg);
+    await writeFile(path.join(TEST_DIR, 'test.JPG'), minimalJpeg);
+    await writeFile(`${TEST_DIR}/unknown.ext`, new Uint8Array(Buffer.from('some data')))
+  });
+  afterEach(async () => {
+    await rm(TEST_DIR, { recursive: true, force: true });
+  });
+  test('On GET at /files/test.txt, server should return the file contents', async () => {
+    const filePath = `test_files/test.txt`
+    const url = `${BASE_URL}/files/${filePath}`
+    const apiResponseText = await (await getResponse(url)).text()
+    const filetext = (await readFile(resolve(`${import.meta.dirname}/../examples/${filePath}`))).toString()
+    assert.strictEqual(apiResponseText, filetext)
+  })
+  test('On GET at /files/random.txt, server should return the file contents', async () => {
+    const id = randomUUID()
+    const filePath = `test_files/${id}`
+    const url = `${BASE_URL}/files/${filePath}`
+    const res = await getResponse(url)
+    const json = await res.json()
+    assert.strictEqual(res.status, 404)
+    assert.strictEqual(json.message, `${id} not found.`)
+  })
+  test('On GET at /files/test.txt, server should return the file contents with correct Content-Type', async () => {
+    const filePath = 'test_files/test.txt'
+    const url = `${BASE_URL}/files/${filePath}`
+    const res = await getResponse(url)
+  
+    assert.strictEqual(res.status, 200)
+    assert.strictEqual(res.headers.get('content-type'), 'text/plain; charset=utf-8')
+    assert.strictEqual(res.headers.get('accept-ranges'), 'bytes')
+  
+    const apiResponseText = await res.text()
+    assert.strictEqual(apiResponseText.trim(), textContent.trim())
+  })
+  
+  test('On GET at /files/test.png, server should return the image with correct Content-Type and exact bytes', async () => {
+    const filePath = 'test_files/test.jpg'
+    const url = `${BASE_URL}/files/${filePath}`
+    const res = await getResponse(url)
+  
+    assert.strictEqual(res.status, 200)
+    assert.strictEqual(res.headers.get('content-type'), 'image/jpeg')
+    assert.strictEqual(res.headers.get('accept-ranges'), 'bytes')
+  
+    const buffer = Buffer.from(await res.arrayBuffer())
+    const fileData = await readFile(resolve(`${import.meta.dirname}/../examples/test_files/test.jpg`))
+    assert.strictEqual(buffer.length, fileData.length)
+    assert.ok(buffer.equals(fileData))
+  })
+  
+  test('On GET at non-existent random file, server should return 404 with filename in message', async () => {
+    const id = randomUUID()
+    const filePath = `test_files/${id}.txt`
+    const url = `${BASE_URL}/files/${filePath}`
+    const res = await getResponse(url)
+    const json = await res.json()
+  
+    assert.strictEqual(res.status, 404)
+    assert.strictEqual(json.message, `${id}.txt not found.`)
+  })
+  
+  test('On GET at file with unknown extension, server should use application/octet-stream', async () => {
+    const unknownFileName = 'unknown.ext'
+    await writeFile(path.join(TEST_DIR, unknownFileName), 'some data')
+  
+    const filePath = `test_files/${unknownFileName}`
+    const url = `${BASE_URL}/files/${filePath}`
+    const res = await getResponse(url)
+  
+    assert.strictEqual(res.status, 200)
+    assert.strictEqual(res.headers.get('content-type'), 'application/octet-stream')
+    assert.strictEqual(await res.text(), 'some data')
+  })
+  
+  test('Path traversal with ../ should not allow access outside test_files directory', async () => {
+    const url = `${BASE_URL}/files/../examples/test_files/test.txt`
+    const res = await getResponse(url)
+    assert.notStrictEqual(res.status, 200) // Should be 404 (or 400/403 if sanitized better)
+  })
+  
+  test('Path traversal with encoded %2e%2e should be blocked', async () => {
+    const url = `${BASE_URL}/files/%2e%2e/%2e%2e/examples/test_files/test.txt`
+    const res = await getResponse(url)
+    assert.notStrictEqual(res.status, 200)
+  })
+  
+  test('Path traversal with null byte %00 should be rejected (if not already handled by framework)', async () => {
+    const url = `${BASE_URL}/files/test_files/test.txt%00../../etc/passwd`
+    const res = await getResponse(url)
+    assert.notStrictEqual(res.status, 200)
+  })
+  
+  test('Request for directory (trailing slash) should not serve or list contents', async () => {
+    const url = `${BASE_URL}/files/test_files/`
+    const res = await getResponse(url)
+    assert.notStrictEqual(res.status, 200) // Expect 404 or 400, no directory listing
+  })
+  
+  test('File with multiple extensions should use MIME based on final extension', async () => {
+    const multiFile = 'archive.tar.gz'
+    await writeFile(path.join(TEST_DIR, multiFile), 'gzipped tar')
+  
+    const filePath = `test_files/${multiFile}`
+    const url = `${BASE_URL}/files/${filePath}`
+    const res = await getResponse(url)
+  
+    assert.strictEqual(res.status, 200)
+    const ct = res.headers.get('content-type')
+    assert.ok(ct.includes('gzip') || ct.includes('octet-stream'))
+  })
+  
+  test('Case-insensitive extension handling', async () => {
+    const upperFile = 'test.JPG'
+    // await writeFile(path.join(TEST_DIR, upperFile), imageContent)
+    const filePath = `test_files/${upperFile}`
+    const url = `${BASE_URL}/files/${filePath}`
+    const res = await getResponse(url)
+    assert.strictEqual(res.status, 200)
+    assert.strictEqual(res.headers.get('content-type'), 'image/jpeg')
+  })
+  
+  test('Query parameters should be ignored and file still served correctly', async () => {
+    const url = `${BASE_URL}/files/test_files/test.txt?cache_bust=123`
+    const res = await getResponse(url)
+  
+    assert.strictEqual(res.status, 200)
+    const text = await res.text()
+    assert.strictEqual(text.trim(), textContent.trim())
+  })
+  
+});