adapt-authoring-server 1.1.0 → 1.2.0

package/errors/errors.json

@@ -7,6 +7,15 @@
     "description": "API endpoint does not exist",
     "statusCode": 404
   },
+  "METHOD_NOT_ALLOWED": {
+    "data": {
+      "endpoint": "The endpoint",
+      "method": "The HTTP method",
+      "allowedMethods": "The allowed HTTP methods"
+    },
+    "description": "HTTP method not allowed for this endpoint",
+    "statusCode": 405
+  },
   "NO_NET_CONN": {
     "data": {
       "hostname": "The hostname we were trying to reach"

package/lib/ServerModule.js

@@ -66,6 +66,7 @@ class ServerModule extends AbstractModule {
     this.api.init()
     this.root.init()
     // add not-found handlers
+    this.api.expressRouter.use(ServerUtils.methodNotAllowedHandler(this.api))
     this.api.expressRouter.use(ServerUtils.apiNotFoundHandler.bind(this))
     this.root.expressRouter.use(ServerUtils.rootNotFoundHandler.bind(this))
     // add generic error handling

package/lib/ServerUtils.js

@@ -15,6 +15,45 @@ class ServerUtils {
     next(App.instance.errors.ENDPOINT_NOT_FOUND.setData({ endpoint: req.originalUrl, method: req.method }))
   }
 
+  /**
+   * Middleware for handling 405 Method Not Allowed errors
+   * Checks if the requested path exists with a different HTTP method
+   * @param {Router} router The router to check routes against
+   * @return {Function} Middleware function
+   */
+  static methodNotAllowedHandler (router) {
+    const routePatterns = []
+    const routeMap = ServerUtils.getAllRoutes(router)
+
+    for (const [path, methods] of routeMap.entries()) {
+      const pathPattern = path
+        .replace(/\/:([^/?]+)\?/g, '(?:/([^/]+))?')
+        .replace(/:([^/]+)/g, '([^/]+)')
+      const regex = new RegExp(`^${pathPattern}$`)
+      routePatterns.push({ regex, methods })
+    }
+
+    return (req, res, next) => {
+      const requestMethod = req.method.toUpperCase()
+
+      for (const { regex, methods } of routePatterns) {
+        if (regex.test(req.path)) {
+          if (!methods.has(requestMethod)) {
+            const allowedMethods = Array.from(methods).sort().join(', ')
+            return next(App.instance.errors.METHOD_NOT_ALLOWED.setData({
+              endpoint: req.originalUrl,
+              method: req.method,
+              allowedMethods
+            }))
+          }
+          return next()
+        }
+      }
+
+      next()
+    }
+  }
+
   /**
    * Generic error handling middleware for the API router
    * @param {Error} error
@@ -45,6 +84,31 @@ class ServerUtils {
     return (req, res) => res.json(topRouter.map)
   }
 
+  /**
+   * Collects all registered routes with their methods across the router hierarchy
+   * @param {Router} router The router to traverse
+   * @return {Map<string, Set<string>>} Map of route paths to sets of allowed methods
+   */
+  static getAllRoutes (router) {
+    const routeMap = new Map()
+
+    router.flattenRouters().forEach(r => {
+      r.routes.forEach(route => {
+        const fullPath = `${r.path !== '/' ? r.path : ''}${route.route}`
+
+        if (!routeMap.has(fullPath)) {
+          routeMap.set(fullPath, new Set())
+        }
+
+        Object.keys(route.handlers).forEach(method => {
+          routeMap.get(fullPath).add(method.toUpperCase())
+        })
+      })
+    })
+
+    return routeMap
+  }
+
   /**
    * Generates a map for a given router
    * @param {Router} topRouter

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "adapt-authoring-server",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Provides an Express application routing and more",
   "homepage": "https://github.com/adapt-security/adapt-authoring-server",
   "license": "GPL-3.0",