caldav-adapter 8.3.0 → 8.3.1

package/common/parse-body.js

@@ -12,9 +12,19 @@ module.exports = async function (ctx) {
     if (ctx.logger) ctx.logger.warn(err);
     else if (ctx?.app?.emit) ctx.app.emit('error', err, ctx);
     else console.warn(err);
+    // Set body to empty string on error to prevent undefined issues
+    ctx.request.body = '';
   }
 
-  if (ctx.request.type.includes('xml')) {
+  // Initialize xml to null by default
+  ctx.request.xml = null;
+
+  if (
+    ctx.request.type.includes('xml') && // Only attempt to parse if we have a non-empty body
+    ctx.request.body &&
+    typeof ctx.request.body === 'string' &&
+    ctx.request.body.trim()
+  ) {
     try {
       ctx.request.xml = new DOMParser().parseFromString(ctx.request.body);
       // Ensure we have a valid document, otherwise set to null
@@ -25,6 +35,7 @@ module.exports = async function (ctx) {
       if (ctx.logger) ctx.logger.warn(err);
       else if (ctx?.app?.emit) ctx.app.emit('error', err, ctx);
       else console.warn(err);
+      ctx.request.xml = null;
     }
   }
 };

package/common/x-build.js

@@ -58,7 +58,10 @@ module.exports.multistatus = multistatus;
 const status = {
   200: 'HTTP/1.1 200 OK',
   403: 'HTTP/1.1 403 Forbidden',
-  404: 'HTTP/1.1 404 Not Found'
+  404: 'HTTP/1.1 404 Not Found',
+  409: 'HTTP/1.1 409 Conflict',
+  424: 'HTTP/1.1 424 Failed Dependency',
+  500: 'HTTP/1.1 500 Internal Server Error'
 };
 module.exports.status = status;
 

package/common/xml.js

@@ -22,8 +22,10 @@ const select = xpath.useNamespaces(namespaces);
 
 function get(path, doc) {
   // Validate that doc is a proper XML document
+  // Return empty array for null/invalid documents instead of throwing
+  // This handles cases where the request body was not received or parsed
   if (!doc || typeof doc !== 'object') {
-    throw new Error('Invalid XML document: document is null or not an object');
+    return [];
   }
 
   return select(path, doc);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "caldav-adapter",
   "description": "CalDAV server for Node.js and Koa. Modernized and maintained for Forward Email.",
-  "version": "8.3.0",
+  "version": "8.3.1",
   "author": "Sanders DeNardi and Forward Email LLC",
   "contributors": [
     "Sanders DeNardi <sedenardi@gmail.com> (http://www.sandersdenardi.com/)",

package/routes/calendar/calendar/proppatch.js

@@ -1,9 +1,282 @@
 const _ = require('lodash');
 const xml = require('../../../common/xml');
-const { build, multistatus } = require('../../../common/x-build');
+const {
+  build,
+  multistatus,
+  response,
+  status
+} = require('../../../common/x-build');
 const { setMissingMethod } = require('../../../common/response');
 const commonTags = require('../../../common/tags');
 
+// Protected properties that cannot be modified via PROPPATCH
+// Per RFC 4791 Section 5.2.3 and related sections
+const PROTECTED_PROPERTIES = new Set([
+  'supported-calendar-component-set',
+  'supported-calendar-data',
+  'max-resource-size',
+  'min-date-time',
+  'max-date-time',
+  'max-instances',
+  'max-attendees-per-instance',
+  'getctag', // CalendarServer extension, typically read-only
+  'getetag',
+  'getcontenttype',
+  'getcontentlength',
+  'getlastmodified',
+  'creationdate',
+  'resourcetype',
+  'sync-token',
+  'current-user-privilege-set',
+  'owner',
+  'supported-report-set'
+]);
+
+// Properties that can be modified via PROPPATCH
+const MODIFIABLE_PROPERTIES = new Set([
+  'displayname',
+  'calendar-description',
+  'calendar-timezone',
+  'calendar-color',
+  'calendar-order'
+]);
+
+/**
+ * Validate VTIMEZONE content per RFC 4791 Section 5.2.2
+ * The calendar-timezone property MUST be a valid iCalendar object
+ * containing exactly one valid VTIMEZONE component.
+ * @param {string} value - The timezone value to validate
+ * @returns {{valid: boolean, error: string|null}} - Validation result
+ */
+function validateCalendarTimezone(value) {
+  // Empty value is valid (clearing the timezone)
+  if (!value || value.trim() === '') {
+    return { valid: true, error: null };
+  }
+
+  // Must contain VCALENDAR wrapper
+  if (!value.includes('BEGIN:VCALENDAR') || !value.includes('END:VCALENDAR')) {
+    return {
+      valid: false,
+      error:
+        'calendar-timezone must be a valid iCalendar object (missing VCALENDAR)'
+    };
+  }
+
+  // Must contain exactly one VTIMEZONE component
+  const vtimezoneCount = (value.match(/BEGIN:VTIMEZONE/g) || []).length;
+  if (vtimezoneCount === 0) {
+    return {
+      valid: false,
+      error: 'calendar-timezone must contain a VTIMEZONE component'
+    };
+  }
+
+  if (vtimezoneCount > 1) {
+    return {
+      valid: false,
+      error: 'calendar-timezone must contain exactly one VTIMEZONE component'
+    };
+  }
+
+  // Must have matching END:VTIMEZONE
+  const endVtimezoneCount = (value.match(/END:VTIMEZONE/g) || []).length;
+  if (vtimezoneCount !== endVtimezoneCount) {
+    return {
+      valid: false,
+      error: 'calendar-timezone has malformed VTIMEZONE component'
+    };
+  }
+
+  // Must have TZID property
+  if (!value.includes('TZID:') && !value.includes('TZID;')) {
+    return {
+      valid: false,
+      error: 'VTIMEZONE component must have a TZID property'
+    };
+  }
+
+  return { valid: true, error: null };
+}
+
+/**
+ * Extract xml:lang attribute from an element
+ * Per RFC 4791 Section 5.2.1: Language tagging information appearing
+ * in the scope of the 'prop' element MUST be persistently stored
+ * @param {Element} child - XML element node
+ * @returns {string|null} - The xml:lang value or null
+ */
+function extractXmlLang(child) {
+  // Check for xml:lang attribute on the element itself
+  if (child.getAttributeNS) {
+    const lang = child.getAttributeNS(
+      'http://www.w3.org/XML/1998/namespace',
+      'lang'
+    );
+    if (lang) return lang;
+  }
+
+  // Check for xml:lang attribute using getAttribute
+  if (child.getAttribute) {
+    const lang = child.getAttribute('xml:lang');
+    if (lang) return lang;
+  }
+
+  // Walk up the tree to find inherited xml:lang
+  let parent = child.parentNode;
+  while (parent && parent.getAttribute) {
+    const lang = parent.getAttribute('xml:lang');
+    if (lang) return lang;
+    parent = parent.parentNode;
+  }
+
+  return null;
+}
+
+/**
+ * Process a 'set' property and return the update object
+ * @param {Element} child - XML element node
+ * @param {Array} validationErrors - Array to collect validation errors
+ * @returns {Object|null} - Update object or null if not handled
+ */
+function processSetProperty(child, validationErrors) {
+  const xmlLang = extractXmlLang(child);
+
+  switch (child.localName) {
+    case 'displayname': {
+      // Allow empty string to clear the display name
+      const result = { name: child.textContent };
+      if (xmlLang) result.nameXmlLang = xmlLang;
+      return result;
+    }
+
+    case 'calendar-description': {
+      // Allow empty string to clear the description
+      // Per RFC 4791 Section 5.2.1, calendar-description is (#PCDATA)
+      const result = { description: child.textContent };
+      if (xmlLang) result.descriptionXmlLang = xmlLang;
+      return result;
+    }
+
+    case 'calendar-timezone': {
+      // Validate timezone per RFC 4791 Section 5.2.2
+      const validation = validateCalendarTimezone(child.textContent);
+      if (!validation.valid) {
+        validationErrors.push({
+          child,
+          error: validation.error,
+          precondition: 'valid-calendar-data'
+        });
+        return null;
+      }
+
+      return { timezone: child.textContent };
+    }
+
+    case 'calendar-color': {
+      // Allow empty string to clear the color
+      return { color: child.textContent };
+    }
+
+    case 'calendar-order': {
+      // For numeric values, parse if content exists, otherwise set to null
+      return {
+        order: child.textContent ? Number.parseInt(child.textContent, 10) : null
+      };
+    }
+
+    default: {
+      return null;
+    }
+  }
+}
+
+/**
+ * Process a 'remove' property and return the update object
+ * Per RFC 4918 Section 14.23: removing sets property to empty/null
+ * @param {Element} child - XML element node
+ * @returns {Object|null} - Update object or null if not handled
+ */
+function processRemoveProperty(child) {
+  switch (child.localName) {
+    case 'displayname': {
+      return { name: '', nameXmlLang: null };
+    }
+
+    case 'calendar-description': {
+      return { description: '', descriptionXmlLang: null };
+    }
+
+    case 'calendar-timezone': {
+      return { timezone: '' };
+    }
+
+    case 'calendar-color': {
+      return { color: '' };
+    }
+
+    case 'calendar-order': {
+      return { order: null };
+    }
+
+    default: {
+      // Per RFC 4918: removing non-existent property is not an error
+      return null;
+    }
+  }
+}
+
+/**
+ * Build error response for protected property modification attempt
+ * Per RFC 4918 Section 9.2: atomicity requires all or nothing
+ * @param {string} url - Request URL
+ * @param {Array} allChildren - All property children
+ * @param {Array} protectedErrors - Protected property elements
+ * @returns {string} - XML response
+ */
+function buildProtectedPropertyErrorResponse(
+  url,
+  allChildren,
+  protectedErrors
+) {
+  const responses = allChildren.map(({ child }) => {
+    const propName = `${child.prefix || 'D'}:${child.localName}`;
+    if (protectedErrors.includes(child)) {
+      // Return 403 for protected properties
+      return response(url, status[403], [{ [propName]: '' }]);
+    }
+
+    // Return 424 Failed Dependency for other properties
+    return response(url, status[424], [{ [propName]: '' }]);
+  });
+
+  return build(multistatus(_.compact(responses)));
+}
+
+/**
+ * Build error response for validation failures
+ * Per RFC 4918 Section 9.2: atomicity requires all or nothing
+ * @param {string} url - Request URL
+ * @param {Array} allChildren - All property children
+ * @param {Array} validationErrors - Validation error objects
+ * @returns {string} - XML response
+ */
+function buildValidationErrorResponse(url, allChildren, validationErrors) {
+  const errorChildren = new Set(validationErrors.map((e) => e.child));
+  const responses = allChildren.map(({ child }) => {
+    const propName = `${child.prefix || 'D'}:${child.localName}`;
+    if (errorChildren.has(child)) {
+      // Return 409 Conflict for validation errors (per RFC 4791 Section 5.3.2.1)
+      return response(url, status[409], [{ [propName]: '' }]);
+    }
+
+    // Return 424 Failed Dependency for other properties
+    return response(url, status[424], [{ [propName]: '' }]);
+  });
+
+  return build(multistatus(_.compact(responses)));
+}
+
 module.exports = function (options) {
   const tags = commonTags(options);
 
@@ -13,73 +286,143 @@ module.exports = function (options) {
       return;
     }
 
-    const { children } = xml.getWithChildren(
+    //
+    // Per RFC 4918 Section 9.2:
+    // - Servers MUST process PROPPATCH instructions in document order
+    // - Instructions MUST either all be executed or none executed (atomicity)
+    // - The propertyupdate element can contain both 'set' and 'remove' instructions
+    //
+    const { children: setChildren } = xml.getWithChildren(
       '/D:propertyupdate/D:set/D:prop',
       ctx.request.xml
     );
 
-    const updates = {};
-    for (const child of children) {
-      if (!child.localName || !child.textContent) continue;
-      switch (child.localName) {
-        case 'displayname': {
-          updates.name = child.textContent;
-
-          break;
-        }
+    const { children: removeChildren } = xml.getWithChildren(
+      '/D:propertyupdate/D:remove/D:prop',
+      ctx.request.xml
+    );
 
-        case 'calendar-description': {
-          updates.description = child.textContent;
+    const updates = {};
+    const protectedErrors = [];
+    const validationErrors = [];
+    const allChildren = [];
 
-          break;
-        }
+    // Process 'set' instructions
+    for (const child of setChildren) {
+      if (!child.localName) continue;
+      allChildren.push({ child, action: 'set' });
 
-        case 'calendar-timezone': {
-          updates.timezone = child.textContent;
+      if (PROTECTED_PROPERTIES.has(child.localName)) {
+        protectedErrors.push(child);
+        continue;
+      }
 
-          break;
-        }
+      const update = processSetProperty(child, validationErrors);
+      if (update) {
+        Object.assign(updates, update);
+      }
+    }
 
-        case 'calendar-color': {
-          updates.color = child.textContent;
+    // Process 'remove' instructions
+    for (const child of removeChildren) {
+      if (!child.localName) continue;
+      allChildren.push({ child, action: 'remove' });
 
-          break;
-        }
+      if (PROTECTED_PROPERTIES.has(child.localName)) {
+        protectedErrors.push(child);
+        continue;
+      }
 
-        case 'calendar-order': {
-          updates.order = Number.parseInt(child.textContent, 10);
+      const update = processRemoveProperty(child);
+      if (update) {
+        Object.assign(updates, update);
+      }
+    }
 
-          break;
-        }
+    //
+    // Atomicity check: If any errors, fail entire request
+    // Per RFC 4918 Section 9.2: "Instructions MUST either all be executed or none executed"
+    //
 
-        // TODO: finish me
+    // Check for protected property errors first
+    if (protectedErrors.length > 0) {
+      return buildProtectedPropertyErrorResponse(
+        ctx.url,
+        allChildren,
+        protectedErrors
+      );
+    }
 
-        // No default
+    // Check for validation errors (e.g., invalid timezone)
+    if (validationErrors.length > 0) {
+      // Log validation errors for debugging
+      for (const { child, error } of validationErrors) {
+        const err = new Error(
+          `CalDAV PROPPATCH validation error for ${child.localName}: ${error}`
+        );
+        err.isCodeBug = false;
+        console.warn(err.message);
+        if (ctx.logger) ctx.logger.warn(err.message);
       }
+
+      return buildValidationErrorResponse(
+        ctx.url,
+        allChildren,
+        validationErrors
+      );
     }
 
-    //
-    // if updates was empty then we should log so we can alert admins
-    // as to what other properties clients are attempting to update
-    // (this code is an anti-pattern but temporary so we can improve)
-    //
-    if (_.isEmpty(updates)) {
-      const err = new TypeError('CalDAV PROPPATCH missing fields');
-      err.isCodeBug = true; // Specific to Forward Email (can be removed later)
-      err.str = ctx.request.body; // Sensitive and should be removed later
+    // Log warning for unhandled properties
+    const unhandledProps = allChildren
+      .filter(
+        ({ child }) =>
+          child.localName &&
+          !MODIFIABLE_PROPERTIES.has(child.localName) &&
+          !PROTECTED_PROPERTIES.has(child.localName)
+      )
+      .map(({ child }) => child.localName);
+
+    if (unhandledProps.length > 0) {
+      const err = new TypeError(
+        `CalDAV PROPPATCH unhandled properties: ${unhandledProps.join(', ')}`
+      );
+      err.isCodeBug = true;
+      err.str = ctx.request.body;
       err.xml = ctx.request.xml;
       console.error(err);
       if (ctx.logger) ctx.logger.error(err);
     }
 
-    const updatedCalendar = await options.data.updateCalendar(ctx, {
-      principalId: ctx.state.params.principalId,
-      calendarId: ctx.state.params.calendarId,
-      user: ctx.state.user,
-      updates
-    });
+    //
+    // Apply updates atomically
+    // The updateCalendar function should handle rollback on failure
+    //
+    let updatedCalendar = calendar;
+    if (!_.isEmpty(updates)) {
+      try {
+        updatedCalendar = await options.data.updateCalendar(ctx, {
+          principalId: ctx.state.params.principalId,
+          calendarId: ctx.state.params.calendarId,
+          user: ctx.state.user,
+          updates
+        });
+      } catch (err) {
+        // If update fails, return 500 for all properties (atomicity)
+        console.error('CalDAV PROPPATCH update failed:', err);
+        if (ctx.logger)
+          ctx.logger.error('CalDAV PROPPATCH update failed:', err);
+
+        const responses = allChildren.map(({ child }) => {
+          const propName = `${child.prefix || 'D'}:${child.localName}`;
+          return response(ctx.url, status[500], [{ [propName]: '' }]);
+        });
+
+        return build(multistatus(_.compact(responses)));
+      }
+    }
 
-    const actions = _.map(children, async (child) => {
+    // Build response for each property
+    const actions = allChildren.map(async ({ child }) => {
       return tags.getResponse({
         resource: 'calendarProppatch',
         child,

package/routes/calendar/calendar/put.js

@@ -1,5 +1,4 @@
-const { notFound } = require('../../../common/x-build');
-// const { notFound, preconditionFail } = require('../../../common/x-build');
+const { notFound, preconditionFail } = require('../../../common/x-build');
 const { setMissingMethod } = require('../../../common/response');
 const winston = require('../../../common/winston');
 
@@ -57,14 +56,18 @@ module.exports = function (options) {
     log.debug(`existing event${existing ? '' : ' not'} found`);
 
     if (existing) {
-      /*
+      //
+      // RFC 7232 Section 3.2: If-None-Match
+      // When a client sends "If-None-Match: *", the server MUST NOT perform
+      // the requested method if the target resource exists.
+      // This is used by clients to prevent overwriting existing resources.
+      //
       if (ctx.get('if-none-match') === '*') {
         log.warn('if-none-match: * header present, precondition failed');
         ctx.status = 412;
         ctx.body = preconditionFail(ctx.url, 'no-uid-conflict');
         return;
       }
-      */
 
       const updateObject = await options.data.updateEvent(ctx, {
         eventId: ctx.state.params.eventId,

package/routes/calendar/user/propfind.js

@@ -1,5 +1,6 @@
 const _ = require('lodash');
 const xml = require('../../../common/xml');
+const winston = require('../../../common/winston');
 const {
   build,
   multistatus,
@@ -10,10 +11,20 @@ const calPropfind = require('../calendar/propfind');
 const commonTags = require('../../../common/tags');
 
 module.exports = function (options) {
+  const log = winston({ ...options, label: 'user/propfind' });
   const { calendarResponse } = calPropfind(options);
   const tags = commonTags(options);
 
   const exec = async function (ctx) {
+    // Handle missing or invalid XML body gracefully
+    // This can happen when the client connection is interrupted
+    // or the body was not received properly
+    if (!ctx.request.xml) {
+      log.warn('PROPFIND request received with missing or invalid XML body');
+      // Return a minimal valid response for allprop
+      // RFC 4918 Section 9.1: If no body is included, the request MUST be treated as allprop
+    }
+
     const { children } = xml.getWithChildren(
       '/D:propfind/D:prop',
       ctx.request.xml