hypercore-fetch 9.4.0 → 9.5.0

package/README.md

@@ -53,6 +53,10 @@ Thus you can get the previous version of a file by using `hyper://NAME/$/version
 
 If the resource is a file, it may contain the `Last-Modified` header if the file has had a `metadata.mtime` flag set upon update.
 
+If the resource is a directory, it will contain the `Allow` header to
+indicate whether a hyperdrive is writable (`'HEAD,GET'`) or not
+(`'HEAD,GET,PUT,DELETE'`).
+
 ### `fetch('hyper://NAME/example.txt', {method: 'GET'})`
 
 This will attempt to load `example.txt` from the archive labeled by `NAME`.
@@ -124,6 +128,9 @@ The `body` can be any of the options supported by the Fetch API such as a `Strin
 
 Note that this is only available with the `writable: true` flag.
 
+An attempt to `PUT` a file to a hyperdrive which is not writable will
+fail with status `403`.
+
 ### `fetch('hyper://NAME/folder/', {method: 'PUT', body: new FormData()})`
 
 You can add multiple files to a folder using the `PUT` method with a [FormData](https://developer.mozilla.org/en-US/docs/Web/API/FormData) body.
@@ -141,6 +148,11 @@ You can delete a file or directory tree in a Hyperdrive by using the `DELETE` me
 
 `NAME` can either be the 52 character [z32 encoded](https://github.com/mafintosh/z32) key for a Hyperdrive or Hypercore , or a domain to parse with the [DNSLink](https://www.dnslink.io/) standard.
 
+Note that this is only available with the `writable: true` flag.
+
+An attempt to `DELETE` a file in a hyperdrive which is not writable
+will fail with status `403`.
+
 ### `fetch('hyper://NAME/$/extensions/')`
 
 You can list the current [hypercore extensions](https://github.com/hypercore-protocol/hypercore#ext--feedregisterextensionname-handlers) that are enabled by doing a `GET` on the `/$/extensions/` directory.

package/index.js

@@ -89,7 +89,9 @@ export default async function makeHyperFetch ({
     router.get(`hyper://${SPECIAL_DOMAIN}/`, getKey)
     router.post(`hyper://${SPECIAL_DOMAIN}/`, createKey)
 
+    router.put(`hyper://*/${SPECIAL_FOLDER}/${VERSION_FOLDER_NAME}/**`, putFilesVersioned)
     router.put('hyper://*/**', putFiles)
+    router.delete(`hyper://*/${SPECIAL_FOLDER}/${VERSION_FOLDER_NAME}/**`, deleteFilesVersioned)
     router.delete('hyper://*/**', deleteFiles)
   }
 
@@ -361,6 +363,10 @@ export default async function makeHyperFetch ({
 
     const drive = await getDrive(`hyper://${hostname}`)
 
+    if (!drive.db.feed.writable) {
+      return { status: 403, body: `Cannot PUT file to read-only drive: ${drive.url}`, headers: { Location: request.url } }
+    }
+
     if (isFormData) {
       // It's a form! Get the files out and process them
       const formData = await request.formData()
@@ -394,12 +400,20 @@ export default async function makeHyperFetch ({
     return { status: 201, headers: { Location: request.url } }
   }
 
+  function putFilesVersioned (request) {
+    return { status: 405, body: 'Cannot PUT file to old version', headers: { Location: request.url } }
+  }
+
   async function deleteFiles (request) {
     const { hostname, pathname: rawPathname } = new URL(request.url)
     const pathname = decodeURI(ensureLeadingSlash(rawPathname))
 
     const drive = await getDrive(`hyper://${hostname}`)
 
+    if (!drive.db.feed.writable) {
+      return { status: 403, body: `Cannot DELETE file in read-only drive: ${drive.url}`, headers: { Location: request.url } }
+    }
+
     if (pathname.endsWith('/')) {
       let didDelete = false
       for await (const entry of drive.list(pathname)) {
@@ -422,6 +436,10 @@ export default async function makeHyperFetch ({
     return { status: 200 }
   }
 
+  function deleteFilesVersioned (request) {
+    return { status: 405, body: 'Cannot DELETE old version', headers: { Location: request.url } }
+  }
+
   async function headFilesVersioned (request) {
     const url = new URL(request.url)
     const { hostname, pathname: rawPathname, searchParams } = url
@@ -460,7 +478,7 @@ export default async function makeHyperFetch ({
     const isDirectory = pathname.endsWith('/')
     const fullURL = new URL(pathname, drive.url).href
 
-    const isWritable = writable && drive.writable
+    const isWritable = writable && drive.db.feed.writable
 
     const Allow = isWritable ? BASIC_METHODS.concat(WRITABLE_METHODS) : BASIC_METHODS
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hypercore-fetch",
-  "version": "9.4.0",
+  "version": "9.5.0",
   "description": "Implementation of Fetch that uses the Dat SDK for loading p2p content",
   "type": "module",
   "main": "index.js",

package/test.js

@@ -484,7 +484,7 @@ test('Error on invalid hostname', async (t) => {
   }
 })
 
-test('GET older version of file from VERSION folder', async (t) => {
+test('Old versions in VERSION folder', async (t) => {
   const created = await nextURL(t)
 
   const fileName = 'example.txt'
@@ -512,6 +512,27 @@ test('GET older version of file from VERSION folder', async (t) => {
   await checkResponse(versionedRootResponse, t, 'Able to GET versioned root')
   const versionedRootContents = await versionedRootResponse.json()
   t.deepEqual(versionedRootContents, [], 'Old root content got loaded')
+
+  // PUT on old version should fail
+  const putResponse = await fetch(versionFileURL, {
+    method: 'PUT',
+    body: SAMPLE_CONTENT
+  })
+  if (putResponse.ok) {
+    throw new Error('PUT old version of file should have failed')
+  } else {
+    t.equal(putResponse.status, 405, 'PUT old version returned status 405 Not Allowed')
+  }
+
+  // DELETE on old version should fail
+  const deleteResponse = await fetch(versionFileURL, {
+    method: 'delete'
+  })
+  if (deleteResponse.ok) {
+    throw new Error('DELETE old version of file should have failed')
+  } else {
+    t.equal(deleteResponse.status, 405, 'DELETE old version returned status 405 Not Allowed')
+  }
 })
 
 test('Handle empty string pathname', async (t) => {
@@ -565,6 +586,39 @@ test('Handle empty string pathname', async (t) => {
   t.deepEqual(await versionedGetResponse.json(), ['example.txt', 'example2.txt'], 'Returns root directory prior to DELETE')
 })
 
+test('Return status 403 Forbidden on attempt to modify read-only hyperdrive', async (t) => {
+  const readOnlyURL = 'hyper://blog.mauve.moe/new-file.txt'
+  const putResponse = await fetch(readOnlyURL, { method: 'PUT', body: SAMPLE_CONTENT })
+  if (putResponse.ok) {
+    throw new Error('PUT file to read-only drive should have failed')
+  } else {
+    t.equal(putResponse.status, 403, 'PUT file to read-only drive returned status 403 Forbidden')
+  }
+
+  const deleteResponse = await fetch(readOnlyURL, { method: 'DELETE' })
+  if (deleteResponse.ok) {
+    throw new Error('DELETE file in read-only drive should have failed')
+  } else {
+    t.equal(deleteResponse.status, 403, 'DELETE file to read-only drive returned status 403 Forbidden')
+  }
+})
+
+test('Check hyperdrive writability', async (t) => {
+  const created = await nextURL(t)
+
+  const readOnlyRootDirectory = 'hyper://blog.mauve.moe/?noResolve'
+  const readOnlyHeadResponse = await fetch(readOnlyRootDirectory, { method: 'HEAD' })
+  await checkResponse(readOnlyHeadResponse, t, 'Able to load HEAD')
+  const readOnlyHeadersAllow = readOnlyHeadResponse.headers.get('Allow')
+  t.equal(readOnlyHeadersAllow, 'HEAD,GET', 'Expected read-only Allows header')
+
+  const writableRootDirectory = new URL('/', created)
+  const writableHeadResponse = await fetch(writableRootDirectory, { method: 'HEAD' })
+  await checkResponse(writableHeadResponse, t, 'Able to load HEAD')
+  const writableHeadersAllow = writableHeadResponse.headers.get('Allow')
+  t.equal(writableHeadersAllow, 'HEAD,GET,PUT,DELETE', 'Expected writable Allows header')
+})
+
 async function checkResponse (response, t, successMessage = 'Response OK') {
   if (!response.ok) {
     const message = await response.text()