hypercore-fetch 9.4.0 → 9.6.0

package/README.md

@@ -53,6 +53,10 @@ Thus you can get the previous version of a file by using `hyper://NAME/$/version
 
 If the resource is a file, it may contain the `Last-Modified` header if the file has had a `metadata.mtime` flag set upon update.
 
+If the resource is a directory, it will contain the `Allow` header to
+indicate whether a hyperdrive is writable (`'HEAD,GET'`) or not
+(`'HEAD,GET,PUT,DELETE'`).
+
 ### `fetch('hyper://NAME/example.txt', {method: 'GET'})`
 
 This will attempt to load `example.txt` from the archive labeled by `NAME`.
@@ -124,6 +128,9 @@ The `body` can be any of the options supported by the Fetch API such as a `Strin
 
 Note that this is only available with the `writable: true` flag.
 
+An attempt to `PUT` a file to a hyperdrive which is not writable will
+fail with status `403`.
+
 ### `fetch('hyper://NAME/folder/', {method: 'PUT', body: new FormData()})`
 
 You can add multiple files to a folder using the `PUT` method with a [FormData](https://developer.mozilla.org/en-US/docs/Web/API/FormData) body.
@@ -141,6 +148,11 @@ You can delete a file or directory tree in a Hyperdrive by using the `DELETE` me
 
 `NAME` can either be the 52 character [z32 encoded](https://github.com/mafintosh/z32) key for a Hyperdrive or Hypercore , or a domain to parse with the [DNSLink](https://www.dnslink.io/) standard.
 
+Note that this is only available with the `writable: true` flag.
+
+An attempt to `DELETE` a file in a hyperdrive which is not writable
+will fail with status `403`.
+
 ### `fetch('hyper://NAME/$/extensions/')`
 
 You can list the current [hypercore extensions](https://github.com/hypercore-protocol/hypercore#ext--feedregisterextensionname-handlers) that are enabled by doing a `GET` on the `/$/extensions/` directory.

package/index.js

@@ -89,7 +89,9 @@ export default async function makeHyperFetch ({
     router.get(`hyper://${SPECIAL_DOMAIN}/`, getKey)
     router.post(`hyper://${SPECIAL_DOMAIN}/`, createKey)
 
+    router.put(`hyper://*/${SPECIAL_FOLDER}/${VERSION_FOLDER_NAME}/**`, putFilesVersioned)
     router.put('hyper://*/**', putFiles)
+    router.delete(`hyper://*/${SPECIAL_FOLDER}/${VERSION_FOLDER_NAME}/**`, deleteFilesVersioned)
     router.delete('hyper://*/**', deleteFiles)
   }
 
@@ -361,6 +363,12 @@ export default async function makeHyperFetch ({
 
     const drive = await getDrive(`hyper://${hostname}`)
 
+    if (!drive.db.feed.writable) {
+      return { status: 403, body: `Cannot PUT file to read-only drive: ${drive.url}`, headers: { Location: request.url } }
+    }
+
+    const mtime = Date.now()
+
     if (isFormData) {
       // It's a form! Get the files out and process them
       const formData = await request.formData()
@@ -371,7 +379,7 @@ export default async function makeHyperFetch ({
           Readable.from(data.stream()),
           drive.createWriteStream(filePath, {
             metadata: {
-              mtime: Date.now()
+              mtime
             }
           })
         )
@@ -384,14 +392,31 @@ export default async function makeHyperFetch ({
           Readable.from(request.body),
           drive.createWriteStream(pathname, {
             metadata: {
-              mtime: Date.now()
+              mtime
             }
           })
         )
       }
     }
 
-    return { status: 201, headers: { Location: request.url } }
+    const fullURL = new URL(pathname, drive.url).href
+
+    const headers = {
+      Location: request.url,
+      ETag: `${drive.version}`,
+      Link: `<${fullURL}>; rel="canonical"`,
+      [HEADER_LAST_MODIFIED]: isFormData ? undefined : new Date(mtime).toUTCString()
+    }
+
+    return { status: 201, headers }
+  }
+
+  function putFilesVersioned (request) {
+    return {
+      status: 405,
+      body: 'Cannot PUT file to old version',
+      headers: { Location: request.url }
+    }
   }
 
   async function deleteFiles (request) {
@@ -400,6 +425,10 @@ export default async function makeHyperFetch ({
 
     const drive = await getDrive(`hyper://${hostname}`)
 
+    if (!drive.db.feed.writable) {
+      return { status: 403, body: `Cannot DELETE file in read-only drive: ${drive.url}`, headers: { Location: request.url } }
+    }
+
     if (pathname.endsWith('/')) {
       let didDelete = false
       for await (const entry of drive.list(pathname)) {
@@ -419,7 +448,18 @@ export default async function makeHyperFetch ({
     }
     await drive.del(pathname)
 
-    return { status: 200 }
+    const fullURL = new URL(pathname, drive.url).href
+
+    const headers = {
+      ETag: `${drive.version}`,
+      Link: `<${fullURL}>; rel="canonical"`
+    }
+
+    return { status: 200, headers }
+  }
+
+  function deleteFilesVersioned (request) {
+    return { status: 405, body: 'Cannot DELETE old version', headers: { Location: request.url } }
   }
 
   async function headFilesVersioned (request) {
@@ -460,7 +500,7 @@ export default async function makeHyperFetch ({
     const isDirectory = pathname.endsWith('/')
     const fullURL = new URL(pathname, drive.url).href
 
-    const isWritable = writable && drive.writable
+    const isWritable = writable && drive.db.feed.writable
 
     const Allow = isWritable ? BASIC_METHODS.concat(WRITABLE_METHODS) : BASIC_METHODS
 
@@ -723,7 +763,7 @@ function makeToTry (pathname) {
 
 async function resolvePath (drive, pathname, noResolve) {
   if (noResolve) {
-    const entry = drive.entry(pathname)
+    const entry = await drive.entry(pathname)
 
     return { entry, path: pathname }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hypercore-fetch",
-  "version": "9.4.0",
+  "version": "9.6.0",
   "description": "Implementation of Fetch that uses the Dat SDK for loading p2p content",
   "type": "module",
   "main": "index.js",

package/test.js

@@ -333,6 +333,22 @@ test('Ignore index.html with noResolve', async (t) => {
   const entries = await listDirRequest.json()
   t.deepEqual(entries, ['index.html'], 'able to list index.html')
 })
+test('Ensure that noResolve works with file paths', async (t) => {
+  const created = await nextURL(t)
+  const uploadLocation = new URL('./example.txt', created)
+  const uploadResponse = await fetch(uploadLocation, {
+    method: 'put',
+    body: SAMPLE_CONTENT
+  })
+  await checkResponse(uploadResponse, t)
+
+  const noResolve = uploadLocation.href + '?noResolve'
+  const getRequest = await fetch(noResolve)
+  await checkResponse(getRequest, t)
+
+  const headRequest = await fetch(noResolve, { method: 'HEAD' })
+  await checkResponse(headRequest, t)
+})
 test('Render index.gmi', async (t) => {
   const created = await nextURL(t)
   const uploadLocation = new URL('./index.gmi', created)
@@ -484,7 +500,7 @@ test('Error on invalid hostname', async (t) => {
   }
 })
 
-test('GET older version of file from VERSION folder', async (t) => {
+test('Old versions in VERSION folder', async (t) => {
   const created = await nextURL(t)
 
   const fileName = 'example.txt'
@@ -512,6 +528,27 @@ test('GET older version of file from VERSION folder', async (t) => {
   await checkResponse(versionedRootResponse, t, 'Able to GET versioned root')
   const versionedRootContents = await versionedRootResponse.json()
   t.deepEqual(versionedRootContents, [], 'Old root content got loaded')
+
+  // PUT on old version should fail
+  const putResponse = await fetch(versionFileURL, {
+    method: 'PUT',
+    body: SAMPLE_CONTENT
+  })
+  if (putResponse.ok) {
+    throw new Error('PUT old version of file should have failed')
+  } else {
+    t.equal(putResponse.status, 405, 'PUT old version returned status 405 Not Allowed')
+  }
+
+  // DELETE on old version should fail
+  const deleteResponse = await fetch(versionFileURL, {
+    method: 'delete'
+  })
+  if (deleteResponse.ok) {
+    throw new Error('DELETE old version of file should have failed')
+  } else {
+    t.equal(deleteResponse.status, 405, 'DELETE old version returned status 405 Not Allowed')
+  }
 })
 
 test('Handle empty string pathname', async (t) => {
@@ -565,6 +602,39 @@ test('Handle empty string pathname', async (t) => {
   t.deepEqual(await versionedGetResponse.json(), ['example.txt', 'example2.txt'], 'Returns root directory prior to DELETE')
 })
 
+test('Return status 403 Forbidden on attempt to modify read-only hyperdrive', async (t) => {
+  const readOnlyURL = 'hyper://blog.mauve.moe/new-file.txt'
+  const putResponse = await fetch(readOnlyURL, { method: 'PUT', body: SAMPLE_CONTENT })
+  if (putResponse.ok) {
+    throw new Error('PUT file to read-only drive should have failed')
+  } else {
+    t.equal(putResponse.status, 403, 'PUT file to read-only drive returned status 403 Forbidden')
+  }
+
+  const deleteResponse = await fetch(readOnlyURL, { method: 'DELETE' })
+  if (deleteResponse.ok) {
+    throw new Error('DELETE file in read-only drive should have failed')
+  } else {
+    t.equal(deleteResponse.status, 403, 'DELETE file to read-only drive returned status 403 Forbidden')
+  }
+})
+
+test('Check hyperdrive writability', async (t) => {
+  const created = await nextURL(t)
+
+  const readOnlyRootDirectory = 'hyper://blog.mauve.moe/?noResolve'
+  const readOnlyHeadResponse = await fetch(readOnlyRootDirectory, { method: 'HEAD' })
+  await checkResponse(readOnlyHeadResponse, t, 'Able to load HEAD')
+  const readOnlyHeadersAllow = readOnlyHeadResponse.headers.get('Allow')
+  t.equal(readOnlyHeadersAllow, 'HEAD,GET', 'Expected read-only Allows header')
+
+  const writableRootDirectory = new URL('/', created)
+  const writableHeadResponse = await fetch(writableRootDirectory, { method: 'HEAD' })
+  await checkResponse(writableHeadResponse, t, 'Able to load HEAD')
+  const writableHeadersAllow = writableHeadResponse.headers.get('Allow')
+  t.equal(writableHeadersAllow, 'HEAD,GET,PUT,DELETE', 'Expected writable Allows header')
+})
+
 async function checkResponse (response, t, successMessage = 'Response OK') {
   if (!response.ok) {
     const message = await response.text()