npm - koa-classic-server - Versions diffs - 2.6.1 → 3.0.0 - Mend

koa-classic-server 2.6.1 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (57) hide show

package/CLAUDE.md +101 -0
package/README.md +564 -591
package/__tests__/benchmark-results-v3.0.0.txt +372 -0
package/__tests__/benchmark.js +1 -1
package/__tests__/caching-headers.test.js +30 -30
package/__tests__/compression-fixtures/data.json +1 -0
package/__tests__/compression-fixtures/large.txt +1 -0
package/__tests__/compression-fixtures/small.txt +1 -0
package/__tests__/compression.test.js +284 -0
package/__tests__/customTest/serversToLoad.util.js +5 -5
package/__tests__/demo-regex-index.js +4 -4
package/__tests__/deprecation-warnings.test.js +71 -183
package/__tests__/directory-sorting-links.test.js +1 -1
package/__tests__/dt-unknown.test.js +39 -28
package/__tests__/ejs.test.js +1 -1
package/__tests__/hidden-fixtures/.dot-dir/inside.txt +1 -0
package/__tests__/hidden-fixtures/.env +2 -0
package/__tests__/hidden-fixtures/.well-known/acme-challenge.txt +1 -0
package/__tests__/hidden-fixtures/config/secrets/password.txt +1 -0
package/__tests__/hidden-fixtures/data.key +1 -0
package/__tests__/hidden-fixtures/file.secret +1 -0
package/__tests__/hidden-fixtures/index.html +1 -0
package/__tests__/hidden-fixtures/normal.txt +1 -0
package/__tests__/hidden-fixtures/subdir/.env +1 -0
package/__tests__/hidden-fixtures/subdir/regular.txt +1 -0
package/__tests__/hidden-option.test.js +407 -0
package/__tests__/hideExtension.test.js +70 -13
package/__tests__/index-option.test.js +18 -16
package/__tests__/index.test.js +14 -10
package/__tests__/listing.test.js +437 -0
package/__tests__/logger.test.js +232 -0
package/__tests__/range-fixtures/sample.txt +1 -0
package/__tests__/range.test.js +223 -0
package/__tests__/security-headers.test.js +165 -0
package/__tests__/security.test.js +148 -162
package/__tests__/server-cache-fixtures/large.txt +1 -0
package/__tests__/server-cache-fixtures/small.txt +1 -0
package/__tests__/server-cache.test.js +594 -0
package/__tests__/symlink.test.js +18 -15
package/__tests__/template-timeout.test.js +321 -0
package/docs/ACTION_PLAN.md +293 -0
package/docs/CHANGELOG.md +289 -0
package/docs/CODE_REVIEW.md +2 -0
package/docs/DOCUMENTATION.md +259 -32
package/docs/EXAMPLES_INDEX_OPTION.md +3 -3
package/docs/FLOW_DIAGRAM.md +15 -13
package/docs/INDEX_OPTION_PRIORITY.md +2 -2
package/docs/OPTIMIZATION_HTTP_CACHING.md +2 -0
package/docs/OPTIMIZATION_ROADMAP_for_V3.md +864 -0
package/docs/PERFORMANCE_COMPARISON.md +7 -7
package/docs/security_improvement_for_V3.md +421 -0
package/docs/template-engine/TEMPLATE_ENGINE_GUIDE.md +5 -5
package/docs/template-engine/esempi-incrementali.js +1 -1
package/eslint.config.mjs +17 -0
package/index.cjs +1507 -429
package/index.mjs +1 -5
package/package.json +9 -1

package/__tests__/range.test.js ADDED Viewed

@@ -0,0 +1,223 @@
+const supertest = require('supertest');
+const koaClassicServer = require('../index.cjs');
+const Koa = require('koa');
+const path = require('path');
+const root = path.join(__dirname, 'range-fixtures');
+// Fixture: sample.txt contains '0123456789abcdefghij' — exactly 20 bytes, no newline
+const FILE_SIZE = 20;
+const FILE_CONTENT = '0123456789abcdefghij';
+function createApp(opts = {}) {
+    const app = new Koa();
+    app.use(koaClassicServer(root, { dirListing: { enabled: false }, ...opts }));
+    return app.listen();
+}
+// ─── Accept-Ranges advertisement ─────────────────────────────────────────────
+describe('Range — Accept-Ranges header', () => {
+    let server;
+    beforeAll(() => { server = createApp(); });
+    afterAll(() => server.close());
+    test('Accept-Ranges: bytes present on 200 response', async () => {
+        const res = await supertest(server).get('/sample.txt');
+        expect(res.status).toBe(200);
+        expect(res.headers['accept-ranges']).toBe('bytes');
+    });
+    test('Accept-Ranges not added to directory listings', async () => {
+        const listServer = createApp({ dirListing: { enabled: true } });
+        const res = await supertest(listServer).get('/');
+        listServer.close();
+        expect(res.headers['accept-ranges']).toBeUndefined();
+    });
+});
+// ─── Basic 206 responses ──────────────────────────────────────────────────────
+describe('Range — basic 206 Partial Content', () => {
+    let server;
+    beforeAll(() => { server = createApp(); });
+    afterAll(() => server.close());
+    test('bytes=0-4 → first 5 bytes', async () => {
+        const res = await supertest(server).get('/sample.txt').set('Range', 'bytes=0-4');
+        expect(res.status).toBe(206);
+        expect(res.headers['content-range']).toBe(`bytes 0-4/${FILE_SIZE}`);
+        expect(res.headers['content-length']).toBe('5');
+        expect(res.text).toBe('01234');
+    });
+    test('bytes=10- → open range from offset 10', async () => {
+        const res = await supertest(server).get('/sample.txt').set('Range', 'bytes=10-');
+        expect(res.status).toBe(206);
+        expect(res.headers['content-range']).toBe(`bytes 10-19/${FILE_SIZE}`);
+        expect(res.headers['content-length']).toBe('10');
+        expect(res.text).toBe('abcdefghij');
+    });
+    test('bytes=-5 → last 5 bytes', async () => {
+        const res = await supertest(server).get('/sample.txt').set('Range', 'bytes=-5');
+        expect(res.status).toBe(206);
+        expect(res.headers['content-range']).toBe(`bytes 15-19/${FILE_SIZE}`);
+        expect(res.headers['content-length']).toBe('5');
+        expect(res.text).toBe('fghij');
+    });
+    test('bytes=0-19 (full file) → 206', async () => {
+        const res = await supertest(server).get('/sample.txt').set('Range', 'bytes=0-19');
+        expect(res.status).toBe(206);
+        expect(res.headers['content-range']).toBe(`bytes 0-19/${FILE_SIZE}`);
+        expect(res.headers['content-length']).toBe('20');
+        expect(res.text).toBe(FILE_CONTENT);
+    });
+    test('bytes=-999 (suffix > file size) → 206 full file', async () => {
+        const res = await supertest(server).get('/sample.txt').set('Range', 'bytes=-999');
+        expect(res.status).toBe(206);
+        expect(res.headers['content-range']).toBe(`bytes 0-19/${FILE_SIZE}`);
+        expect(res.headers['content-length']).toBe('20');
+        expect(res.text).toBe(FILE_CONTENT);
+    });
+    test('bytes=5-999 (end > file size) → end clamped to 19', async () => {
+        const res = await supertest(server).get('/sample.txt').set('Range', 'bytes=5-999');
+        expect(res.status).toBe(206);
+        expect(res.headers['content-range']).toBe(`bytes 5-19/${FILE_SIZE}`);
+        expect(res.headers['content-length']).toBe('15');
+        expect(res.text).toBe('56789abcdefghij');
+    });
+    test('Accept-Ranges present on 206 response', async () => {
+        const res = await supertest(server).get('/sample.txt').set('Range', 'bytes=0-4');
+        expect(res.headers['accept-ranges']).toBe('bytes');
+    });
+    test('single byte range bytes=7-7', async () => {
+        const res = await supertest(server).get('/sample.txt').set('Range', 'bytes=7-7');
+        expect(res.status).toBe(206);
+        expect(res.headers['content-range']).toBe(`bytes 7-7/${FILE_SIZE}`);
+        expect(res.headers['content-length']).toBe('1');
+        expect(res.text).toBe('7');
+    });
+});
+// ─── 416 Range Not Satisfiable ────────────────────────────────────────────────
+describe('Range — 416 Range Not Satisfiable', () => {
+    let server;
+    beforeAll(() => { server = createApp(); });
+    afterAll(() => server.close());
+    test('start beyond file size → 416', async () => {
+        const res = await supertest(server).get('/sample.txt').set('Range', 'bytes=100-200');
+        expect(res.status).toBe(416);
+        expect(res.headers['content-range']).toBe(`bytes */${FILE_SIZE}`);
+    });
+    test('start exactly at file size → 416', async () => {
+        const res = await supertest(server).get('/sample.txt').set('Range', `bytes=${FILE_SIZE}-`);
+        expect(res.status).toBe(416);
+        expect(res.headers['content-range']).toBe(`bytes */${FILE_SIZE}`);
+    });
+});
+// ─── Fallback to 200 ──────────────────────────────────────────────────────────
+describe('Range — fallback to 200 on invalid Range', () => {
+    let server;
+    beforeAll(() => { server = createApp(); });
+    afterAll(() => server.close());
+    test('malformed Range header → 200 full file', async () => {
+        const res = await supertest(server).get('/sample.txt').set('Range', 'bytes=abc');
+        expect(res.status).toBe(200);
+        expect(res.text).toBe(FILE_CONTENT);
+    });
+    test('multi-range → 200 full file', async () => {
+        const res = await supertest(server).get('/sample.txt').set('Range', 'bytes=0-2,5-7');
+        expect(res.status).toBe(200);
+        expect(res.text).toBe(FILE_CONTENT);
+    });
+    test('non-bytes unit → 200 full file', async () => {
+        const res = await supertest(server).get('/sample.txt').set('Range', 'kilobytes=0-100');
+        expect(res.status).toBe(200);
+        expect(res.text).toBe(FILE_CONTENT);
+    });
+    test('inverted range bytes=10-5 → 200 full file', async () => {
+        const res = await supertest(server).get('/sample.txt').set('Range', 'bytes=10-5');
+        expect(res.status).toBe(200);
+        expect(res.text).toBe(FILE_CONTENT);
+    });
+});
+// ─── If-Range ────────────────────────────────────────────────────────────────
+describe('Range — If-Range', () => {
+    let server;
+    let currentEtag;
+    beforeAll(async () => {
+        server = createApp({ browserCacheEnabled: true });
+        const res = await supertest(server).get('/sample.txt');
+        currentEtag = res.headers['etag'];
+    });
+    afterAll(() => server.close());
+    test('If-Range with matching ETag → 206', async () => {
+        const res = await supertest(server)
+            .get('/sample.txt')
+            .set('Range', 'bytes=0-4')
+            .set('If-Range', currentEtag);
+        expect(res.status).toBe(206);
+        expect(res.text).toBe('01234');
+    });
+    test('If-Range with wrong ETag → 200 full file', async () => {
+        const res = await supertest(server)
+            .get('/sample.txt')
+            .set('Range', 'bytes=0-4')
+            .set('If-Range', '"wrong-etag-does-not-match"');
+        expect(res.status).toBe(200);
+        expect(res.text).toBe(FILE_CONTENT);
+    });
+});
+// ─── HEAD + Range ─────────────────────────────────────────────────────────────
+describe('Range — HEAD method', () => {
+    let server;
+    beforeAll(() => { server = createApp({ method: ['GET', 'HEAD'] }); });
+    afterAll(() => server.close());
+    test('HEAD + Range → 206 status and correct headers, no body', async () => {
+        const res = await supertest(server)
+            .head('/sample.txt')
+            .set('Range', 'bytes=0-4');
+        expect(res.status).toBe(206);
+        expect(res.headers['content-range']).toBe(`bytes 0-4/${FILE_SIZE}`);
+        expect(res.headers['content-length']).toBe('5');
+        // HEAD response: no body sent (supertest reports undefined, not '')
+        expect(res.body).toEqual({});
+    });
+    test('HEAD without Range → 200, Accept-Ranges present', async () => {
+        const res = await supertest(server).head('/sample.txt');
+        expect(res.status).toBe(200);
+        expect(res.headers['accept-ranges']).toBe('bytes');
+    });
+    test('HEAD + out-of-bounds Range → 416', async () => {
+        const res = await supertest(server)
+            .head('/sample.txt')
+            .set('Range', 'bytes=999-');
+        expect(res.status).toBe(416);
+        expect(res.headers['content-range']).toBe(`bytes */${FILE_SIZE}`);
+    });
+});

package/__tests__/security-headers.test.js ADDED Viewed

@@ -0,0 +1,165 @@
+const supertest = require('supertest');
+const crypto = require('crypto');
+const koaClassicServer = require('../index.cjs');
+const Koa = require('koa');
+const path = require('path');
+const root = path.join(__dirname, 'publicWwwTest');
+// Compute the expected CSP hash from the actual inline CSS in the response, so
+// CSS edits to the listing template do not require updating a hardcoded hash here.
+async function expectedListingCsp(server, requestPath = '/') {
+    const res = await supertest(server).get(requestPath);
+    const m = res.text.match(/<style>([\s\S]*?)<\/style>/);
+    if (!m) throw new Error('No <style> block in listing HTML — cannot compute expected CSP');
+    const cssHash = 'sha256-' + crypto.createHash('sha256').update(m[1], 'utf8').digest('base64');
+    return `default-src 'none'; style-src '${cssHash}'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'`;
+}
+const NOT_FOUND_CSP = "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'";
+const COMMON_HEADERS = {
+  'x-content-type-options': 'nosniff',
+  'x-frame-options': 'DENY',
+  'referrer-policy': 'no-referrer',
+  'permissions-policy': 'camera=(), microphone=(), geolocation=(), payment=()',
+};
+function createApp(opts = {}) {
+  const app = new Koa();
+  app.use(koaClassicServer(root, { dirListing: { enabled: true }, ...opts }));
+  return app.listen();
+}
+// ─── Directory listing ────────────────────────────────────────────────────────
+describe('Security headers — directory listing page', () => {
+  let server;
+  beforeAll(() => { server = createApp(); });
+  afterAll(() => server.close());
+  test('Content-Security-Policy uses hash-based style-src', async () => {
+    const res = await supertest(server).get('/');
+    expect(res.headers['content-security-policy']).toBe(await expectedListingCsp(server));
+  });
+  test('X-Content-Type-Options: nosniff', async () => {
+    const res = await supertest(server).get('/');
+    expect(res.headers['x-content-type-options']).toBe('nosniff');
+  });
+  test('X-Frame-Options: DENY', async () => {
+    const res = await supertest(server).get('/');
+    expect(res.headers['x-frame-options']).toBe('DENY');
+  });
+  test('Referrer-Policy: no-referrer', async () => {
+    const res = await supertest(server).get('/');
+    expect(res.headers['referrer-policy']).toBe('no-referrer');
+  });
+  test('Permissions-Policy disables camera, microphone, geolocation, payment', async () => {
+    const res = await supertest(server).get('/');
+    expect(res.headers['permissions-policy']).toBe('camera=(), microphone=(), geolocation=(), payment=()');
+  });
+  test('All common security headers present on listing', async () => {
+    const res = await supertest(server).get('/');
+    for (const [header, value] of Object.entries(COMMON_HEADERS)) {
+      expect(res.headers[header]).toBe(value);
+    }
+  });
+  test('CSP style-src hash in listing matches actual inline CSS', async () => {
+    const res = await supertest(server).get('/');
+    const styleMatch = res.text.match(/<style>([\s\S]*?)<\/style>/);
+    expect(styleMatch).toBeTruthy();
+    const expectedHash = 'sha256-' + crypto.createHash('sha256').update(styleMatch[1], 'utf8').digest('base64');
+    expect(res.headers['content-security-policy']).toContain(expectedHash);
+  });
+});
+// ─── 404 Not Found page ───────────────────────────────────────────────────────
+describe('Security headers — 404 Not Found page', () => {
+  let server;
+  beforeAll(() => { server = createApp(); });
+  afterAll(() => server.close());
+  test('Content-Security-Policy on 404 is fully restrictive (no style-src)', async () => {
+    const res = await supertest(server).get('/nonexistent-file-xyz.txt');
+    expect(res.status).toBe(404);
+    expect(res.headers['content-security-policy']).toBe(NOT_FOUND_CSP);
+  });
+  test('All common security headers present on 404', async () => {
+    const res = await supertest(server).get('/nonexistent-file-xyz.txt');
+    for (const [header, value] of Object.entries(COMMON_HEADERS)) {
+      expect(res.headers[header]).toBe(value);
+    }
+  });
+  test('CSP on 404 does NOT contain style-src', async () => {
+    const res = await supertest(server).get('/nonexistent-file-xyz.txt');
+    expect(res.headers['content-security-policy']).not.toContain('style-src');
+  });
+});
+// ─── Directory listing disabled (dirListing: { enabled: false }) ─────────────────────
+describe('Security headers — 404 when directory listing disabled', () => {
+  let server;
+  beforeAll(() => { server = createApp({ dirListing: { enabled: false } }); });
+  afterAll(() => server.close());
+  test('Security headers present when directory listing disabled', async () => {
+    const res = await supertest(server).get('/');
+    expect(res.status).toBe(404);
+    expect(res.headers['content-security-policy']).toBe(NOT_FOUND_CSP);
+    for (const [header, value] of Object.entries(COMMON_HEADERS)) {
+      expect(res.headers[header]).toBe(value);
+    }
+  });
+});
+// ─── Served user files — NO security headers ─────────────────────────────────
+describe('Security headers — NOT added to user-served files', () => {
+  let server;
+  beforeAll(() => { server = createApp(); });
+  afterAll(() => server.close());
+  test('Served static file has no Content-Security-Policy', async () => {
+    const res = await supertest(server).get('/test.txt');
+    expect(res.status).toBe(200);
+    expect(res.headers['content-security-policy']).toBeUndefined();
+  });
+  test('Served static file has no X-Frame-Options', async () => {
+    const res = await supertest(server).get('/test.txt');
+    expect(res.headers['x-frame-options']).toBeUndefined();
+  });
+  test('Served HTML file has no Content-Security-Policy (user file)', async () => {
+    const res = await supertest(server).get('/test-page.html');
+    expect(res.status).toBe(200);
+    expect(res.headers['content-security-policy']).toBeUndefined();
+  });
+});
+// ─── Subdirectory listing ─────────────────────────────────────────────────────
+describe('Security headers — subdirectory listing page', () => {
+  let server;
+  beforeAll(() => { server = createApp(); });
+  afterAll(() => server.close());
+  test('Listing of subdirectory also has security headers', async () => {
+    const res = await supertest(server).get('/cartella/');
+    expect(res.status).toBe(200);
+    expect(res.headers['content-security-policy']).toBe(await expectedListingCsp(server, '/cartella/'));
+    for (const [header, value] of Object.entries(COMMON_HEADERS)) {
+      expect(res.headers[header]).toBe(value);
+    }
+  });
+});