From 4a6d21f0b560adc451bbaa9789a3b820eab2111c Mon Sep 17 00:00:00 2001
From: tigerbot
Date: Tue, 20 Jun 2017 16:29:07 -0600
Subject: [PATCH] moved where invalid method request are rejected
---
 packages/apis/com.daplie.goldilocks/index.js | 24 +++++++++++---------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/packages/apis/com.daplie.goldilocks/index.js b/packages/apis/com.daplie.goldilocks/index.js
index 6f97d2e..293fdaa 100644
--- a/packages/apis/com.daplie.goldilocks/index.js
+++ b/packages/apis/com.daplie.goldilocks/index.js
@@ -31,13 +31,21 @@ module.exports.create = function (deps, conf) {
 res.setHeader('Access-Control-Allow-Methods', methods.join(', '));
 res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
- if (req.method.toUpperCase() !== 'OPTIONS') {
- return false;
+ if (req.method.toUpperCase() === 'OPTIONS') {
+ res.setHeader('Allow', methods.join(', '));
+ res.end();
+ return true;
 }
- res.setHeader('Allow', methods.join(', '));
- res.end();
- return true;
+ if (methods.indexOf('*') >= 0) {
+ return false;
+ }
+ if (methods.indexOf(req.method.toUpperCase()) < 0) {
+ res.statusCode = 405;
+ res.setHeader('Content-Type', 'application/json');
+ res.end(JSON.stringify({ error: { message: 'method '+req.method+' not allowed', code: 'EBADMETHOD'}}));
+ return true;
+ }
 }
 function isAuthorized(req, res, fn) {
@@ -143,12 +151,6 @@ module.exports.create = function (deps, conf) {
 if (handleCors(req, res, 'POST')) {
 return;
 }
- if (req.method !== 'POST') {
- res.statusCode = 405;
- res.setHeader('Content-Type', 'application/json');
- res.end(JSON.stringify({ error: { message: 'method '+req.method+' not allowed'}}));
- return;
- }
 jsonParser(req, res, function () {
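Review bot: The new 405 branch in handleCors sends the rejection without the `Allow` header that HTTP requires on a 405 response, even though the same value is already computed a few lines earlier for the OPTIONS reply; add `res.setHeader('Allow', methods.join(', '));` next to `res.statusCode = 405;`. The function also falls off the end for an allowed method and so yields `undefined` rather than `false`; callers such as `if (handleCors(req, res, 'POST')) { return; }` treat that as falsy, but an explicit `return false;` after the last `if` block would make the contract (true means the response has already been sent) visible. The `methods.indexOf('*') >= 0` shortcut skips method validation entirely for wildcard configurations, which looks intended but deserves a one-line comment such as `// '*' means any method is accepted; skip the 405 check`. The start of handleCors, where `methods` is built, lies outside the hunk, so whether its entries are upper-cased to match the `req.method.toUpperCase()` comparison cannot be confirmed from here.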