moved where invalid method request are rejected

2017-06-20 16:29:07 -06:00 · 2017-06-20 16:29:07 -06:00 · 4a6d21f0b5
parent e901f1679b
commit 4a6d21f0b5
1 changed files with 13 additions and 11 deletions
--- a/packages/apis/com.daplie.goldilocks/index.js
+++ b/packages/apis/com.daplie.goldilocks/index.js
@ -31,15 +31,23 @@ module.exports.create = function (deps, conf) {
    res.setHeader('Access-Control-Allow-Methods', methods.join(', '));
    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');

-    if (req.method.toUpperCase() !== 'OPTIONS') {
-      return false;
-    }
-
+    if (req.method.toUpperCase() === 'OPTIONS') {
      res.setHeader('Allow', methods.join(', '));
      res.end();
      return true;
    }

+    if (methods.indexOf('*') >= 0) {
+      return false;
+    }
+    if (methods.indexOf(req.method.toUpperCase()) < 0) {
+      res.statusCode = 405;
+      res.setHeader('Content-Type', 'application/json');
+      res.end(JSON.stringify({ error: { message: 'method '+req.method+' not allowed', code: 'EBADMETHOD'}}));
+      return true;
+    }
+  }
+
  function isAuthorized(req, res, fn) {
    var auth = jwt.decode((req.headers.authorization||'').replace(/^bearer\s+/i, ''));
    if (!auth) {
@ -143,12 +151,6 @@ module.exports.create = function (deps, conf) {
      if (handleCors(req, res, 'POST')) {
        return;
      }
-      if (req.method !== 'POST') {
-        res.statusCode = 405;
-        res.setHeader('Content-Type', 'application/json');
-        res.end(JSON.stringify({ error: { message: 'method '+req.method+' not allowed'}}));
-        return;
-      }

      jsonParser(req, res, function () {