redirect-https.js/index.js

'use strict';

module.exports = function (opts) {
  var escapeHtml = require('escape-html');

  if (!opts) {
    opts = {};
  }
  if (!isFinite(opts.port)) {
    opts.port = 443;
  }
  if (!opts.browsers) {
    opts.browsers = 301;
  }
  if (!opts.apis) {
    opts.apis = 'meta';
  }
  if (!Array.isArray(opts.paths)) {
    opts.paths = [ { match: '/' } ];
  }
  if (!('body' in opts)) {
    opts.body = "<!-- Hello Developer Person! We don't serve insecure resources around here."
      + "\n    Please use HTTPS instead. -->";
  }
  opts.body = opts.body.replace(/{{\s+PORT\s+}}/ig, opts.port);

  return function (req, res, next) {
    if (req.connection.encrypted
      || 'https' === req.protocol
      || (opts.trustProxy && 'https' === req.headers['x-forwarded-proto'])
    ) {
      next();
      return;
    }

    var url = (req.originalUrl || req.url);
    // We don't want chrome showing the "Not Secure" badge during the redirect.
    var probablyBrowser = (0 === (req.headers['user-agent']||'').indexOf('Mozilla/'));
    // But we don't want devs, APIs, or Bots to accidentally browse insecure.
    var redirect = probablyBrowser ? opts.browsers : opts.apis;
    var host = req.headers.host || '';
		if (!/:\d+/.test(host) && 443 !== opts.port) {
			// we are using standard port 80, but we aren't using standard port 443
			host += ':80';
		}
    var newLocation = 'https://'
      + host.replace(/:\d+/, ':' + opts.port) + url
      ;

    //var encodedLocation = encodeURI(newLocation);
    var escapedLocation = escapeHtml(newLocation);
    var decodedLocation;
    try {
      decodedLocation = decodeURIComponent(newLocation);
    } catch(e) {
      decodedLocation = newLocation; // "#/error/?error_message=" + e.toString();
    }

    var body = opts.body
          .replace(/{{\s*HTML_URL\s*}}/ig, escapeHtml(decodedLocation))
          .replace(/{{\s*URL\s*}}/ig, escapedLocation)
          .replace(/{{\s*UNSAFE_URL\s*}}/ig, newLocation)
          ;

    var metaRedirect = ''
      + '<html>'
      + '\n<head><META http-equiv="refresh" content="0;URL=\'' + escapedLocation + '\'"></head>'
      + '\n<body>' + body + '</body>'
      + '\n</html>\n'
      ;
    var pathMatch;

    opts.paths.some(function (p) {
      if (!p.match) {
        // ignore
      } else if ('string' === typeof p.match) {
        pathMatch = (url === p.match) && (p.redirect || 301);
      } else {
        pathMatch = p.match.test && p.match.test(url) && (p.redirect || 301);
      }
      if (pathMatch) {
        redirect = pathMatch;
      }
      return pathMatch;
    });
    // If it's not a non-0 number (because null is 0) then 'meta' is assumed.
    if (redirect && isFinite(redirect)) {
      res.statusCode = redirect;
      res.setHeader('Location', newLocation);
    }
    res.setHeader('Content-Type', 'text/html; charset=utf-8');
    res.end(metaRedirect);
  };
};
v1.0.0 2015-07-07 23:19:44 +00:00			`'use strict';`

			`module.exports = function (opts) {`
			`var escapeHtml = require('escape-html');`

			`if (!opts) {`
			`opts = {};`
			`}`
v1.2.0: browsers shall pass, apis... not so much 2018-10-02 23:49:24 +00:00			`if (!isFinite(opts.port)) {`
v1.0.0 2015-07-07 23:19:44 +00:00			`opts.port = 443;`
			`}`
v1.2.0: browsers shall pass, apis... not so much 2018-10-02 23:49:24 +00:00			`if (!opts.browsers) {`
			`opts.browsers = 301;`
			`}`
			`if (!opts.apis) {`
			`opts.apis = 'meta';`
			`}`
v1.3.0: redirect root '/' with 301 by default (for curl \| bash installers) 2018-10-03 00:25:04 +00:00			`if (!Array.isArray(opts.paths)) {`
			`opts.paths = [ { match: '/' } ];`
			`}`
v1.0.0 2015-07-07 23:19:44 +00:00			`if (!('body' in opts)) {`
v1.1.6: don't be so insensitive 2018-08-17 02:50:50 +00:00			`opts.body = "<!-- Hello Developer Person! We don't serve insecure resources around here."`
v1.0.0 2015-07-07 23:19:44 +00:00			`+ "\n Please use HTTPS instead. -->";`
			`}`
backport lost commits 2018-02-27 22:42:26 +00:00			`opts.body = opts.body.replace(/{{\s+PORT\s+}}/ig, opts.port);`
v1.0.0 2015-07-07 23:19:44 +00:00
			`return function (req, res, next) {`
			`if (req.connection.encrypted`
			`\|\| 'https' === req.protocol`
			`\|\| (opts.trustProxy && 'https' === req.headers['x-forwarded-proto'])`
			`) {`
			`next();`
			`return;`
			`}`

backport lost commits 2018-02-27 22:42:26 +00:00			`var url = (req.originalUrl \|\| req.url);`
v1.2.0: browsers shall pass, apis... not so much 2018-10-02 23:49:24 +00:00			`// We don't want chrome showing the "Not Secure" badge during the redirect.`
			`var probablyBrowser = (0 === (req.headers['user-agent']\|\|'').indexOf('Mozilla/'));`
			`// But we don't want devs, APIs, or Bots to accidentally browse insecure.`
			`var redirect = probablyBrowser ? opts.browsers : opts.apis;`
v1.0.0 2015-07-07 23:19:44 +00:00			`var host = req.headers.host \|\| '';`
fix #2 2016-11-21 22:45:05 +00:00			`if (!/:\d+/.test(host) && 443 !== opts.port) {`
			`// we are using standard port 80, but we aren't using standard port 443`
			`host += ':80';`
			`}`
v1.0.0 2015-07-07 23:19:44 +00:00			`var newLocation = 'https://'`
			`+ host.replace(/:\d+/, ':' + opts.port) + url`
			`;`
add headerRedirect option 2018-09-07 19:30:29 +00:00
v1.0.0 2015-07-07 23:19:44 +00:00			`//var encodedLocation = encodeURI(newLocation);`
			`var escapedLocation = escapeHtml(newLocation);`
backport lost commits 2018-02-27 22:42:26 +00:00			`var decodedLocation;`
workaround for malforrmed url 2018-02-26 19:02:44 +00:00			`try {`
backport lost commits 2018-02-27 22:42:26 +00:00			`decodedLocation = decodeURIComponent(newLocation);`
workaround for malforrmed url 2018-02-26 19:02:44 +00:00			`} catch(e) {`
backport lost commits 2018-02-27 22:42:26 +00:00			`decodedLocation = newLocation; // "#/error/?error_message=" + e.toString();`
workaround for malforrmed url 2018-02-26 19:02:44 +00:00			`}`
add headerRedirect option 2018-09-07 19:30:29 +00:00
v1.0.0 2015-07-07 23:19:44 +00:00			`var body = opts.body`
backport lost commits 2018-02-27 22:42:26 +00:00			`.replace(/{{\sHTML_URL\s}}/ig, escapeHtml(decodedLocation))`
v1.0.0 2015-07-07 23:19:44 +00:00			`.replace(/{{\sURL\s}}/ig, escapedLocation)`
			`.replace(/{{\sUNSAFE_URL\s}}/ig, newLocation)`
			`;`

			`var metaRedirect = ''`
adjust spacing to be easier to read from curl output 2020-04-26 23:31:25 +00:00			`+ '<html>'`
			`+ '\n<head><META http-equiv="refresh" content="0;URL=\'' + escapedLocation + '\'"></head>'`
			`+ '\n<body>' + body + '</body>'`
			`+ '\n</html>\n'`
v1.0.0 2015-07-07 23:19:44 +00:00			`;`
v1.3.0: redirect root '/' with 301 by default (for curl \| bash installers) 2018-10-03 00:25:04 +00:00			`var pathMatch;`
v1.0.0 2015-07-07 23:19:44 +00:00
v1.3.0: redirect root '/' with 301 by default (for curl \| bash installers) 2018-10-03 00:25:04 +00:00			`opts.paths.some(function (p) {`
			`if (!p.match) {`
			`// ignore`
			`} else if ('string' === typeof p.match) {`
			`pathMatch = (url === p.match) && (p.redirect \|\| 301);`
			`} else {`
			`pathMatch = p.match.test && p.match.test(url) && (p.redirect \|\| 301);`
			`}`
			`if (pathMatch) {`
			`redirect = pathMatch;`
			`}`
			`return pathMatch;`
			`});`
v1.2.0: browsers shall pass, apis... not so much 2018-10-02 23:49:24 +00:00			`// If it's not a non-0 number (because null is 0) then 'meta' is assumed.`
			`if (redirect && isFinite(redirect)) {`
			`res.statusCode = redirect;`
add headerRedirect option 2018-09-07 19:30:29 +00:00			`res.setHeader('Location', newLocation);`
			`}`
v1.0.0 2015-07-07 23:19:44 +00:00			`res.setHeader('Content-Type', 'text/html; charset=utf-8');`
			`res.end(metaRedirect);`
			`};`
			`};`