From fd044d6467098ade85a6c8c3c563f4f1f5120455 Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Tue, 2 Oct 2018 18:25:04 -0600
Subject: [PATCH] v1.3.0: redirect root '/' with 301 by default (for curl | bash installers)
---
 README.md | 30 ++++++++++++++++++++++++++----
 index.js | 17 +++++++++++++++++
 package.json | 2 +-
 3 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 3030e0c..5b69186 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,12 @@
 # redirect-https
-Redirect from HTTP to HTTPS.
+Secure-by-default redirects from HTTP to HTTPS.
-Makes for a seemless experience to end users in browsers (defaults to `301 Permanent + Location` redirect)
-and tightens security for apis and bots, without adversely affecting strange browsers (fallback to `meta` redirect).
+* Browsers get a 301 + Location redirect
+* Only developers, bots, and APIs see security warning (advising to use HTTPS)
+* Always uses meta redirect as a fallback, for everyone
+* '/' always gets a 301 (for `curl | bash` installers)
+* minimally configurable, don't get fancy
 See
@@ -28,7 +31,7 @@ module.exports = app;
 ## Options
-```
+```js
 { port: 443 // defaults to 443
 , body: '' // defaults to an html comment to use https
 , trustProxy: true // useful if you haven't set this option in express
@@ -42,6 +45,25 @@ module.exports = app;
 * If you use `{{URL}}` in the body text it will be replaced with a URI encoded and HTML escaped url (it'll look just like it is)
 * If you use `{{HTML_URL}}` in the body text it will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar)
+## Advanced Options
+
+For the sake of `curl | bash` installers and the like there is also the option to cause bots and apis (i.e. curl)
+to get a certain redirect for an exact path match:
+
+```js
+{ paths: [
+ { match: '/'
+ , redirect: 301
+ }
+ , { match: /^\/$/
+ , redirect: 301
+ }
+ ]
+}
+```
+
+If you're using this, you're probably getting too fancy (but hey, I get too fancy sometimes too).
+
 ## Demo
 ```javascript
diff --git a/index.js b/index.js
index d14d583..e3f3b9a 100644
--- a/index.js
+++ b/index.js
@@ -15,6 +15,9 @@ module.exports = function (opts) {
 if (!opts.apis) {
 opts.apis = 'meta';
 }
+ if (!Array.isArray(opts.paths)) {
+ opts.paths = [ { match: '/' } ];
+ }
 if (!('body' in opts)) {
 opts.body = "";
@@ -68,7 +71,21 @@ module.exports = function (opts) {
 + '\n' + body + '\n\n' + '\n' ;
+ var pathMatch;
+ opts.paths.some(function (p) {
+ if (!p.match) {
+ // ignore
+ } else if ('string' === typeof p.match) {
+ pathMatch = (url === p.match) && (p.redirect || 301);
+ } else {
+ pathMatch = p.match.test && p.match.test(url) && (p.redirect || 301);
+ }
+ if (pathMatch) {
+ redirect = pathMatch;
+ }
+ return pathMatch;
+ });
 // If it's not a non-0 number (because null is 0) then 'meta' is assumed.
 if (redirect && isFinite(redirect)) {
 res.statusCode = redirect;
diff --git a/package.json b/package.json
index 6a2e708..5ee089e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "redirect-https",
- "version": "1.2.0",
+ "version": "1.3.0",
 "description": "Redirect from HTTP to HTTPS using meta redirects",
 "main": "index.js",
 "scripts": {
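Review bot: The new default in the first index.js hunk, `opts.paths = [ { match: '/' } ]`, is opt-out, and nothing in the code says that an explicit `paths: []` is the only way to keep the earlier handling of `/` for non-browser clients. A client that follows redirects will follow the 301 without showing the use-HTTPS body, while its first request is still plaintext, so the trade-off deserves a comment at this spot, e.g. `// default: '/' gets a 301 for every client; pass paths: [] to leave '/' on the browsers/apis setting`. The `!Array.isArray(opts.paths)` test also replaces any non-array value (a single `{ match: ... }` object, for instance) with the default silently; throwing a `TypeError` for a defined non-array value would surface that misconfiguration. The enclosing function starts and ends outside the hunk.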
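Review bot: In the second index.js hunk, `p.match.test(url)` is stateful when the configured RegExp carries the `g` or `y` flag: `lastIndex` persists between requests, so the same path can match on one request and miss on the next, leaving `redirect` at whatever was chosen earlier. Resetting it before the call (`p.match.lastIndex = 0;`) or documenting that `match` must not use those flags removes the surprise. `p.redirect || 301` is also passed through unchecked, and the later `isFinite(redirect)` test accepts any number, so a typo such as `redirect: 200` would be sent as the status code; restricting the value to the 3xx redirect codes would be safer. `url` and `redirect` are defined outside the hunk, so whether `url` carries the query string (in which case `'/'` would miss `/?ref=x`) cannot be confirmed from here.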