more strict API prefix checking (and better error)

lib/bootstrap.js

@@ -47,13 +47,18 @@ module.exports.create = function (app, xconfx, models) {
     var resolve;
 
     function errorIfNotApi(req, res, next) {
-      // if it's not an ip address
-      if (/[a-z]+/.test(req.hostname || req.headers.host)) {
-        if (!/^api\./.test(req.hostname || req.headers.host)) {
-          console.warn('not API req.headers.host:', req.hostname || req.headers.host);
-          res.send({ error: { message: "no api. subdomain prefix" } });
-          return;
-        }
+      var hostname = req.hostname || req.headers.host;
+
+      if (!/^api\.[a-z0-9\-]+/.test(hostname)) {
+        res.send({ error:
+         { message: "API access is restricted to proper 'api'-prefixed lowercase subdomains."
+             + " The HTTP 'Host' header must exist and must begin with 'api.' as in 'api.example.com'."
+             + " For development you may test with api.localhost.daplie.me (or any domain by modifying your /etc/hosts)"
+         , code: 'E_NOT_API'
+         , _hostname: hostname
+         }
+        });
+        return;
       }
 
       next();