From 1e5fd8484f6ac1a69a1526eae1017c3cd5856d1e Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Thu, 11 May 2017 01:11:31 +0000
Subject: [PATCH] more strict API prefix checking (and better error)

---
 lib/bootstrap.js | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/lib/bootstrap.js b/lib/bootstrap.js
index 540e55e..671fc9e 100644
--- a/lib/bootstrap.js
+++ b/lib/bootstrap.js
@@ -47,13 +47,18 @@ module.exports.create = function (app, xconfx, models) {
 var resolve;
 function errorIfNotApi(req, res, next) {
- // if it's not an ip address
- if (/[a-z]+/.test(req.hostname || req.headers.host)) {
- if (!/^api\./.test(req.hostname || req.headers.host)) {
- console.warn('not API req.headers.host:', req.hostname || req.headers.host);
- res.send({ error: { message: "no api. subdomain prefix" } });
- return;
- }
+ var hostname = req.hostname || req.headers.host;
+
+ if (!/^api\.[a-z0-9\-]+/.test(hostname)) {
+ res.send({ error: { message: "API access is restricted to proper 'api'-prefixed lowercase subdomains." + " The HTTP 'Host' header must exist and must begin with 'api.' as in 'api.example.com'." + " For development you may test with api.localhost.daplie.me (or any domain by modifying your /etc/hosts)" , code: 'E_NOT_API' , _hostname: hostname } });
+ return;
 }
 next();