3 * Copyright(c) 2012 TJ Holowaychuk
4 * Copyright(c) 2014-2015 Douglas Christopher Wilson
11 * Module dependencies.
15 var createError = require('http-errors')
16 var debug = require('debug')('send')
17 var deprecate = require('depd')('send')
18 var destroy = require('destroy')
19 var escapeHtml = require('escape-html')
20 , parseRange = require('range-parser')
21 , Stream = require('stream')
22 , mime = require('mime')
23 , fresh = require('fresh')
24 , path = require('path')
26 , normalize = path.normalize
28 var etag = require('etag')
29 var EventEmitter = require('events').EventEmitter;
30 var ms = require('ms');
31 var onFinished = require('on-finished')
32 var statuses = require('statuses')
37 var extname = path.extname
38 var maxMaxAge = 60 * 60 * 24 * 365 * 1000; // 1 year
39 var resolve = path.resolve
41 var toString = Object.prototype.toString
42 var upPathRegexp = /(?:^|[\\\/])\.\.(?:[\\\/]|$)/
50 module.exports.mime = mime
53 * Shim EventEmitter.listenerCount for node.js < 0.10
56 /* istanbul ignore next */
57 var listenerCount = EventEmitter.listenerCount
58 || function(emitter, type){ return emitter.listeners(type).length; };
61 * Return a `SendStream` for `req` and `path`.
64 * @param {string} path
65 * @param {object} [options]
66 * @return {SendStream}
70 function send(req, path, options) {
71 return new SendStream(req, path, options);
75 * Initialize a `SendStream` with the given `path`.
77 * @param {Request} req
78 * @param {String} path
79 * @param {object} [options]
83 function SendStream(req, path, options) {
84 var opts = options || {}
90 this._etag = opts.etag !== undefined
94 this._dotfiles = opts.dotfiles !== undefined
98 if (this._dotfiles !== 'ignore' && this._dotfiles !== 'allow' && this._dotfiles !== 'deny') {
99 throw new TypeError('dotfiles option must be "allow", "deny", or "ignore"')
102 this._hidden = Boolean(opts.hidden)
104 if (opts.hidden !== undefined) {
105 deprecate('hidden: use dotfiles: \'' + (this._hidden ? 'allow' : 'ignore') + '\' instead')
109 if (opts.dotfiles === undefined) {
110 this._dotfiles = undefined
113 this._extensions = opts.extensions !== undefined
114 ? normalizeList(opts.extensions, 'extensions option')
117 this._index = opts.index !== undefined
118 ? normalizeList(opts.index, 'index option')
121 this._lastModified = opts.lastModified !== undefined
122 ? Boolean(opts.lastModified)
125 this._maxage = opts.maxAge || opts.maxage
126 this._maxage = typeof this._maxage === 'string'
128 : Number(this._maxage)
129 this._maxage = !isNaN(this._maxage)
130 ? Math.min(Math.max(0, this._maxage), maxMaxAge)
133 this._root = opts.root
137 if (!this._root && opts.from) {
143 * Inherits from `Stream.prototype`.
146 SendStream.prototype.__proto__ = Stream.prototype;
149 * Enable or disable etag generation.
151 * @param {Boolean} val
152 * @return {SendStream}
156 SendStream.prototype.etag = deprecate.function(function etag(val) {
158 debug('etag %s', val);
161 }, 'send.etag: pass etag as option');
164 * Enable or disable "hidden" (dot) files.
166 * @param {Boolean} path
167 * @return {SendStream}
171 SendStream.prototype.hidden = deprecate.function(function hidden(val) {
173 debug('hidden %s', val);
175 this._dotfiles = undefined
177 }, 'send.hidden: use dotfiles option');
180 * Set index `paths`, set to a falsy
181 * value to disable index support.
183 * @param {String|Boolean|Array} paths
184 * @return {SendStream}
188 SendStream.prototype.index = deprecate.function(function index(paths) {
189 var index = !paths ? [] : normalizeList(paths, 'paths argument');
190 debug('index %o', paths);
193 }, 'send.index: pass index as option');
198 * @param {String} path
199 * @return {SendStream}
203 SendStream.prototype.root = function(path){
205 this._root = resolve(path)
209 SendStream.prototype.from = deprecate.function(SendStream.prototype.root,
210 'send.from: pass root as option');
212 SendStream.prototype.root = deprecate.function(SendStream.prototype.root,
213 'send.root: pass root as option');
216 * Set max-age to `maxAge`.
218 * @param {Number} maxAge
219 * @return {SendStream}
223 SendStream.prototype.maxage = deprecate.function(function maxage(maxAge) {
224 maxAge = typeof maxAge === 'string'
227 if (isNaN(maxAge)) maxAge = 0;
228 if (Infinity == maxAge) maxAge = 60 * 60 * 24 * 365 * 1000;
229 debug('max-age %d', maxAge);
230 this._maxage = maxAge;
232 }, 'send.maxage: pass maxAge as option');
235 * Emit error with `status`.
237 * @param {number} status
238 * @param {Error} [error]
242 SendStream.prototype.error = function error(status, error) {
243 // emit if listeners instead of responding
244 if (listenerCount(this, 'error') !== 0) {
245 return this.emit('error', createError(error, status, {
251 var msg = statuses[status]
253 // wipe all existing headers
256 // send basic response
257 res.statusCode = status
258 res.setHeader('Content-Type', 'text/plain; charset=UTF-8')
259 res.setHeader('Content-Length', Buffer.byteLength(msg))
260 res.setHeader('X-Content-Type-Options', 'nosniff')
265 * Check if the pathname ends with "/".
271 SendStream.prototype.hasTrailingSlash = function(){
272 return '/' == this.path[this.path.length - 1];
276 * Check if this is a conditional GET request.
282 SendStream.prototype.isConditionalGET = function(){
283 return this.req.headers['if-none-match']
284 || this.req.headers['if-modified-since'];
288 * Strip content-* header fields.
293 SendStream.prototype.removeContentHeaderFields = function removeContentHeaderFields() {
295 var headers = Object.keys(res._headers || {})
297 for (var i = 0; i < headers.length; i++) {
298 var header = headers[i]
299 if (header.substr(0, 8) === 'content-' && header !== 'content-location') {
300 res.removeHeader(header)
306 * Respond with 304 not modified.
311 SendStream.prototype.notModified = function(){
313 debug('not modified');
314 this.removeContentHeaderFields();
315 res.statusCode = 304;
320 * Raise error that headers already sent.
325 SendStream.prototype.headersAlreadySent = function headersAlreadySent(){
326 var err = new Error('Can\'t set headers after they are sent.');
327 debug('headers already sent');
328 this.error(500, err);
332 * Check if the request is cacheable, aka
333 * responded with 2xx or 304 (see RFC 2616 section 14.2{5,6}).
339 SendStream.prototype.isCachable = function(){
341 return (res.statusCode >= 200 && res.statusCode < 300) || 304 == res.statusCode;
345 * Handle stat() error.
347 * @param {Error} error
351 SendStream.prototype.onStatError = function onStatError(error) {
352 switch (error.code) {
356 this.error(404, error)
359 this.error(500, error)
365 * Check if the cache is fresh.
371 SendStream.prototype.isFresh = function(){
372 return fresh(this.req.headers, this.res._headers);
376 * Check if the range is fresh.
382 SendStream.prototype.isRangeFresh = function isRangeFresh(){
383 var ifRange = this.req.headers['if-range'];
385 if (!ifRange) return true;
387 return ~ifRange.indexOf('"')
388 ? ~ifRange.indexOf(this.res._headers['etag'])
389 : Date.parse(this.res._headers['last-modified']) <= Date.parse(ifRange);
395 * @param {string} path
399 SendStream.prototype.redirect = function redirect(path) {
400 if (listenerCount(this, 'directory') !== 0) {
401 this.emit('directory')
405 if (this.hasTrailingSlash()) {
411 var msg = 'Redirecting to <a href="' + escapeHtml(loc) + '">' + escapeHtml(loc) + '</a>\n'
416 res.setHeader('Content-Type', 'text/html; charset=UTF-8')
417 res.setHeader('Content-Length', Buffer.byteLength(msg))
418 res.setHeader('X-Content-Type-Options', 'nosniff')
419 res.setHeader('Location', loc)
426 * @param {Stream} res
427 * @return {Stream} res
431 SendStream.prototype.pipe = function(res){
440 var path = decode(this.path)
441 if (path === -1) return this.error(400)
444 if (~path.indexOf('\0')) return this.error(400);
449 if (upPathRegexp.test(normalize('.' + sep + path))) {
450 debug('malicious path "%s"', path)
451 return this.error(403)
454 // join / normalize from optional root dir
455 path = normalize(join(root, path))
456 root = normalize(root + sep)
458 // explode path parts
459 parts = path.substr(root.length).split(sep)
461 // ".." is malicious without "root"
462 if (upPathRegexp.test(path)) {
463 debug('malicious path "%s"', path)
464 return this.error(403)
467 // explode path parts
468 parts = normalize(path).split(sep)
475 if (containsDotFile(parts)) {
476 var access = this._dotfiles
479 if (access === undefined) {
480 access = parts[parts.length - 1][0] === '.'
481 ? (this._hidden ? 'allow' : 'ignore')
485 debug('%s dotfile "%s"', access, path)
490 return this.error(403)
493 return this.error(404)
497 // index file support
498 if (this._index.length && this.path[this.path.length - 1] === '/') {
499 this.sendIndex(path);
510 * @param {String} path
514 SendStream.prototype.send = function(path, stat){
516 var options = this.options
520 var ranges = req.headers.range;
521 var offset = options.start || 0;
524 // impossible to send now
525 return this.headersAlreadySent();
528 debug('pipe "%s"', path)
531 this.setHeader(path, stat);
536 // conditional GET support
537 if (this.isConditionalGET()
540 return this.notModified();
543 // adjust len to start/end options
544 len = Math.max(0, len - offset);
545 if (options.end !== undefined) {
546 var bytes = options.end - offset + 1;
547 if (len > bytes) len = bytes;
552 ranges = parseRange(len, ranges);
555 if (!this.isRangeFresh()) {
556 debug('range stale');
562 debug('range unsatisfiable');
563 res.setHeader('Content-Range', 'bytes */' + stat.size);
564 return this.error(416);
567 // valid (syntactically invalid/multiple ranges are treated as a regular response)
568 if (-2 != ranges && ranges.length === 1) {
569 debug('range %j', ranges);
572 res.statusCode = 206;
573 res.setHeader('Content-Range', 'bytes '
580 offset += ranges[0].start;
581 len = ranges[0].end - ranges[0].start + 1;
586 for (var prop in options) {
587 opts[prop] = options[prop]
592 opts.end = Math.max(offset, offset + len - 1)
595 res.setHeader('Content-Length', len);
598 if ('HEAD' == req.method) return res.end();
600 this.stream(path, opts)
604 * Transfer file for `path`.
606 * @param {String} path
609 SendStream.prototype.sendFile = function sendFile(path) {
613 debug('stat "%s"', path);
614 fs.stat(path, function onstat(err, stat) {
615 if (err && err.code === 'ENOENT'
617 && path[path.length - 1] !== sep) {
618 // not found, check extensions
621 if (err) return self.onStatError(err)
622 if (stat.isDirectory()) return self.redirect(self.path)
623 self.emit('file', path, stat)
624 self.send(path, stat)
628 if (self._extensions.length <= i) {
630 ? self.onStatError(err)
634 var p = path + '.' + self._extensions[i++]
636 debug('stat "%s"', p)
637 fs.stat(p, function (err, stat) {
638 if (err) return next(err)
639 if (stat.isDirectory()) return next()
640 self.emit('file', p, stat)
647 * Transfer index for `path`.
649 * @param {String} path
652 SendStream.prototype.sendIndex = function sendIndex(path){
657 if (++i >= self._index.length) {
658 if (err) return self.onStatError(err);
659 return self.error(404);
662 var p = join(path, self._index[i]);
664 debug('stat "%s"', p);
665 fs.stat(p, function(err, stat){
666 if (err) return next(err);
667 if (stat.isDirectory()) return next();
668 self.emit('file', p, stat);
677 * Stream `path` to the response.
679 * @param {String} path
680 * @param {Object} options
684 SendStream.prototype.stream = function(path, options){
685 // TODO: this is all lame, refactor meeee
686 var finished = false;
692 var stream = fs.createReadStream(path, options);
693 this.emit('stream', stream);
696 // response finished, done with the fd
697 onFinished(res, function onfinished(){
702 // error handling code-smell
703 stream.on('error', function onerror(err){
704 // request already finished
705 if (finished) return;
712 self.onStatError(err);
716 stream.on('end', function onend(){
722 * Set content-type based on `path`
723 * if it hasn't been explicitly set.
725 * @param {String} path
729 SendStream.prototype.type = function type(path) {
732 if (res.getHeader('Content-Type')) return;
734 var type = mime.lookup(path);
737 debug('no content-type');
741 var charset = mime.charsets.lookup(type);
743 debug('content-type %s', type);
744 res.setHeader('Content-Type', type + (charset ? '; charset=' + charset : ''));
748 * Set response header fields, most
749 * fields may be pre-defined.
751 * @param {String} path
752 * @param {Object} stat
756 SendStream.prototype.setHeader = function setHeader(path, stat){
759 this.emit('headers', res, path, stat);
761 if (!res.getHeader('Accept-Ranges')) res.setHeader('Accept-Ranges', 'bytes');
762 if (!res.getHeader('Cache-Control')) res.setHeader('Cache-Control', 'public, max-age=' + Math.floor(this._maxage / 1000));
764 if (this._lastModified && !res.getHeader('Last-Modified')) {
765 var modified = stat.mtime.toUTCString()
766 debug('modified %s', modified)
767 res.setHeader('Last-Modified', modified)
770 if (this._etag && !res.getHeader('ETag')) {
772 debug('etag %s', val)
773 res.setHeader('ETag', val)
778 * Determine if path parts contain a dotfile.
783 function containsDotFile(parts) {
784 for (var i = 0; i < parts.length; i++) {
785 if (parts[i][0] === '.') {
794 * decodeURIComponent.
796 * Allows V8 to only deoptimize this fn instead of all
799 * @param {String} path
803 function decode(path) {
805 return decodeURIComponent(path)
812 * Normalize the index option into an array.
814 * @param {boolean|string|array} val
815 * @param {string} name
819 function normalizeList(val, name) {
820 var list = [].concat(val || [])
822 for (var i = 0; i < list.length; i++) {
823 if (typeof list[i] !== 'string') {
824 throw new TypeError(name + ' must be array of strings or false')