From 8b0203dd7c50567dd77de07f6bb27d12ae0b6dd9 Mon Sep 17 00:00:00 2001
From: Charlie Humphreys <ahumphreys3@gmail.com>
Date: Sat, 21 Jan 2023 00:48:41 -0600
Subject: [PATCH] add content negotiation middleware and tests

---
 server/app.js                                 |  3 +-
 server/middleware/content-negotiation.js      | 12 ++++++
 server/middleware/content-negotiation.spec.js | 41 +++++++++++++++++++
 3 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 server/middleware/content-negotiation.js
 create mode 100644 server/middleware/content-negotiation.spec.js

diff --git a/server/app.js b/server/app.js
index de7586209..b852160ca 100644
--- a/server/app.js
+++ b/server/app.js
@@ -43,8 +43,7 @@ const sanitizeBrew = (brew, accessType)=>{
 };
 
 app.use('/', serveCompressedStaticAssets(`build`));
-
-//app.use(express.static(`${__dirname}/build`));
+app.use(require('./middleware/content-negotiation.js'));
 app.use(require('body-parser').json({ limit: '25mb' }));
 app.use(require('cookie-parser')());
 app.use(require('./forcessl.mw.js'));
diff --git a/server/middleware/content-negotiation.js b/server/middleware/content-negotiation.js
new file mode 100644
index 000000000..81f7b842d
--- /dev/null
+++ b/server/middleware/content-negotiation.js
@@ -0,0 +1,12 @@
+module.exports = (req, res, next)=>{
+	const isImageRequest = req.get('Accept').split(',')
+        .filter((h)=>!h.includes('q='))
+        .every((h)=>/image\/.*/.test(h));
+	if(isImageRequest) {
+		return res.status(406).send({
+			message : 'Request for image at this URL is not supported'
+		});
+	}
+
+	next();
+};
\ No newline at end of file
diff --git a/server/middleware/content-negotiation.spec.js b/server/middleware/content-negotiation.spec.js
new file mode 100644
index 000000000..68f22eb1c
--- /dev/null
+++ b/server/middleware/content-negotiation.spec.js
@@ -0,0 +1,41 @@
+const contentNegotiationMiddleware = require('./content-negotiation.js');
+
+describe('content-negotiation-middleware', ()=>{
+	let request;
+	let response;
+	let next;
+
+	beforeEach(()=>{
+		request = {
+			get : function(key) {
+				return this[key];
+			}
+		};
+		response = {
+			status : jest.fn(()=>response),
+			send   : jest.fn(()=>{})
+		};
+		next = jest.fn();
+	});
+
+	it('should return 406 on image request', ()=>{
+		contentNegotiationMiddleware({
+			Accept : 'image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8',
+			...request
+		}, response);
+
+		expect(response.status).toHaveBeenLastCalledWith(406);
+		expect(response.send).toHaveBeenCalledWith({
+			message : 'Request for image at this URL is not supported'
+		});
+	});
+
+	it('should call next on non-image request', ()=>{
+		contentNegotiationMiddleware({
+			Accept : 'text,image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8',
+			...request
+		}, response, next);
+
+		expect(next).toHaveBeenCalled();
+	});
+});
\ No newline at end of file