Improved middleware

Author: SomajitDey

api/index.js

@@ -21,7 +21,7 @@ const fastify = Fastify({
 fastify.addHook('onRequest', (request, reply, done) => {
     reply.headers({
         'Access-Control-Allow-Origin': '*',
-        'Access-Control-Allow-Methods': 'GET,POST,PATCH,DELETE'
+        'Access-Control-Allow-Methods': 'HEAD,GET,POST,PATCH,DELETE'
     })
     done();
 })
@@ -368,15 +368,14 @@ fastify.get('/private/:privateKey/:key', async (request, reply) => {
 
 const streamHandler = async (request, reply) => {
   const { key } = request.params;
-  const fromMiddleware = request.headers['x-middleware'] === middlewareSig;
   try {
-    if (! fromMiddleware) throw new Error('Unauthorized');
     let recvBool;
     switch (request.method) {
       case 'POST': // Using fallthrough! POST and PUT cases run the same code.
       case 'PUT':
         recvBool = false;
         break;
+      case 'HEAD': // HEAD and GET handled similarly
       case 'GET':
         recvBool = true;
         break;
@@ -398,7 +397,7 @@ const streamHandler = async (request, reply) => {
   }
 }
 
-fastify.all('/stream/:key', streamHandler);
+fastify.all('/pipe/:key', streamHandler);
 
 export default async function handler(req, res) {
   await fastify.ready();

middleware.js

@@ -13,36 +13,110 @@ import { Ratelimit } from '@upstash/ratelimit';
 import { Redis } from '@upstash/redis';
 
 const middlewareSig = process.env.SECRET; // Secret known to middleware only
+const bodyLimit = parseInt(process.env.BODYLIMIT);
 
 const cache = new Map(); // must be outside of your serverless function handler
 
 const ratelimit = new Ratelimit({
   redis: new Redis({
     url: process.env.UPSTASH_REDIS_REST_URL_CACHE,
-    token: process.env.UPSTASH_REDIS_REST_TOKEN_CACHE,
+    token: process.env.UPSTASH_REDIS_REST_TOKEN_CACHE
   }),
   ephemeralCache: cache,
   analytics: false,
   limiter: Ratelimit.slidingWindow(parseInt(process.env.RATELIMIT), process.env.RATELIMIT_WINDOW + ' s'),
-  prefix: "rl:",
+  prefix: 'rl:',
   enableProtection: true
-})
-
-// Forwards requests at path /pipe/* to /stream/* in index.js after trimming the request body and headers
-// and returns the response. This is done in middleware.js because, unlike index.js, middleware.js doesn't have
-// problems with the `Expect: 100-continue` header sent by `curl -T- <url>`. middleware.js also doesn't read the
-// request body. index.js also has a set bodyLimit which is incompatible with payloads at /pipe/* of arbitrary size.
-// /stream/ path is exposed only to middleware.
-// For requests not at path /pipe/*, returns null.
-async function pipeToStream(request) {
-  const pipeUrl = new URL(request.url);
-  if (!pipeUrl.pathname.startsWith('/pipe/')) return null;
-  const streamUrl = pipeUrl.href.replace('/pipe/', '/stream/');
-  return fetch(streamUrl, { method: request.method, headers: { 'x-middleware' : middlewareSig }, redirect: 'manual' });
+});
+
+const allowedMethods = ['HEAD', 'GET', 'POST', 'PATCH', 'DELETE'];
+
+const statusCodes = {
+  400: 'Bad Request',
+  405: 'Method Not Allowed',
+  417: 'Expectation Failed',
+  429: 'Too Many Requests'
+};
+
+// Returns Response object with JSON body containing error details for given statusCode
+// message parameter is optional
+function errorResponse (statusCode, message) {
+  const statusText = statusCodes[statusCode];
+  const supportedMethods = allowedMethods.join(',');
+  return Response.json(
+    { message: message ?? statusText, error: statusText, statusCode },
+    {
+      status: statusCode,
+      statusText,
+      headers: {
+        'Access-Control-Allow-Origin': '*',
+        'Access-Control-Allow-Methods': supportedMethods,
+        Allow: supportedMethods
+      }
+    }
+  );
 }
 
-export default async function middleware(request) {
-  const fromMiddleware = request.headers.get('x-middleware') === middlewareSig;
+// Returns a response from the backend (serverless-function) to the piped request modified to have no body.
+// Prevents Fastify in the backend from parsing the original request.body unnecessarily.
+// May not be needed when Fastify dependency is removed from the backend.
+async function processPipe (request) {
+  // No need to worry with GET/HEAD requests as Fastify at backend won't parse content for these methods
+  if (request.method.match(/(GET|HEAD)/gi)) return next();
+  return fetch(request.url, {
+    method: request.method,
+    headers: { 'x-middleware-auth': middlewareSig },
+    redirect: 'manual'
+  });
+}
+
+// Performs basic validation and limiting
+// Returns a Response object or Promise that resolves to a Response
+// Calling next() actually returns a Response with added header 'x-middleware-next'
+// Ref: @vercel/edge source - https://www.npmjs.com/package/@vercel/edge?activeTab=code
+export default async function middleware (request) {
+  // Block requests with Expect headers
+  if (request.headers.has('expect')) return errorResponse(417, 'Expect header is not allowed');
+
+  // Detect a pipe request to let it have any Content-Type and Length, including `Transfer-Encoding: chunked` header
+  const isPiped = new URL(request.url).pathname.startsWith('/pipe/');
+
+  // Block unallowed methods and chunked transfer if not pipe
+  if (!isPiped) {
+    if (allowedMethods.includes(request.method.toUpperCase()) === false) {
+      return errorResponse(405, `Method: ${request.method}, is not allowed`);
+    }
+    if (request.headers.get('transfer-encoding')?.toLowerCase()?.includes('chunked')) {
+      return errorResponse(400, 'Provide content-length header instead of chunked transfer');
+    }
+  }
+
+  const contentType = request.headers.get('content-type') ?? '';
+  const contentLength = parseInt(request.headers.get('content-length') ?? 0);
+  // Absent content-length is as good as 0, as Transfer-Encoding: chunked is not allowed
+
+  switch (true) {
+    case isPiped:
+      break; // Allowed to have any Content-Type and Length, including `Transfer-Encoding: chunked` header
+    case contentLength === 0:
+      break; // Doesn't matter what the content-type is as it wont be parsed
+    case contentType.includes('application/json'):
+    case contentType.includes('application/x-www-form-urlencoded'):
+    case contentType.includes('text/plain'):
+    case contentType.includes('text/html'):
+      if (contentLength > bodyLimit) {
+        return errorResponse(400, `Content-Length: ${contentLength}, is not within ${bodyLimit}`);
+      } else {
+        break;
+      }
+    default:
+      return errorResponse(400, `Content-Type: '${contentType}', is not allowed`);
+  }
+
+  // If one invocation of this middleware modifies the Request and resends,
+  // another invocation of this middleware will intercept it before it reaches the backend.
+  // The following flag tells the latter invocation that it need not re-process the request.
+  const isFromMiddleware = request.headers.get('x-middleware-auth') === middlewareSig;
 
   // Ratelimiting by ip is too restrictive: may block users accessing internet from the same router
   const ratelimitBy = [
@@ -52,21 +126,16 @@ export default async function middleware(request) {
   ].join('@');
 
   // For requests from middleware, no rate-limiting is necessary
-  const { success, reset } = fromMiddleware ? { success: true, reset: 0 } : await ratelimit.limit(ratelimitBy);
+  const { success, reset } = isFromMiddleware ? { success: true, reset: 0 } : await ratelimit.limit(ratelimitBy);
 
   if (success) {
-    const streamResponse = await pipeToStream(request);
-    // For non-pipe requests, streamResponse is null.
-    return streamResponse ?? next();
-  }
-  else {
-    return Response.json(
-    { message: `Try after ${(reset - Date.now())/1000} seconds`, error: "Too Many Requests", statusCode: 429 },
-    {
-      status: 429,
-      statusText: "Too Many Requests",
-      headers: {"Access-Control-Allow-Origin":"*"}
-    },
-  )
+    switch (true) {
+      case isPiped:
+        if (!isFromMiddleware) return processPipe(request);
+      default:
+        return next();
+    }
+  } else {
+    return errorResponse(429, `Try after ${(reset - Date.now()) / 1000} seconds`);
   }
 }

vercel.json

@@ -20,7 +20,7 @@
   ],
   "rewrites": [
     {
-      "source": "/(public|private|keys|stream)/:path*",
+      "source": "/(public|private|keys|pipe)/:path*",
       "destination": "/api"
     },
     {