@@ -256,6 +256,76 @@ describe('redirects', function () {
256256 } ) ;
257257} ) ;
258258
259+ describe ( 'endpoints' , function ( ) {
260+ it ( "should be on the 'secured' whitelist (pouchdb/pouchdb-server#290)" , function ( ) {
261+ // https://stackoverflow.com/a/14934933
262+ var unguardedRoutes = inMemoryConfigApp . _router . stack . filter ( function ( layer ) {
263+ if ( layer . route ) {
264+ return typeof {
265+ // A lookup that maps [a route we know is never exposed to a user
266+ // without proper authorization] to [the file, module or other reason
267+ // that the route is secured (the value of which is given here only
268+ // for human convenience)].
269+ //
270+ // Before adding to this list, make sure of the following:
271+ // - the security document is respected
272+ // - validation documents are respected
273+ // - extra system database restrictions (_users & _replicator) are
274+ // handled correctly
275+ //
276+ '/_config' : 'routes/authorization.js' ,
277+ '/_config/:section' : 'routes/authorization.js' ,
278+ '/_config/:section/:key' : 'routes/authorization.js' ,
279+ '/_log' : 'routes/authorization.js' ,
280+ '/_active_tasks' : 'routes/authorization.js' ,
281+ '/_db_updates' : 'routes/authorization.js' ,
282+ '/_restart' : 'routes/authorization.js' ,
283+ '/' : 'publicly accessible API' ,
284+ '/_session' : 'publicly accessable API' ,
285+ '/_utils' : 'publicly accessable API' ,
286+ '/_membership' : 'publicly accessable API' ,
287+ '/_cluster_setup' : 'publically accessable API' ,
288+ '/_uuids' : 'publically accessable API' ,
289+ '/_all_dbs' : 'publically accessable API' ,
290+ '/_replicate' : 'publically accessable API' ,
291+ '/_stats' : 'publically accessable API' ,
292+ '/:db' : 'pouchdb-security' ,
293+ '/:db/*' : 'pouchdb-security + pouchdb-system-db + pouchdb-validation' ,
294+ '/:db/_ensure_full_commit' : 'db.js: for now at least' ,
295+ '/:db/_bulk_docs' : 'pouchdb-security + pouchdb-validation' ,
296+ '/:db/_all_docs' : 'pouchdb-security + pouchdb-system-db' ,
297+ '/:db/_bulk_get' : 'pouchdb-security + pouchdb-system-db' ,
298+ '/:db/_changes' : 'pouchdb-security + pouchdb-system-db' ,
299+ '/:db/_compact' : 'pouchdb-security' ,
300+ '/:db/_revs_diff' : 'pouchdb-security + pouchdb-system-db' ,
301+ '/:db/_security' : 'pouchdb-security' ,
302+ '/:db/_query' : 'pouchdb-security + pouchdb-system-db' ,
303+ '/:db/_view_cleanup' : 'pouhdb-security' ,
304+ '/:db/_temp_view' : 'pouchdb-security + pouchdb-system-db' ,
305+ '/:db/:id(*)' : 'pouchdb-security + pouchdb-validation' ,
306+ '/:db/:id' : 'pouchdb-security + pouchdb-validation + pouchdb-system-db' ,
307+ '/:db/_index' : 'pouchdb-security + pouchdb-system-db' ,
308+ '/:db/_index/:ddoc/:type/:name' : 'pouchdb-security' ,
309+ '/:db/_find' : 'pouchdb-security + pouchdb-system-db' ,
310+ '/:db/_explain' : 'pouchdb-security + pouchdb-system-db' ,
311+ '/:db/_design/:id/_view/:view' : 'pouchdb-security + pouchdb-system-db' ,
312+ '/:db/_design/:id/_info' : 'ddoc-info.js itself (at least for now)' ,
313+ '/:db/_design/:id/_show/:func*' : 'pouchdb-security + pouchdb-system-db' ,
314+ '/:db/_design/:id/_list/:func/:view' : 'pouchdb-security + pouchdb-system-db' ,
315+ '/:db/_design/:id/_list/:func/:id2/:view' : 'pouchdb-security + pouchdb-system-db' ,
316+ '/:db/_design/:id/_update/:func*' : 'pouchdb-security + pouchdb-validation' ,
317+ '/:db/_design/:id/:attachment(*)' : 'pouchdb-security + pouchdb-validation + pouchdb-system-db' ,
318+ '/:db/:id/:attachment(*)' : 'pouchdb-security + pouchdb-validation + pouchdb-system-db' ,
319+ } [ layer . route . path ] === 'undefined' ;
320+ }
321+ } ) . map ( function ( layer ) {
322+ return layer . route . path ;
323+ } ) ;
324+ var msg = "Not on the whitelist:\n\n" + unguardedRoutes . join ( '\n' ) ;
325+ assert . equal ( unguardedRoutes . length , 0 , msg ) ;
326+ } ) ;
327+ } ) ;
328+
259329function assertException ( func , re ) {
260330 var e ;
261331 try {
0 commit comments