merge http-party/http-server master

Author: whatl3y

.github/ISSUE_TEMPLATE

@@ -0,0 +1,20 @@
+**Do you want to request a *feature* or report a *bug*?**
+
+**If the issue is a bug report, please provide the steps to reproduce it. Please include the actual command causing the issue if applicable.**
+
+<!-- Paste the command here: -->
+
+**What did you expect to happen?**
+
+**What actually happened? Please include the actual error trace and / or stack trace if applicable.**
+
+<!-- Paste the error and / or stack trace here: -->
+
+**If the issue is a feature request, what is the motivation / use case for it?**
+
+**Tell us about your environment**
+- **http-server version:**
+- **Platform:**
+
+**Other information (related issues, suggestions for a fix, etc):**
+

.github/PULL_REQUEST_TEMPLATE

@@ -0,0 +1,19 @@
+**Please ensure that your pull request fulfills these requirements:**
+- [ ] The pull request is being made against the `master` branch
+- [ ] Tests for the changes have been added (for bug fixes / features)
+
+**What is the purpose of this pull request? (bug fix, enhancement, new feature,...)**
+
+<!--
+    Link to the issue this pull request fixes here, if applicable: "Fixes #xxx" or "Resolves #xxx"
+-->
+
+**What changes did you make?**
+
+**Provide some example code that this change will affect, if applicable:**
+
+<!-- Paste the example code here: -->
+
+**Is there anything you'd like reviewers to focus on?**
+
+**Please provide testing instructions, if applicable:**

.gitignore

@@ -1,2 +1,3 @@
 node_modules/*
 npm-debug.log
+.dir-locals.el

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2011 Charlie Robbins, Marak Squires, and the Contributors.
+Copyright (c) 2011-2019 Charlie Robbins, Marak Squires, and the Contributors.
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

README.md

@@ -17,6 +17,12 @@ Installation via `npm`:
 
 This will install `http-server` globally so that it may be run from the command line.
 
+## Running on-demand:
+
+Using `npx` you can run the script without installing it first:
+
+     npx http-server [path] [options]
+
 ## Usage:
 
      http-server [path] [options]
@@ -25,39 +31,49 @@ This will install `http-server` globally so that it may be run from the command
 
 *Now you can visit http://localhost:8080 to view your server*
 
+**Note:** Caching is on by default. Add `-c-1` as an option to disable caching.
+
 ## Available Options:
 
-`-p` Port to use (defaults to 8080)
+`-p` or `--port` Port to use (defaults to 8080)
 
 `-a` Address to use (defaults to 0.0.0.0)
 
-`-d` Show directory listings (defaults to 'True')
+`-d` Show directory listings (defaults to `true`)
 
-`-i` Display autoIndex (defaults to 'True')
+`-i` Display autoIndex (defaults to `true`)
 
-`-g` or `--gzip` When enabled (defaults to 'False') it will serve `./public/some-file.js.gz` in place of `./public/some-file.js` when a gzipped version of the file exists and the request accepts gzip encoding.
+`-g` or `--gzip` When enabled (defaults to `false`) it will serve `./public/some-file.js.gz` in place of `./public/some-file.js` when a gzipped version of the file exists and the request accepts gzip encoding. If brotli is also enabled, it will try to serve brotli first.
 
-`-e` or `--ext` Default file extension if none supplied (defaults to 'html')
+`-b` or `--brotli` When enabled (defaults to `false`) it will serve `./public/some-file.js.br` in place of `./public/some-file.js` when a brotli compressed version of the file exists and the request accepts `br` encoding. If gzip is also enabled, it will try to serve brotli first.
+
+`-e` or `--ext` Default file extension if none supplied (defaults to `html`)
 
 `-s` or `--silent` Suppress log messages from output
 
 `--cors` Enable CORS via the `Access-Control-Allow-Origin` header
 
-`-o` Open browser window after starting the server
+`-o [path]` Open browser window after starting the server. Optionally provide a URL path to open. e.g.: -o /other/dir/
 
-`-c` Set cache time (in seconds) for cache-control max-age header, e.g. -c10 for 10 seconds (defaults to '3600'). To disable caching, use -c-1.
+`-c` Set cache time (in seconds) for cache-control max-age header, e.g. `-c10` for 10 seconds (defaults to `3600`). To disable caching, use `-c-1`.
 
 `-U` or `--utc` Use UTC time format in log messages.
 
+`--log-ip` Enable logging of the client's IP address (default: `false`).
+
 `-P` or `--proxy` Proxies all requests which can't be resolved locally to the given url. e.g.: -P http://someurl.com
 
+`--username` Username for basic authentication [none]
+
+`--password` Password for basic authentication [none]
+
 `-S` or `--ssl` Enable https.
 
-`-C` or `--cert` Path to ssl cert file (default: cert.pem).
+`-C` or `--cert` Path to ssl cert file (default: `cert.pem`).
 
-`-K` or `--key` Path to ssl key file (default: key.pem).
+`-K` or `--key` Path to ssl key file (default: `key.pem`).
 
-`-r` or `--robots` Provide a /robots.txt (whose content defaults to 'User-agent: *\nDisallow: /').
+`-r` or `--robots` Provide a /robots.txt (whose content defaults to `User-agent: *\nDisallow: /`)
 
 `-m` or `--middleware` Provide a filepath (single or multiple file paths through multiple '-m or --middleware' parameters) to a JS file that exports a function to be used as middleware for each request before anything else happens (or any other middleware is called). e.g. `./my_middldeware.js`
 
@@ -73,6 +89,21 @@ module.exports = function(req, res, next) {
 
 `-h` or `--help` Print this list and exit.
 
+## Magic Files
+
+- `index.html` will be served as the default file to any directory requests.
+- `404.html` will be served if a file is not found. This can be used for Single-Page App (SPA) hosting to serve the entry page.
+
+## Catch-all redirect
+
+To implement a catch-all redirect, use the index page itself as the proxy with:
+
+```
+http-server --proxy http://localhost:8080?
+```
+
+Note the `?` at the end of the proxy URL. Thanks to [@houston3](https://github.com/houston3) for this clever hack!
+
 # Development
 
 Checkout this repository locally, then:

bin/http-server

@@ -9,6 +9,7 @@ var colors     = require('colors/safe'),
     opener     = require('opener'),
     argv       = require('optimist')
       .boolean('cors')
+      .boolean('log-ip')
       .argv;
 
 var ifaces = os.networkInterfaces();
@@ -18,22 +19,31 @@ if (argv.h || argv.help) {
     'usage: http-server [path] [options]',
     '',
     'options:',
-    '  -p           Port to use [8080]',
+    '  -p --port    Port to use [8080]',
     '  -a           Address to use [0.0.0.0]',
     '  -d           Show directory listings [true]',
     '  -i           Display autoIndex [true]',
     '  -g --gzip    Serve gzip files when possible [false]',
+    '  -b --brotli  Serve brotli files when possible [false]',
+    '               If both brotli and gzip are enabled, brotli takes precedence',
     '  -e --ext     Default file extension if none supplied [none]',
     '  -s --silent  Suppress log messages from output',
     '  --cors[=headers]   Enable CORS via the "Access-Control-Allow-Origin" header',
     '                     Optionally provide CORS headers list separated by commas',
-    '  -o [path]    Open browser window after starting the server',
+    '  -o [path]    Open browser window after starting the server.',
+    '               Optionally provide a URL path to open the browser window to.',
     '  -c           Cache time (max-age) in seconds [3600], e.g. -c10 for 10 seconds.',
     '               To disable caching, use -c-1.',
     '  -U --utc     Use UTC time format in log messages.',
+    '  --log-ip     Enable logging of the client\'s IP address',
     '',
     '  -P --proxy   Fallback proxy if the request cannot be resolved. e.g.: http://someurl.com',
     '',
+    '  --username   Username for basic authentication [none]',
+    '               Can also be specified with the env variable NODE_HTTP_SERVER_USERNAME',
+    '  --password   Password for basic authentication [none]',
+    '               Can also be specified with the env variable NODE_HTTP_SERVER_PASSWORD',
+    '',
     '  -S --ssl     Enable https.',
     '  -C --cert    Path to ssl cert file (default: cert.pem).',
     '  -K --key     Path to ssl key file (default: key.pem).',
@@ -46,7 +56,7 @@ if (argv.h || argv.help) {
   process.exit();
 }
 
-var port = argv.p || parseInt(process.env.PORT, 10),
+var port = argv.p || argv.port || parseInt(process.env.PORT, 10),
     host = argv.a || '0.0.0.0',
     ssl = !!argv.S || !!argv.ssl,
     proxy = argv.P || argv.proxy,
@@ -58,17 +68,20 @@ if (!argv.s && !argv.silent) {
     info: console.log,
     request: function (req, res, error) {
       var date = utc ? new Date().toUTCString() : new Date();
+      var ip = argv['log-ip']
+          ? req.headers['x-forwarded-for'] || '' +  req.connection.remoteAddress
+          : '';
       if (error) {
         logger.info(
-          '[%s] "%s %s" Error (%s): "%s"',
-          date, colors.red(req.method), colors.red(req.url),
+          '[%s] %s "%s %s" Error (%s): "%s"',
+          date, ip, colors.red(req.method), colors.red(req.url),
           colors.red(error.status.toString()), colors.red(error.message)
         );
       }
       else {
         logger.info(
-          '[%s] "%s %s" "%s"',
-          date, colors.cyan(req.method), colors.cyan(req.url),
+          '[%s] %s "%s %s" "%s"',
+          date, ip, colors.cyan(req.method), colors.cyan(req.url),
           req.headers['user-agent']
         );
       }
@@ -100,12 +113,15 @@ function listen(port) {
     showDir: argv.d,
     autoIndex: argv.i,
     gzip: argv.g || argv.gzip,
+    brotli: argv.b || argv.brotli,
     robots: argv.r || argv.robots,
     extraMiddleware: argv.m || argv.middleware,
     ext: argv.e || argv.ext,
     logFn: logger.request,
     proxy: proxy,
-    showDotfiles: argv.dotfiles
+    showDotfiles: argv.dotfiles,
+    username: argv.username || process.env.NODE_HTTP_SERVER_USERNAME,
+    password: argv.password || process.env.NODE_HTTP_SERVER_PASSWORD
   };
 
   if (argv.cors) {
@@ -152,10 +168,12 @@ function listen(port) {
 
     logger.info('Hit CTRL-C to stop the server');
     if (argv.o) {
-      opener(
-        protocol + canonicalHost + ':' + port,
-        { command: argv.o !== true ? argv.o : null }
-      );
+      var openUrl = protocol + canonicalHost + ':' + port;
+      if (typeof argv.o === 'string') {
+        openUrl += argv.o[0] === '/' ? argv.o : '/' + argv.o;
+      }
+      logger.info('open: ' + openUrl);
+      opener(openUrl);
     }
   });
 }

lib/http-server.js

@@ -3,8 +3,10 @@
 var fs = require('fs'),
     union = require('union'),
     ecstatic = require('ecstatic'),
+    auth = require('basic-auth'),
     httpProxy = require('http-proxy'),
-    corser = require('corser');
+    corser = require('corser'),
+    secureCompare = require('secure-compare');
 
 //
 // Remark: backwards compatibility for previous
@@ -43,11 +45,18 @@ function HttpServer(options) {
 
   this.headers = options.headers || {};
 
-  this.cache = options.cache === undefined ? 3600 : options.cache; // in seconds.
+  this.cache = (
+    options.cache === undefined ? 3600 :
+    // -1 is a special case to turn off caching.
+    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#Preventing_caching
+    options.cache === -1 ? 'no-cache, no-store, must-revalidate' :
+    options.cache // in seconds.
+  );
   this.showDir = options.showDir !== 'false';
   this.autoIndex = options.autoIndex !== 'false';
   this.showDotfiles = options.showDotfiles;
   this.gzip = options.gzip === true;
+  this.brotli = options.brotli === true;
   this.contentType = options.contentType || 'application/octet-stream';
 
   if (options.ext) {
@@ -82,6 +91,27 @@ function HttpServer(options) {
     res.emit('next');
   });
 
+  if (options.username || options.password) {
+    before.push(function (req, res) {
+      var credentials = auth(req);
+
+      // We perform these outside the if to avoid short-circuiting and giving
+      // an attacker knowledge of whether the username is correct via a timing
+      // attack.
+      if (credentials) {
+        var usernameEqual = secureCompare(options.username, credentials.name);
+        var passwordEqual = secureCompare(options.password, credentials.pass);
+        if (usernameEqual && passwordEqual) {
+          return res.emit('next');
+        }
+      }
+
+      res.statusCode = 401;
+      res.setHeader('WWW-Authenticate', 'Basic realm=""');
+      res.end('Access denied');
+    });
+  }
+
   if (options.cors) {
     this.headers['Access-Control-Allow-Origin'] = '*';
     this.headers['Access-Control-Allow-Headers'] = 'Origin, X-Requested-With, Content-Type, Accept, Range';
@@ -117,6 +147,7 @@ function HttpServer(options) {
     autoIndex: this.autoIndex,
     defaultExt: this.ext,
     gzip: this.gzip,
+    brotli: this.brotli,
     contentType: this.contentType,
     handleError: typeof options.proxy !== 'string'
   }));
@@ -127,6 +158,13 @@ function HttpServer(options) {
       proxy.web(req, res, {
         target: options.proxy,
         changeOrigin: true
+      }, function (err, req, res, target) {
+        if (options.logFn) {
+          options.logFn(req, res, {
+            message: err.message,
+            status: res.statusCode });
+        }
+        res.emit('next');
       });
     });
   }