diff --git a/lib/server.js b/lib/server.js
index be552ca8c8..a5bca7dbae 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -70,14 +70,16 @@ Server.errors = {
   UNKNOWN_TRANSPORT: 0,
   UNKNOWN_SID: 1,
   BAD_HANDSHAKE_METHOD: 2,
-  BAD_REQUEST: 3
+  BAD_REQUEST: 3,
+  FORBIDDEN: 4
 };
 
 Server.errorMessages = {
   0: 'Transport unknown',
   1: 'Session ID unknown',
   2: 'Bad handshake method',
-  3: 'Bad request'
+  3: 'Bad request',
+  4: 'Forbidden'
 };
 
 /**
@@ -242,6 +244,15 @@ Server.prototype.handleRequest = function (req, res) {
 
 function sendErrorMessage (req, res, code) {
   var headers = { 'Content-Type': 'application/json' };
+  var isForbidden = !Server.errorMessages.hasOwnProperty(code);
+  if (isForbidden) {
+    res.writeHead(403, headers);
+    res.end(JSON.stringify({
+      code: Server.errors.FORBIDDEN,
+      message: code || Server.errorMessages[Server.errors.FORBIDDEN]
+    }));
+    return;
+  }
   if (req.headers.origin) {
     headers['Access-Control-Allow-Credentials'] = 'true';
     headers['Access-Control-Allow-Origin'] = req.headers.origin;
diff --git a/test/server.js b/test/server.js
index f84d43604a..8c49b3ddc7 100644
--- a/test/server.js
+++ b/test/server.js
@@ -76,6 +76,22 @@ describe('server', function () {
       });
     });
   });
+
+  it('should disallow requests that are rejected by `allowRequest`', function (done) {
+    listen({ allowRequest: function (req, fn) { fn('Thou shall not pass', false); } }, function (port) {
+      request.get('http://localhost:%d/engine.io/default/'.s(port))
+        .set('Origin', 'http://engine.io')
+        .query({ transport: 'polling' })
+        .end(function (res) {
+          expect(res.status).to.be(403);
+          expect(res.body.code).to.be(4);
+          expect(res.body.message).to.be('Thou shall not pass');
+          expect(res.header['access-control-allow-credentials']).to.be(undefined);
+          expect(res.header['access-control-allow-origin']).to.be(undefined);
+          done();
+        });
+    });
+  });
 });
 
 describe('handshake', function () {
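Review bot: In the new `isForbidden` branch of sendErrorMessage, `message: code || Server.errorMessages[Server.errors.FORBIDDEN]` reflects whatever value the application's `allowRequest` callback passed as its error straight into the 403 body, so a non-string value (an Error object serialises as `{}`) or a reason containing internal detail reaches the client unchanged. I would restrict the echo to strings, `message: typeof code === 'string' && code ? code : Server.errorMessages[Server.errors.FORBIDDEN]`, and add to the function's header comment `@param {Number|String} code - a Server.errors code, or the application-supplied reason from allowRequest, which is sent to the client verbatim`. The branch is keyed on `!Server.errorMessages.hasOwnProperty(code)` rather than on an explicit forbidden signal, so a genuinely unknown numeric code is also reported as 403/Forbidden instead of surfacing as a programming error; a one-line comment stating that this is intended would help the next reader. The function's header comment and the `if (req.headers.origin)` body continue outside the hunk.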
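Review bot: The new test only covers a rejection that carries a message; the fallback in sendErrorMessage where a falsy reason yields `Server.errorMessages[4]` ('Forbidden') is not exercised. I would add a sibling case that calls `fn(null, false)` in `allowRequest` and asserts `expect(res.body.message).to.be('Forbidden');` alongside the existing 403 and `code` 4 checks. The enclosing `describe('server', …)` block starts outside the hunk.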