fortunejs / fortune-http Goto Github PK

When include query contains json like in

?include=foo,{"fields":{"bar":true,"baz":true}}

The json parsing fails with SyntaxError: Unexpected end of JSON input because value is split by comma and JSON contains comma.

This is in function attachQueries of initialize_context.js in line

path.push(JSON.parse(parts[1]))

I suggest replacing that with

path.push(JSON.parse(parts.slice(1).join(',')))

v1.0.6 will not initialize. The error is:

TypeError: Invalid value used as weak map key
    at WeakMap.set (native)
    at new WeakMap (native)
    at module.exports (/Users/jmeas/webdev/moolah/node_modules/fortune-http/lib/status_map.js:4:10)
    at createListener (/Users/jmeas/webdev/moolah/node_modules/fortune-http/lib/index.js:108:15)
    at module.exports (/Users/jmeas/webdev/moolah/server/app.js:211:20)
    at throng (/Users/jmeas/webdev/moolah/node_modules/throng/lib/throng.js:25:12)
    at Object.<anonymous> (/Users/jmeas/webdev/moolah/server/index.js:10:1)
    at Module._compile (module.js:571:32)
    at Object.Module._extensions..js (module.js:580:10)
    at Module.load (module.js:488:32)

Locking the dep to 1.0.5 is a temporary solution. I took a look at the source, but nothing immediately stood out as the issue.

MODULE 41183: load "node_modules/sse4_crc32/build/Release/crc32c.node" for module "node_modules/sse4_crc32/build/Release/crc32c.node"
dyld[41183]: missing symbol called
Abort trap: 6

fast-crc32c does not support arm64 architecture 😔 - see ashi009/node-fast-crc32c#38

While trying to set up fortune-http I found that it needs the documentation field to be an object to start to work correctly.

TypeError: Cannot use 'in' operator to search for 'name' in undefined
    at E:\work\node_modules\fortune-http\lib\html_serializer.js:593:15
    at HtmlSerializer.renderCollection (E:\work\node_modules\fortune-http\lib\html_serializer.js:647:4)
    at HtmlSerializer.processResponse (E:\work\node_modules\fortune-http\lib\html_serializer.js:239:10)
    at E:\work\node_modules\fortune-http\lib\index.js:357:12
    at <anonymous>

We are currently using 1.0.4 of fortune-http we have an adapter that returns a promise from the find method. With 1.0.4 of fortune-http this works correctly and requesting the endpoint via the http api it correctly returns the data. After updating to 1.2.27 for fixing security issues the response via the http api results in a empty response. If I add debug logging into the promise that is being returned from the find method the promise does eventually resolve and have the correct expected data however it appears something in the 1.2.27 upgrade is causing the promise to not be correctly waited on for the data before returning the response.

Any thoughts/ideas about what maybe going on here?
Thanks

Hi.
Looks like something went wrong with the latest update. I cant use fortune through fortune-http` API any more.

Before update request like this one

curl 'http://localhost:3000/api/fortune/recall' -H 'Pragma: no-cache' -H 'Origin: http://localhost:8080' -H 'Accept-Encoding: gzip, deflate, sdch, br' -H 'Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.138 Safari/537.36 Vivaldi/1.8.770.56' -H 'Accept: application/json, text/plain, */*' -H 'Cache-Control: no-cache' -H 'Referer: http://localhost:8080/' -H 'Cookie: _ga=GA1.1.1036470260.1491330952;  connect.sid=s%3AKw-oFoBTn0N3wgQo1qaYjiavjLhE_ZBe.ZGS7MHoGNto0v4UC3Ajxf5Tddqmi66k4uyrwdPYZogE' -H 'Connection: keep-alive' -H 'DNT: 1' --compressed

returned raw string contained json.

After update it seems response containing gzipped json but I cant see any headers which signals about it.
Headers for this request:

X-Powered-By: Express
Access-Control-Allow-Origin: http://localhost:8080
Vary: Origin
Access-Control-Allow-Credentials: true
Date: Mon, 17 Apr 2017 20:58:24 GMT
Connection: keep-alive

I am using express to serve my api. So, problem can be in my config. If you have some idea why it may happen, please tell me.

Thank you for fortune!

Hi,

I'm doing some check in the input hook, and in case of error, I throw an error.

const fortune = require('fortune');
const roles = require('./model').roles;
const { errors: { BadRequestError } } = fortune;

function input(context, record, update) {
  switch (context.request.method) {
    case 'create':
      if (roles.indexOf(record.role) === -1) {
        throw new BadRequestError('Invalid role');
      } else {
        return record;
      }
    case 'update':
      if (!update || !update.replace || !update.replace.role) {
        return update;
      }

      if (roles.indexOf(update.replace.role) === -1) {
        throw new BadRequestError('Invalid role');
      } else {
        return update;
      }
    default: return null;
  }
}

module.exports = {
  input,
};

I use fortune as a middleware for my express server like this (where api = fortuneHTTP(fortuneInstance, options))

app.use((req, res, next) => api(req, res).catch(error => {
  console.log('WAZAAA')
  console.log(error)
}));

The error is catch

WAZAAA
{ BadRequestError: Invalid role
at Array.input (/home/thomasthiebaud/Combain/mate-v2-server/app/user/hooks.js:21:15)
at /home/thomasthiebaud/Combain/mate-v2-server/node_modules/fortune/lib/dispatch/update.js:117:16
at map (/home/thomasthiebaud/Combain/mate-v2-server/node_modules/fortune/lib/common/array/map.js:14:14)
at /home/thomasthiebaud/Combain/mate-v2-server/node_modules/fortune/lib/dispatch/update.js:102:24
at process._tickCallback (internal/process/next_tick.js:103:7)
meta: { headers: { 'Content-Length': 123 } },
payload: <Buffer 1f 8b 08 00 00 00 00 00 00 03 35 cb 31 0a 80 30 0c 40 d1 bd a7 28 99 45 74 75 14 1c 5c 5d c5 a1 d0 0c 91 d2 6a 5a bb 48 ef 6e aa b8 04 f2 f3 72 2b ad ... > }

but I still have

(node:2803) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 12): BadRequestError: Invalid role

So here are my questions :

• Is it safe to throw an exception in a hook ?
• If yes, why do I still this error ? Is it a bug or did I do something wrong ?

Hey there, I was warned that:

dicer 0.x is vulnerable to Uncaught Exception via dicer's header parsing behavior. A request to dicer with a folded header will cause the Node process to crash. No patch is available.

I see that Busboy use to use this library (Dicer) but no longer uses it in versions ^1.0.0 and instead uses streamsearch.
I was wondering if you would upgrade the busboy library to 1.0.0 in order to fix this vulnerability?

Currently with fortune-http relationship that are Array of Objects[] aren't editable as the offending line slices the JSON into pieces.

• Add a scripted link for removing cookies.
• Add options for linking to media and showing thumbnails.
• Option to limit size of incoming requests to avoid running out of memory.
• Rewrite HTML serializer. Its string building is too brittle.
• Allow pages to be customized by injecting CSS.
• Read columns by inspecting actual records (currently it omits custom fields).
• Add options for defining virtual inputs (fields which are not part of the database).
• Allow comma separated values in queries in addition to repeating query names.
• Better boolean input #2

It should have three states to choose from:

• null
• true
• false

It should be able to return partial responses, which is particularly useful for media.

Some ideas for improvement:

• Improve error message when serializer is undefined, this would be more helpful for debugging.
• Use textarea tag for String types in the HTML serializer, more useful input.
• Show record type documentation separately in the index of HTML serializer.
• Serialize record type definitions and documentation in the index of the default JSON serializer.
• Document catching unhandled Promise rejections from listener, important for future versions of Node.js.
• Add notes on framework integration in readme.

When adding/editing relationships, the current way is to copy & paste the long ids manually.
Would it be hard to use the select element to provide an appropriate list to select from to add/edit relationships?

It seems that Fortune HTTP relies on several low-level methods such as response.writeHead.

Koa, a web framework designed by the team behind Express, provides access to Node's response object but explicitly states:

Bypassing Koa's response handling is not supported. Avoid using the following node properties:

• res.statusCode
• res.writeHead()
• res.write()
• res.end()

Indeed, trying to pass ctx.req and ctx.res to the fortuneHttp() listener results in errors:

RangeError: Invalid status code: null

and

Error: Can't remove headers after they are sent

Is there any planned support for Koa? It's an awesome framework that would be great to be able to use. For now, I'll use Express instead.

Thank you for any clarity you can provide!