Ignore err.status with non-error code

closes #1

Author: dougwilson

HISTORY.md

@@ -3,6 +3,7 @@ unreleased
 
   * Add `stacktrace` option
   * Add `text/plain` fallback response
+  * Ignore `err.status` with non-error code
   * Remove `env` option; use `stacktrace` option instead
   * Send complete HTML document
   * Set `X-Content-Type-Options: nosniff` header

README.md

@@ -23,7 +23,8 @@ var finalhandler = require('finalhandler')
 Returns function to be invoked as the final step for the given `req` and `res`.
 This function is to be invoked as `fn(err)`. If `err` is falsy, the handler will
 write out a 404 response to the `res`. If it is truthy, an error response will
-be written out to the `res`, and `res.statusCode` is set from `err.status`.
+be written out to the `res`, and `res.statusCode` is set from `err.status` if the
+value is 4xx or 5xx.
 
 #### options.onerror
 

index.js

@@ -51,29 +51,30 @@ function finalhandler(req, res, options) {
     var body
     var constructBody
     var msg
+    var status = res.statusCode
 
     // unhandled error
     if (err) {
       // default status code to 500
-      if (!res.statusCode || res.statusCode < 400) {
-        res.statusCode = 500
+      if (!status || status < 400) {
+        status = 500
       }
 
       // respect err.status
-      if (err.status) {
-        res.statusCode = err.status
+      if (err.status >= 400 && err.status < 600) {
+        status = err.status
       }
 
       // production gets a basic error message
       msg = stacktrace
         ? err.stack || String(err)
-        : http.STATUS_CODES[res.statusCode]
+        : http.STATUS_CODES[status]
     } else {
-      res.statusCode = 404
+      status = 404
       msg = 'Cannot ' + req.method + ' ' + (req.originalUrl || req.url)
     }
 
-    debug('default %s', res.statusCode)
+    debug('default %s', status)
 
     // schedule onerror callback
     if (err && onerror) {
@@ -101,12 +102,13 @@ function finalhandler(req, res, options) {
     }
 
     // construct body
-    body = constructBody(res.statusCode, msg)
+    body = constructBody(status, msg)
 
     // security header for content sniffing
     res.setHeader('X-Content-Type-Options', 'nosniff')
 
     // standard headers
+    res.statusCode = status
     res.setHeader('Content-Type', body.type)
     res.setHeader('Content-Length', body.length)
 

test/test.js

@@ -28,6 +28,24 @@ describe('finalhandler(req, res)', function () {
       .get('/')
       .expect(400, done)
     })
+
+    it('should ignore non-error err.status code', function (done) {
+      var err = new Error()
+      err.status = 201
+      var server = createServer(err)
+      request(server)
+      .get('/')
+      .expect(500, done)
+    })
+
+    it('should ignore weird err.status', function (done) {
+      var err = new Error()
+      err.status = 'oh no'
+      var server = createServer(err)
+      request(server)
+      .get('/')
+      .expect(500, done)
+    })
   })
 
   describe('404 response', function () {