add whitelisting of supported methods to methodOverride()

Author: tj

lib/middleware/methodOverride.js

@@ -6,11 +6,17 @@
  * MIT Licensed
  */
 
+/**
+ * Module dependencies.
+ */
+
+var methods = require('methods');
+
 /**
  * Method Override:
- * 
+ *
  * Provides faux HTTP method support.
- * 
+ *
  * Pass an optional `key` to use when checking for
  * a method override, othewise defaults to _\_method_.
  * The original method is available via `req.originalMethod`.
@@ -23,18 +29,31 @@
 module.exports = function methodOverride(key){
   key = key || "_method";
   return function methodOverride(req, res, next) {
+    var method;
     req.originalMethod = req.originalMethod || req.method;
 
     // req.body
     if (req.body && key in req.body) {
-      req.method = req.body[key].toUpperCase();
+      method = req.body[key].toLowerCase();
       delete req.body[key];
+    }
+
     // check X-HTTP-Method-Override
-    } else if (req.headers['x-http-method-override']) {
-      req.method = req.headers['x-http-method-override'].toUpperCase();
+    if (req.headers['x-http-method-override']) {
+      method = req.headers['x-http-method-override'].toLowerCase();
     }
-    
+
+    // replace
+    if (supports(method)) req.method = method.toUpperCase();
+
     next();
   };
 };
 
+/**
+ * Check if node supports `method`.
+ */
+
+function supports(method) {
+  return ~methods.indexOf(method);
+}

package.json

@@ -2,7 +2,13 @@
   "name": "connect",
   "version": "2.8.1",
   "description": "High performance middleware framework",
-  "keywords": ["framework", "web", "middleware", "connect", "rack"],
+  "keywords": [
+    "framework",
+    "web",
+    "middleware",
+    "connect",
+    "rack"
+  ],
   "repository": "git://github.com/senchalabs/connect.git",
   "author": "TJ Holowaychuk <[email protected]> (http://tjholowaychuk.com)",
   "dependencies": {
@@ -16,7 +22,8 @@
     "fresh": "0.1.0",
     "pause": "0.0.1",
     "uid2": "0.0.2",
-    "debug": "*"
+    "debug": "*",
+    "methods": "0.0.1"
   },
   "devDependencies": {
     "should": "*",

test/methodOverride.js

@@ -0,0 +1,43 @@
+
+var connect = require('../');
+
+var app = connect();
+
+app.use(connect.bodyParser());
+app.use(connect.methodOverride());
+
+app.use(function(req, res){
+  res.end(req.method);
+});
+
+describe('connect.methodOverride()', function(){
+  it('should not touch the method by default', function(done){
+    app.request()
+    .get('/')
+    .expect('GET', done);
+  })
+
+  it('should support req.body._method', function(done){
+    app.request()
+    .post('/')
+    .set('Content-Type', 'application/x-www-form-urlencoded')
+    .write('_method=DELETE')
+    .expect('DELETE', done);
+  })
+
+  it('should be case in-sensitive', function(done){
+    app.request()
+    .post('/')
+    .set('Content-Type', 'application/x-www-form-urlencoded')
+    .write('_method=delete')
+    .expect('DELETE', done);
+  })
+
+  it('should ignore invalid methods', function(done){
+    app.request()
+    .post('/')
+    .set('Content-Type', 'application/x-www-form-urlencoded')
+    .write('_method=<whatever>')
+    .expect('POST', done);
+  })
+})