Normalize headers to lowercase in middleware

mbklein · mbklein · commit 8b922ac57db0 · 2022-08-22T18:33:23.000Z
diff --git a/.gitignore b/.gitignore
@@ -206,5 +206,6 @@ $RECYCLE.BIN/
 *.lnk
 
 samconfig.toml
+env.json
 
 # End of https://www.toptal.com/developers/gitignore/api/osx,node,linux,windows,sam
diff --git a/src/handlers/get-collection-by-id.js b/src/handlers/get-collection-by-id.js
@@ -1,10 +1,12 @@
+const middleware = require("./middleware");
 const { getCollection } = require("../api/opensearch");
 const opensearchResponse = require("../api/response/opensearch");
 
 /**
  * A simple function to get a Collection by id
  */
 exports.handler = async (event) => {
+  event = middleware(event);
   const id = event.pathParameters.id;
   let esResponse = await getCollection(id);
   return opensearchResponse.transform(esResponse);
diff --git a/src/handlers/get-file-set-by-id.js b/src/handlers/get-file-set-by-id.js
@@ -1,10 +1,12 @@
+const middleware = require("./middleware");
 const { getFileSet } = require("../api/opensearch");
 const opensearchResponse = require("../api/response/opensearch");
 
 /**
  * A simple function to get a FileSet by id
  */
 exports.handler = async (event) => {
+  event = middleware(event);
   const id = event.pathParameters.id;
   let esResponse = await getFileSet(id);
   return opensearchResponse.transform(esResponse);
diff --git a/src/handlers/get-work-by-id.js b/src/handlers/get-work-by-id.js
@@ -1,10 +1,12 @@
+const middleware = require("./middleware");
 const { getWork } = require("../api/opensearch");
 const opensearchResponse = require("../api/response/opensearch");
 
 /**
  * A simple function to get a Work by id
  */
 exports.handler = async (event) => {
+  event = middleware(event);
   const id = event.pathParameters.id;
   let esResponse = await getWork(id);
   return opensearchResponse.transform(esResponse);
diff --git a/src/handlers/middleware.js b/src/handlers/middleware.js
@@ -1,10 +1,9 @@
-const base64 = require("base64-js");
+const { decodeEventBody, normalizeHeaders } = require("../helpers");
 
-function decodeEventBody(event) {
-  if (!event.isBase64Encoded) return event;
-  event.body = new Buffer.from(base64.toByteArray(event.body)).toString();
-  event.isBase64Encoded = false;
-  return event;
+function prepareEvent(event) {
+  let result = normalizeHeaders(event);
+  result = decodeEventBody(result);
+  return result;
 }
 
-module.exports = { decodeEventBody };
+module.exports = prepareEvent;
diff --git a/src/handlers/search.js b/src/handlers/search.js
@@ -1,4 +1,4 @@
-const { decodeEventBody } = require("./middleware");
+const middleware = require("./middleware");
 const { baseUrl } = require("../helpers");
 const { modelsToTargets, validModels } = require("../api/request/models");
 const { search } = require("../api/opensearch");
@@ -7,6 +7,7 @@ const { decodeSearchToken, Paginator } = require("../api/pagination");
 const RequestPipeline = require("../api/request/pipeline");
 
 const getSearch = async (event) => {
+  event = middleware(event);
   let token = event.queryStringParameters.searchToken;
   if (token === undefined || token === "") {
     return invalidRequest("searchToken parameter is required");
@@ -26,7 +27,7 @@ const getSearch = async (event) => {
 };
 
 const postSearch = async (event) => {
-  event = decodeEventBody(event);
+  event = middleware(event);
   const eventBody = JSON.parse(event.body);
 
   const requestedModels =
diff --git a/src/helpers.js b/src/helpers.js
@@ -1,5 +1,13 @@
+const base64 = require("base64-js");
 const gatewayRe = /execute-api.[a-z]+-[a-z]+-\d+.amazonaws.com/;
 
+function decodeEventBody(event) {
+  if (!event.isBase64Encoded) return event;
+  event.body = new Buffer.from(base64.toByteArray(event.body)).toString();
+  event.isBase64Encoded = false;
+  return event;
+}
+
 function isApiGateway(event) {
   return gatewayRe.test(event.requestContext.domainName);
 }
@@ -12,19 +20,35 @@ function isLocal(event) {
   return event.requestContext.domainName === "localhost";
 }
 
-function getHeader(event, name) {
-  return event.headers[name] || event.headers[name.toLowerCase()];
+function normalizeHeaders(event) {
+  if (event.normalizedHeaders) return event;
+
+  const headers = { ...event.headers };
+
+  for (header in headers) {
+    const lowerHeader = header.toLowerCase();
+    if (header != lowerHeader) {
+      const value = headers[header];
+      delete headers[header];
+      headers[lowerHeader] = value;
+    }
+  }
+
+  event.headers = headers;
+  event.normalizedHeaders = true;
+  return event;
 }
 
 function baseUrl(event) {
-  const scheme = getHeader(event, "X-Forwarded-Proto");
+  event = normalizeHeaders(event);
+  const scheme = event.headers["x-forwarded-proto"];
 
   // The localhost check only matters in dev mode, but it's
   // really inconvenient not to have it
   const host = isLocal(event)
-    ? getHeader(event, "Host").split(/:/)[0]
+    ? event.headers["host"].split(/:/)[0]
     : event.requestContext.domainName;
-  const port = getHeader(event, "X-Forwarded-Port");
+  const port = event.headers["x-forwarded-port"];
 
   let result = new URL(`${scheme}://${host}:${port}`);
 
@@ -45,4 +69,4 @@ function baseUrl(event) {
   return result.toString();
 }
 
-module.exports = { baseUrl, getHeader };
+module.exports = { baseUrl, decodeEventBody, normalizeHeaders };
diff --git a/test/integration/search.test.js b/test/integration/search.test.js
@@ -57,6 +57,7 @@ describe("Search routes", () => {
         .pathParams({ models: "works,collections,blargh" })
         .body(originalQuery)
         .render();
+
       const result = await handler(event);
       expect(result.statusCode).to.eq(400);
 
diff --git a/test/test-helpers/event-builder.js b/test/test-helpers/event-builder.js
@@ -4,6 +4,7 @@ module.exports = class {
   constructor(method, route) {
     const now = new Date();
     this._method = method;
+    this._pathPrefix = "";
     this._route = route;
     this._event = {
       version: "2.0",
@@ -50,10 +51,15 @@ module.exports = class {
 
   body(body) {
     switch (typeof body) {
+      case "string":
+        this._event.body = body;
+        break;
       case "undefined":
-        this._event.body = {};
+        this._event.body = "";
+        break;
       case "object":
         this._event.body = JSON.stringify(body);
+        break;
     }
     return this;
   }
diff --git a/test/unit/api/helpers.test.js b/test/unit/api/helpers.test.js
@@ -1,6 +1,10 @@
 "use strict";
 
-const { baseUrl, getHeader } = require("../../../src/helpers");
+const {
+  baseUrl,
+  decodeEventBody,
+  normalizeHeaders,
+} = require("../../../src/helpers");
 const chai = require("chai");
 const expect = chai.expect;
 
@@ -11,9 +15,9 @@ describe("helpers", () => {
         routeKey: "GET /route/{param}",
         rawPath: "/route/value",
         headers: {
-          Host: "localhost",
-          "X-Forwarded-Proto": "http",
-          "X-Forwarded-Port": "3000",
+          host: "localhost",
+          "x-forwarded-proto": "http",
+          "x-forwarded-port": "3000",
         },
         requestContext: {
           domainName: "localhost",
@@ -30,9 +34,9 @@ describe("helpers", () => {
         routeKey: "GET /route/{param}",
         rawPath: "/v2/route/value",
         headers: {
-          Host: "abcdefghijz.execute-api.us-east-1.amazonaws.com",
-          "X-Forwarded-Proto": "https",
-          "X-Forwarded-Port": "443",
+          host: "abcdefghijz.execute-api.us-east-1.amazonaws.com",
+          "x-forwarded-proto": "https",
+          "x-forwarded-port": "443",
         },
         requestContext: {
           domainName: "abcdefghijz.execute-api.us-east-1.amazonaws.com",
@@ -51,9 +55,9 @@ describe("helpers", () => {
         routeKey: "GET /route/{param}",
         rawPath: "/route/value",
         headers: {
-          Host: "abcdefghijz.cloudfront.net",
-          "X-Forwarded-Proto": "https",
-          "X-Forwarded-Port": "443",
+          host: "abcdefghijz.cloudfront.net",
+          "x-forwarded-proto": "https",
+          "x-forwarded-port": "443",
         },
         requestContext: {
           domainName: "abcdefghijz.cloudfront.net",
@@ -70,9 +74,9 @@ describe("helpers", () => {
         routeKey: "GET /route/{param}",
         rawPath: "/route/value",
         headers: {
-          Host: "api.test.library.northwestern.edu",
-          "X-Forwarded-Proto": "https",
-          "X-Forwarded-Port": "443",
+          host: "api.test.library.northwestern.edu",
+          "x-forwarded-proto": "https",
+          "x-forwarded-port": "443",
         },
         requestContext: {
           domainName: "api.test.library.northwestern.edu",
@@ -91,9 +95,9 @@ describe("helpers", () => {
         routeKey: "GET /route/{param}",
         rawPath: "/route/value",
         headers: {
-          Host: "localhost",
-          "X-Forwarded-Proto": "http",
-          "X-Forwarded-Port": "3000",
+          host: "localhost",
+          "x-forwarded-proto": "http",
+          "x-forwarded-port": "3000",
         },
         requestContext: {
           domainName: "api.test.library.northwestern.edu",
@@ -121,25 +125,44 @@ describe("helpers", () => {
     });
   });
 
-  describe("getHeader()", () => {
-    it("extracts event headers regardless of case", () => {
-      const event = {
-        routeKey: "GET /route/{param}",
-        rawPath: "/route/value",
-        headers: {
-          Host: "abcdefghijz.execute-api.us-east-1.amazonaws.com",
-          "X-Forwarded-Proto": "https",
-          "x-forwarded-port": "443",
-        },
-        requestContext: {
-          domainName: "abcdefghijz.execute-api.us-east-1.amazonaws.com",
-          domainPrefix: "abcdefghijz",
-          stage: "v2",
-        },
-      };
+  describe("decodeEventBody()", () => {
+    it("passes plain text body through unaltered", () => {
+      const event = helpers
+        .mockEvent("POST", "/search")
+        .body("plain body")
+        .render();
+      const result = decodeEventBody(event);
+      expect(result.isBase64Encoded).to.be.false;
+      expect(result.body).to.eq("plain body");
+    });
+
+    it("decodes base64 encoded body", () => {
+      const event = helpers
+        .mockEvent("POST", "/search")
+        .body("encoded body")
+        .base64Encode()
+        .render();
+      expect(event.isBase64Encoded).to.be.true;
+      expect(event.body).not.to.eq("encoded body");
+
+      const result = decodeEventBody(event);
+      expect(result.isBase64Encoded).to.be.false;
+      expect(result.body).to.eq("encoded body");
+    });
+  });
+
+  describe("normalizeHeaders()", () => {
+    it("converts all headers to lowercase", () => {
+      const upperHeaders = ["Host", "X-Forwarded-For", "X-Forwarded-Proto"];
+      const lowerHeaders = ["host", "x-forwarded-for", "x-forwarded-proto"];
+
+      const event = helpers.mockEvent("GET", "/search").render();
+      expect(event.headers).not.to.include.keys(lowerHeaders);
+      expect(event.headers).to.include.keys(upperHeaders);
 
-      expect(getHeader(event, "X-Forwarded-Proto")).to.eq("https");
-      expect(getHeader(event, "X-Forwarded-Port")).to.eq("443");
+      const result = normalizeHeaders(event);
+      expect(result.headers).to.include.keys(lowerHeaders);
+      expect(result.headers).not.to.include.keys(upperHeaders);
     });
   });
 });
