You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: packages/wobe-documentation/doc/concepts/wobe.md
+3Lines changed: 3 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -17,6 +17,9 @@ The `Wobe` constructor can have some options:
17
17
-`hostname`: The hostname where the server will be listening.
18
18
-`onError`: A function that will be called when an error occurs.
19
19
-`onNotFound`: A function that will be called when a route is not found.
20
+
-`maxBodySize`: Maximum accepted request body size in bytes (default: 1_048_576). Requests above the limit are rejected with `413`.
21
+
-`allowedContentEncodings`: Whitelisted `Content-Encoding` values (default: `['identity', '']`). Add `gzip`, `deflate` or `br` if you want to accept compressed bodies; decompressed size is still enforced by `maxBodySize`.
22
+
-`trustProxy`: When `true`, `X-Forwarded-For` is used to derive client IP (rate limiting/logs). Keep `false` if the app is directly reachable to avoid IP spoofing; enable only behind a trusted proxy that overwrites the header.
20
23
-`tls`: An object with the key, the cert and the passphrase if exist to enable HTTPS.
Copy file name to clipboardExpand all lines: packages/wobe-documentation/doc/ecosystem/hooks/bearer-auth.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,7 +13,7 @@ const app = new Wobe()
13
13
.beforeHandler(
14
14
bearerAuth({
15
15
token: 'token',
16
-
}),
16
+
})
17
17
)
18
18
.get('/protected', (req, res) => {
19
19
res.send('Protected')
@@ -38,7 +38,7 @@ const app = new Wobe()
38
38
bearerAuth({
39
39
token: 'token',
40
40
hashFunction: (token) =>token,
41
-
}),
41
+
})
42
42
)
43
43
.get('/protected', (req, res) => {
44
44
res.send('Protected')
@@ -57,4 +57,4 @@ const request = new Request('http://localhost:3000/test', {
57
57
58
58
-`token` (string) : The token to compare with the Authorization header.
59
59
-`realm` (string) : The realm to send in the WWW-Authenticate header.
60
-
-`hashFunction` ((token: string) => string) : A function to hash the token before comparing it.
60
+
-`hashFunction` ((token: string) => string) : A function to hash the token before comparing it. Tokens are compared in constant time; prefer a hash function that returns fixed-length output to avoid timing leaks on length.
Copy file name to clipboardExpand all lines: packages/wobe-documentation/doc/ecosystem/hooks/body-limit.md
+2Lines changed: 2 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,6 +2,8 @@
2
2
3
3
Wobe has a `beforeHandler` hook to put a limit to the body size of each requests.
4
4
5
+
Note: Wobe also enforces a global body size limit (default 1 MiB) at the adapter level via the `maxBodySize` option on `new Wobe({ ... })`. Use the hook if you need a tighter or route-specific limit.
Copy file name to clipboardExpand all lines: packages/wobe-documentation/doc/ecosystem/hooks/secure-headers.md
+2-1Lines changed: 2 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,7 +15,7 @@ app.beforeHandler(
15
15
'default-src': ["'self'"],
16
16
'report-to': 'endpoint-5',
17
17
},
18
-
}),
18
+
})
19
19
)
20
20
21
21
app.get('/', (req, res) => {
@@ -35,3 +35,4 @@ app.listen(3000)
35
35
-`strictTransportSecurity` (string[]) : The Strict-Transport-Security header value. [For more informations](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)
36
36
-`xContentTypeOptions` (string) : The X-Content-Type-Options header value. [For more informations](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options)
37
37
-`xDownloadOptions` (string) : The X-Download-Options header value.
38
+
-`xFrameOptions` (string | false) : The X-Frame-Options header value. Defaults to `SAMEORIGIN`; set to `false` to disable (e.g., if you intentionally allow framing).
-`directory` (string) : The directory path from which to serve files. This path should be relative to your project's root directory or an absolute path.
25
28
-`isAuthorized` (boolean) : A boolean value indicating whether the hook should check if the request is authorized. If set to `true`, the hook will be authorized to serve files, otherwise, it will be unauthorized. The default value is `true`. Usefull for example to allow access files only in development mode (with for example S3 storage on production).
29
+
-`allowSymlinks` (boolean) : Allow serving symlinks (default `false`). When `false`, symlinks are rejected.
30
+
-`allowDotfiles` (boolean) : Allow dotfiles like `.env` (default `false`). When `false`, dotfiles are hidden.
26
31
27
32
## Usage
28
33
29
34
To use the uploadDirectory hook, define a route in your Wobe application and pass the directory path as an option. The hook will handle requests to this route by serving the specified file from the directory.
30
35
31
36
```ts
32
-
import { Wobe, uploadDirectory } from'wobe';
37
+
import { Wobe, uploadDirectory } from'wobe'
33
38
34
39
const app =newWobe()
35
-
.get('/bucket/:filename', uploadDirectory({
36
-
directory: './path/to/your/directory',
37
-
}))
38
-
.listen(3000);
40
+
.get(
41
+
'/bucket/:filename',
42
+
uploadDirectory({
43
+
directory: './path/to/your/directory',
44
+
})
45
+
)
46
+
.listen(3000)
39
47
```
40
48
41
49
## Error Handling
42
50
43
51
The `uploadDirectory` hook handles errors gracefully by providing appropriate HTTP responses for common issues:
44
52
45
-
-**Missing Filename Parameter**: If the `filename` parameter is missing in the request, the hook will respond with a `400 Bad Request` status and the message "Filename is required".
53
+
-**Missing Filename Parameter**: If the `filename` parameter is missing in the request, the hook will respond with a `400 Bad Request` status and the message "Filename is required".
console.log(awaitresponse.text()) // "Filename is required"
51
59
```
52
60
53
-
-**File Not Found**: If the file specified by the `filename` parameter does not exist in the directory, the hook will respond with a `404 Not Found` status and the message "File not found".
61
+
-**File Not Found**: If the file specified by the `filename` parameter does not exist in the directory, the hook will respond with a `404 Not Found` status and the message "File not found".
console.log(awaitresponse.text()) // "File not found"
59
69
```
70
+
71
+
-**Traversal or forbidden path**: Paths that escape the configured directory (e.g., `../secret`) return `403 Forbidden`. By default, dotfiles and symlinks are also blocked unless explicitly allowed.
0 commit comments