chore: upgrade @koa/router (#463)

Closes: #458

Author: stropitek

.ncurc.yml

@@ -1,6 +1,4 @@
 reject:
-  # https://github.com/koajs/router/issues/202
-  - '@koa/router'
   # v3 of ldapjs is a large refactoring followed closely by maintainer abandoning the project
   # I am concerned it might not be stable enough
   # Possible alternative more actively maintained is https://github.com/ldapts/ldapts

package-lock.json

@@ -44,7 +44,7 @@
     "node": "22.21.1"
   },
   "dependencies": {
-    "@koa/router": "^13.1.1",
+    "@koa/router": "^15.0.0",
     "@ladjs/koa-views": "^9.0.0",
     "commander": "^14.0.2",
     "debug": "^4.4.3",

package.json

@@ -5,7 +5,7 @@
 const http = require('http');
 const path = require('path');
 
-const Router = require('@koa/router');
+const { Router } = require('@koa/router');
 const fs = require('fs-extra');
 const Koa = require('koa');
 

src/file-drop/server.js

@@ -1,6 +1,6 @@
 'use strict';
 
-const Router = require('@koa/router');
+const { Router } = require('@koa/router');
 
 const router = new Router({
   prefix: '/db',
@@ -47,14 +47,12 @@ router.delete(
 // Entry rights
 router.get('/:dbname/entry/:uuid/_rights/:right', couch.getRights);
 
-// Change the patterns to finish with "*attachment" instead of ":attachment+" when
-// @koa/router is updated to v14+
 // Attachments
-router.get('/:dbname/entry/:uuid/:attachment+', couch.getAttachment);
+router.get('/:dbname/entry/:uuid/*attachment', couch.getAttachment);
 // Delete attachment slightly different from couchdb api. It does not require _rev in the query parameters.
-router.delete('/:dbname/entry/:uuid/:attachment+', couch.deleteAttachment);
+router.delete('/:dbname/entry/:uuid/*attachment', couch.deleteAttachment);
 router.put(
-  '/:dbname/entry/:uuid/:attachment+',
+  '/:dbname/entry/:uuid/*attachment',
   util.parseRawBody({ limit: '100mb' }),
   couch.saveAttachment,
 );

src/server/routes/api.js

@@ -1,6 +1,6 @@
 'use strict';
 
-const Router = require('@koa/router');
+const { Router } = require('@koa/router');
 const passport = require('koa-passport');
 
 const router = new Router({

src/server/routes/auth.js

@@ -162,6 +162,38 @@ describe('rest-api as anonymous (data)', () => {
 
     await request.get('/db/test/entry/B/my%2Battachment.txt').expect(404);
   });
+
+  test('handle attachment names with unescaped slashes', async () => {
+    await authenticateAs(request, '[email protected]', '123');
+    // The attachment name intentionally has an encoded "/" to make sure URLs are
+    // correctly encoded and decoded by the API.
+    let res = await request
+      .put('/db/test/entry/B/my/attachment.txt')
+      .set('Content-Type', 'text/plain')
+      .set('Accept', 'application/json')
+      .send('rest-on-couch!!')
+      .expect(200);
+
+    expect(res.body.id).toBe('B');
+
+    // Unescaped
+    res = await request.get('/db/test/entry/B/my/attachment.txt');
+    expect(res.text).toBe('rest-on-couch!!');
+    expect(res.headers['content-type']).toBe('text/plain');
+
+    // Escaped
+    res = await request.get('/db/test/entry/B/my%2Fattachment.txt');
+    expect(res.text).toBe('rest-on-couch!!');
+
+    await authenticateAs(request, '[email protected]', '123');
+    await request
+      .delete('/db/test/entry/B/my/attachment.txt')
+      .send()
+      .expect(200);
+    await logout(request);
+
+    await request.get('/db/test/entry/B/my/attachment.txt').expect(404);
+  });
 });
 
 describe('basic rest-api as [email protected] (data)', () => {