expressjs / serve-static

Serve static files
MIT License

404 returned instead of 403 when using the dotfiles with "deny option" #153

Closed mina20088 closed 1 year ago

mina20088 commented 1 year ago

Hi, when I used the below code with express I received 404 instead of 403, but the documentation says it should return 403.

```js
app.use(express.static('public', { 'dotfiles': 'deny' }));
```

dougwilson commented 1 year ago

Hello, and very sorry for that! I used an example from the readme to add that option to and request a dotfile and got a 403. Our test suite (https://github.com/expressjs/serve-static/blob/master/test/test.js) also shows a 403. So there must be some weird edge case you are encountering that I cannot figure out.

Can you provide all of the following so I can reproduce and determine the issue?

  1. Version of Node.js you are using
  2. Version of this module you are using
  3. A complete app that I can run without modification that will allow me to reproduce. For any modules used besides this one, be sure to include their exact versions
  4. The exact path to the dotfile so I can recreate it for the app
  5. The http request to make against the app that shows a 404 instead of expected 403

Thank you!

mina20088 commented 1 year ago

Hi, thank you very much for answering me, I really appreciate that :+1:

  1. node version is v18.12.1
  2. express version is 4.16.1
  3. serve-static version is 1.15.0
  4. https://gist.github.com/mina20088/621d2cb80c0a0b8f44e7686ef1237a86 this is a link to the app, but there are some files that need to be created as public folder
  5. and that is part of the code which contains the request to access a static file

```js
app.use(express.static('public', {
  'dotfiles': 'deny',
  'etag': true,
  'fallthrough': true,
  immutable: false,
  maxAge: 2300
}));

app.use(express.static('public/javascript', {
  'dotfiles': 'deny',
  'etag': true,
  'fallthrough': true,
  immutable: true,
  maxAge: 2300
}))
```

If you don't mind, create the public folder and create the .env file inside it.

If there is any other information, please send me.

dougwilson commented 1 year ago

Thank you. The code there is a lot different from what you first posted. Specifically, fallthrough: true means that when a file is not served (through any error, even the 403s) the error will not be sent and instead the request moves to the next spot. If you want the 403s you need to turn fallthrough off to allow serve-static to send back errors regarding unable to load files.
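The behaviour described in the comment above, as an added example that is not part of the thread and is not serve-static's own code: a simplified plain-Node model of a middleware chain in which a denied dotfile either falls through to the final 404 or is reported as a 403. `modelStatic`, `request` and the file sets are hypothetical stand-ins, and the file names are constructed.

```javascript
// Simplified model of the behaviour discussed in this thread.
// Assumption: a request nobody handles ends in a 404, as in Express.

// True when any path segment starts with a dot (e.g. /.env, /.git/config).
function hasDotSegment(urlPath) {
  return urlPath.split('/').some((seg) => seg.length > 1 && seg[0] === '.');
}

// Hypothetical stand-in for express.static(root, opts); `files` plays the root.
function modelStatic(files, opts) {
  return (req, res, next) => {
    let status = 200;
    if (hasDotSegment(req.path) && opts.dotfiles === 'deny') status = 403;
    else if (!files.has(req.path)) status = 404;

    if (status === 200) { res.status = 200; return; }  // file is served
    // fallthrough: true hides the client error and hands the request on.
    if (opts.fallthrough) return next();
    // fallthrough: false forwards the error so the client sees its status.
    next({ status });
  };
}

// Runs one request through the chain and returns the final status code.
function request(path, middlewares) {
  const req = { path };
  const res = { status: null };
  let i = 0;
  const next = (err) => {
    if (err) { res.status = err.status; return; }  // error handler responds
    const mw = middlewares[i++];
    if (!mw) { res.status = 404; return; }         // nothing handled it
    mw(req, res, next);
  };
  next();
  return res.status;
}

// Constructed sample trees standing in for public/ and public/javascript/.
const PUBLIC = new Set(['/index.html', '/.env']);
const SCRIPTS = new Set(['/app.js']);

// The two-middleware setup from the thread, with fallthrough on and off.
const chain = (fallthrough) => [
  modelStatic(PUBLIC, { dotfiles: 'deny', fallthrough }),
  modelStatic(SCRIPTS, { dotfiles: 'deny', fallthrough }),
];
```

In both configurations the dotfile's contents are never sent; only the status code the client sees differs.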

dougwilson commented 1 year ago

Sorry, didn't mean to close this. I still need to test your example.

mina20088 commented 1 year ago

No problem, thank you that you answered in all cases.

mina20088 commented 1 year ago

By the way, I tried it now and it works as you said: the fallthrough needs to be false in order to get the error message on the screen. I think it is working now.

bdunn313 commented 1 year ago

I think this can be closed now right?

mina20088 commented 1 year ago

solved