Ghost/core/test/unit/middleware_spec.js

/*globals describe, beforeEach, afterEach, it*/
/*jshint expr:true*/
var assert          = require('assert'),
    should          = require('should'),
    sinon           = require('sinon'),
    middleware      = require('../../server/middleware').middleware;

describe('Middleware', function () {
    // TODO: needs new test for ember admin
    // describe('redirectToDashboard', function () {
    //     var req, res;

    //     beforeEach(function () {
    //         req = {
    //             session: {}
    //         };

    //         res = {
    //             redirect: sinon.spy()
    //         };
    //     });

    //     it('should redirect to dashboard', function () {
    //         req.session.user = {};

    //         middleware.redirectToDashboard(req, res, null);
    //         assert(res.redirect.calledWithMatch('/ghost/'));
    //     });

    //     it('should call next if no user in session', function (done) {
    //         middleware.redirectToDashboard(req, res, function (a) {
    //             should.not.exist(a);
    //             assert(res.redirect.calledOnce.should.be.false);
    //             done();
    //         });
    //     });
    // });

    describe('cacheControl', function () {
        var res;

        beforeEach(function () {
            res = {
                set: sinon.spy()
            };
        });

        it('correctly sets the public profile headers', function (done) {
            middleware.cacheControl('public')(null, res, function (a) {
                should.not.exist(a);
                res.set.calledOnce.should.be.true;
                res.set.calledWith({'Cache-Control': 'public, max-age=0'});
                done();
            });
        });

        it('correctly sets the private profile headers', function (done) {
            middleware.cacheControl('private')(null, res, function (a) {
                should.not.exist(a);
                res.set.calledOnce.should.be.true;
                res.set.calledWith({
                    'Cache-Control':
                        'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0'
                });
                done();
            });
        });

        it('will not set headers without a profile', function (done) {
            middleware.cacheControl()(null, res, function (a) {
                should.not.exist(a);
                res.set.called.should.be.false;
                done();
            });
        });
    });

    describe('whenEnabled', function () {
        var cbFn, blogApp;

        beforeEach(function () {
            cbFn = sinon.spy();
            blogApp = {
                enabled: function (setting) {
                    if (setting === 'enabled') {
                        return true;
                    } else {
                        return false;
                    }
                }
            };
            middleware.cacheBlogApp(blogApp);
        });

        it('should call function if setting is enabled', function (done) {
            var req = 1, res = 2, next = 3;

            middleware.whenEnabled('enabled', function (a, b, c) {
                assert.equal(a, 1);
                assert.equal(b, 2);
                assert.equal(c, 3);
                done();
            })(req, res, next);
        });

        it('should call next() if setting is disabled', function (done) {
            middleware.whenEnabled('rando', cbFn)(null, null, function (a) {
                should.not.exist(a);
                cbFn.calledOnce.should.be.false;
                done();
            });
        });
    });

    describe('staticTheme', function () {
        beforeEach(function () {
            sinon.stub(middleware, 'forwardToExpressStatic').yields();
        });

        afterEach(function () {
            middleware.forwardToExpressStatic.restore();
        });

        it('should call next if hbs file type', function (done) {
            var req = {
                url: 'mytemplate.hbs'
            };

            middleware.staticTheme(null)(req, null, function (a) {
                should.not.exist(a);
                middleware.forwardToExpressStatic.calledOnce.should.be.false;
                done();
            });
        });

        it('should call next if md file type', function (done) {
            var req = {
                url: 'README.md'
            };

            middleware.staticTheme(null)(req, null, function (a) {
                should.not.exist(a);
                middleware.forwardToExpressStatic.calledOnce.should.be.false;
                done();
            });
        });

        it('should call next if json file type', function (done) {
            var req = {
                url: 'sample.json'
            };

            middleware.staticTheme(null)(req, null, function (a) {
                should.not.exist(a);
                middleware.forwardToExpressStatic.calledOnce.should.be.false;
                done();
            });
        });

        it('should call express.static if valid file type', function (done) {
            var req = {
                    url: 'myvalidfile.css'
                };

            middleware.staticTheme(null)(req, null, function (reqArg, res, next) {
                /*jshint unused:false */
                middleware.forwardToExpressStatic.calledOnce.should.be.true;
                assert.deepEqual(middleware.forwardToExpressStatic.args[0][0], req);
                done();
            });
        });
    });

    describe('isSSLRequired', function () {
        var isSSLrequired = middleware.isSSLrequired;

        it('SSL is required if config.url starts with https', function () {
            isSSLrequired(undefined, 'https://example.com', undefined).should.be.true;
        });

        it('SSL is required if isAdmin and config.forceAdminSSL is set', function () {
            isSSLrequired(true, 'http://example.com', true).should.be.true;
        });

        it('SSL is not required if config.url starts with "http:/" and forceAdminSSL is not set', function () {
            isSSLrequired(false, 'http://example.com', false).should.be.false;
        });
    });

    describe('sslForbiddenOrRedirect', function () {
        var sslForbiddenOrRedirect = middleware.sslForbiddenOrRedirect;
        it('Return forbidden if config forces admin SSL for AdminSSL redirect is false.', function () {
            var response = sslForbiddenOrRedirect({
                forceAdminSSL: {redirect: false},
                configUrl: 'http://example.com'
            });
            response.isForbidden.should.be.true;
        });

        it('If not forbidden, should produce SSL to redirect to when config.url ends with no slash', function () {
            var response = sslForbiddenOrRedirect({
                forceAdminSSL: {redirect: true},
                configUrl: 'http://example.com/config/path',
                reqUrl: '/req/path'
            });
            response.isForbidden.should.be.false;
            response.redirectUrl({}).should.equal('https://example.com/config/path/req/path');
        });

        it('If config ends is slash, potential double-slash in resulting URL is removed', function () {
            var response = sslForbiddenOrRedirect({
                forceAdminSSL: {redirect: true},
                configUrl: 'http://example.com/config/path/',
                reqUrl: '/req/path'
            });
            response.redirectUrl({}).should.equal('https://example.com/config/path/req/path');
        });

        it('If config.urlSSL is provided it is preferred over config.url', function () {
            var response = sslForbiddenOrRedirect({
                forceAdminSSL: {redirect: true},
                configUrl: 'http://example.com/config/path/',
                configUrlSSL: 'https://example.com/ssl/config/path/',
                reqUrl: '/req/path'
            });
            response.redirectUrl({}).should.equal('https://example.com/ssl/config/path/req/path');
        });

        it('query string in request is preserved in redirect URL', function () {
            var response = sslForbiddenOrRedirect({
                forceAdminSSL: {redirect: true},
                configUrl: 'http://example.com/config/path/',
                configUrlSSL: 'https://example.com/ssl/config/path/',
                reqUrl: '/req/path'
            });
            response.redirectUrl({a: 'b'}).should.equal('https://example.com/ssl/config/path/req/path?a=b');
        });
    });
});
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests 2013-12-31 03:13:25 +04:00			`/globals describe, beforeEach, afterEach, it/`
Cleaning up the unit tests 2014-06-05 01:26:03 +04:00			`/jshint expr:true/`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`var assert = require('assert'),`
			`should = require('should'),`
			`sinon = require('sinon'),`
Move server middleware configuration to related file 2013-11-12 10:03:25 +04:00			`middleware = require('../../server/middleware').middleware;`
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00
			`describe('Middleware', function () {`
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 Attention - oldClient doesn't work with this PR anymore, session authentication was removed 2014-06-30 16:58:10 +04:00			`// TODO: needs new test for ember admin`
			`// describe('redirectToDashboard', function () {`
			`// var req, res;`

			`// beforeEach(function () {`
			`// req = {`
			`// session: {}`
			`// };`

			`// res = {`
			`// redirect: sinon.spy()`
			`// };`
			`// });`

			`// it('should redirect to dashboard', function () {`
			`// req.session.user = {};`

			`// middleware.redirectToDashboard(req, res, null);`
			`// assert(res.redirect.calledWithMatch('/ghost/'));`
			`// });`

			`// it('should call next if no user in session', function (done) {`
			`// middleware.redirectToDashboard(req, res, function (a) {`
			`// should.not.exist(a);`
			`// assert(res.redirect.calledOnce.should.be.false);`
			`// done();`
			`// });`
			`// });`
			`// });`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests 2013-12-31 03:13:25 +04:00			`describe('cacheControl', function () {`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`var res;`

Test file cleanup on accoutn of OCD 2013-11-11 14:37:09 +04:00			`beforeEach(function () {`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`res = {`
			`set: sinon.spy()`
			`};`
			`});`

Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests 2013-12-31 03:13:25 +04:00			`it('correctly sets the public profile headers', function (done) {`
			`middleware.cacheControl('public')(null, res, function (a) {`
			`should.not.exist(a);`
			`res.set.calledOnce.should.be.true;`
			`res.set.calledWith({'Cache-Control': 'public, max-age=0'});`
updated error handling on all mocha tests - switch to using catch - added error handling where missing 2014-05-06 00:58:58 +04:00			`done();`
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests 2013-12-31 03:13:25 +04:00			`});`
			`});`

			`it('correctly sets the private profile headers', function (done) {`
			`middleware.cacheControl('private')(null, res, function (a) {`
			`should.not.exist(a);`
			`res.set.calledOnce.should.be.true;`
Cleaning up the unit tests 2014-06-05 01:26:03 +04:00			`res.set.calledWith({`
			`'Cache-Control':`
			`'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0'`
			`});`
updated error handling on all mocha tests - switch to using catch - added error handling where missing 2014-05-06 00:58:58 +04:00			`done();`
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests 2013-12-31 03:13:25 +04:00			`});`
			`});`

			`it('will not set headers without a profile', function (done) {`
			`middleware.cacheControl()(null, res, function (a) {`
			`should.not.exist(a);`
			`res.set.called.should.be.false;`
updated error handling on all mocha tests - switch to using catch - added error handling where missing 2014-05-06 00:58:58 +04:00			`done();`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`});`
			`});`
			`});`

Test file cleanup on accoutn of OCD 2013-11-11 14:37:09 +04:00			`describe('whenEnabled', function () {`
Naming cleanup closes #4069 - Rename everything from camelCase to lowercase + dashes - Remove usage of `server`, `app` and `instance` 2014-09-19 20:17:58 +04:00			`var cbFn, blogApp;`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00
Test file cleanup on accoutn of OCD 2013-11-11 14:37:09 +04:00			`beforeEach(function () {`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`cbFn = sinon.spy();`
Naming cleanup closes #4069 - Rename everything from camelCase to lowercase + dashes - Remove usage of `server`, `app` and `instance` 2014-09-19 20:17:58 +04:00			`blogApp = {`
Test file cleanup on accoutn of OCD 2013-11-11 14:37:09 +04:00			`enabled: function (setting) {`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`if (setting === 'enabled') {`
			`return true;`
			`} else {`
			`return false;`
			`}`
			`}`
			`};`
Naming cleanup closes #4069 - Rename everything from camelCase to lowercase + dashes - Remove usage of `server`, `app` and `instance` 2014-09-19 20:17:58 +04:00			`middleware.cacheBlogApp(blogApp);`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`});`

Test file cleanup on accoutn of OCD 2013-11-11 14:37:09 +04:00			`it('should call function if setting is enabled', function (done) {`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`var req = 1, res = 2, next = 3;`

Test file cleanup on accoutn of OCD 2013-11-11 14:37:09 +04:00			`middleware.whenEnabled('enabled', function (a, b, c) {`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`assert.equal(a, 1);`
			`assert.equal(b, 2);`
			`assert.equal(c, 3);`
updated error handling on all mocha tests - switch to using catch - added error handling where missing 2014-05-06 00:58:58 +04:00			`done();`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`})(req, res, next);`
			`});`

Test file cleanup on accoutn of OCD 2013-11-11 14:37:09 +04:00			`it('should call next() if setting is disabled', function (done) {`
			`middleware.whenEnabled('rando', cbFn)(null, null, function (a) {`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`should.not.exist(a);`
			`cbFn.calledOnce.should.be.false;`
updated error handling on all mocha tests - switch to using catch - added error handling where missing 2014-05-06 00:58:58 +04:00			`done();`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`});`
			`});`
			`});`

Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00			`describe('staticTheme', function () {`
			`beforeEach(function () {`
			`sinon.stub(middleware, 'forwardToExpressStatic').yields();`
			`});`

			`afterEach(function () {`
			`middleware.forwardToExpressStatic.restore();`
			`});`

			`it('should call next if hbs file type', function (done) {`
			`var req = {`
			`url: 'mytemplate.hbs'`
			`};`

			`middleware.staticTheme(null)(req, null, function (a) {`
			`should.not.exist(a);`
			`middleware.forwardToExpressStatic.calledOnce.should.be.false;`
updated error handling on all mocha tests - switch to using catch - added error handling where missing 2014-05-06 00:58:58 +04:00			`done();`
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00			`});`
			`});`

			`it('should call next if md file type', function (done) {`
			`var req = {`
			`url: 'README.md'`
			`};`

			`middleware.staticTheme(null)(req, null, function (a) {`
			`should.not.exist(a);`
			`middleware.forwardToExpressStatic.calledOnce.should.be.false;`
updated error handling on all mocha tests - switch to using catch - added error handling where missing 2014-05-06 00:58:58 +04:00			`done();`
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00			`});`
			`});`

			`it('should call next if json file type', function (done) {`
			`var req = {`
			`url: 'sample.json'`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`};`
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00
			`middleware.staticTheme(null)(req, null, function (a) {`
			`should.not.exist(a);`
			`middleware.forwardToExpressStatic.calledOnce.should.be.false;`
updated error handling on all mocha tests - switch to using catch - added error handling where missing 2014-05-06 00:58:58 +04:00			`done();`
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00			`});`
			`});`

			`it('should call express.static if valid file type', function (done) {`
Cleaning up the unit tests 2014-06-05 01:26:03 +04:00			`var req = {`
Test file cleanup on accoutn of OCD 2013-11-11 14:37:09 +04:00			`url: 'myvalidfile.css'`
			`};`
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need. 2013-11-20 17:58:52 +04:00			`middleware.staticTheme(null)(req, null, function (reqArg, res, next) {`
Cleaning up the unit tests 2014-06-05 01:26:03 +04:00			`/jshint unused:false /`
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00			`middleware.forwardToExpressStatic.calledOnce.should.be.true;`
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need. 2013-11-20 17:58:52 +04:00			`assert.deepEqual(middleware.forwardToExpressStatic.args[0][0], req);`
updated error handling on all mocha tests - switch to using catch - added error handling where missing 2014-05-06 00:58:58 +04:00			`done();`
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00			`});`
			`});`
			`});`
Refactor: Make checkSSL unit-testable and add unit tests for it. - Code was moved to core/server/middleware/middleware.js, which is the home for unit-testable middleware. - Functional code coverage for this code also exists at: test/functional/routes/admin_test.js 2015-01-18 21:44:50 +03:00
			`describe('isSSLRequired', function () {`
			`var isSSLrequired = middleware.isSSLrequired;`

			`it('SSL is required if config.url starts with https', function () {`
			`isSSLrequired(undefined, 'https://example.com', undefined).should.be.true;`
			`});`

			`it('SSL is required if isAdmin and config.forceAdminSSL is set', function () {`
			`isSSLrequired(true, 'http://example.com', true).should.be.true;`
			`});`

			`it('SSL is not required if config.url starts with "http:/" and forceAdminSSL is not set', function () {`
			`isSSLrequired(false, 'http://example.com', false).should.be.false;`
			`});`
			`});`

			`describe('sslForbiddenOrRedirect', function () {`
			`var sslForbiddenOrRedirect = middleware.sslForbiddenOrRedirect;`
			`it('Return forbidden if config forces admin SSL for AdminSSL redirect is false.', function () {`
			`var response = sslForbiddenOrRedirect({`
			`forceAdminSSL: {redirect: false},`
			`configUrl: 'http://example.com'`
			`});`
			`response.isForbidden.should.be.true;`
			`});`

			`it('If not forbidden, should produce SSL to redirect to when config.url ends with no slash', function () {`
			`var response = sslForbiddenOrRedirect({`
			`forceAdminSSL: {redirect: true},`
			`configUrl: 'http://example.com/config/path',`
			`reqUrl: '/req/path'`
			`});`
			`response.isForbidden.should.be.false;`
			`response.redirectUrl({}).should.equal('https://example.com/config/path/req/path');`
			`});`

			`it('If config ends is slash, potential double-slash in resulting URL is removed', function () {`
			`var response = sslForbiddenOrRedirect({`
			`forceAdminSSL: {redirect: true},`
			`configUrl: 'http://example.com/config/path/',`
			`reqUrl: '/req/path'`
			`});`
			`response.redirectUrl({}).should.equal('https://example.com/config/path/req/path');`
			`});`

			`it('If config.urlSSL is provided it is preferred over config.url', function () {`
			`var response = sslForbiddenOrRedirect({`
			`forceAdminSSL: {redirect: true},`
			`configUrl: 'http://example.com/config/path/',`
			`configUrlSSL: 'https://example.com/ssl/config/path/',`
			`reqUrl: '/req/path'`
			`});`
			`response.redirectUrl({}).should.equal('https://example.com/ssl/config/path/req/path');`
			`});`

			`it('query string in request is preserved in redirect URL', function () {`
			`var response = sslForbiddenOrRedirect({`
			`forceAdminSSL: {redirect: true},`
			`configUrl: 'http://example.com/config/path/',`
			`configUrlSSL: 'https://example.com/ssl/config/path/',`
			`reqUrl: '/req/path'`
			`});`
			`response.redirectUrl({a: 'b'}).should.equal('https://example.com/ssl/config/path/req/path?a=b');`
			`});`
			`});`
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00			`});`