[fix] allowRequest failures now return 403 Forbidden (#452)

lib/server.js

@@ -70,14 +70,16 @@ Server.errors = {
   UNKNOWN_TRANSPORT: 0,
   UNKNOWN_SID: 1,
   BAD_HANDSHAKE_METHOD: 2,
-  BAD_REQUEST: 3
+  BAD_REQUEST: 3,
+  FORBIDDEN: 4
 };
 
 Server.errorMessages = {
   0: 'Transport unknown',
   1: 'Session ID unknown',
   2: 'Bad handshake method',
-  3: 'Bad request'
+  3: 'Bad request',
+  4: 'Forbidden'
 };
 
 /**
@@ -242,6 +244,15 @@ Server.prototype.handleRequest = function (req, res) {
 function sendErrorMessage (req, res, code) {
   var headers = { 'Content-Type': 'application/json' };
 
+  var isForbidden = !Server.errorMessages.hasOwnProperty(code);
+  if (isForbidden) {
+    res.writeHead(403, headers);
+    res.end(JSON.stringify({
+      code: Server.errors.FORBIDDEN,
+      message: code || Server.errorMessages[Server.errors.FORBIDDEN]
+    }));
+    return;
+  }
   if (req.headers.origin) {
     headers['Access-Control-Allow-Credentials'] = 'true';
     headers['Access-Control-Allow-Origin'] = req.headers.origin;

test/server.js

@@ -76,6 +76,22 @@ describe('server', function () {
           });
       });
     });
+
+    it('should disallow requests that are rejected by `allowRequest`', function (done) {
+      listen({ allowRequest: function (req, fn) { fn('Thou shall not pass', false); } }, function (port) {
+        request.get('http://localhost:%d/engine.io/default/'.s(port))
+          .set('Origin', 'http://engine.io')
+          .query({ transport: 'polling' })
+          .end(function (res) {
+            expect(res.status).to.be(403);
+            expect(res.body.code).to.be(4);
+            expect(res.body.message).to.be('Thou shall not pass');
+            expect(res.header['access-control-allow-credentials']).to.be(undefined);
+            expect(res.header['access-control-allow-origin']).to.be(undefined);
+            done();
+          });
+      });
+    });
   });
 
   describe('handshake', function () {