+2

dune-project

reviewed

··· 1 1 + (lang dune 3.21) 2 2 + (name respond)

+4

lib/dune

reviewed

··· 1 1 + (library 2 2 + (name respond) 3 3 + (public_name respond) 4 4 + (libraries requests.core eio logs magic-mime fmt))

+212

lib/respond.ml

reviewed

··· 1 1 + (** Eio HTTP server with static file serving and route handlers. 2 2 + 3 3 + Reuses HTTP types (Method, Status, Headers) from requests. *) 4 4 + 5 5 + let src = Logs.Src.create "respond" ~doc:"HTTP server" 6 6 + 7 7 + module Log = (val Logs.src_log src : Logs.LOG) 8 8 + 9 9 + (* ── Response ──────────────────────────────────────────────────────── *) 10 10 + 11 11 + module Response = struct 12 12 + type t = { 13 13 + status : Status.t; 14 14 + content_type : string; 15 15 + body : string; 16 16 + headers : (string * string) list; 17 17 + } 18 18 + 19 19 + let v ?(headers = []) ~status ~content_type body = 20 20 + { status; content_type; body; headers } 21 21 + 22 22 + let json body = v ~status:`OK ~content_type:"application/json" body 23 23 + let text body = v ~status:`OK ~content_type:"text/plain" body 24 24 + let html body = v ~status:`OK ~content_type:"text/html; charset=utf-8" body 25 25 + let raw ~status ~content_type body = v ~status ~content_type body 26 26 + let not_found = v ~status:`Not_found ~content_type:"text/plain" "Not Found" 27 27 + let bad_request msg = v ~status:`Bad_request ~content_type:"text/plain" msg 28 28 + 29 29 + let method_not_allowed = 30 30 + v ~status:`Method_not_allowed ~content_type:"text/plain" 31 31 + "Method Not Allowed" 32 32 + 33 33 + let internal_server_error msg = 34 34 + v ~status:`Internal_server_error ~content_type:"application/json" 35 35 + (Fmt.str {|{"error":"%s"}|} msg) 36 36 + 37 37 + let redirect url = 38 38 + v ~status:`Found ~content_type:"text/plain" 39 39 + ~headers:[ ("Location", url) ] 40 40 + "" 41 41 + end 42 42 + 43 43 + type params = (string * string) list 44 44 + type route = string * (params -> Response.t) 45 45 + 46 46 + (* ── HTTP helpers ──────────────────────────────────────────────────── *) 47 47 + 48 48 + let read_line reader = 49 49 + let line = Eio.Buf_read.line reader in 50 50 + let n = String.length line in 51 51 + if n > 0 && line.[n - 1] = '\r' then String.sub line 0 (n - 1) else line 52 52 + 53 53 + let skip_headers reader = 54 54 + try 55 55 + while true do 56 56 + if String.length (read_line reader) = 0 then raise_notrace Exit 57 57 + done 58 58 + with Exit -> () 59 59 + 60 60 + let status_line (s : Status.t) = 61 61 + Fmt.str "%d %s" (Status.to_int s) (Status.reason_phrase s) 62 62 + 63 63 + let send_response flow (r : Response.t) = 64 64 + let extra = 65 65 + List.map (fun (k, v) -> Fmt.str "%s: %s\r\n" k v) r.headers 66 66 + |> String.concat "" 67 67 + in 68 68 + let h = 69 69 + Fmt.str 70 70 + "HTTP/1.1 %s\r\n\ 71 71 + Content-Type: %s\r\n\ 72 72 + Content-Length: %d\r\n\ 73 73 + Access-Control-Allow-Origin: *\r\n\ 74 74 + %sConnection: close\r\n\ 75 75 + \r\n" 76 76 + (status_line r.status) r.content_type (String.length r.body) extra 77 77 + in 78 78 + Eio.Flow.copy_string (h ^ r.body) flow 79 79 + 80 80 + let send_cors flow = 81 81 + Eio.Flow.copy_string 82 82 + "HTTP/1.1 204 No Content\r\n\ 83 83 + Access-Control-Allow-Origin: *\r\n\ 84 84 + Access-Control-Allow-Methods: GET, POST, OPTIONS\r\n\ 85 85 + Access-Control-Allow-Headers: Content-Type, Authorization\r\n\ 86 86 + Access-Control-Max-Age: 86400\r\n\ 87 87 + Connection: close\r\n\ 88 88 + \r\n" 89 89 + flow 90 90 + 91 91 + (* ── URL parsing ──────────────────────────────────────────────────── *) 92 92 + 93 93 + let parse_url url = 94 94 + match String.index_opt url '?' with 95 95 + | None -> (url, []) 96 96 + | Some i -> 97 97 + let path = String.sub url 0 i in 98 98 + let qs = String.sub url (i + 1) (String.length url - i - 1) in 99 99 + let params = 100 100 + String.split_on_char '&' qs 101 101 + |> List.filter_map (fun pair -> 102 102 + match String.index_opt pair '=' with 103 103 + | None -> if pair = "" then None else Some (pair, "") 104 104 + | Some j -> 105 105 + Some 106 106 + ( String.sub pair 0 j, 107 107 + String.sub pair (j + 1) (String.length pair - j - 1) )) 108 108 + in 109 109 + (path, params) 110 110 + 111 111 + (* ── Static file serving ──────────────────────────────────────────── *) 112 112 + 113 113 + let normalize_path path = 114 114 + let parts = String.split_on_char '/' path in 115 115 + let rec resolve acc = function 116 116 + | [] -> List.rev acc 117 117 + | "" :: rest | "." :: rest -> resolve acc rest 118 118 + | ".." :: rest -> ( 119 119 + match acc with [] -> resolve [] rest | _ :: t -> resolve t rest) 120 120 + | part :: rest -> resolve (part :: acc) rest 121 121 + in 122 122 + String.concat "/" (resolve [] parts) 123 123 + 124 124 + let generate_etag ~size = Fmt.str "W/\"%x\"" size 125 125 + 126 126 + let try_serve_path ~root flow rel = 127 127 + let full = Eio.Path.(root / rel) in 128 128 + match Eio.Path.load full with 129 129 + | body -> 130 130 + let _, path_str = full in 131 131 + let etag = generate_etag ~size:(String.length body) in 132 132 + let ct = Magic_mime.lookup path_str in 133 133 + let h = 134 134 + Fmt.str 135 135 + "HTTP/1.1 200 OK\r\n\ 136 136 + Content-Type: %s\r\n\ 137 137 + Content-Length: %d\r\n\ 138 138 + ETag: %s\r\n\ 139 139 + Cache-Control: public, max-age=3600\r\n\ 140 140 + Access-Control-Allow-Origin: *\r\n\ 141 141 + Connection: close\r\n\ 142 142 + \r\n" 143 143 + ct (String.length body) etag 144 144 + in 145 145 + Eio.Flow.copy_string (h ^ body) flow; 146 146 + true 147 147 + | exception Eio.Io _ -> false 148 148 + | exception Sys_error _ -> false 149 149 + 150 150 + let serve_file ~root flow path = 151 151 + let clean = normalize_path path in 152 152 + if String.length clean > 1024 then send_response flow Response.not_found 153 153 + else if try_serve_path ~root flow clean then () 154 154 + else if try_serve_path ~root flow (clean ^ "/index.html") then () 155 155 + else if clean = "" && try_serve_path ~root flow "index.html" then () 156 156 + else send_response flow Response.not_found 157 157 + 158 158 + (* ── Request handling ─────────────────────────────────────────────── *) 159 159 + 160 160 + let match_route routes path = 161 161 + List.find_opt (fun (prefix, _) -> prefix = path) routes 162 162 + 163 163 + let handle ~root ~routes flow reader = 164 164 + let request_line = read_line reader in 165 165 + skip_headers reader; 166 166 + match String.split_on_char ' ' request_line with 167 167 + | [] -> 168 168 + Log.warn (fun m -> m "empty request line"); 169 169 + send_response flow (Response.bad_request "Bad Request") 170 170 + | meth_str :: rest -> ( 171 171 + let meth = Method.of_string meth_str in 172 172 + match (meth, rest) with 173 173 + | `OPTIONS, _ -> 174 174 + Log.debug (fun m -> m "OPTIONS (CORS preflight)"); 175 175 + send_cors flow 176 176 + | (`GET | `HEAD), url :: _ -> 177 177 + let path, params = parse_url url in 178 178 + begin match match_route routes path with 179 179 + | Some (_, handler) -> ( 180 180 + try 181 181 + let r = handler params in 182 182 + Log.info (fun m -> 183 183 + m "%s %s %a" meth_str path Status.pp_hum r.Response.status); 184 184 + send_response flow r 185 185 + with exn -> 186 186 + Log.err (fun m -> 187 187 + m "%s %s 500 %s" meth_str path (Printexc.to_string exn)); 188 188 + send_response flow 189 189 + (Response.internal_server_error (Printexc.to_string exn))) 190 190 + | None -> 191 191 + Log.info (fun m -> m "%s %s (static)" meth_str path); 192 192 + serve_file ~root flow path 193 193 + end 194 194 + | _ -> 195 195 + Log.warn (fun m -> m "%a 405" Method.pp meth); 196 196 + send_response flow Response.method_not_allowed) 197 197 + 198 198 + (* ── Server ───────────────────────────────────────────────────────── *) 199 199 + 200 200 + let run ~net ~port ~root ~routes = 201 201 + Log.info (fun m -> m "listening on http://0.0.0.0:%d" port); 202 202 + Eio.Switch.run @@ fun sw -> 203 203 + let addr = `Tcp (Eio.Net.Ipaddr.V4.any, port) in 204 204 + let sock = Eio.Net.listen ~sw ~backlog:128 ~reuse_addr:true net addr in 205 205 + while true do 206 206 + Eio.Net.accept_fork ~sw sock 207 207 + ~on_error:(fun exn -> 208 208 + Log.debug (fun m -> m "connection error: %s" (Printexc.to_string exn))) 209 209 + (fun flow _addr -> 210 210 + let reader = Eio.Buf_read.of_flow ~max_size:(1024 * 1024) flow in 211 211 + handle ~root ~routes flow reader) 212 212 + done

+102

lib/respond.mli

reviewed

··· 1 1 + (** Eio HTTP server with static file serving and route handlers. 2 2 + 3 3 + Reuses HTTP types ({!Status.t}, {!Method.t}) from [requests]. 4 4 + 5 5 + {2 Quick Start} 6 6 + 7 7 + {[ 8 8 + Eio_main.run @@ fun env -> 9 9 + let routes = 10 10 + [ 11 11 + ("/api/health", fun _params -> Respond.Response.json {|{"ok":true}|}); 12 12 + ] 13 13 + in 14 14 + Respond.run ~net:(Eio.Stdenv.net env) ~port:8080 15 15 + ~root:(Eio.Stdenv.cwd env) ~routes 16 16 + ]} *) 17 17 + 18 18 + (** {1 Types} *) 19 19 + 20 20 + type params = (string * string) list 21 21 + (** Query parameters as key-value pairs. *) 22 22 + 23 23 + (** HTTP responses. *) 24 24 + module Response : sig 25 25 + type t = { 26 26 + status : Status.t; 27 27 + content_type : string; 28 28 + body : string; 29 29 + headers : (string * string) list; 30 30 + } 31 31 + 32 32 + val v : 33 33 + ?headers:(string * string) list -> 34 34 + status:Status.t -> 35 35 + content_type:string -> 36 36 + string -> 37 37 + t 38 38 + (** General-purpose response constructor. *) 39 39 + 40 40 + val json : string -> t 41 41 + (** [json body] returns a 200 JSON response. *) 42 42 + 43 43 + val text : string -> t 44 44 + (** [text body] returns a 200 plain text response. *) 45 45 + 46 46 + val html : string -> t 47 47 + (** [html body] returns a 200 HTML response. *) 48 48 + 49 49 + val raw : status:Status.t -> content_type:string -> string -> t 50 50 + (** [raw ~status ~content_type body] returns a custom response. *) 51 51 + 52 52 + val not_found : t 53 53 + (** 404 Not Found. *) 54 54 + 55 55 + val bad_request : string -> t 56 56 + (** [bad_request msg] returns a 400 response. *) 57 57 + 58 58 + val method_not_allowed : t 59 59 + (** 405 Method Not Allowed. *) 60 60 + 61 61 + val internal_server_error : string -> t 62 62 + (** [internal_server_error msg] returns a 500 JSON error response. *) 63 63 + 64 64 + val redirect : string -> t 65 65 + (** [redirect url] returns a 302 redirect. *) 66 66 + end 67 67 + 68 68 + type route = string * (params -> Response.t) 69 69 + (** A route is a path paired with a handler. *) 70 70 + 71 71 + (** {1 URL and Path Utilities} *) 72 72 + 73 73 + val parse_url : string -> string * params 74 74 + (** [parse_url url] splits a request target into path and query parameters. Per 75 75 + RFC 7230 §5.3. *) 76 76 + 77 77 + val normalize_path : string -> string 78 78 + (** [normalize_path path] resolves [.] and [..] segments per RFC 3986 §5.2.4. 79 79 + Prevents directory traversal beyond root. *) 80 80 + 81 81 + val status_line : Status.t -> string 82 82 + (** [status_line status] returns ["CODE REASON"] for the HTTP status line. *) 83 83 + 84 84 + val generate_etag : size:int -> string 85 85 + (** [generate_etag ~size] returns a weak ETag based on content size. Per RFC 86 86 + 7232 §2.3. *) 87 87 + 88 88 + val match_route : route list -> string -> route option 89 89 + (** [match_route routes path] returns the first route matching [path] exactly, 90 90 + or [None]. *) 91 91 + 92 92 + (** {1 Running} *) 93 93 + 94 94 + val run : 95 95 + net:_ Eio.Net.t -> 96 96 + port:int -> 97 97 + root:Eio.Fs.dir_ty Eio.Path.t -> 98 98 + routes:route list -> 99 99 + unit 100 100 + (** [run ~net ~port ~root ~routes] starts the server. API [routes] are matched 101 101 + first; unmatched paths fall through to static file serving from [root]. 102 102 + Blocks until cancelled. *)

+23

respond.opam

reviewed

··· 1 1 + opam-version: "2.0" 2 2 + synopsis: "Eio HTTP server with static file serving and route handlers" 3 3 + description: """ 4 4 + Serves files from a document root with MIME detection, ETag 5 5 + conditional requests, and directory index. Supports custom route 6 6 + handlers for API endpoints. Reuses HTTP types from requests. 7 7 + """ 8 8 + maintainer: ["Thomas Gazagnaire <thomas@gazagnaire.org>"] 9 9 + authors: ["Thomas Gazagnaire <thomas@gazagnaire.org>"] 10 10 + license: "ISC" 11 11 + depends: [ 12 12 + "ocaml" {>= "5.1"} 13 13 + "dune" {>= "3.0"} 14 14 + "requests" 15 15 + "eio" 16 16 + "logs" 17 17 + "magic-mime" 18 18 + "fmt" 19 19 + ] 20 20 + build: [ 21 21 + ["dune" "subst"] {dev} 22 22 + ["dune" "build" "-p" name "-j" jobs] 23 23 + ]

+3

test/dune

reviewed

··· 1 1 + (test 2 2 + (name test_respond) 3 3 + (libraries respond alcotest))

+730

test/test_respond.ml

reviewed

··· 1 1 + (** RFC 7230–7235 compliance tests for respond. 2 2 + 3 3 + Test vectors derived from RFC 7230 (Message Syntax and Routing), RFC 7231 4 4 + (Semantics and Content), RFC 7232 (Conditional Requests), RFC 7233 (Range 5 5 + Requests), RFC 7234 (Caching), RFC 7235 (Auth). *) 6 6 + 7 7 + (* ── Helpers ───────────────────────────────────────────────────────── *) 8 8 + 9 9 + let check_string = Alcotest.(check string) 10 10 + let check_bool = Alcotest.(check bool) 11 11 + 12 12 + let check_status msg expected actual = 13 13 + Alcotest.(check int) msg (Status.to_int expected) (Status.to_int actual) 14 14 + 15 15 + let check_pair = 16 16 + let pp_pair ppf (a, b) = Fmt.pf ppf "(%S, %S)" a b in 17 17 + Alcotest.testable pp_pair ( = ) 18 18 + 19 19 + let check_params = Alcotest.(check (list check_pair)) 20 20 + 21 21 + (* ── URL parsing (RFC 7230 §5.3) ──────────────────────────────────── *) 22 22 + 23 23 + let test_parse_url_simple () = 24 24 + let path, params = Respond.parse_url "/index.html" in 25 25 + check_string "path" "/index.html" path; 26 26 + check_params "no params" [] params 27 27 + 28 28 + let test_parse_url_with_query () = 29 29 + let path, params = Respond.parse_url "/api/cdms?sort=pc&limit=10" in 30 30 + check_string "path" "/api/cdms" path; 31 31 + check_params "params" [ ("sort", "pc"); ("limit", "10") ] params 32 32 + 33 33 + let test_parse_url_empty_query () = 34 34 + let path, params = Respond.parse_url "/path?" in 35 35 + check_string "path" "/path" path; 36 36 + check_params "empty qs" [] params 37 37 + 38 38 + let test_parse_url_root () = 39 39 + let path, params = Respond.parse_url "/" in 40 40 + check_string "path" "/" path; 41 41 + check_params "no params" [] params 42 42 + 43 43 + let test_parse_url_key_only () = 44 44 + let path, params = Respond.parse_url "/search?q" in 45 45 + check_string "path" "/search" path; 46 46 + check_params "key only" [ ("q", "") ] params 47 47 + 48 48 + let test_parse_url_multiple_eq () = 49 49 + let path, params = Respond.parse_url "/f?a=1=2&b=3" in 50 50 + check_string "path" "/f" path; 51 51 + check_params "params" [ ("a", "1=2"); ("b", "3") ] params 52 52 + 53 53 + let test_parse_url_empty_pairs () = 54 54 + let _path, params = Respond.parse_url "/f?a=1&&b=2" in 55 55 + check_params "skip empty" [ ("a", "1"); ("b", "2") ] params 56 56 + 57 57 + let url_tests = 58 58 + [ 59 59 + ("simple path", `Quick, test_parse_url_simple); 60 60 + ("path with query", `Quick, test_parse_url_with_query); 61 61 + ("empty query string", `Quick, test_parse_url_empty_query); 62 62 + ("root path", `Quick, test_parse_url_root); 63 63 + ("query key no value", `Quick, test_parse_url_key_only); 64 64 + ("multiple equals", `Quick, test_parse_url_multiple_eq); 65 65 + ("empty pairs", `Quick, test_parse_url_empty_pairs); 66 66 + ] 67 67 + 68 68 + (* ── Path normalization (RFC 3986 §5.2.4) ─────────────────────────── *) 69 69 + 70 70 + let test_normalize_simple () = 71 71 + check_string "simple" "foo/bar" (Respond.normalize_path "/foo/bar") 72 72 + 73 73 + let test_normalize_trailing_slash () = 74 74 + check_string "trailing" "foo/bar" (Respond.normalize_path "/foo/bar/") 75 75 + 76 76 + let test_normalize_double_slash () = 77 77 + check_string "double slash" "foo/bar" (Respond.normalize_path "//foo//bar") 78 78 + 79 79 + let test_normalize_dot () = 80 80 + check_string "dot" "foo/bar" (Respond.normalize_path "/foo/./bar") 81 81 + 82 82 + let test_normalize_dotdot () = 83 83 + check_string "dotdot" "bar" (Respond.normalize_path "/foo/../bar") 84 84 + 85 85 + let test_normalize_dotdot_at_root () = 86 86 + check_string "dotdot root" "bar" (Respond.normalize_path "/../bar") 87 87 + 88 88 + let test_normalize_deep_traversal () = 89 89 + check_string "deep traversal" "evil" 90 90 + (Respond.normalize_path "/a/b/c/../../../../../../../evil") 91 91 + 92 92 + let test_normalize_only_dots () = 93 93 + check_string "only dots" "" (Respond.normalize_path "/../../..") 94 94 + 95 95 + let test_normalize_empty () = 96 96 + check_string "empty" "" (Respond.normalize_path "") 97 97 + 98 98 + let test_normalize_complex () = 99 99 + check_string "complex" "a/d" (Respond.normalize_path "/a/b/c/./../../d") 100 100 + 101 101 + let normalize_tests = 102 102 + [ 103 103 + ("simple", `Quick, test_normalize_simple); 104 104 + ("trailing slash", `Quick, test_normalize_trailing_slash); 105 105 + ("double slash", `Quick, test_normalize_double_slash); 106 106 + ("dot segment", `Quick, test_normalize_dot); 107 107 + ("dotdot segment", `Quick, test_normalize_dotdot); 108 108 + ("dotdot at root", `Quick, test_normalize_dotdot_at_root); 109 109 + ("deep traversal", `Quick, test_normalize_deep_traversal); 110 110 + ("only dots", `Quick, test_normalize_only_dots); 111 111 + ("empty path", `Quick, test_normalize_empty); 112 112 + ("complex path", `Quick, test_normalize_complex); 113 113 + ] 114 114 + 115 115 + (* ── Status line (RFC 7231 §6) ─────────────────────────────────────── *) 116 116 + 117 117 + let test_status_200 () = check_string "200" "200 OK" (Respond.status_line `OK) 118 118 + 119 119 + let test_status_206 () = 120 120 + check_string "206" "206 Partial Content" 121 121 + (Respond.status_line `Partial_content) 122 122 + 123 123 + let test_status_302 () = 124 124 + check_string "302" "302 Found" (Respond.status_line `Found) 125 125 + 126 126 + let test_status_304 () = 127 127 + check_string "304" "304 Not Modified" (Respond.status_line `Not_modified) 128 128 + 129 129 + let test_status_400 () = 130 130 + check_string "400" "400 Bad Request" (Respond.status_line `Bad_request) 131 131 + 132 132 + let test_status_403 () = 133 133 + check_string "403" "403 Forbidden" (Respond.status_line `Forbidden) 134 134 + 135 135 + let test_status_404 () = 136 136 + check_string "404" "404 Not Found" (Respond.status_line `Not_found) 137 137 + 138 138 + let test_status_405 () = 139 139 + check_string "405" "405 Method Not Allowed" 140 140 + (Respond.status_line `Method_not_allowed) 141 141 + 142 142 + let test_status_500 () = 143 143 + check_string "500" "500 Internal Server Error" 144 144 + (Respond.status_line `Internal_server_error) 145 145 + 146 146 + let test_status_418 () = 147 147 + check_string "418" "418 I'm a teapot" (Respond.status_line `I_m_a_teapot) 148 148 + 149 149 + let status_tests = 150 150 + [ 151 151 + ("200 OK", `Quick, test_status_200); 152 152 + ("206 Partial Content", `Quick, test_status_206); 153 153 + ("302 Found", `Quick, test_status_302); 154 154 + ("304 Not Modified", `Quick, test_status_304); 155 155 + ("400 Bad Request", `Quick, test_status_400); 156 156 + ("403 Forbidden", `Quick, test_status_403); 157 157 + ("404 Not Found", `Quick, test_status_404); 158 158 + ("405 Method Not Allowed", `Quick, test_status_405); 159 159 + ("500 Internal Server Error", `Quick, test_status_500); 160 160 + ("418 I'm a teapot", `Quick, test_status_418); 161 161 + ] 162 162 + 163 163 + (* ── Response module ───────────────────────────────────────────────── *) 164 164 + 165 165 + let test_response_json () = 166 166 + let r = Respond.Response.json {|{"ok":true}|} in 167 167 + check_status "status" `OK r.status; 168 168 + check_string "ct" "application/json" r.content_type; 169 169 + check_string "body" {|{"ok":true}|} r.body 170 170 + 171 171 + let test_response_text () = 172 172 + let r = Respond.Response.text "hello" in 173 173 + check_status "status" `OK r.status; 174 174 + check_string "ct" "text/plain" r.content_type 175 175 + 176 176 + let test_response_html () = 177 177 + let r = Respond.Response.html "<h1>hi</h1>" in 178 178 + check_status "status" `OK r.status; 179 179 + check_string "ct" "text/html; charset=utf-8" r.content_type 180 180 + 181 181 + let test_response_not_found () = 182 182 + check_status "status" `Not_found Respond.Response.not_found.status 183 183 + 184 184 + let test_response_bad_request () = 185 185 + let r = Respond.Response.bad_request "bad" in 186 186 + check_status "status" `Bad_request r.status 187 187 + 188 188 + let test_response_method_not_allowed () = 189 189 + check_status "status" `Method_not_allowed 190 190 + Respond.Response.method_not_allowed.status 191 191 + 192 192 + let test_response_redirect () = 193 193 + let r = Respond.Response.redirect "https://ssa.space/" in 194 194 + check_status "status" `Found r.status; 195 195 + check_bool "has location" true 196 196 + (List.exists (fun (k, _) -> k = "Location") r.headers) 197 197 + 198 198 + let test_response_raw () = 199 199 + let r = 200 200 + Respond.Response.raw ~status:`Created ~content_type:"text/xml" "<x/>" 201 201 + in 202 202 + check_status "status" `Created r.status; 203 203 + check_string "ct" "text/xml" r.content_type; 204 204 + check_string "body" "<x/>" r.body 205 205 + 206 206 + let test_response_v () = 207 207 + let r = 208 208 + Respond.Response.v ~status:`No_content ~content_type:"text/plain" 209 209 + ~headers:[ ("X-Custom", "yes") ] 210 210 + "" 211 211 + in 212 212 + check_status "status" `No_content r.status; 213 213 + check_bool "custom header" true 214 214 + (List.exists (fun (k, _) -> k = "X-Custom") r.headers) 215 215 + 216 216 + let response_tests = 217 217 + [ 218 218 + ("json", `Quick, test_response_json); 219 219 + ("text", `Quick, test_response_text); 220 220 + ("html", `Quick, test_response_html); 221 221 + ("not_found", `Quick, test_response_not_found); 222 222 + ("bad_request", `Quick, test_response_bad_request); 223 223 + ("method_not_allowed", `Quick, test_response_method_not_allowed); 224 224 + ("redirect", `Quick, test_response_redirect); 225 225 + ("raw", `Quick, test_response_raw); 226 226 + ("v with headers", `Quick, test_response_v); 227 227 + ] 228 228 + 229 229 + (* ── Method (RFC 7231 §4) ─────────────────────────────────────────── *) 230 230 + 231 231 + let test_method_of_string () = 232 232 + Alcotest.(check bool) "GET" true (Method.of_string "GET" = `GET); 233 233 + Alcotest.(check bool) "POST" true (Method.of_string "POST" = `POST); 234 234 + Alcotest.(check bool) "get" true (Method.of_string "get" = `GET); 235 235 + Alcotest.(check bool) "PATCH" true (Method.of_string "PATCH" = `PATCH) 236 236 + 237 237 + let test_method_unknown () = 238 238 + match Method.of_string "PROPFIND" with 239 239 + | `Other s -> check_string "unknown" "PROPFIND" s 240 240 + | _ -> Alcotest.fail "expected Other" 241 241 + 242 242 + let test_method_safe () = 243 243 + check_bool "GET safe" true (Method.is_safe `GET); 244 244 + check_bool "HEAD safe" true (Method.is_safe `HEAD); 245 245 + check_bool "POST not safe" false (Method.is_safe `POST); 246 246 + check_bool "DELETE not safe" false (Method.is_safe `DELETE) 247 247 + 248 248 + let test_method_idempotent () = 249 249 + check_bool "GET idemp" true (Method.is_idempotent `GET); 250 250 + check_bool "PUT idemp" true (Method.is_idempotent `PUT); 251 251 + check_bool "POST not idemp" false (Method.is_idempotent `POST); 252 252 + check_bool "PATCH not idemp" false (Method.is_idempotent `PATCH) 253 253 + 254 254 + let method_tests = 255 255 + [ 256 256 + ("of_string", `Quick, test_method_of_string); 257 257 + ("unknown method", `Quick, test_method_unknown); 258 258 + ("safe methods (RFC 7231 §4.2.1)", `Quick, test_method_safe); 259 259 + ("idempotent (RFC 7231 §4.2.2)", `Quick, test_method_idempotent); 260 260 + ] 261 261 + 262 262 + (* ── ETag generation (RFC 7232 §2.3) ──────────────────────────────── *) 263 263 + 264 264 + let test_etag_format () = 265 265 + let etag = Respond.generate_etag ~size:1024 in 266 266 + check_bool "starts with W/" true 267 267 + (String.length etag >= 3 && String.sub etag 0 3 = "W/\""); 268 268 + check_bool "ends with quote" true (etag.[String.length etag - 1] = '"') 269 269 + 270 270 + let test_etag_different_sizes () = 271 271 + let e1 = Respond.generate_etag ~size:100 in 272 272 + let e2 = Respond.generate_etag ~size:200 in 273 273 + check_bool "different sizes different etags" true (e1 <> e2) 274 274 + 275 275 + let test_etag_same_size () = 276 276 + let e1 = Respond.generate_etag ~size:100 in 277 277 + let e2 = Respond.generate_etag ~size:100 in 278 278 + check_string "same size same etag" e1 e2 279 279 + 280 280 + let etag_tests = 281 281 + [ 282 282 + ("weak format", `Quick, test_etag_format); 283 283 + ("different sizes", `Quick, test_etag_different_sizes); 284 284 + ("same size", `Quick, test_etag_same_size); 285 285 + ] 286 286 + 287 287 + (* ── MIME type detection (RFC 7231 §3.1.1.5) ──────────────────────── *) 288 288 + 289 289 + let test_mime_html () = 290 290 + check_string "html" "text/html" (Magic_mime.lookup "index.html") 291 291 + 292 292 + let test_mime_js () = 293 293 + check_string "js" "application/javascript" (Magic_mime.lookup "main.bc.js") 294 294 + 295 295 + let test_mime_css () = 296 296 + check_string "css" "text/css" (Magic_mime.lookup "style.css") 297 297 + 298 298 + let test_mime_json () = 299 299 + check_string "json" "application/json" (Magic_mime.lookup "data.json") 300 300 + 301 301 + let test_mime_jpg () = 302 302 + check_string "jpg" "image/jpeg" (Magic_mime.lookup "earth.jpg") 303 303 + 304 304 + let test_mime_png () = 305 305 + check_string "png" "image/png" (Magic_mime.lookup "icon.png") 306 306 + 307 307 + let test_mime_svg () = 308 308 + check_string "svg" "image/svg+xml" (Magic_mime.lookup "logo.svg") 309 309 + 310 310 + let test_mime_csv () = 311 311 + check_string "csv" "text/csv" (Magic_mime.lookup "data.csv") 312 312 + 313 313 + let test_mime_woff2 () = 314 314 + check_string "woff2" "font/woff2" (Magic_mime.lookup "font.woff2") 315 315 + 316 316 + let test_mime_unknown () = 317 317 + check_string "unknown" "application/octet-stream" 318 318 + (Magic_mime.lookup "file.xyz123") 319 319 + 320 320 + let mime_tests = 321 321 + [ 322 322 + ("html", `Quick, test_mime_html); 323 323 + ("js", `Quick, test_mime_js); 324 324 + ("css", `Quick, test_mime_css); 325 325 + ("json", `Quick, test_mime_json); 326 326 + ("jpg", `Quick, test_mime_jpg); 327 327 + ("png", `Quick, test_mime_png); 328 328 + ("svg", `Quick, test_mime_svg); 329 329 + ("csv", `Quick, test_mime_csv); 330 330 + ("woff2", `Quick, test_mime_woff2); 331 331 + ("unknown extension", `Quick, test_mime_unknown); 332 332 + ] 333 333 + 334 334 + (* ── Security: path traversal (OWASP) ─────────────────────────────── *) 335 335 + 336 336 + let test_traversal_basic () = 337 337 + check_string "basic .." "etc/passwd" (Respond.normalize_path "/../etc/passwd") 338 338 + 339 339 + let test_traversal_encoded () = 340 340 + check_string "dotdot mid" "etc/passwd" 341 341 + (Respond.normalize_path "/foo/../../etc/passwd") 342 342 + 343 343 + let test_traversal_deep () = 344 344 + check_string "deep" "etc/shadow" 345 345 + (Respond.normalize_path "/a/b/c/d/../../../../../../../../etc/shadow") 346 346 + 347 347 + let test_traversal_null () = 348 348 + let p = Respond.normalize_path "/foo/bar" in 349 349 + check_bool "clean path has no null" false (String.contains p '\x00') 350 350 + 351 351 + let test_traversal_mixed () = 352 352 + check_string "mixed" "a/b" (Respond.normalize_path "/a/./b/c/../") 353 353 + 354 354 + let security_tests = 355 355 + [ 356 356 + ("basic traversal", `Quick, test_traversal_basic); 357 357 + ("mid-path traversal", `Quick, test_traversal_encoded); 358 358 + ("deep traversal", `Quick, test_traversal_deep); 359 359 + ("null byte", `Quick, test_traversal_null); 360 360 + ("mixed dot segments", `Quick, test_traversal_mixed); 361 361 + ] 362 362 + 363 363 + (* ── Route matching ────────────────────────────────────────────────── *) 364 364 + 365 365 + let test_route_exact_match () = 366 366 + let routes : Respond.route list = 367 367 + [ 368 368 + ("/api/health", fun _ -> Respond.Response.json {|{"ok":true}|}); 369 369 + ("/api/cdms", fun _ -> Respond.Response.json "[]"); 370 370 + ] 371 371 + in 372 372 + check_bool "found" true (Respond.match_route routes "/api/health" <> None); 373 373 + check_bool "found 2" true (Respond.match_route routes "/api/cdms" <> None) 374 374 + 375 375 + let test_route_no_match () = 376 376 + let routes : Respond.route list = 377 377 + [ ("/api/health", fun _ -> Respond.Response.json "ok") ] 378 378 + in 379 379 + check_bool "not found" true (Respond.match_route routes "/api/unknown" = None) 380 380 + 381 381 + let test_route_no_prefix_match () = 382 382 + let routes : Respond.route list = 383 383 + [ ("/api", fun _ -> Respond.Response.json "ok") ] 384 384 + in 385 385 + check_bool "no prefix" true (Respond.match_route routes "/api/health" = None) 386 386 + 387 387 + let route_tests = 388 388 + [ 389 389 + ("exact match", `Quick, test_route_exact_match); 390 390 + ("no match", `Quick, test_route_no_match); 391 391 + ("no prefix match", `Quick, test_route_no_prefix_match); 392 392 + ] 393 393 + 394 394 + (* ── HTTP method semantics (RFC 7231 §4, RFC 9110) ─────────────────── *) 395 395 + 396 396 + (* Adapted from httpzo test_simple_get, test_post_with_body, 397 397 + test_unknown_method, test_http10, test_keep_alive *) 398 398 + 399 399 + let test_method_all_standard () = 400 400 + let methods = 401 401 + [ 402 402 + ("GET", `GET); 403 403 + ("HEAD", `HEAD); 404 404 + ("POST", `POST); 405 405 + ("PUT", `PUT); 406 406 + ("DELETE", `DELETE); 407 407 + ("CONNECT", `CONNECT); 408 408 + ("OPTIONS", `OPTIONS); 409 409 + ("TRACE", `TRACE); 410 410 + ("PATCH", `PATCH); 411 411 + ] 412 412 + in 413 413 + List.iter 414 414 + (fun (s, expected) -> 415 415 + let m = Method.of_string s in 416 416 + check_bool (Fmt.str "%s roundtrips" s) true (Method.equal m expected); 417 417 + check_string (Fmt.str "%s to_string" s) s (Method.to_string m)) 418 418 + methods 419 419 + 420 420 + let test_method_case_insensitive () = 421 421 + (* RFC 7230 §3.1.1: method is case-sensitive, but of_string normalizes *) 422 422 + check_bool "get" true (Method.of_string "get" = `GET); 423 423 + check_bool "Get" true (Method.of_string "Get" = `GET); 424 424 + check_bool "post" true (Method.of_string "post" = `POST) 425 425 + 426 426 + let test_method_unknown_roundtrip () = 427 427 + (* httpzo: test_unknown_method — PURGE is not standard *) 428 428 + let m = Method.of_string "PURGE" in 429 429 + (match m with 430 430 + | `Other s -> check_string "PURGE" "PURGE" s 431 431 + | _ -> Alcotest.fail "expected Other for PURGE"); 432 432 + let m2 = Method.of_string "PROPFIND" in 433 433 + match m2 with 434 434 + | `Other s -> check_string "PROPFIND" "PROPFIND" s 435 435 + | _ -> Alcotest.fail "expected Other for PROPFIND" 436 436 + 437 437 + let test_method_body_semantics () = 438 438 + (* RFC 9110 §9.3: body semantics per method *) 439 439 + check_bool "POST requires body" true 440 440 + (Method.request_body_semantics `POST = Method.Body_required); 441 441 + check_bool "PUT requires body" true 442 442 + (Method.request_body_semantics `PUT = Method.Body_required); 443 443 + check_bool "HEAD forbids body" true 444 444 + (Method.request_body_semantics `HEAD = Method.Body_forbidden); 445 445 + check_bool "TRACE forbids body" true 446 446 + (Method.request_body_semantics `TRACE = Method.Body_forbidden); 447 447 + check_bool "GET body optional" true 448 448 + (Method.request_body_semantics `GET = Method.Body_optional); 449 449 + check_bool "DELETE body optional" true 450 450 + (Method.request_body_semantics `DELETE = Method.Body_optional) 451 451 + 452 452 + let test_method_cacheable () = 453 453 + (* RFC 7231 §4.2.3 *) 454 454 + check_bool "GET cacheable" true (Method.is_cacheable `GET); 455 455 + check_bool "HEAD cacheable" true (Method.is_cacheable `HEAD); 456 456 + check_bool "POST cacheable" true (Method.is_cacheable `POST); 457 457 + check_bool "PUT not cacheable" false (Method.is_cacheable `PUT); 458 458 + check_bool "DELETE not cacheable" false (Method.is_cacheable `DELETE) 459 459 + 460 460 + let method_semantics_tests = 461 461 + [ 462 462 + ("all 9 standard methods", `Quick, test_method_all_standard); 463 463 + ("case insensitive", `Quick, test_method_case_insensitive); 464 464 + ("unknown roundtrip (PURGE/PROPFIND)", `Quick, test_method_unknown_roundtrip); 465 465 + ("body semantics (RFC 9110 §9.3)", `Quick, test_method_body_semantics); 466 466 + ("cacheable (RFC 7231 §4.2.3)", `Quick, test_method_cacheable); 467 467 + ] 468 468 + 469 469 + (* ── Status code coverage (RFC 7231 §6, adapted from httpzo) ──────── *) 470 470 + 471 471 + let test_status_informational () = 472 472 + check_string "100" "100 Continue" (Respond.status_line `Continue); 473 473 + check_string "101" "101 Switching Protocols" 474 474 + (Respond.status_line `Switching_protocols) 475 475 + 476 476 + let test_status_success () = 477 477 + check_string "200" "200 OK" (Respond.status_line `OK); 478 478 + check_string "201" "201 Created" (Respond.status_line `Created); 479 479 + check_string "204" "204 No Content" (Respond.status_line `No_content); 480 480 + check_string "206" "206 Partial Content" 481 481 + (Respond.status_line `Partial_content) 482 482 + 483 483 + let test_status_redirection () = 484 484 + check_string "301" "301 Moved Permanently" 485 485 + (Respond.status_line `Moved_permanently); 486 486 + check_string "302" "302 Found" (Respond.status_line `Found); 487 487 + check_string "304" "304 Not Modified" (Respond.status_line `Not_modified); 488 488 + check_string "307" "307 Temporary Redirect" 489 489 + (Respond.status_line `Temporary_redirect); 490 490 + check_string "308" "308 Permanent Redirect" 491 491 + (Respond.status_line `Permanent_redirect) 492 492 + 493 493 + let test_status_client_error () = 494 494 + check_string "400" "400 Bad Request" (Respond.status_line `Bad_request); 495 495 + check_string "401" "401 Unauthorized" (Respond.status_line `Unauthorized); 496 496 + check_string "403" "403 Forbidden" (Respond.status_line `Forbidden); 497 497 + check_string "404" "404 Not Found" (Respond.status_line `Not_found); 498 498 + check_string "405" "405 Method Not Allowed" 499 499 + (Respond.status_line `Method_not_allowed); 500 500 + check_string "409" "409 Conflict" (Respond.status_line `Conflict); 501 501 + check_string "413" "413 Payload Too Large" 502 502 + (Respond.status_line `Payload_too_large); 503 503 + check_string "416" "416 Range Not Satisfiable" 504 504 + (Respond.status_line `Range_not_satisfiable); 505 505 + check_string "429" "429 Too Many Requests" 506 506 + (Respond.status_line `Too_many_requests) 507 507 + 508 508 + let test_status_server_error () = 509 509 + check_string "500" "500 Internal Server Error" 510 510 + (Respond.status_line `Internal_server_error); 511 511 + check_string "502" "502 Bad Gateway" (Respond.status_line `Bad_gateway); 512 512 + check_string "503" "503 Service Unavailable" 513 513 + (Respond.status_line `Service_unavailable); 514 514 + check_string "504" "504 Gateway Timeout" 515 515 + (Respond.status_line `Gateway_timeout) 516 516 + 517 517 + let test_status_custom_code () = 518 518 + let s = Respond.status_line (`Code 599) in 519 519 + check_bool "custom code starts with 599" true 520 520 + (String.length s >= 3 && String.sub s 0 3 = "599") 521 521 + 522 522 + let test_status_roundtrip () = 523 523 + (* of_int -> to_int roundtrip for all standard codes *) 524 524 + let codes = 525 525 + [ 526 526 + 100; 527 527 + 101; 528 528 + 200; 529 529 + 201; 530 530 + 204; 531 531 + 206; 532 532 + 301; 533 533 + 302; 534 534 + 304; 535 535 + 307; 536 536 + 308; 537 537 + 400; 538 538 + 401; 539 539 + 403; 540 540 + 404; 541 541 + 405; 542 542 + 409; 543 543 + 413; 544 544 + 416; 545 545 + 429; 546 546 + 500; 547 547 + 502; 548 548 + 503; 549 549 + 504; 550 550 + ] 551 551 + in 552 552 + List.iter 553 553 + (fun code -> 554 554 + let s = Status.of_int code in 555 555 + let code' = Status.to_int s in 556 556 + Alcotest.(check int) (Fmt.str "roundtrip %d" code) code code') 557 557 + codes 558 558 + 559 559 + let status_coverage_tests = 560 560 + [ 561 561 + ("1xx informational", `Quick, test_status_informational); 562 562 + ("2xx success", `Quick, test_status_success); 563 563 + ("3xx redirection", `Quick, test_status_redirection); 564 564 + ("4xx client error", `Quick, test_status_client_error); 565 565 + ("5xx server error", `Quick, test_status_server_error); 566 566 + ("custom code", `Quick, test_status_custom_code); 567 567 + ("of_int/to_int roundtrip", `Quick, test_status_roundtrip); 568 568 + ] 569 569 + 570 570 + (* ── URL edge cases (RFC 7230 §5.3, RFC 3986) ─────────────────────── *) 571 571 + 572 572 + let test_url_fragment_ignored () = 573 573 + (* Fragments should not appear in request-target per RFC 7230 §5.1, 574 574 + but if present, parse_url sees them as part of query *) 575 575 + let path, _params = Respond.parse_url "/page#section" in 576 576 + check_string "path with fragment" "/page#section" path 577 577 + 578 578 + let test_url_encoded_chars () = 579 579 + let path, params = Respond.parse_url "/search?q=hello%20world" in 580 580 + check_string "path" "/search" path; 581 581 + check_params "encoded space" [ ("q", "hello%20world") ] params 582 582 + 583 583 + let test_url_empty_value () = 584 584 + let _path, params = Respond.parse_url "/f?key=" in 585 585 + check_params "empty value" [ ("key", "") ] params 586 586 + 587 587 + let test_url_multiple_same_key () = 588 588 + let _path, params = Respond.parse_url "/f?a=1&a=2&a=3" in 589 589 + check_params "multi key" [ ("a", "1"); ("a", "2"); ("a", "3") ] params 590 590 + 591 591 + let test_url_long_query () = 592 592 + let qs = String.make 1000 'x' in 593 593 + let url = "/f?" ^ qs in 594 594 + let path, params = Respond.parse_url url in 595 595 + check_string "path" "/f" path; 596 596 + check_bool "has param" true (List.length params = 1) 597 597 + 598 598 + let test_url_special_chars () = 599 599 + let _path, params = 600 600 + Respond.parse_url "/f?redirect=https://example.com/path&token=abc" 601 601 + in 602 602 + check_params "special chars" 603 603 + [ ("redirect", "https://example.com/path"); ("token", "abc") ] 604 604 + params 605 605 + 606 606 + let url_edge_tests = 607 607 + [ 608 608 + ("fragment in path", `Quick, test_url_fragment_ignored); 609 609 + ("percent-encoded chars", `Quick, test_url_encoded_chars); 610 610 + ("empty value", `Quick, test_url_empty_value); 611 611 + ("multiple same key", `Quick, test_url_multiple_same_key); 612 612 + ("long query string", `Quick, test_url_long_query); 613 613 + ("special chars in value", `Quick, test_url_special_chars); 614 614 + ] 615 615 + 616 616 + (* ── Security: header injection (RFC 7230 §3.5, httpzo bare_cr) ───── *) 617 617 + 618 618 + (* Adapted from httpzo test_bare_cr, test_ambiguous_framing *) 619 619 + 620 620 + let test_header_crlf_injection () = 621 621 + (* Headers module validates against CRLF injection *) 622 622 + let caught = ref false in 623 623 + (try 624 624 + ignore (Headers.add_string "X-Evil" "value\r\nInjected: yes" Headers.empty) 625 625 + with Headers.Invalid_header _ -> caught := true); 626 626 + check_bool "CRLF in value rejected" true !caught 627 627 + 628 628 + let test_header_name_injection () = 629 629 + let caught = ref false in 630 630 + (try ignore (Headers.add_string "X-Evil\r\n" "value" Headers.empty) 631 631 + with Headers.Invalid_header _ -> caught := true); 632 632 + check_bool "CRLF in name rejected" true !caught 633 633 + 634 634 + let test_header_case_insensitive () = 635 635 + let h = Headers.of_list [ ("Content-Type", "text/html") ] in 636 636 + check_bool "lowercase lookup" true 637 637 + (Headers.find (Header_name.of_string "content-type") h <> None); 638 638 + check_bool "uppercase lookup" true 639 639 + (Headers.find (Header_name.of_string "CONTENT-TYPE") h <> None) 640 640 + 641 641 + let test_header_multiple_values () = 642 642 + let h = Headers.of_list [ ("Accept", "text/html") ] in 643 643 + let h = Headers.add_string "Accept" "application/json" h in 644 644 + let values = Headers.all (Header_name.of_string "accept") h in 645 645 + Alcotest.(check int) "two values" 2 (List.length values) 646 646 + 647 647 + let header_security_tests = 648 648 + [ 649 649 + ( "CRLF in value rejected (RFC 7230 §3.5)", 650 650 + `Quick, 651 651 + test_header_crlf_injection ); 652 652 + ("CRLF in name rejected", `Quick, test_header_name_injection); 653 653 + ( "case-insensitive lookup (RFC 7230 §3.2)", 654 654 + `Quick, 655 655 + test_header_case_insensitive ); 656 656 + ("multiple values", `Quick, test_header_multiple_values); 657 657 + ] 658 658 + 659 659 + (* ── Response helpers ──────────────────────────────────────────────── *) 660 660 + 661 661 + let test_response_internal_error () = 662 662 + let r = Respond.Response.internal_server_error "db timeout" in 663 663 + check_status "status" `Internal_server_error r.status; 664 664 + check_string "ct" "application/json" r.content_type; 665 665 + check_bool "body has error" true (String.length r.body > 0) 666 666 + 667 667 + let test_response_bad_request_msg () = 668 668 + let r = Respond.Response.bad_request "missing field" in 669 669 + check_status "status" `Bad_request r.status; 670 670 + check_string "body" "missing field" r.body 671 671 + 672 672 + let test_response_v_custom_status () = 673 673 + let r = 674 674 + Respond.Response.v ~status:(`Code 204) ~content_type:"text/plain" "" 675 675 + in 676 676 + Alcotest.(check int) "status 204" 204 (Status.to_int r.status) 677 677 + 678 678 + let response_extra_tests = 679 679 + [ 680 680 + ("internal_server_error", `Quick, test_response_internal_error); 681 681 + ("bad_request with message", `Quick, test_response_bad_request_msg); 682 682 + ("v with custom code", `Quick, test_response_v_custom_status); 683 683 + ] 684 684 + 685 685 + (* ── Path normalization edge cases (RFC 3986 §5.4 examples) ──────── *) 686 686 + 687 687 + (* RFC 3986 §5.4 reference resolution examples *) 688 688 + 689 689 + let test_rfc3986_examples () = 690 690 + (* §5.4 Normal Examples (adapted for path-only resolution) *) 691 691 + check_string "a/b/c" "a/b/c" (Respond.normalize_path "/a/b/c"); 692 692 + check_string "a" "a" (Respond.normalize_path "/./a"); 693 693 + check_string "mid/6" "mid/6" (Respond.normalize_path "/mid/content=5/../6") 694 694 + 695 695 + let test_normalize_consecutive_dotdot () = 696 696 + check_string "consecutive" "" (Respond.normalize_path "/a/b/../../"); 697 697 + check_string "three levels" "" (Respond.normalize_path "/a/b/c/../../../") 698 698 + 699 699 + let test_normalize_unicode_path () = 700 700 + (* UTF-8 path segments should be preserved *) 701 701 + check_string "unicode" "café/résumé" (Respond.normalize_path "/café/résumé") 702 702 + 703 703 + let normalize_extra_tests = 704 704 + [ 705 705 + ("RFC 3986 §5.4 examples", `Quick, test_rfc3986_examples); 706 706 + ("consecutive dotdot", `Quick, test_normalize_consecutive_dotdot); 707 707 + ("unicode path segments", `Quick, test_normalize_unicode_path); 708 708 + ] 709 709 + 710 710 + (* ── Runner ────────────────────────────────────────────────────────── *) 711 711 + 712 712 + let () = 713 713 + Alcotest.run "respond" 714 714 + [ 715 715 + ("url-parsing (RFC 7230 §5.3)", url_tests); 716 716 + ("url-edge-cases (RFC 3986)", url_edge_tests); 717 717 + ("path-normalization (RFC 3986 §5.2.4)", normalize_tests); 718 718 + ("path-normalization-extra (RFC 3986 §5.4)", normalize_extra_tests); 719 719 + ("status-line (RFC 7231 §6)", status_tests); 720 720 + ("status-coverage (RFC 7231 §6)", status_coverage_tests); 721 721 + ("response", response_tests); 722 722 + ("response-extra", response_extra_tests); 723 723 + ("method (RFC 7231 §4)", method_tests); 724 724 + ("method-semantics (RFC 9110)", method_semantics_tests); 725 725 + ("etag (RFC 7232 §2.3)", etag_tests); 726 726 + ("mime (RFC 7231 §3.1.1.5)", mime_tests); 727 727 + ("security (OWASP)", security_tests); 728 728 + ("header-security (RFC 7230 §3.2-3.5)", header_security_tests); 729 729 + ("routing", route_tests); 730 730 + ]