Merge branch 'develop'

README.md

@@ -46,20 +46,30 @@ deployment process requires the [Heroku Toolbelt] application.
 
 ### Step 2: Get *Mooch*
 
-- Obtain *Mooch* by one of the following methods:
-    - Clone the Git repository (`git clone git@github.com:eloquent/mooch.git`).
-    - Download the [latest release] and extract it.
-    - Install via NPM (`npm install mooch`).
+- Clone the Git repository (`git clone git@github.com:eloquent/mooch.git`).
 - Change into the *Mooch* root directory.
 
 ### Step 3: Create a Heroku app
 
 - Sign in with [Heroku Toolbelt][] (`heroku login`).
-- Create a new app with `heroku create` (must be in the *Mooch* root directory).
+- Create a new app with `heroku create`.
 
 ### Step 4: Configuration
 
-#### Step 4.1: Set up allowed and forbidden paths (optional)
+#### Step 4.1: Set up OAuth credentials
+
+Variables: **MOOCH_CONSUMER_KEY** and **MOOCH_CONSUMER_SECRET**.
+
+*Mooch* authenticates requests to the Twitter API using the [application-only
+authentication] method. This requires the consumer key and secret from the
+Twitter application created in [step 1].
+
+##### Example authentication configuration
+
+    heroku config:set MOOCH_CONSUMER_KEY=nQUZqUgo3lCAMBjBKPYRA
+    heroku config:set MOOCH_CONSUMER_SECRET=Na9zq5alYmit2iBIA8Wp04qyqiw3mH0tT9cdYVEcuM
+
+#### Step 4.2: (optional): Set up allowed and forbidden paths
 
 Variables: **MOOCH_ALLOW** and **MOOCH_DENY**.
 
@@ -91,22 +101,11 @@ This configuration would allow access to any user's timeline or statuses, with
 the exclusion of Justin Bieber.
 
     heroku config:set MOOCH_ALLOW='["^/1\\.1/statuses/user_timeline\\.json","^/1\\.1/statuses/show\\.json"]'
-    heroku config:set MOOCH_DENY='["justinbieber"]'
+    heroku config:set MOOCH_DENY='["\\bscreen_name=justinbieber\\b"]'
 
-#### Step 4.2 Set up OAuth credentials
-
-Variables: **MOOCH_CONSUMER_KEY** and **MOOCH_CONSUMER_SECRET**.
-
-*Mooch* authenticates requests to the Twitter API using the [application-only
-authentication] method. This requires the consumer key and secret from the
-Twitter application created in [step 1].
-
-##### Example authentication configuration
-
-    heroku config:set MOOCH_CONSUMER_KEY=nQUZqUgo3lCAMBjBKPYRA
-    heroku config:set MOOCH_CONSUMER_SECRET=Na9zq5alYmit2iBIA8Wp04qyqiw3mH0tT9cdYVEcuM
+### Step 5: Deploy
 
-### Setup complete
+- `git push heroku master`
 
 The new *Mooch* service should now be ready for use. Check the [Heroku
 dashboard] for the service's location.

src/Server.coffee

@@ -7,6 +7,8 @@ For the full copyright and license information, please view the LICENSE
 file that was distributed with this source code.
 ###
 
+querystring = require 'querystring'
+url = require 'url'
 util = require 'util'
 Logger = require './Logger'
 
@@ -116,11 +118,15 @@ module.exports = class Server
     new Buffer(encodedRequestPair).toString 'base64'
 
   _requestAllowed: (request) ->
+    uriParts = url.parse request.url
+    normalizedUri = url.format
+      pathname: decodeURIComponent uriParts.pathname
+      search: querystring.stringify querystring.parse uriParts.query
     allowMatched = @_options.allow.length < 1
     for pattern in @_options.allow
-      if request.url.match pattern
+      if normalizedUri.match pattern
         allowMatched = true
         break
     return false if !allowMatched
-    return false for pattern in @_options.deny when request.url.match pattern
+    return false for pattern in @_options.deny when normalizedUri.match pattern
     return true

test/Server.test.coffee

@@ -262,10 +262,10 @@ suite 'Server', =>
 
     test 'does not allow paths matching the deny rules', (done) =>
       options =
-        uri: util.format 'http://localhost:%d/path/to/bar', @port
+        uri: util.format 'http://localhost:%d/path/to/%62%61%72', @port
 
       request options, (error, response, body) =>
         assert.isNull error
-        sinon.assert.calledWith @logger.log, 'request', '%s "%s %s HTTP/%s" 403 -', '127.0.0.1', 'GET', '/path/to/bar', '1.1'
+        sinon.assert.calledWith @logger.log, 'request', '%s "%s %s HTTP/%s" 403 -', '127.0.0.1', 'GET', '/path/to/%62%61%72', '1.1'
         assert.strictEqual body, '{"errors":[{"message":"Forbidden.","code":64}]}'
         done()