CouchDB allows

only lowercase characters (a-z), digits (0-9), or any of the characters _, $, (, ), +, -, and / are allowed.

See also http://docs.couchdb.org/en/2.0.0/api/database/common.html#put--db

If you’re familiar with Regular Expressions, the rules above could be written as ^[a-z][a-z0-9_$()+/-]*$.

Instead of sanitizing a database name, we should throw an error for invalid database names.

We use the current cleanFilename in 3 places

1. set req.db:

   pouchdb-server/packages/node_modules/express-pouchdb/lib/utils.js

   Line 67 in 55aa193

   dbName = cleanFilename(dbName);

2. PUT :db and DELETE :db
3. rewrite: https://github.com/pouchdb/pouchdb-server/blob/master/packages/node_modules/express-pouchdb/lib/routes/rewrite.js#L35

I’m not sure how CouchDB behaves for the url rewiretes (3.), but for 1. and 2. I’m pretty sure CouchDB throws errors

Good point @gr2m I agree. We should throw errors. I'm also not 100% about 3 but I would default to throwing an error as well if we are unsure.

@garrensmith @nolanlawson @marten-de-vries I can just go ahead and fix it. Can you give me pointers regarding adding tests for it?

Sure thing, you can add tests in tests/express-pouchdb e.g. check out this one:

In general I am cool with just doing whatever CouchDB does. If it's a breaking change, then that's fine, we'll release 3.0.0.

okay, I tested against my local CouchDB 1.6 to see what errors we should return. Sending any request (with any http verb) which includes an invalid databas name returns 400 Bad Request with the body {"error":"illegal_database_name","reason":"Name: '_invalid'. Only lowercase characters (a-z), digits (0-9), and any of the characters _, $, (, ), +, -, and / are allowed. Must begin with a letter."} (where '_invalid' is the invalid database in the requested path)

Current pouchdb-server does not complain:

[info] DELETE /_invalid 200 - 127.0.0.1
[info] GET /_invalid 404 - 127.0.0.1

I’m looking into this now

there you go: #214