refactored server

2018-02-06 14:31:18 -08:00 · 2018-02-06 14:31:18 -08:00 · 3fd2537311
parent 6d470b8eba
commit 3fd2537311
36 changed files with 2944 additions and 792 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -6,3 +6,4 @@ assets
 docs
 public
 test
+coverage
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,6 @@
 node_modules
+coverage
 dist
 .idea
+.DS_Store
+.nyc_output
--- a/circle.yml
+++ b/circle.yml
@ -4,13 +4,6 @@ machine:
  services:
    - docker
    - redis
-  environment:
-    PATH: "/home/ubuntu/send/firefox:$PATH"
-
-dependencies:
-  pre:
-    - npm i -g get-firefox geckodriver nsp
-    - get-firefox --platform linux --extract --target /home/ubuntu/send

 deployment:
  latest:
@ -31,5 +24,5 @@ test:
  override:
    - npm run build
    - npm run lint
-    - npm test
+    - npm run test:ci
    - nsp check
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -24,8 +24,10 @@
    "contributors": "git shortlog -s | awk -F\\t '{print $2}' > CONTRIBUTORS",
    "release": "npm-run-all contributors changelog",
    "test": "mocha test/unit",
+    "test:ci": "nyc mocha --reporter=min test/unit",
    "start": "cross-env NODE_ENV=development webpack-dev-server",
-    "prod": "node server/prod.js"
+    "prod": "node server/prod.js",
+    "cover": "nyc --reporter=html mocha test/unit"
  },
  "lint-staged": {
    "*.js": [
@ -39,6 +41,12 @@
      "git add"
    ]
  },
+  "nyc": {
+    "reporter": [
+      "text-summary"
+    ],
+    "cache": true
+  },
  "engines": {
    "node": ">=8.2.0"
  },
@ -73,11 +81,13 @@
    "mocha": "^5.0.0",
    "nanobus": "^4.3.2",
    "npm-run-all": "^4.1.2",
+    "nsp": "^3.1.0",
+    "nyc": "^11.4.1",
    "postcss-loader": "^2.1.0",
    "prettier": "^1.10.2",
    "proxyquire": "^1.8.0",
    "raven-js": "^3.22.1",
-    "redis-mock": "^0.20.0",
+    "redis-mock": "^0.21.0",
    "require-from-string": "^2.0.1",
    "rimraf": "^2.6.2",
    "selenium-webdriver": "^3.6.0",
--- a/server/languages.js
+++ b/server/languages.js
@ -1,16 +0,0 @@
-const { availableLanguages } = require('../package.json');
-const config = require('./config');
-const fs = require('fs');
-const path = require('path');
-
-function allLangs() {
-  return fs.readdirSync(
-    path.join(__dirname, '..', 'dist', 'public', 'locales')
-  );
-}
-
-if (config.l10n_dev) {
-  module.exports = allLangs();
-} else {
-  module.exports = availableLanguages;
-}
--- a/server/metadata.js
+++ b/server/metadata.js
@ -0,0 +1,13 @@
+class Metadata {
+  constructor(obj) {
+    this.dl = +obj.dl || 0;
+    this.dlimit = +obj.dlimit || 1;
+    this.pwd = String(obj.pwd) === 'true';
+    this.owner = obj.owner;
+    this.metadata = obj.metadata;
+    this.auth = obj.auth;
+    this.nonce = obj.nonce;
+  }
+}
+
+module.exports = Metadata;
--- a/server/middleware/auth.js
+++ b/server/middleware/auth.js
@ -0,0 +1,38 @@
+const crypto = require('crypto');
+const storage = require('../storage');
+
+module.exports = async function(req, res, next) {
+  const id = req.params.id;
+  if (id && req.header('Authorization')) {
+    try {
+      const auth = req.header('Authorization').split(' ')[1];
+      const meta = await storage.metadata(id);
+      if (!meta) {
+        return res.sendStatus(404);
+      }
+      const hmac = crypto.createHmac(
+        'sha256',
+        Buffer.from(meta.auth, 'base64')
+      );
+      hmac.update(Buffer.from(meta.nonce, 'base64'));
+      const verifyHash = hmac.digest();
+      if (verifyHash.equals(Buffer.from(auth, 'base64'))) {
+        req.nonce = crypto.randomBytes(16).toString('base64');
+        storage.setField(id, 'nonce', req.nonce);
+        res.set('WWW-Authenticate', `send-v1 ${req.nonce}`);
+        req.authorized = true;
+        req.meta = meta;
+      } else {
+        res.set('WWW-Authenticate', `send-v1 ${meta.nonce}`);
+        req.authorized = false;
+      }
+    } catch (e) {
+      req.authorized = false;
+    }
+  }
+  if (req.authorized) {
+    next();
+  } else {
+    res.sendStatus(401);
+  }
+};
--- a/server/middleware/language.js
+++ b/server/middleware/language.js
@ -0,0 +1,40 @@
+const { availableLanguages } = require('../../package.json');
+const config = require('../config');
+const fs = require('fs');
+const path = require('path');
+const { negotiateLanguages } = require('fluent-langneg');
+const langData = require('cldr-core/supplemental/likelySubtags.json');
+const acceptLanguages = /(([a-zA-Z]+(-[a-zA-Z0-9]+){0,2})|\*)(;q=[0-1](\.[0-9]+)?)?/g;
+
+function allLangs() {
+  return fs.readdirSync(
+    path.join(__dirname, '..', '..', 'dist', 'public', 'locales')
+  );
+}
+
+const languages = config.l10n_dev ? allLangs() : availableLanguages;
+
+module.exports = function(req, res, next) {
+  const header = req.headers['accept-language'] || 'en-US';
+  if (header.length > 255) {
+    req.language = 'en-US';
+    return next();
+  }
+  const langs = header.replace(/\s/g, '').match(acceptLanguages);
+  const preferred = langs
+    .map(l => {
+      const parts = l.split(';');
+      return {
+        locale: parts[0],
+        q: parts[1] ? parseFloat(parts[1].split('=')[1]) : 1
+      };
+    })
+    .sort((a, b) => b.q - a.q)
+    .map(x => x.locale);
+  req.language = negotiateLanguages(preferred, languages, {
+    strategy: 'lookup',
+    likelySubtags: langData.supplemental.likelySubtags,
+    defaultLocale: 'en-US'
+  })[0];
+  next();
+};
--- a/server/middleware/owner.js
+++ b/server/middleware/owner.js
@ -0,0 +1,22 @@
+const storage = require('../storage');
+
+module.exports = async function(req, res, next) {
+  const id = req.params.id;
+  const ownerToken = req.body.owner_token;
+  if (id && ownerToken) {
+    try {
+      req.meta = await storage.metadata(id);
+      if (!req.meta) {
+        return res.sendStatus(404);
+      }
+      req.authorized = req.meta.owner === ownerToken;
+    } catch (e) {
+      req.authorized = false;
+    }
+  }
+  if (req.authorized) {
+    next();
+  } else {
+    res.sendStatus(401);
+  }
+};
--- a/server/routes/delete.js
+++ b/server/routes/delete.js
@ -1,20 +1,9 @@
 const storage = require('../storage');

 module.exports = async function(req, res) {
-  const id = req.params.id;
-
-  const ownerToken = req.body.owner_token || req.body.delete_token;
-
-  if (!ownerToken) {
-    res.sendStatus(404);
-    return;
-  }
-
  try {
-    const err = await storage.delete(id, ownerToken);
-    if (!err) {
-      res.sendStatus(200);
-    }
+    await storage.del(req.params.id);
+    res.sendStatus(200);
  } catch (e) {
    res.sendStatus(404);
  }
--- a/server/routes/download.js
+++ b/server/routes/download.js
@ -1,39 +1,26 @@
 const storage = require('../storage');
 const mozlog = require('../log');
 const log = mozlog('send.download');
-const crypto = require('crypto');

 module.exports = async function(req, res) {
  const id = req.params.id;
-
  try {
-    const auth = req.header('Authorization').split(' ')[1];
-    const meta = await storage.metadata(id);
-    const hmac = crypto.createHmac('sha256', Buffer.from(meta.auth, 'base64'));
-    hmac.update(Buffer.from(meta.nonce, 'base64'));
-    const verifyHash = hmac.digest();
-    if (!verifyHash.equals(Buffer.from(auth, 'base64'))) {
-      res.set('WWW-Authenticate', `send-v1 ${meta.nonce}`);
-      return res.sendStatus(401);
-    }
-    const nonce = crypto.randomBytes(16).toString('base64');
-    storage.setField(id, 'nonce', nonce);
+    const meta = req.meta;
    const contentLength = await storage.length(id);
    res.writeHead(200, {
      'Content-Disposition': 'attachment',
      'Content-Type': 'application/octet-stream',
      'Content-Length': contentLength,
-      'X-File-Metadata': meta.metadata,
-      'WWW-Authenticate': `send-v1 ${nonce}`
+      'WWW-Authenticate': `send-v1 ${req.nonce}`
    });
    const file_stream = storage.get(id);

    file_stream.on('end', async () => {
-      const dl = (+meta.dl || 0) + 1;
-      const dlimit = +meta.dlimit || 1;
+      const dl = meta.dl + 1;
+      const dlimit = meta.dlimit;
      try {
        if (dl >= dlimit) {
-          await storage.forceDelete(id);
+          await storage.del(id);
        } else {
          await storage.setField(id, 'dl', dl);
        }
@ -41,7 +28,6 @@ module.exports = async function(req, res) {
        log.info('StorageError:', id);
      }
    });
-
    file_stream.pipe(res);
  } catch (e) {
    res.sendStatus(404);
--- a/server/routes/exists.js
+++ b/server/routes/exists.js
@ -1,13 +1,11 @@
 const storage = require('../storage');

 module.exports = async (req, res) => {
-  const id = req.params.id;
-
  try {
-    const meta = await storage.metadata(id);
+    const meta = await storage.metadata(req.params.id);
    res.set('WWW-Authenticate', `send-v1 ${meta.nonce}`);
    res.send({
-      password: meta.pwd !== '0'
+      password: meta.pwd
    });
  } catch (e) {
    res.sendStatus(404);
--- a/server/routes/index.js
+++ b/server/routes/index.js
@ -1,41 +1,22 @@
 const busboy = require('connect-busboy');
 const helmet = require('helmet');
 const bodyParser = require('body-parser');
-const languages = require('../languages');
 const storage = require('../storage');
 const config = require('../config');
+const auth = require('../middleware/auth');
+const owner = require('../middleware/owner');
+const language = require('../middleware/language');
 const pages = require('./pages');
-const { negotiateLanguages } = require('fluent-langneg');
+
 const IS_DEV = config.env === 'development';
-const acceptLanguages = /(([a-zA-Z]+(-[a-zA-Z0-9]+){0,2})|\*)(;q=[0-1](\.[0-9]+)?)?/g;
-const langData = require('cldr-core/supplemental/likelySubtags.json');
-const idregx = '([0-9a-fA-F]{10})';
+const ID_REGEX = '([0-9a-fA-F]{10})';
+const uploader = busboy({
+  limits: {
+    fileSize: config.max_file_size
+  }
+});

 module.exports = function(app) {
-  app.use(function(req, res, next) {
-    const header = req.headers['accept-language'] || 'en-US';
-    if (header.length > 255) {
-      req.language = 'en-US';
-      return next();
-    }
-    const langs = header.replace(/\s/g, '').match(acceptLanguages);
-    const preferred = langs
-      .map(l => {
-        const parts = l.split(';');
-        return {
-          locale: parts[0],
-          q: parts[1] ? parseFloat(parts[1].split('=')[1]) : 1
-        };
-      })
-      .sort((a, b) => b.q - a.q)
-      .map(x => x.locale);
-    req.language = negotiateLanguages(preferred, languages, {
-      strategy: 'lookup',
-      likelySubtags: langData.supplemental.likelySubtags,
-      defaultLocale: 'en-US'
-    })[0];
-    next();
-  });
  app.use(helmet());
  app.use(
    helmet.hsts({
@ -69,34 +50,27 @@ module.exports = function(app) {
      })
    );
  }
-  app.use(
-    busboy({
-      limits: {
-        fileSize: config.max_file_size
-      }
-    })
-  );
  app.use(function(req, res, next) {
    res.set('Pragma', 'no-cache');
    res.set('Cache-Control', 'no-cache');
    next();
  });
  app.use(bodyParser.json());
-  app.get('/', pages.index);
-  app.get('/legal', pages.legal);
+  app.get('/', language, pages.index);
+  app.get('/legal', language, pages.legal);
  app.get('/jsconfig.js', require('./jsconfig'));
-  app.get(`/share/:id${idregx}`, pages.blank);
-  app.get(`/download/:id${idregx}`, pages.download);
-  app.get('/completed', pages.blank);
-  app.get('/unsupported/:reason', pages.unsupported);
-  app.get(`/api/download/:id${idregx}`, require('./download'));
-  app.get(`/api/exists/:id${idregx}`, require('./exists'));
-  app.get(`/api/metadata/:id${idregx}`, require('./metadata'));
-  app.post('/api/upload', require('./upload'));
-  app.post(`/api/delete/:id${idregx}`, require('./delete'));
-  app.post(`/api/password/:id${idregx}`, require('./password'));
-  app.post(`/api/params/:id${idregx}`, require('./params'));
-  app.post(`/api/info/:id${idregx}`, require('./info'));
+  app.get(`/share/:id${ID_REGEX}`, language, pages.blank);
+  app.get(`/download/:id${ID_REGEX}`, language, pages.download);
+  app.get('/completed', language, pages.blank);
+  app.get('/unsupported/:reason', language, pages.unsupported);
+  app.get(`/api/download/:id${ID_REGEX}`, auth, require('./download'));
+  app.get(`/api/exists/:id${ID_REGEX}`, require('./exists'));
+  app.get(`/api/metadata/:id${ID_REGEX}`, auth, require('./metadata'));
+  app.post('/api/upload', uploader, require('./upload'));
+  app.post(`/api/delete/:id${ID_REGEX}`, owner, require('./delete'));
+  app.post(`/api/password/:id${ID_REGEX}`, owner, require('./password'));
+  app.post(`/api/params/:id${ID_REGEX}`, owner, require('./params'));
+  app.post(`/api/info/:id${ID_REGEX}`, owner, require('./info'));

  app.get('/__version__', function(req, res) {
    res.sendFile(require.resolve('../../dist/version.json'));
--- a/server/routes/info.js
+++ b/server/routes/info.js
@ -1,21 +1,11 @@
 const storage = require('../storage');

 module.exports = async function(req, res) {
-  const id = req.params.id;
-  const ownerToken = req.body.owner_token;
-  if (!ownerToken) {
-    return res.sendStatus(400);
-  }
-
  try {
-    const meta = await storage.metadata(id);
-    if (meta.owner !== ownerToken) {
-      return res.sendStatus(400);
-    }
-    const ttl = await storage.ttl(id);
+    const ttl = await storage.ttl(req.params.id);
    return res.send({
-      dlimit: +meta.dlimit,
-      dtotal: +meta.dl,
+      dlimit: +req.meta.dlimit,
+      dtotal: +req.meta.dl,
      ttl
    });
  } catch (e) {
--- a/server/routes/metadata.js
+++ b/server/routes/metadata.js
@ -1,28 +1,14 @@
 const storage = require('../storage');
-const crypto = require('crypto');

 module.exports = async function(req, res) {
  const id = req.params.id;
-
+  const meta = req.meta;
  try {
-    const auth = req.header('Authorization').split(' ')[1];
-    const meta = await storage.metadata(id);
-    const hmac = crypto.createHmac('sha256', Buffer.from(meta.auth, 'base64'));
-    hmac.update(Buffer.from(meta.nonce, 'base64'));
-    const verifyHash = hmac.digest();
-    if (!verifyHash.equals(Buffer.from(auth, 'base64'))) {
-      res.set('WWW-Authenticate', `send-v1 ${meta.nonce}`);
-      return res.sendStatus(401);
-    }
-    const nonce = crypto.randomBytes(16).toString('base64');
-    storage.setField(id, 'nonce', nonce);
-    res.set('WWW-Authenticate', `send-v1 ${nonce}`);
-
    const size = await storage.length(id);
    const ttl = await storage.ttl(id);
    res.send({
      metadata: meta.metadata,
-      finalDownload: +meta.dl + 1 === +meta.dlimit,
+      finalDownload: meta.dl + 1 === meta.dlimit,
      size,
      ttl
    });
--- a/server/routes/params.js
+++ b/server/routes/params.js
@ -1,23 +1,13 @@
 const storage = require('../storage');

-module.exports = async function(req, res) {
-  const id = req.params.id;
-  const ownerToken = req.body.owner_token;
-  if (!ownerToken) {
-    return res.sendStatus(400);
-  }
-
+module.exports = function(req, res) {
  const dlimit = req.body.dlimit;
  if (!dlimit || dlimit > 20) {
    return res.sendStatus(400);
  }

  try {
-    const meta = await storage.metadata(id);
-    if (meta.owner !== ownerToken) {
-      return res.sendStatus(400);
-    }
-    storage.setField(id, 'dlimit', dlimit);
+    storage.setField(req.params.id, 'dlimit', dlimit);
    res.sendStatus(200);
  } catch (e) {
    res.sendStatus(404);
--- a/server/routes/password.js
+++ b/server/routes/password.js
@ -1,23 +1,15 @@
 const storage = require('../storage');

-module.exports = async function(req, res) {
+module.exports = function(req, res) {
  const id = req.params.id;
-  const ownerToken = req.body.owner_token;
-  if (!ownerToken) {
-    return res.sendStatus(404);
-  }
  const auth = req.body.auth;
  if (!auth) {
    return res.sendStatus(400);
  }

  try {
-    const meta = await storage.metadata(id);
-    if (meta.owner !== ownerToken) {
-      return res.sendStatus(404);
-    }
    storage.setField(id, 'auth', auth);
-    storage.setField(id, 'pwd', 1);
+    storage.setField(id, 'pwd', true);
    res.sendStatus(200);
  } catch (e) {
    return res.sendStatus(404);
--- a/server/routes/upload.js
+++ b/server/routes/upload.js
@ -14,12 +14,8 @@ module.exports = function(req, res) {
  }
  const owner = crypto.randomBytes(10).toString('hex');
  const meta = {
-    dlimit: 1,
-    dl: 0,
    owner,
-    delete: owner, // delete is deprecated
    metadata,
-    pwd: 0,
    auth: auth.split(' ')[1],
    nonce: crypto.randomBytes(16).toString('base64')
  };
@ -47,7 +43,7 @@ module.exports = function(req, res) {

  req.on('close', async err => {
    try {
-      await storage.forceDelete(newId);
+      await storage.del(newId);
    } catch (e) {
      log.info('DeleteError:', newId);
    }
--- a/server/storage.js
+++ b/server/storage.js
@ -1,285 +0,0 @@
-const AWS = require('aws-sdk');
-const s3 = new AWS.S3();
-const mkdirp = require('mkdirp');
-
-const config = require('./config');
-const fs = require('fs');
-const path = require('path');
-
-const mozlog = require('./log');
-
-const log = mozlog('send.storage');
-
-const redis_lib =
-  config.env === 'development' && config.redis_host === 'localhost'
-    ? 'redis-mock'
-    : 'redis';
-
-const redis = require(redis_lib);
-const redis_client = redis.createClient({
-  host: config.redis_host,
-  connect_timeout: 10000
-});
-
-redis_client.on('error', err => {
-  log.error('Redis:', err);
-});
-
-const fileDir = config.file_dir;
-
-if (config.s3_bucket) {
-  module.exports = {
-    exists: exists,
-    ttl: ttl,
-    length: awsLength,
-    get: awsGet,
-    set: awsSet,
-    setField: setField,
-    delete: awsDelete,
-    forceDelete: awsForceDelete,
-    ping: awsPing,
-    flushall: flushall,
-    quit: quit,
-    metadata
-  };
-} else {
-  mkdirp.sync(config.file_dir);
-  log.info('fileDir', fileDir);
-  module.exports = {
-    exists: exists,
-    ttl: ttl,
-    length: localLength,
-    get: localGet,
-    set: localSet,
-    setField: setField,
-    delete: localDelete,
-    forceDelete: localForceDelete,
-    ping: localPing,
-    flushall: flushall,
-    quit: quit,
-    metadata
-  };
-}
-
-if (config.redis_event_expire) {
-  const forceDelete = config.s3_bucket ? awsForceDelete : localForceDelete;
-  const redis_sub = redis_client.duplicate();
-  const subKey = '__keyevent@0__:expired';
-  redis_sub.psubscribe(subKey, function() {
-    log.info('Redis:', 'subscribed to expired key events');
-  });
-
-  redis_sub.on('pmessage', function(channel, message, id) {
-    log.info('RedisExpired:', id);
-    forceDelete(id);
-  });
-}
-
-function flushall() {
-  redis_client.flushdb();
-}
-
-function quit() {
-  redis_client.quit();
-}
-
-function metadata(id) {
-  return new Promise((resolve, reject) => {
-    redis_client.hgetall(id, (err, reply) => {
-      if (err || !reply) {
-        return reject(err);
-      }
-      resolve(reply);
-    });
-  });
-}
-
-function ttl(id) {
-  return new Promise((resolve, reject) => {
-    redis_client.ttl(id, (err, reply) => {
-      if (err || !reply) {
-        return reject(err);
-      }
-      resolve(reply * 1000);
-    });
-  });
-}
-
-function exists(id) {
-  return new Promise((resolve, reject) => {
-    redis_client.exists(id, (rediserr, reply) => {
-      if (reply === 1 && !rediserr) {
-        resolve();
-      } else {
-        reject(rediserr);
-      }
-    });
-  });
-}
-
-function setField(id, key, value) {
-  redis_client.hset(id, key, value);
-}
-
-function localLength(id) {
-  return new Promise((resolve, reject) => {
-    try {
-      resolve(fs.statSync(path.join(fileDir, id)).size);
-    } catch (err) {
-      reject();
-    }
-  });
-}
-
-function localGet(id) {
-  return fs.createReadStream(path.join(fileDir, id));
-}
-
-function localSet(newId, file, meta) {
-  return new Promise((resolve, reject) => {
-    const filepath = path.join(fileDir, newId);
-    const fstream = fs.createWriteStream(filepath);
-    file.pipe(fstream);
-    file.on('limit', () => {
-      file.unpipe(fstream);
-      fstream.destroy(new Error('limit'));
-    });
-    fstream.on('finish', () => {
-      redis_client.hmset(newId, meta);
-      redis_client.expire(newId, config.expire_seconds);
-      log.info('localSet:', 'Upload Finished of ' + newId);
-      resolve(meta.owner);
-    });
-
-    fstream.on('error', err => {
-      log.error('localSet:', 'Failed upload of ' + newId);
-      fs.unlinkSync(filepath);
-      reject(err);
-    });
-  });
-}
-
-function localDelete(id, ownerToken) {
-  return new Promise((resolve, reject) => {
-    redis_client.hget(id, 'delete', (err, reply) => {
-      if (!reply || ownerToken !== reply) {
-        reject();
-      } else {
-        redis_client.del(id);
-        log.info('Deleted:', id);
-        resolve(fs.unlinkSync(path.join(fileDir, id)));
-      }
-    });
-  });
-}
-
-function localForceDelete(id) {
-  return new Promise((resolve, reject) => {
-    redis_client.del(id);
-    resolve(fs.unlinkSync(path.join(fileDir, id)));
-  });
-}
-
-function localPing() {
-  return new Promise((resolve, reject) => {
-    redis_client.ping(err => {
-      return err ? reject() : resolve();
-    });
-  });
-}
-
-function awsLength(id) {
-  const params = {
-    Bucket: config.s3_bucket,
-    Key: id
-  };
-  return new Promise((resolve, reject) => {
-    s3.headObject(params, function(err, data) {
-      if (!err) {
-        resolve(data.ContentLength);
-      } else {
-        reject();
-      }
-    });
-  });
-}
-
-function awsGet(id) {
-  const params = {
-    Bucket: config.s3_bucket,
-    Key: id
-  };
-
-  try {
-    return s3.getObject(params).createReadStream();
-  } catch (err) {
-    return null;
-  }
-}
-
-function awsSet(newId, file, meta) {
-  const params = {
-    Bucket: config.s3_bucket,
-    Key: newId,
-    Body: file
-  };
-  let hitLimit = false;
-  const upload = s3.upload(params);
-  file.on('limit', () => {
-    hitLimit = true;
-    upload.abort();
-  });
-  return upload.promise().then(
-    () => {
-      redis_client.hmset(newId, meta);
-      redis_client.expire(newId, config.expire_seconds);
-    },
-    err => {
-      if (hitLimit) {
-        throw new Error('limit');
-      } else {
-        throw err;
-      }
-    }
-  );
-}
-
-function awsDelete(id, ownerToken) {
-  return new Promise((resolve, reject) => {
-    redis_client.hget(id, 'delete', (err, reply) => {
-      if (!reply || ownerToken !== reply) {
-        reject();
-      } else {
-        const params = {
-          Bucket: config.s3_bucket,
-          Key: id
-        };
-
-        s3.deleteObject(params, function(err, _data) {
-          redis_client.del(id);
-          err ? reject(err) : resolve(err);
-        });
-      }
-    });
-  });
-}
-
-function awsForceDelete(id) {
-  return new Promise((resolve, reject) => {
-    const params = {
-      Bucket: config.s3_bucket,
-      Key: id
-    };
-
-    s3.deleteObject(params, function(err, _data) {
-      redis_client.del(id);
-      err ? reject(err) : resolve();
-    });
-  });
-}
-
-function awsPing() {
-  return localPing().then(() =>
-    s3.headBucket({ Bucket: config.s3_bucket }).promise()
-  );
-}
--- a/server/storage/fs.js
+++ b/server/storage/fs.js
@ -0,0 +1,50 @@
+const fs = require('fs');
+const path = require('path');
+const promisify = require('util').promisify;
+const mkdirp = require('mkdirp');
+
+const stat = promisify(fs.stat);
+
+class FSStorage {
+  constructor(config, log) {
+    this.log = log;
+    this.dir = config.file_dir;
+    mkdirp.sync(this.dir);
+  }
+
+  async length(id) {
+    const result = await stat(path.join(this.dir, id));
+    return result.size;
+  }
+
+  getStream(id) {
+    return fs.createReadStream(path.join(this.dir, id));
+  }
+
+  set(id, file) {
+    return new Promise((resolve, reject) => {
+      const filepath = path.join(this.dir, id);
+      const fstream = fs.createWriteStream(filepath);
+      file.pipe(fstream);
+      file.on('limit', () => {
+        file.unpipe(fstream);
+        fstream.destroy(new Error('limit'));
+      });
+      fstream.on('error', err => {
+        fs.unlinkSync(filepath);
+        reject(err);
+      });
+      fstream.on('finish', resolve);
+    });
+  }
+
+  del(id) {
+    return Promise.resolve(fs.unlinkSync(path.join(this.dir, id)));
+  }
+
+  ping() {
+    return Promise.resolve();
+  }
+}
+
+module.exports = FSStorage;
--- a/server/storage/index.js
+++ b/server/storage/index.js
@ -0,0 +1,57 @@
+const config = require('../config');
+const Metadata = require('../metadata');
+const mozlog = require('../log');
+const createRedisClient = require('./redis');
+
+class DB {
+  constructor(config) {
+    const Storage = config.s3_bucket ? require('./s3') : require('./fs');
+    this.log = mozlog('send.storage');
+    this.expireSeconds = config.expire_seconds;
+    this.storage = new Storage(config, this.log);
+    this.redis = createRedisClient(config);
+    this.redis.on('error', err => {
+      this.log.error('Redis:', err);
+    });
+  }
+
+  async ttl(id) {
+    const result = await this.redis.ttlAsync(id);
+    return Math.ceil(result) * 1000;
+  }
+
+  length(id) {
+    return this.storage.length(id);
+  }
+
+  get(id) {
+    return this.storage.getStream(id);
+  }
+
+  async set(id, file, meta) {
+    await this.storage.set(id, file);
+    this.redis.hmset(id, meta);
+    this.redis.expire(id, this.expireSeconds);
+  }
+
+  setField(id, key, value) {
+    this.redis.hset(id, key, value);
+  }
+
+  del(id) {
+    this.redis.del(id);
+    return this.storage.del(id);
+  }
+
+  async ping() {
+    await this.redis.pingAsync();
+    await this.storage.ping();
+  }
+
+  async metadata(id) {
+    const result = await this.redis.hgetallAsync(id);
+    return result && new Metadata(result);
+  }
+}
+
+module.exports = new DB(config);
--- a/server/storage/redis.js
+++ b/server/storage/redis.js
@ -0,0 +1,21 @@
+const promisify = require('util').promisify;
+
+module.exports = function(config) {
+  const redis_lib =
+    config.env === 'development' && config.redis_host === 'localhost'
+      ? 'redis-mock'
+      : 'redis';
+
+  //eslint-disable-next-line security/detect-non-literal-require
+  const redis = require(redis_lib);
+  const client = redis.createClient({
+    host: config.redis_host,
+    connect_timeout: 10000
+  });
+
+  client.ttlAsync = promisify(client.ttl);
+  client.hgetallAsync = promisify(client.hgetall);
+  client.hgetAsync = promisify(client.hget);
+  client.pingAsync = promisify(client.ping);
+  return client;
+};
--- a/server/storage/s3.js
+++ b/server/storage/s3.js
@ -0,0 +1,51 @@
+const AWS = require('aws-sdk');
+const s3 = new AWS.S3();
+
+class S3Storage {
+  constructor(config, log) {
+    this.bucket = config.s3_bucket;
+    this.log = log;
+  }
+
+  async length(id) {
+    const result = await s3
+      .headObject({ Bucket: this.bucket, Key: id })
+      .promise();
+    return result.ContentLength;
+  }
+
+  getStream(id) {
+    return s3.getObject({ Bucket: this.bucket, Key: id }).createReadStream();
+  }
+
+  async set(id, file) {
+    let hitLimit = false;
+    const upload = s3.upload({
+      Bucket: this.bucket,
+      Key: id,
+      Body: file
+    });
+    file.on('limit', () => {
+      hitLimit = true;
+      upload.abort();
+    });
+    try {
+      await upload.promise();
+    } catch (e) {
+      if (hitLimit) {
+        throw new Error('limit');
+      }
+      throw e;
+    }
+  }
+
+  del(id) {
+    return s3.deleteObject({ Bucket: this.bucket, Key: id }).promise();
+  }
+
+  ping() {
+    return s3.headBucket({ Bucket: this.bucket }).promise();
+  }
+}
+
+module.exports = S3Storage;
--- a/test/unit/auth-tests.js
+++ b/test/unit/auth-tests.js
@ -0,0 +1,105 @@
+const assert = require('assert');
+const sinon = require('sinon');
+const proxyquire = require('proxyquire').noCallThru();
+
+const storage = {
+  metadata: sinon.stub(),
+  setField: sinon.stub()
+};
+
+function request(id, auth) {
+  return {
+    params: { id },
+    header: sinon.stub().returns(auth)
+  };
+}
+
+function response() {
+  return {
+    sendStatus: sinon.stub(),
+    set: sinon.stub()
+  };
+}
+
+const next = sinon.stub();
+
+const storedMeta = {
+  auth:
+    'r9uFxEs9GEVaQR9CJJ0uTKFGhFSOTRjOY2FCLFlCIZ0Cr-VGTVpMGlXDbNR8RMT55trMpSrzWtBVKq1LffOT2g',
+  nonce: 'FL4oxA7IE1PW8shwFN9qZw=='
+};
+
+const authMiddleware = proxyquire('../../server/middleware/auth', {
+  '../storage': storage
+});
+
+describe('Owner Middleware', function() {
+  afterEach(function() {
+    storage.metadata.reset();
+    storage.setField.reset();
+    next.reset();
+  });
+
+  it('sends a 401 when no auth header is set', async function() {
+    const req = request('x');
+    const res = response();
+    await authMiddleware(req, res, next);
+    sinon.assert.calledWith(res.sendStatus, 401);
+    sinon.assert.notCalled(next);
+  });
+
+  it('sends a 404 when metadata is not found', async function() {
+    const req = request('x', 'y');
+    const res = response();
+    await authMiddleware(req, res, next);
+    sinon.assert.calledWith(res.sendStatus, 404);
+    sinon.assert.notCalled(next);
+  });
+
+  it('sends a 401 when the auth header is invalid base64', async function() {
+    storage.metadata.returns(Promise.resolve(storedMeta));
+    const req = request('x', '1');
+    const res = response();
+    await authMiddleware(req, res, next);
+    sinon.assert.calledWith(res.sendStatus, 401);
+    sinon.assert.notCalled(next);
+  });
+
+  it('authenticates when the hashes match', async function() {
+    storage.metadata.returns(Promise.resolve(storedMeta));
+    const req = request(
+      'x',
+      'send-v1 R7nZk14qJqZXtxpnAtw2uDIRQTRnO1qSO1Q0PiwcNA8'
+    );
+    const res = response();
+    await authMiddleware(req, res, next);
+    sinon.assert.calledOnce(next);
+    sinon.assert.calledWith(storage.setField, 'x', 'nonce', req.nonce);
+    sinon.assert.calledWith(
+      res.set,
+      'WWW-Authenticate',
+      `send-v1 ${req.nonce}`
+    );
+    sinon.assert.notCalled(res.sendStatus);
+    assert.equal(req.authorized, true);
+    assert.equal(req.meta, storedMeta);
+    assert.notEqual(req.nonce, storedMeta.nonce);
+  });
+
+  it('sends a 401 when the hashes do not match', async function() {
+    storage.metadata.returns(Promise.resolve(storedMeta));
+    const req = request(
+      'x',
+      'send-v1 R8nZk14qJqZXtxpnAtw2uDIRQTRnO1qSO1Q0PiwcNA8'
+    );
+    const res = response();
+    await authMiddleware(req, res, next);
+    sinon.assert.calledWith(res.sendStatus, 401);
+    sinon.assert.calledWith(
+      res.set,
+      'WWW-Authenticate',
+      `send-v1 ${storedMeta.nonce}`
+    );
+    sinon.assert.notCalled(next);
+  });
+});
--- a/test/unit/aws.storage.test.js
+++ b/test/unit/aws.storage.test.js
@ -1,173 +0,0 @@
-const assert = require('assert');
-const sinon = require('sinon');
-const proxyquire = require('proxyquire');
-const crypto = require('crypto');
-
-const redisStub = {};
-const exists = sinon.stub();
-const hget = sinon.stub();
-const hmset = sinon.stub();
-const expire = sinon.spy();
-const del = sinon.stub();
-
-redisStub.createClient = function() {
-  return {
-    on: sinon.spy(),
-    exists: exists,
-    hget: hget,
-    hmset: hmset,
-    expire: expire,
-    del: del
-  };
-};
-
-const fsStub = {};
-fsStub.statSync = sinon.stub();
-fsStub.createReadStream = sinon.stub();
-fsStub.createWriteStream = sinon.stub();
-fsStub.unlinkSync = sinon.stub();
-
-const logStub = {};
-logStub.info = sinon.stub();
-logStub.error = sinon.stub();
-
-const s3Stub = {};
-s3Stub.headObject = sinon.stub();
-s3Stub.getObject = sinon.stub();
-s3Stub.upload = sinon.stub();
-s3Stub.deleteObject = sinon.stub();
-
-const awsStub = {
-  S3: function() {
-    return s3Stub;
-  }
-};
-
-const storage = proxyquire('../../server/storage', {
-  redis: redisStub,
-  'redis-mock': redisStub,
-  fs: fsStub,
-  './log': function() {
-    return logStub;
-  },
-  'aws-sdk': awsStub,
-  './config': {
-    s3_bucket: 'test'
-  }
-});
-
-describe('Testing Length using aws', function() {
-  it('Filesize returns properly if id exists', function() {
-    s3Stub.headObject.callsArgWith(1, null, { ContentLength: 1 });
-    return storage
-      .length('123')
-      .then(reply => assert.equal(reply, 1))
-      .catch(err => assert.fail());
-  });
-
-  it('Filesize fails if the id does not exist', function() {
-    s3Stub.headObject.callsArgWith(1, new Error(), null);
-    return storage
-      .length('123')
-      .then(_reply => assert.fail())
-      .catch(err => assert(1));
-  });
-});
-
-describe('Testing Get using aws', function() {
-  it('Should not error out when the file exists', function() {
-    const spy = sinon.spy();
-    s3Stub.getObject.returns({
-      createReadStream: spy
-    });
-
-    storage.get('123');
-    assert(spy.calledOnce);
-  });
-
-  it('Should error when the file does not exist', function() {
-    const err = function() {
-      throw new Error();
-    };
-    const spy = sinon.spy(err);
-    s3Stub.getObject.returns({
-      createReadStream: spy
-    });
-
-    assert.equal(storage.get('123'), null);
-    assert(spy.threw());
-  });
-});
-
-describe('Testing Set using aws', function() {
-  beforeEach(function() {
-    expire.resetHistory();
-  });
-
-  after(function() {
-    crypto.randomBytes.restore();
-  });
-
-  it('Should pass when the file is successfully uploaded', function() {
-    const buf = Buffer.alloc(10);
-    sinon.stub(crypto, 'randomBytes').returns(buf);
-    s3Stub.upload.returns({ promise: () => Promise.resolve() });
-    return storage
-      .set('123', { on: sinon.stub() }, 'Filename.moz', {})
-      .then(() => {
-        assert(expire.calledOnce);
-        assert(expire.calledWith('123', 86400));
-      })
-      .catch(err => assert.fail());
-  });
-
-  it('Should fail if there was an error during uploading', function() {
-    s3Stub.upload.returns({ promise: () => Promise.reject() });
-    return storage
-      .set('123', { on: sinon.stub() }, 'Filename.moz', 'url.com')
-      .then(_reply => assert.fail())
-      .catch(err => assert(1));
-  });
-});
-
-describe('Testing Delete from aws', function() {
-  it('Returns successfully if the id is deleted off aws', function() {
-    hget.callsArgWith(2, null, 'delete_token');
-    s3Stub.deleteObject.callsArgWith(1, null, {});
-    return storage
-      .delete('file_id', 'delete_token')
-      .then(_reply => assert(1), err => assert.fail());
-  });
-
-  it('Delete fails if id exists locally but does not in aws', function() {
-    hget.callsArgWith(2, null, 'delete_token');
-    s3Stub.deleteObject.callsArgWith(1, new Error(), {});
-    return storage
-      .delete('file_id', 'delete_token')
-      .then(_reply => assert.fail(), err => assert(1));
-  });
-
-  it('Delete fails if the delete token does not match', function() {
-    hget.callsArgWith(2, null, {});
-    return storage
-      .delete('Filename.moz', 'delete_token')
-      .then(_reply => assert.fail())
-      .catch(err => assert(1));
-  });
-});
-
-describe('Testing Forced Delete from aws', function() {
-  it('Deletes properly if id exists', function() {
-    s3Stub.deleteObject.callsArgWith(1, null, {});
-    return storage
-      .forceDelete('file_id', 'delete_token')
-      .then(_reply => assert(1), err => assert.fail());
-  });
-
-  it('Deletes fails if id does not exist', function() {
-    s3Stub.deleteObject.callsArgWith(1, new Error(), {});
-    return storage
-      .forceDelete('file_id')
-      .then(_reply => assert.fail(), err => assert(1));
-  });
-});
--- a/test/unit/delete-tests.js
+++ b/test/unit/delete-tests.js
@ -0,0 +1,43 @@
+const sinon = require('sinon');
+const proxyquire = require('proxyquire').noCallThru();
+
+const storage = {
+  del: sinon.stub()
+};
+
+function request(id) {
+  return {
+    params: { id }
+  };
+}
+
+function response() {
+  return {
+    sendStatus: sinon.stub()
+  };
+}
+
+const delRoute = proxyquire('../../server/routes/delete', {
+  '../storage': storage
+});
+
+describe('/api/delete', function() {
+  afterEach(function() {
+    storage.del.reset();
+  });
+
+  it('calls storage.del with the id parameter', async function() {
+    const req = request('x');
+    const res = response();
+    await delRoute(req, res);
+    sinon.assert.calledWith(storage.del, 'x');
+    sinon.assert.calledWith(res.sendStatus, 200);
+  });
+
+  it('sends a 404 on failure', async function() {
+    storage.del.returns(Promise.reject(new Error()));
+    const res = response();
+    await delRoute(request('x'), res);
+    sinon.assert.calledWith(res.sendStatus, 404);
+  });
+});
--- a/test/unit/info-tests.js
+++ b/test/unit/info-tests.js
@ -0,0 +1,59 @@
+const sinon = require('sinon');
+const proxyquire = require('proxyquire').noCallThru();
+
+const storage = {
+  ttl: sinon.stub()
+};
+
+function request(id, meta) {
+  return {
+    params: { id },
+    meta
+  };
+}
+
+function response() {
+  return {
+    sendStatus: sinon.stub(),
+    send: sinon.stub()
+  };
+}
+
+const infoRoute = proxyquire('../../server/routes/info', {
+  '../storage': storage
+});
+
+describe('/api/info', function() {
+  afterEach(function() {
+    storage.ttl.reset();
+  });
+
+  it('calls storage.ttl with the id parameter', async function() {
+    const req = request('x');
+    const res = response();
+    await infoRoute(req, res);
+    sinon.assert.calledWith(storage.ttl, 'x');
+  });
+
+  it('sends a 404 on failure', async function() {
+    storage.ttl.returns(Promise.reject(new Error()));
+    const res = response();
+    await infoRoute(request('x'), res);
+    sinon.assert.calledWith(res.sendStatus, 404);
+  });
+
+  it('returns a json object', async function() {
+    storage.ttl.returns(Promise.resolve(123));
+    const meta = {
+      dlimit: '1',
+      dl: '0'
+    };
+    const res = response();
+    await infoRoute(request('x', meta), res);
+    sinon.assert.calledWithMatch(res.send, {
+      dlimit: 1,
+      dtotal: 0,
+      ttl: 123
+    });
+  });
+});
--- a/test/unit/language-tests.js
+++ b/test/unit/language-tests.js
@ -0,0 +1,67 @@
+const assert = require('assert');
+const sinon = require('sinon');
+const proxyquire = require('proxyquire').noCallThru();
+
+const config = {
+  l10n_dev: false // prod configuration
+};
+const pkg = {
+  availableLanguages: ['en-US', 'fr', 'it', 'es-ES']
+};
+
+function request(acceptLang) {
+  return {
+    headers: {
+      'accept-language': acceptLang
+    }
+  };
+}
+
+const langMiddleware = proxyquire('../../server/middleware/language', {
+  '../config': config,
+  '../../package.json': pkg
+});
+
+describe('Language Middleware', function() {
+  it('defaults to en-US when no header is present', function() {
+    const req = request();
+    const next = sinon.stub();
+    langMiddleware(req, null, next);
+    assert.equal(req.language, 'en-US');
+    sinon.assert.calledOnce(next);
+  });
+
+  it('sets req.language to en-US when accept-language > 255 chars', function() {
+    const accept = Array(257).join('a');
+    assert.equal(accept.length, 256);
+    const req = request(accept);
+    const next = sinon.stub();
+    langMiddleware(req, null, next);
+    assert.equal(req.language, 'en-US');
+    sinon.assert.calledOnce(next);
+  });
+
+  it('defaults to en-US when no accept-language is available', function() {
+    const req = request('fa,cs,ja');
+    const next = sinon.stub();
+    langMiddleware(req, null, next);
+    assert.equal(req.language, 'en-US');
+    sinon.assert.calledOnce(next);
+  });
+
+  it('prefers higher q values', function() {
+    const req = request('fa;q=0.5, it;q=0.9');
+    const next = sinon.stub();
+    langMiddleware(req, null, next);
+    assert.equal(req.language, 'it');
+    sinon.assert.calledOnce(next);
+  });
+
+  it('uses likely subtags', function() {
+    const req = request('es-MX');
+    const next = sinon.stub();
+    langMiddleware(req, null, next);
+    assert.equal(req.language, 'es-ES');
+    sinon.assert.calledOn(next);
+  });
+});
--- a/test/unit/local.storage.test.js
+++ b/test/unit/local.storage.test.js
@ -1,163 +0,0 @@
-const assert = require('assert');
-const sinon = require('sinon');
-const proxyquire = require('proxyquire');
-
-const redisStub = {};
-const exists = sinon.stub();
-const hget = sinon.stub();
-const hmset = sinon.stub();
-const expire = sinon.stub();
-const del = sinon.stub();
-
-redisStub.createClient = function() {
-  return {
-    on: sinon.spy(),
-    exists: exists,
-    hget: hget,
-    hmset: hmset,
-    expire: expire,
-    del: del
-  };
-};
-
-const fsStub = {};
-fsStub.statSync = sinon.stub();
-fsStub.createReadStream = sinon.stub();
-fsStub.createWriteStream = sinon.stub();
-fsStub.unlinkSync = sinon.stub();
-
-const logStub = {};
-logStub.info = sinon.stub();
-logStub.error = sinon.stub();
-
-const storage = proxyquire('../../server/storage', {
-  redis: redisStub,
-  'redis-mock': redisStub,
-  fs: fsStub,
-  './log': function() {
-    return logStub;
-  }
-});
-
-describe('Testing Exists from local filesystem', function() {
-  it('Exists returns true when file exists', function() {
-    exists.callsArgWith(1, null, 1);
-    return storage
-      .exists('test')
-      .then(() => assert(1))
-      .catch(err => assert.fail());
-  });
-
-  it('Exists returns false when file does not exist', function() {
-    exists.callsArgWith(1, null, 0);
-    return storage
-      .exists('test')
-      .then(() => assert.fail())
-      .catch(err => assert(1));
-  });
-});
-
-describe('Testing Length from local filesystem', function() {
-  it('Filesize returns properly if id exists', function() {
-    fsStub.statSync.returns({ size: 10 });
-    return storage
-      .length('Filename.moz')
-      .then(_reply => assert(1))
-      .catch(err => assert.fail());
-  });
-
-  it('Filesize fails if the id does not exist', function() {
-    fsStub.statSync.returns(null);
-    return storage
-      .length('Filename.moz')
-      .then(_reply => assert.fail())
-      .catch(err => assert(1));
-  });
-});
-
-describe('Testing Get from local filesystem', function() {
-  it('Get returns properly if id exists', function() {
-    fsStub.createReadStream.returns(1);
-    if (storage.get('Filename.moz')) {
-      assert(1);
-    } else {
-      assert.fail();
-    }
-  });
-
-  it('Get fails if the id does not exist', function() {
-    fsStub.createReadStream.returns(null);
-    if (storage.get('Filename.moz')) {
-      assert.fail();
-    } else {
-      assert(1);
-    }
-  });
-});
-
-describe('Testing Set to local filesystem', function() {
-  it('Successfully writes the file to the local filesystem', function() {
-    const stub = sinon.stub();
-    stub.withArgs('finish', sinon.match.any).callsArgWithAsync(1);
-    stub.withArgs('error', sinon.match.any).returns(1);
-    fsStub.createWriteStream.returns({ on: stub });
-
-    return storage
-      .set('test', { pipe: sinon.stub(), on: sinon.stub() }, 'Filename.moz', {})
-      .then(() => {
-        assert(1);
-      })
-      .catch(err => assert.fail());
-  });
-
-  it('Fails when the file is not properly written to the local filesystem', function() {
-    const stub = sinon.stub();
-    stub.withArgs('error', sinon.match.any).callsArgWithAsync(1);
-    stub.withArgs('close', sinon.match.any).returns(1);
-    fsStub.createWriteStream.returns({ on: stub });
-
-    return storage
-      .set('test', { pipe: sinon.stub() }, 'Filename.moz', 'moz.la')
-      .then(_reply => assert.fail())
-      .catch(err => assert(1));
-  });
-});
-
-describe('Testing Delete from local filesystem', function() {
-  it('Deletes properly if id exists', function() {
-    hget.callsArgWith(2, null, '123');
-    fsStub.unlinkSync.returns(1);
-    return storage
-      .delete('Filename.moz', '123')
-      .then(reply => assert(reply))
-      .catch(err => assert.fail());
-  });
-
-  it('Delete fails if id does not exist', function() {
-    hget.callsArgWith(2, null, null);
-    return storage
-      .delete('Filename.moz', '123')
-      .then(_reply => assert.fail())
-      .catch(err => assert(1));
-  });
-
-  it('Delete fails if the delete token does not match', function() {
-    hget.callsArgWith(2, null, null);
-    return storage
-      .delete('Filename.moz', '123')
-      .then(_reply => assert.fail())
-      .catch(err => assert(1));
-  });
-});
-
-describe('Testing Forced Delete from local filesystem', function() {
-  it('Deletes properly if id exists', function() {
-    fsStub.unlinkSync.returns(1);
-    return storage.forceDelete('Filename.moz').then(reply => assert(reply));
-  });
-
-  it('Deletes fails if id does not exist, but no reject is called', function() {
-    fsStub.unlinkSync.returns(0);
-    return storage.forceDelete('Filename.moz').then(reply => assert(!reply));
-  });
-});
--- a/test/unit/metadata-tests.js
+++ b/test/unit/metadata-tests.js
@ -0,0 +1,65 @@
+const sinon = require('sinon');
+const proxyquire = require('proxyquire').noCallThru();
+
+const storage = {
+  ttl: sinon.stub(),
+  length: sinon.stub()
+};
+
+function request(id, meta) {
+  return {
+    params: { id },
+    meta
+  };
+}
+
+function response() {
+  return {
+    sendStatus: sinon.stub(),
+    send: sinon.stub()
+  };
+}
+
+const metadataRoute = proxyquire('../../server/routes/metadata', {
+  '../storage': storage
+});
+
+describe('/api/metadata', function() {
+  afterEach(function() {
+    storage.ttl.reset();
+    storage.length.reset();
+  });
+
+  it('calls storage.[ttl|length] with the id parameter', async function() {
+    const req = request('x');
+    const res = response();
+    await metadataRoute(req, res);
+    sinon.assert.calledWith(storage.ttl, 'x');
+    sinon.assert.calledWith(storage.length, 'x');
+  });
+
+  it('sends a 404 on failure', async function() {
+    storage.length.returns(Promise.reject(new Error()));
+    const res = response();
+    await metadataRoute(request('x'), res);
+    sinon.assert.calledWith(res.sendStatus, 404);
+  });
+
+  it('returns a json object', async function() {
+    storage.ttl.returns(Promise.resolve(123));
+    storage.length.returns(Promise.resolve(987));
+    const meta = {
+      dlimit: 1,
+      dl: 0,
+      metadata: 'foo'
+    };
+    const res = response();
+    await metadataRoute(request('x', meta), res);
+    sinon.assert.calledWithMatch(res.send, {
+      metadata: 'foo',
+      finalDownload: true,
+      size: 987,
+      ttl: 123
+    });
+  });
+});
--- a/test/unit/owner-tests.js
+++ b/test/unit/owner-tests.js
@ -0,0 +1,81 @@
+const assert = require('assert');
+const sinon = require('sinon');
+const proxyquire = require('proxyquire').noCallThru();
+
+const storage = {
+  metadata: sinon.stub()
+};
+
+function request(id, owner_token) {
+  return {
+    params: { id },
+    body: { owner_token }
+  };
+}
+
+function response() {
+  return {
+    sendStatus: sinon.stub()
+  };
+}
+
+const ownerMiddleware = proxyquire('../../server/middleware/owner', {
+  '../storage': storage
+});
+
+describe('Owner Middleware', function() {
+  afterEach(function() {
+    storage.metadata.reset();
+  });
+
+  it('sends a 404 when the id is not found', async function() {
+    const next = sinon.stub();
+    storage.metadata.returns(Promise.resolve(null));
+    const res = response();
+    await ownerMiddleware(request('x', 'y'), res);
+    sinon.assert.notCalled(next);
+    sinon.assert.calledWith(res.sendStatus, 404);
+  });
+
+  it('sends a 401 when the owner_token is missing', async function() {
+    const next = sinon.stub();
+    const meta = { owner: 'y' };
+    storage.metadata.returns(Promise.resolve(meta));
+    const res = response();
+    await ownerMiddleware(request('x', null), res);
+    sinon.assert.notCalled(next);
+    sinon.assert.calledWith(res.sendStatus, 401);
+  });
+
+  it('sends a 401 when the owner_token does not match', async function() {
+    const next = sinon.stub();
+    const meta = { owner: 'y' };
+    storage.metadata.returns(Promise.resolve(meta));
+    const res = response();
+    await ownerMiddleware(request('x', 'z'), res);
+    sinon.assert.notCalled(next);
+    sinon.assert.calledWith(res.sendStatus, 401);
+  });
+
+  it('sends a 401 if the metadata call fails', async function() {
+    const next = sinon.stub();
+    storage.metadata.returns(Promise.reject(new Error()));
+    const res = response();
+    await ownerMiddleware(request('x', 'y'), res);
+    sinon.assert.notCalled(next);
+    sinon.assert.calledWith(res.sendStatus, 401);
+  });
+
+  it('sets req.meta and req.authorized on successful auth', async function() {
+    const next = sinon.stub();
+    const meta = { owner: 'y' };
+    storage.metadata.returns(Promise.resolve(meta));
+    const req = request('x', 'y');
+    const res = response();
+    await ownerMiddleware(req, res, next);
+    assert.equal(req.meta, meta);
+    assert.equal(req.authorized, true);
+    sinon.assert.notCalled(res.sendStatus);
+    sinon.assert.calledOnce(next);
+  });
+});
--- a/test/unit/params-tests.js
+++ b/test/unit/params-tests.js
@ -0,0 +1,56 @@
+const sinon = require('sinon');
+const proxyquire = require('proxyquire').noCallThru();
+
+const storage = {
+  setField: sinon.stub()
+};
+
+function request(id) {
+  return {
+    params: { id },
+    body: {}
+  };
+}
+
+function response() {
+  return {
+    sendStatus: sinon.stub()
+  };
+}
+
+const paramsRoute = proxyquire('../../server/routes/params', {
+  '../storage': storage
+});
+
+describe('/api/params', function() {
+  afterEach(function() {
+    storage.setField.reset();
+  });
+
+  it('calls storage.setField with the correct parameter', function() {
+    const req = request('x');
+    const dlimit = 2;
+    req.body.dlimit = dlimit;
+    const res = response();
+    paramsRoute(req, res);
+    sinon.assert.calledWith(storage.setField, 'x', 'dlimit', dlimit);
+    sinon.assert.calledWith(res.sendStatus, 200);
+  });
+
+  it('sends a 400 if dlimit is too large', function() {
+    const req = request('x');
+    const res = response();
+    req.body.dlimit = 21;
+    paramsRoute(req, res);
+    sinon.assert.calledWith(res.sendStatus, 400);
+  });
+
+  it('sends a 404 on failure', function() {
+    storage.setField.throws(new Error());
+    const req = request('x');
+    const res = response();
+    req.body.dlimit = 2;
+    paramsRoute(req, res);
+    sinon.assert.calledWith(res.sendStatus, 404);
+  });
+});
--- a/test/unit/password-tests.js
+++ b/test/unit/password-tests.js
@ -0,0 +1,53 @@
+const sinon = require('sinon');
+const proxyquire = require('proxyquire').noCallThru();
+
+const storage = {
+  setField: sinon.stub()
+};
+
+function request(id, body) {
+  return {
+    params: { id },
+    body
+  };
+}
+
+function response() {
+  return {
+    sendStatus: sinon.stub()
+  };
+}
+
+const passwordRoute = proxyquire('../../server/routes/password', {
+  '../storage': storage
+});
+
+describe('/api/password', function() {
+  afterEach(function() {
+    storage.setField.reset();
+  });
+
+  it('calls storage.setField with the correct parameter', function() {
+    const req = request('x', { auth: 'z' });
+    const res = response();
+    passwordRoute(req, res);
+    sinon.assert.calledWith(storage.setField, 'x', 'auth', 'z');
+    sinon.assert.calledWith(storage.setField, 'x', 'pwd', true);
+    sinon.assert.calledWith(res.sendStatus, 200);
+  });
+
+  it('sends a 400 if auth is missing', function() {
+    const req = request('x', {});
+    const res = response();
+    passwordRoute(req, res);
+    sinon.assert.calledWith(res.sendStatus, 400);
+  });
+
+  it('sends a 404 on failure', function() {
+    storage.setField.throws(new Error());
+    const req = request('x', { auth: 'z' });
+    const res = response();
+    passwordRoute(req, res);
+    sinon.assert.calledWith(res.sendStatus, 404);
+  });
+});
--- a/test/unit/s3-tests.js
+++ b/test/unit/s3-tests.js
@ -0,0 +1,154 @@
+const assert = require('assert');
+const sinon = require('sinon');
+const proxyquire = require('proxyquire').noCallThru();
+
+function resolvedPromise(val) {
+  return {
+    promise: () => Promise.resolve(val)
+  };
+}
+
+function rejectedPromise(err) {
+  return {
+    promise: () => Promise.reject(err)
+  };
+}
+
+const s3Stub = {
+  headObject: sinon.stub(),
+  getObject: sinon.stub(),
+  upload: sinon.stub(),
+  deleteObject: sinon.stub()
+};
+
+const awsStub = {
+  S3: function() {
+    return s3Stub;
+  }
+};
+
+const S3Storage = proxyquire('../../server/storage/s3', {
+  'aws-sdk': awsStub
+});
+
+describe('S3Storage', function() {
+  it('uses config.s3_bucket', function() {
+    const s = new S3Storage({ s3_bucket: 'foo' });
+    assert.equal(s.bucket, 'foo');
+  });
+
+  describe('length', function() {
+    it('returns the ContentLength', async function() {
+      s3Stub.headObject = sinon
+        .stub()
+        .returns(resolvedPromise({ ContentLength: 123 }));
+      const s = new S3Storage({ s3_bucket: 'foo' });
+      const len = await s.length('x');
+      assert.equal(len, 123);
+      sinon.assert.calledWithMatch(s3Stub.headObject, {
+        Bucket: 'foo',
+        Key: 'x'
+      });
+    });
+
+    it('throws when id not found', async function() {
+      const err = new Error();
+      s3Stub.headObject = sinon.stub().returns(rejectedPromise(err));
+      const s = new S3Storage({ s3_bucket: 'foo' });
+      try {
+        await s.length('x');
+        assert.fail();
+      } catch (e) {
+        assert.equal(e, err);
+      }
+    });
+  });
+
+  describe('getStream', function() {
+    it('returns a Stream object', function() {
+      const stream = {};
+      s3Stub.getObject = sinon
+        .stub()
+        .returns({ createReadStream: () => stream });
+      const s = new S3Storage({ s3_bucket: 'foo' });
+      const result = s.getStream('x');
+      assert.equal(result, stream);
+      sinon.assert.calledWithMatch(s3Stub.getObject, {
+        Bucket: 'foo',
+        Key: 'x'
+      });
+    });
+  });
+
+  describe('set', function() {
+    it('calls s3.upload', async function() {
+      const file = { on: sinon.stub() };
+      s3Stub.upload = sinon.stub().returns(resolvedPromise());
+      const s = new S3Storage({ s3_bucket: 'foo' });
+      await s.set('x', file);
+      sinon.assert.calledWithMatch(s3Stub.upload, {
+        Bucket: 'foo',
+        Key: 'x',
+        Body: file
+      });
+    });
+
+    it('aborts upload if limit is hit', async function() {
+      const file = {
+        on: (ev, fn) => fn()
+      };
+      const abort = sinon.stub();
+      const err = new Error();
+      s3Stub.upload = sinon.stub().returns({
+        promise: () => Promise.reject(err),
+        abort
+      });
+      const s = new S3Storage({ s3_bucket: 'foo' });
+      try {
+        await s.set('x', file);
+        assert.fail();
+      } catch (e) {
+        assert.equal(e.message, 'limit');
+        sinon.assert.calledOnce(abort);
+      }
+    });
+
+    it('throws when s3.upload fails', async function() {
+      const file = {
+        on: sinon.stub()
+      };
+      const err = new Error();
+      s3Stub.upload = sinon.stub().returns(rejectedPromise(err));
+      const s = new S3Storage({ s3_bucket: 'foo' });
+      try {
+        await s.set('x', file);
+        assert.fail();
+      } catch (e) {
+        assert.equal(e, err);
+      }
+    });
+  });
+
+  describe('del', function() {
+    it('calls s3.deleteObject', async function() {
+      s3Stub.deleteObject = sinon.stub().returns(resolvedPromise(true));
+      const s = new S3Storage({ s3_bucket: 'foo' });
+      const result = await s.del('x');
+      assert.equal(result, true);
+      sinon.assert.calledWithMatch(s3Stub.deleteObject, {
+        Bucket: 'foo',
+        Key: 'x'
+      });
+    });
+  });
+
+  describe('ping', function() {
+    it('calls s3.headBucket', async function() {
+      s3Stub.headBucket = sinon.stub().returns(resolvedPromise(true));
+      const s = new S3Storage({ s3_bucket: 'foo' });
+      const result = await s.ping();
+      assert.equal(result, true);
+      sinon.assert.calledWithMatch(s3Stub.headBucket, { Bucket: 'foo' });
+    });
+  });
+});
--- a/test/unit/storage-tests.js
+++ b/test/unit/storage-tests.js
@ -0,0 +1,118 @@
+const assert = require('assert');
+const proxyquire = require('proxyquire').noCallThru();
+
+const stream = {};
+class MockStorage {
+  length() {
+    return Promise.resolve(12);
+  }
+  getStream() {
+    return stream;
+  }
+  set() {
+    return Promise.resolve();
+  }
+  del() {
+    return Promise.resolve();
+  }
+  ping() {
+    return Promise.resolve();
+  }
+}
+
+const expire_seconds = 10;
+const storage = proxyquire('../../server/storage', {
+  '../config': {
+    expire_seconds,
+    s3_bucket: 'foo',
+    env: 'development',
+    redis_host: 'localhost'
+  },
+  '../log': () => {},
+  './s3': MockStorage
+});
+
+describe('Storage', function() {
+  describe('ttl', function() {
+    it('returns milliseconds remaining', async function() {
+      await storage.set('x', null, { foo: 'bar' });
+      const ms = await storage.ttl('x');
+      await storage.del('x');
+      assert.equal(ms, expire_seconds * 1000);
+    });
+  });
+
+  describe('length', function() {
+    it('returns the file size', async function() {
+      const len = await storage.length('x');
+      assert.equal(len, 12);
+    });
+  });
+
+  describe('get', function() {
+    it('returns a stream', function() {
+      const s = storage.get('x');
+      assert.equal(s, stream);
+    });
+  });
+
+  describe('set', function() {
+    it('sets expiration to config.expire_seconds', async function() {
+      await storage.set('x', null, { foo: 'bar' });
+      const s = await storage.redis.ttlAsync('x');
+      await storage.del('x');
+      assert.equal(Math.ceil(s), expire_seconds);
+    });
+
+    it('sets metadata', async function() {
+      const m = { foo: 'bar' };
+      await storage.set('x', null, m);
+      const meta = await storage.redis.hgetallAsync('x');
+      await storage.del('x');
+      assert.deepEqual(meta, m);
+    });
+
+    //it('throws when storage fails');
+  });
+
+  describe('setField', function() {
+    it('works', async function() {
+      storage.setField('x', 'y', 'z');
+      const z = await storage.redis.hgetAsync('x', 'y');
+      assert.equal(z, 'z');
+      await storage.del('x');
+    });
+  });
+
+  describe('del', function() {
+    it('works', async function() {
+      await storage.set('x', null, { foo: 'bar' });
+      await storage.del('x');
+      const meta = await storage.metadata('x');
+      assert.equal(meta, null);
+    });
+  });
+
+  describe('ping', function() {
+    it('works', async function() {
+      await storage.ping();
+    });
+  });
+
+  describe('metadata', function() {
+    it('returns all metadata fields', async function() {
+      const m = {
+        pwd: true,
+        dl: 1,
+        dlimit: 1,
+        auth: 'foo',
+        metadata: 'bar',
+        nonce: 'baz',
+        owner: 'bmo'
+      };
+      await storage.set('x', null, m);
+      const meta = await storage.metadata('x');
+      assert.deepEqual(meta, m);
+    });
+  });
+});