From af1331bcc2f90120d47b43687fa9270beb953e6e Mon Sep 17 00:00:00 2001 From: Isra Date: Sat, 9 Sep 2023 01:47:34 -0500 Subject: [PATCH] fix: CORS and body --- routes/index.ts | 105 ++++++++++++++++++++++++------------------------ 1 file changed, 53 insertions(+), 52 deletions(-) diff --git a/routes/index.ts b/routes/index.ts index 180540d..5b14300 100644 --- a/routes/index.ts +++ b/routes/index.ts @@ -1,16 +1,16 @@ import { defineEventHandler, EventHandlerRequest, - readBody, + readRawBody, getQuery, isMethod, H3Event, -} from 'h3'; +} from "h3"; const corsHeaders = { - 'Access-Control-Allow-Origin': '*', - 'Access-Control-Allow-Methods': 'GET,HEAD,POST,OPTIONS', - 'Access-Control-Max-Age': '86400', + "Access-Control-Allow-Origin": "*", + "Access-Control-Allow-Methods": "GET,HEAD,POST,OPTIONS", + "Access-Control-Max-Age": "86400", }; async function handleRequest( @@ -24,7 +24,7 @@ async function handleRequest( ): Promise { console.log( `PROXYING ${requestData.destination}${ - iteration ? ' ON ITERATION ' + iteration : '' + iteration ? " ON ITERATION " + iteration : "" }`, ); 
@@ -34,45 +34,45 @@ async function handleRequest( method: requestData.method, body: requestData.body, }); - request.headers.set('Origin', new URL(requestData.destination).origin); + request.headers.set("Origin", new URL(requestData.destination).origin); // TODO: Make cookie handling better. PHPSESSID overwrites all other cookie related headers // Add custom X headers from client // These headers are usually forbidden to be set by fetch - const cookieValue = request.headers.get('X-Cookie'); + const cookieValue = request.headers.get("X-Cookie"); if (cookieValue) { - request.headers.set('Cookie', cookieValue); - request.headers.delete('X-Cookie'); + request.headers.set("Cookie", cookieValue); + request.headers.delete("X-Cookie"); } - const refererValue = request.headers.get('X-Referer'); + const refererValue = request.headers.get("X-Referer"); if (refererValue) { - request.headers.set('Referer', refererValue); - request.headers.delete('X-Referer'); + request.headers.set("Referer", refererValue); + request.headers.delete("X-Referer"); } - const originValue = request.headers.get('X-Origin'); + const originValue = request.headers.get("X-Origin"); if (originValue) { - request.headers.set('Origin', originValue); - request.headers.delete('X-Origin'); + request.headers.set("Origin", originValue); + request.headers.delete("X-Origin"); } // Set PHPSESSID cookie - if (request.headers.get('PHPSESSID')) { + if (request.headers.get("PHPSESSID")) { request.headers.set( - 'Cookie', - `PHPSESSID=${request.headers.get('PHPSESSID')}`, + "Cookie", + `PHPSESSID=${request.headers.get("PHPSESSID")}`, ); } // Set User Agent, if not exists - const userAgent = request.headers.get('User-Agent'); + const userAgent = request.headers.get("User-Agent"); if (!userAgent) { request.headers.set( - 'User-Agent', - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0', + "User-Agent", + "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", ); } 
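Review bot: The client-supplied `PHPSESSID` request header is copied into `Cookie` but, unlike `X-Cookie`, `X-Referer` and `X-Origin`, it is never removed, so the session id is also forwarded to the destination as a non-standard header. Adding `request.headers.delete("PHPSESSID");` inside that `if` would match the other three branches. The same block replaces any `Cookie` value the `X-Cookie` branch has just set, which the TODO above already acknowledges; appending `PHPSESSID=…` to the existing value instead of overwriting it would close that TODO. `handleRequest` starts before this hunk and continues after it.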
@@ -80,12 +80,12 @@ async function handleRequest( const oResponse = await fetch(request.clone()); // If the server returned a redirect, follow it - const locationValue = oResponse.headers.get('location'); + const locationValue = oResponse.headers.get("location"); if ((oResponse.status === 302 || oResponse.status === 301) && locationValue) { // Server tried to redirect too many times if (iteration > 5) { - return new Response('418 Too many redirects', { + return new Response("418 Too many redirects", { status: 418, }); } 
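Review bot: The redirect branch acts on `locationValue` exactly as the upstream server sent it, and nothing visible here checks where it points before it is followed. The follow-up request is outside the hunk, so this is inferred, but a destination that is acceptable on the first hop can answer with a `Location` aimed at a loopback, link-local or internal address. Resolve it first, `const next = new URL(locationValue, requestData.destination);`, and apply to `next` the same destination policy the proxy applies to the original URL before recursing. Only 301 and 302 are handled, so 303, 307 and 308 are passed back to the client unchanged; if that is intended, a comment saying so would help.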
@@ -106,36 +106,36 @@ async function handleRequest( const response = new Response(oResponse.body, oResponse); // Set CORS headers - response.headers.set('Access-Control-Allow-Origin', '*'); - response.headers.set('Access-Control-Expose-Headers', '*'); + response.headers.set("Access-Control-Allow-Origin", "*"); + response.headers.set("Access-Control-Expose-Headers", "*"); - const cookiesToSet = response.headers.get('Set-Cookie'); + const cookiesToSet = response.headers.get("Set-Cookie"); // Transfer Set-Cookie to X-Set-Cookie // Normally the Set-Cookie header is not accessible to fetch clients - const setCookieValue = response.headers.get('Set-Cookie'); + const setCookieValue = response.headers.get("Set-Cookie"); if (cookiesToSet && setCookieValue) { - response.headers.set('X-Set-Cookie', setCookieValue); + response.headers.set("X-Set-Cookie", setCookieValue); } // Set PHPSESSID cookie if ( cookiesToSet && - cookiesToSet.includes('PHPSESSID') && - cookiesToSet.includes(';') + cookiesToSet.includes("PHPSESSID") && + cookiesToSet.includes(";") ) { - let phpsessid = cookiesToSet.slice(cookiesToSet.search('PHPSESSID') + 10); - phpsessid = phpsessid.slice(0, phpsessid.search(';')); + let phpsessid = cookiesToSet.slice(cookiesToSet.search("PHPSESSID") + 10); + phpsessid = phpsessid.slice(0, phpsessid.search(";")); - response.headers.set('PHPSESSID', phpsessid); + response.headers.set("PHPSESSID", phpsessid); } // Append to/Add Vary header so browser will cache response correctly - response.headers.append('Vary', 'Origin'); + response.headers.append("Vary", "Origin"); // Add X-Final-Destination header to get the final url - response.headers.set('X-Final-Destination', oResponse.url); + response.headers.set("X-Final-Destination", oResponse.url); return response; } 
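Review bot: The PHPSESSID extraction mis-parses several valid `Set-Cookie` values: `search("PHPSESSID")` matches the substring anywhere (including inside another cookie's name or value), `+ 10` assumes the next character is `=`, and when no `;` follows the id `phpsessid.search(";")` returns -1, so `slice(0, -1)` silently drops the last character of the session id. Anchoring on the cookie name avoids all three: `const m = /(?:^|,\s*)PHPSESSID=([^;,]*)/.exec(cookiesToSet); if (m) response.headers.set("PHPSESSID", m[1]);`. `headers.get("Set-Cookie")` also joins multiple cookies with `, `, which is ambiguous with the comma inside `Expires` dates; `getSetCookie()` returns them separately where the runtime provides it. `cookiesToSet` and `setCookieValue` read the same header, so one of the two can go.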
@@ -146,24 +146,24 @@ function handleOptions(request: H3Event) { const headers = request.headers; let response = new Response(null, { headers: { - Allow: 'GET, HEAD, POST, OPTIONS', + Allow: "GET, HEAD, POST, OPTIONS", }, }); if ( - headers.get('Origin') !== null && - headers.get('Access-Control-Request-Method') !== null && - headers.get('Access-Control-Request-Headers') !== null + headers.get("Origin") !== null && + headers.get("Access-Control-Request-Method") !== null && + headers.get("Access-Control-Request-Headers") !== null ) { let accessControlRequestValue = headers.get( - 'Access-Control-Request-Headers', + "Access-Control-Request-Headers", ); response = new Response(null, { headers: { ...corsHeaders, // Allow all future content Request headers to go back to browser // such as Authorization (Bearer) or X-Client-Name-Version - accessControlRequestValue: accessControlRequestValue || '', + "Access-Control-Allow-Headers": accessControlRequestValue || "", }, }); } 
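Review bot: With the header name now correct, the preflight response echoes whatever arrived in `Access-Control-Request-Headers` back as `Access-Control-Allow-Headers`, and combined with `"Access-Control-Allow-Origin": "*"` from `corsHeaders` no origin and no header is ever refused, including the `X-Cookie` and `PHPSESSID` helpers that `handleRequest` turns into a real `Cookie`. If that is the intent, the comment should say so, e.g. `// Deliberately reflects every requested header: this is an open CORS proxy, keep it off networks that can reach internal hosts`; otherwise intersect the requested names with an allowlist before echoing them. `accessControlRequestValue` is never reassigned and can be declared `const`. `handleOptions` starts before this hunk.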
@@ -174,32 +174,33 @@ function handleOptions(request: H3Event) { export default defineEventHandler(async (event) => { const destination = getQuery(event).destination; - let response = new Response('404 Not Found', { + let response = new Response("404 Not Found", { status: 404, }); let body; try { - body = await readBody(event); - } catch { + body = await readRawBody(event); + } catch (err) { body = null; + console.log(err); } - if (isMethod(event, 'OPTIONS')) { + if (isMethod(event, "OPTIONS")) { // Handle CORS preflight requests response = handleOptions(event); } else if (!destination?.toString()) { - response = new Response('200 OK', { + response = new Response("200 OK", { status: 200, headers: { - Allow: 'GET, HEAD, POST, OPTIONS', - 'Access-Control-Allow-Origin': '*', + Allow: "GET, HEAD, POST, OPTIONS", + "Access-Control-Allow-Origin": "*", }, }); } else if ( - isMethod(event, 'GET') || - isMethod(event, 'HEAD') || - isMethod(event, 'POST') + isMethod(event, "GET") || + isMethod(event, "HEAD") || + isMethod(event, "POST") ) { // Handle request response = await handleRequest({
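Review bot: `destination` is taken straight from the query string and the only check before the `handleRequest` call is that it is non-empty, so the server will fetch any URL a caller supplies, including loopback, link-local and other internal addresses (the arguments passed to `handleRequest` are outside the hunk, so this is inferred from what is visible). Parse it first with `const target = new URL(destination.toString());` inside a `try`, and return 400 unless `target.protocol` is `http:` or `https:` and the host passes the deployment's allow/deny policy. Separately, `readRawBody` is awaited before the method check, so OPTIONS and GET requests also pay for a body read; moving it into the GET/HEAD/POST branch would avoid that. The handler body continues past the end of this hunk.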