Merge pull request #20 from movie-web/dev

Simple proxy v2.1.0

LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2023 movie-web
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

package.json

@@ -1,7 +1,7 @@
 {
   "name": "simple-proxy",
   "private": true,
-  "version": "2.1.1",
+  "version": "2.1.0",
   "scripts": {
     "prepare": "nitropack prepare",
     "dev": "nitropack dev",
@@ -15,8 +15,8 @@
     "preinstall": "npx only-allow pnpm"
   },
   "dependencies": {
-    "h3": "^1.9.0",
-    "jose": "^5.2.0",
+    "@tsndr/cloudflare-worker-jwt": "^2.3.2",
+    "h3": "^1.8.1",
     "nitropack": "latest"
   },
   "devDependencies": {

pnpm-lock.yaml

@@ -5,12 +5,12 @@ settings:
   excludeLinksFromLockfile: false
 
 dependencies:
+  '@tsndr/cloudflare-worker-jwt':
+    specifier: ^2.3.2
+    version: 2.3.2
   h3:
-    specifier: ^1.9.0
-    version: 1.9.0
-  jose:
-    specifier: ^5.2.0
-    version: 5.2.0
+    specifier: ^1.8.1
+    version: 1.8.1
   nitropack:
     specifier: latest
     version: 2.6.3
@@ -704,6 +704,10 @@ packages:
       rollup: 3.29.1
     dev: false
 
+  /@tsndr/cloudflare-worker-jwt@2.3.2:
+    resolution: {integrity: sha512-g1jSm5olPqKh15kadnj0666YPudibHYGyFyM0URLXSeY5MzNIGkfhFedLgKHq8NCDBMzLUMX7Oz8d+jmQXqBuw==}
+    dev: false
+
   /@types/estree@1.0.1:
     resolution: {integrity: sha512-LG4opVs2ANWZ1TJoKc937iMmNstM/d0ae1vNbnBvBhqCSezgVUOzcLCqbI5elV8Vy6WKwKjaqR+zO9VKirBBCA==}
     dev: false
@@ -1402,10 +1406,6 @@ packages:
     resolution: {integrity: sha512-+uO4+qr7msjNNWKYPHqN/3+Dx3NFkmIzayk2L1MyZQlvgZb/J1A0fo410dpKrN2SnqFjt8n4JL8fDJE0wIgjFQ==}
     dev: false
 
-  /defu@6.1.3:
-    resolution: {integrity: sha512-Vy2wmG3NTkmHNg/kzpuvHhkqeIx3ODWqasgCRbKtbXEN0G+HpEEv9BtJLp7ZG1CZloFaC41Ah3ZFbq7aqCqMeQ==}
-    dev: false
-
   /delegates@1.0.0:
     resolution: {integrity: sha512-bd2L678uiWATM6m5Z1VzNCErI3jiGzt6HGY8OVICs40JQq/HALfbyNJmp0UDakEY4pMMaN0Ly5om/B1VI/+xfQ==}
     dev: false
@@ -1424,10 +1424,6 @@ packages:
     resolution: {integrity: sha512-M1Ob1zPSIvlARiJUkKqvAZ3VAqQY6Jcuth/pBKQ2b1dX/Qx0OnJ8Vux6J2H5PTMQeRzWrrbTu70VxBfv/OPDJA==}
     dev: false
 
-  /destr@2.0.2:
-    resolution: {integrity: sha512-65AlobnZMiCET00KaFFjUefxDX0khFA/E4myqZ7a6Sq1yZtR8+FVIvilVX66vF2uobSumxooYZChiRPCKNqhmg==}
-    dev: false
-
   /destroy@1.2.0:
     resolution: {integrity: sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==}
     engines: {node: '>= 0.8', npm: 1.2.8000 || >= 1.4.16}
@@ -2188,15 +2184,15 @@ packages:
       duplexer: 0.1.2
     dev: false
 
-  /h3@1.9.0:
-    resolution: {integrity: sha512-+F3ZqrNV/CFXXfZ2lXBINHi+rM4Xw3CDC5z2CDK3NMPocjonKipGLLDSkrqY9DOrioZNPTIdDMWfQKm//3X2DA==}
+  /h3@1.8.1:
+    resolution: {integrity: sha512-m5rFuu+5bpwBBHqqS0zexjK+Q8dhtFRvO9JXQG0RvSPL6QrIT6vv42vuBM22SLOgGMoZYsHk0y7VPidt9s+nkw==}
     dependencies:
       cookie-es: 1.0.0
-      defu: 6.1.3
-      destr: 2.0.2
-      iron-webcrypto: 1.0.0
+      defu: 6.1.2
+      destr: 2.0.1
+      iron-webcrypto: 0.8.2
       radix3: 1.1.0
-      ufo: 1.3.2
+      ufo: 1.3.0
       uncrypto: 0.1.3
       unenv: 1.7.4
     dev: false
@@ -2338,8 +2334,8 @@ packages:
       - supports-color
     dev: false
 
-  /iron-webcrypto@1.0.0:
-    resolution: {integrity: sha512-anOK1Mktt8U1Xi7fCM3RELTuYbnFikQY5VtrDj7kPgpejV7d43tWKhzgioO0zpkazLEL/j/iayRqnJhrGfqUsg==}
+  /iron-webcrypto@0.8.2:
+    resolution: {integrity: sha512-jGiwmpgTuF19Vt4hn3+AzaVFGpVZt7A1ysd5ivFel2r4aNVFwqaYa6aU6qsF1PM7b+WFivZHz3nipwUOXaOnHg==}
     dev: false
 
   /is-array-buffer@3.0.2:
@@ -2541,10 +2537,6 @@ packages:
     hasBin: true
     dev: false
 
-  /jose@5.2.0:
-    resolution: {integrity: sha512-oW3PCnvyrcm1HMvGTzqjxxfnEs9EoFOFWi2HsEGhlFVOXxTE3K9GKWVMFoFw06yPUqwpvEWic1BmtUZBI/tIjw==}
-    dev: false
-
   /js-yaml@4.1.0:
     resolution: {integrity: sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==}
     hasBin: true
@@ -2623,7 +2615,7 @@ packages:
       consola: 3.2.3
       defu: 6.1.2
       get-port-please: 3.1.1
-      h3: 1.9.0
+      h3: 1.8.1
       http-shutdown: 1.2.2
       jiti: 1.20.0
       mlly: 1.4.2
@@ -2842,7 +2834,7 @@ packages:
       fs-extra: 11.1.1
       globby: 13.2.2
       gzip-size: 7.0.0
-      h3: 1.9.0
+      h3: 1.8.1
       hookable: 5.5.3
       httpxy: 0.1.5
       is-primitive: 3.0.1
@@ -3786,10 +3778,6 @@ packages:
     resolution: {integrity: sha512-bRn3CsoojyNStCZe0BG0Mt4Nr/4KF+rhFlnNXybgqt5pXHNFRlqinSoQaTrGyzE4X8aHplSb+TorH+COin9Yxw==}
     dev: false
 
-  /ufo@1.3.2:
-    resolution: {integrity: sha512-o+ORpgGwaYQXgqGDwd+hkS4PuZ3QnmqMMxRuajK/a38L6fTpcE5GPIfrf+L/KemFzfUpeUQc1rRS1iDBozvnFA==}
-    dev: false
-
   /unbox-primitive@1.0.2:
     resolution: {integrity: sha512-61pPlCD9h51VoreyJ0BReideM3MDKMKnh6+V9L08331ipq6Q8OFXZYiqP6n/tbHx4s5I9uRhcye6BrbkizkBDw==}
     dependencies:
@@ -3902,7 +3890,7 @@ packages:
       anymatch: 3.1.3
       chokidar: 3.5.3
       destr: 2.0.1
-      h3: 1.9.0
+      h3: 1.8.1
       ioredis: 5.3.2
       listhen: 1.5.1
       lru-cache: 10.0.1

src/routes/index.ts

@@ -2,7 +2,7 @@ import { getBodyBuffer } from '@/utils/body';
 import {
   getProxyHeaders,
   getAfterResponseHeaders,
-  getBlacklistedHeaders,
+  cleanupHeadersBeforeProxy,
 } from '@/utils/headers';
 import {
   createTokenIfNeeded,
@@ -39,8 +39,8 @@ export default defineEventHandler(async (event) => {
   const token = await createTokenIfNeeded(event);
 
   // proxy
-  await specificProxyRequest(event, destination, {
-    blacklistedHeaders: getBlacklistedHeaders(),
+  cleanupHeadersBeforeProxy(event);
+  await proxyRequest(event, destination, {
     fetchOptions: {
       redirect: 'follow',
       headers: getProxyHeaders(event.headers),

src/utils/headers.ts

@@ -1,10 +1,4 @@
-const headerMap: Record<string, string> = {
-  'X-Cookie': 'Cookie',
-  'X-Referer': 'Referer',
-  'X-Origin': 'Origin',
-  'X-User-Agent': 'User-Agent',
-  'X-X-Real-Ip': 'X-Real-Ip',
-};
+import { H3Event } from 'h3';
 
 const blacklistedHeaders = [
   'cf-connecting-ip',
@@ -17,7 +11,6 @@ const blacklistedHeaders = [
   'x-forwarded-proto',
   'forwarded',
   'x-real-ip',
-  ...Object.keys(headerMap),
 ];
 
 function copyHeader(
@@ -33,16 +26,20 @@ function copyHeader(
 export function getProxyHeaders(headers: Headers): Headers {
   const output = new Headers();
 
-  // default user agent
+  const headerMap: Record<string, string> = {
+    'X-Cookie': 'Cookie',
+    'X-Referer': 'Referer',
+    'X-Origin': 'Origin',
+  };
+  Object.entries(headerMap).forEach((entry) => {
+    copyHeader(headers, output, entry[0], entry[1]);
+  });
+
   output.set(
     'User-Agent',
     'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0',
   );
 
-  Object.entries(headerMap).forEach((entry) => {
-    copyHeader(headers, output, entry[0], entry[1]);
-  });
-
   return output;
 }
 
@@ -63,6 +60,14 @@ export function getAfterResponseHeaders(
   };
 }
 
-export function getBlacklistedHeaders() {
-  return blacklistedHeaders;
+export function removeHeadersFromEvent(event: H3Event, key: string) {
+  const normalizedKey = key.toLowerCase();
+  if (event.node.req.headers[normalizedKey])
+    delete event.node.req.headers[normalizedKey];
+}
+
+export function cleanupHeadersBeforeProxy(event: H3Event) {
+  blacklistedHeaders.forEach((key) => {
+    removeHeadersFromEvent(event, key);
+  });
 }

src/utils/proxy.ts

@@ -1,84 +0,0 @@
-import {
-  H3Event,
-  Duplex,
-  ProxyOptions,
-  getProxyRequestHeaders,
-  RequestHeaders,
-} from 'h3';
-
-const PayloadMethods = new Set(['PATCH', 'POST', 'PUT', 'DELETE']);
-
-export interface ExtraProxyOptions {
-  blacklistedHeaders?: string[];
-}
-
-function mergeHeaders(
-  defaults: HeadersInit,
-  ...inputs: (HeadersInit | RequestHeaders | undefined)[]
-) {
-  const _inputs = inputs.filter(Boolean) as HeadersInit[];
-  if (_inputs.length === 0) {
-    return defaults;
-  }
-  const merged = new Headers(defaults);
-  for (const input of _inputs) {
-    if (input.entries) {
-      for (const [key, value] of (input.entries as any)()) {
-        if (value !== undefined) {
-          merged.set(key, value);
-        }
-      }
-    } else {
-      for (const [key, value] of Object.entries(input)) {
-        if (value !== undefined) {
-          merged.set(key, value);
-        }
-      }
-    }
-  }
-  return merged;
-}
-
-export async function specificProxyRequest(
-  event: H3Event,
-  target: string,
-  opts: ProxyOptions & ExtraProxyOptions = {},
-) {
-  let body;
-  let duplex: Duplex | undefined;
-  if (PayloadMethods.has(event.method)) {
-    if (opts.streamRequest) {
-      body = getRequestWebStream(event);
-      duplex = 'half';
-    } else {
-      body = await readRawBody(event, false).catch(() => undefined);
-    }
-  }
-
-  const method = opts.fetchOptions?.method || event.method;
-  const oldHeaders = getProxyRequestHeaders(event);
-  opts.blacklistedHeaders?.forEach((header) => {
-    const keys = Object.keys(oldHeaders).filter(
-      (v) => v.toLowerCase() === header.toLowerCase(),
-    );
-    keys.forEach((k) => delete oldHeaders[k]);
-  });
-
-  const fetchHeaders = mergeHeaders(
-    oldHeaders,
-    opts.fetchOptions?.headers,
-    opts.headers,
-  );
-  (fetchHeaders.forEach as any)(console.log);
-
-  return sendProxy(event, target, {
-    ...opts,
-    fetchOptions: {
-      method,
-      body,
-      duplex,
-      ...opts.fetchOptions,
-      headers: fetchHeaders,
-    },
-  });
-}

src/utils/turnstile.ts

@@ -1,5 +1,5 @@
 import { H3Event, EventHandlerRequest } from 'h3';
-import { SignJWT, jwtVerify } from 'jose';
+import jsonwebtoken from '@tsndr/cloudflare-worker-jwt';
 import { getIp } from '@/utils/ip';
 
 const turnstileSecret = process.env.TURNSTILE_SECRET ?? null;
@@ -15,10 +15,13 @@ export function isTurnstileEnabled() {
 
 export async function makeToken(ip: string) {
   if (!jwtSecret) throw new Error('Cannot make token without a secret');
-  return await new SignJWT({ ip })
-    .setProtectedHeader({ alg: 'HS256' })
-    .setExpirationTime('10m')
-    .sign(new TextEncoder().encode(jwtSecret));
+  return await jsonwebtoken.sign(
+    {
+      ip,
+      exp: Math.floor(Date.now() / 1000) + 60 * 10, // 10 Minutes
+    },
+    jwtSecret,
+  );
 }
 
 export function setTokenHeader(
@@ -51,19 +54,13 @@ export async function isAllowedToMakeRequest(
 
   if (token.startsWith(jwtPrefix)) {
     const jwtToken = token.slice(jwtPrefix.length);
-    let jwtPayload: { ip: string } | null = null;
-    try {
-      const jwtResult = await jwtVerify<{ ip: string }>(
-        jwtToken,
-        new TextEncoder().encode(jwtSecret),
-        {
-          algorithms: ['HS256'],
-        },
-      );
-      jwtPayload = jwtResult.payload;
-    } catch {}
-    if (!jwtPayload) return false;
-    if (getIp(event) !== jwtPayload.ip) return false;
+    const isValid = await jsonwebtoken.verify(jwtToken, jwtSecret, {
+      algorithm: 'HS256',
+    });
+    if (!isValid) return false;
+    const jwtBody = jsonwebtoken.decode<{ ip: string }>(jwtToken);
+    if (!jwtBody.payload) return false;
+    if (getIp(event) !== jwtBody.payload.ip) return false;
     return true;
   }