Merge pull request #20 from movie-web/dev

Simple proxy v2.1.0

.dockerignore

@@ -0,0 +1,7 @@
+node_modules
+*.log*
+.nitro
+.cache
+.output
+.env
+dist

.eslintignore

@@ -0,0 +1,3 @@
+dist
+.output
+node-modules

.eslintrc.js

@@ -0,0 +1,50 @@
+module.exports = {
+  env: {
+    browser: true,
+  },
+  extends: [
+    "plugin:@typescript-eslint/recommended",
+    "plugin:prettier/recommended",
+  ],
+  ignorePatterns: ["public/*", "dist/*", "/*.js", "/*.ts"],
+  parser: "@typescript-eslint/parser",
+  parserOptions: {
+    project: "./tsconfig.json",
+    tsconfigRootDir: "./",
+  },
+  settings: {
+    "import/resolver": {
+      typescript: {
+        project: "./tsconfig.json",
+      },
+    },
+  },
+  plugins: ["@typescript-eslint", "import", "prettier"],
+  rules: {
+    "no-underscore-dangle": "off",
+    "@typescript-eslint/no-explicit-any": "off",
+    "no-console": "off",
+    "@typescript-eslint/no-this-alias": "off",
+    "import/prefer-default-export": "off",
+    "@typescript-eslint/no-empty-function": "off",
+    "no-shadow": "off",
+    "@typescript-eslint/no-shadow": ["error"],
+    "no-restricted-syntax": "off",
+    "import/no-unresolved": ["error", { ignore: ["^virtual:"] }],
+    "consistent-return": "off",
+    "no-continue": "off",
+    "no-eval": "off",
+    "no-await-in-loop": "off",
+    "no-nested-ternary": "off",
+    "prefer-destructuring": "off",
+    "@typescript-eslint/no-unused-vars": ["warn", { argsIgnorePattern: "^_" }],
+    "import/extensions": [
+      "error",
+      "ignorePackages",
+      {
+        ts: "never",
+        tsx: "never",
+      },
+    ]
+  },
+}

.eslintrc.json

@@ -1,18 +0,0 @@
-{
-  "env": {
-    "worker": true,
-    "node": true,
-    "es6": true
-  },
-  "parserOptions": {
-    "ecmaVersion": "latest"
-  },
-  "root": true,
-  "extends": ["eslint:recommended", "plugin:prettier/recommended"],
-  "plugins": [],
-  "ignorePatterns": ["dist"],
-  "rules": {
-    "prettier/prettier": "error",
-    "no-undef": "off"
-  }
-}

.github/workflows/build_release.yml

@@ -1,60 +0,0 @@
-name: Build Release
-
-on:
-  push:
-    branches:
-      - master
-
-jobs:
-  build:
-    name: Build
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Install Node.js
-        uses: actions/setup-node@v1
-        with:
-          node-version: 16
-
-      - name: Install NPM packages
-        run: npm install
-
-      - name: Build project
-        run: npm run build
-
-      - name: Upload production-ready build files
-        uses: actions/upload-artifact@v3
-        with:
-          name: worker.js
-          path: ./dist/worker.js
-
-      - name: Bump version and push tag
-        id: tag_version
-        uses: mathieudutour/github-tag-action@v6.1
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Create Release
-        id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ steps.tag_version.outputs.new_tag }}
-          release_name: Simple Proxy Worker
-          draft: false
-          prerelease: false
-
-      - name: Upload Release Asset
-        id: upload-release-asset
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./dist/worker.js
-          asset_name: worker.js
-          asset_content_type: text/javascript

.github/workflows/cloudflare.yml

@@ -0,0 +1,36 @@
+name: Deploy Worker
+
+# this action is for the "deploy to cloudflare" button
+# repository_dispatch is triggered by CF
+# secrets should also be made by CF
+
+on: ["repository_dispatch"]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v3
+        
+      - uses: pnpm/action-setup@v2
+        with:
+          version: latest
+
+      - name: Install Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+          cache: 'pnpm'
+
+      - name: Install packages
+        run: pnpm install --frozen-lockfile
+
+      - name: Build Project
+        run: pnpm build:cloudflare
+
+      - name: Build & Deploy Worker
+        uses: cloudflare/wrangler-action@v3
+        with:
+          apiToken: ${{ secrets.CF_API_TOKEN }}
+          accountId: ${{ secrets.CF_ACCOUNT_ID }}

.github/workflows/linting.yml

@@ -0,0 +1,60 @@
+name: Linting and Testing
+
+on:
+  push:
+    branches:
+      - master
+      - dev
+  pull_request:
+
+jobs:
+  linting:
+    name: Run Linters
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        
+      - uses: pnpm/action-setup@v2
+        with:
+          version: latest
+
+      - name: Install Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+          cache: 'pnpm'
+
+      - name: Install packages
+        run: pnpm install --frozen-lockfile
+
+      - name: Prepare for linting
+        run: pnpm prepare
+
+      - name: Run ESLint
+        run: pnpm lint
+
+  building:
+    name: Build project
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - uses: pnpm/action-setup@v2
+        with:
+          version: latest
+      
+      - name: Install Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+          cache: 'pnpm'
+      
+      - name: Install pnpm packages
+        run: pnpm install --frozen-lockfile
+
+      - name: Build Project
+        run: pnpm build

.github/workflows/linting_testing.yml

@@ -1,42 +0,0 @@
-name: Linting and Testing
-
-on:
-  push:
-    branches:
-      - master
-      - dev
-  pull_request_target:
-    types: [opened, reopened, synchronize]
-
-jobs:
-  linting:
-    name: Run Linters
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      
-      - name: Install Node.js
-        uses: actions/setup-node@v1
-        with:
-          node-version: 16
-      
-      - name: Install NPM packages
-        run: npm install
-      
-      - name: Run ESLint Report
-        run: npm run lint:report
-        # continue on error, so it still reports it in the next step
-        continue-on-error: true
-
-      - name: Annotate Code Linting Results
-        uses: ataylorme/eslint-annotate-action@v2
-        with:
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
-          report-json: "eslint_report.json"
-
-      - name: Build Project
-        run: npm run build
-
-      

.github/workflows/publish.yml

@@ -0,0 +1,55 @@
+name: Docker Publish
+
+on:
+  push:
+    branches:
+      - master
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Get version
+        id: package-version
+        uses: martinbeentjes/npm-get-version-action@main
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          flavor: |
+            latest=auto
+          tags: |
+            type=semver,pattern={{version}},value=v${{ steps.package-version.outputs.current-version }}
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v4
+        with:
+          push: true
+          context: .
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta.outputs.tags }}

.github/workflows/release.yml

@@ -0,0 +1,81 @@
+name: Release
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        
+      - uses: pnpm/action-setup@v2
+        with:
+          version: latest
+
+      - name: Get version
+        id: package-version
+        uses: martinbeentjes/npm-get-version-action@main
+
+      - name: Install packages
+        run: pnpm install --frozen-lockfile
+
+      - name: Build for cloudflare
+        run: pnpm build:cloudflare && cp ./.output/server/index.mjs ./cloudflare.worker.mjs
+
+      - name: Build for AWS
+        run: pnpm build:aws && cd .output/server && zip -r ../../lambda.zip .
+
+      - name: Build for Node
+        run: pnpm build:node && cd .output/server && zip -r ../../nodejs.zip .
+
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: v${{ steps.package-version.outputs.current-version }}
+          release_name: Bot v${{ steps.package-version.outputs.current-version }}
+          draft: false
+          prerelease: false
+          body: |
+            Instead of downloading a package, you can also run it in docker:
+            ```sh
+            docker run ghcr.io/movie-web/simple-proxy:${{ steps.package-version.outputs.current-version }}
+            ```
+
+      - name: Upload cloudflare build
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./cloudflare.worker.mjs
+          asset_name: simple-proxy-cloudflare.mjs
+          asset_content_type: text/javascript
+
+      - name: Upload AWS build
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./lambda.zip
+          asset_name: simple-proxy-aws-lambda.zip
+          asset_content_type: application/zip
+
+      - name: Upload Node build
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./nodejs.zip
+          asset_name: simple-proxy-nodejs.zip
+          asset_content_type: application/zip

.gitignore

@@ -1,2 +1,7 @@
 node_modules
-dist
+*.log*
+.nitro
+.cache
+.output
+.env
+dist

.vscode/extensions.json

@@ -1,6 +1,3 @@
 {
-  "recommendations": [
+  "recommendations": ["dbaeumer.vscode-eslint", "editorconfig.editorconfig"]
-    "dbaeumer.vscode-eslint",
-    "editorconfig.editorconfig"
-  ]
 }

Dockerfile

@@ -0,0 +1,20 @@
+FROM node:18-alpine as base
+WORKDIR /app
+
+# Build layer
+FROM base as build
+
+RUN npm i -g pnpm
+COPY pnpm-lock.yaml package.json ./
+RUN pnpm install --frozen-lockfile
+COPY . .
+RUN pnpm build
+
+# Production layer
+FROM base as production
+
+EXPOSE 3000
+ENV NODE_ENV=production
+COPY --from=build /app/.output ./.output
+
+CMD ["node", ".output/server/index.mjs"]

README.md

@@ -1,3 +1,20 @@
-# Cloudflare worker proxy
+# simple-proxy
 
-Simple http proxy in a cloudflare worker.
+Simple reverse proxy to bypass CORS, used by [movie-web](https://movie-web.app).
+Read the docs at https://docs.movie-web.app/proxy
+
+---
+
+### features:
+ - Deployable on many platforms - thanks to nitro
+ - header rewrites - read and write protected headers
+ - bypass CORS - always allows browser to send requests through it
+ - secure it with turnstile - prevent bots from using your proxy
+
+> [!WARNING]
+> Turnstile integration only works properly with cloudflare workers as platform
+
+### supported platforms:
+ - cloudflare workers
+ - AWS lambda
+ - nodejs

nitro.config.ts

@@ -0,0 +1,10 @@
+import { join } from "path";
+
+//https://nitro.unjs.io/config
+export default defineNitroConfig({
+  noPublicDir: true,
+  srcDir: "./src",
+  alias: {
+    "@": join(__dirname, "src")
+  }
+});

package.json

@@ -1,18 +1,31 @@
 {
   "name": "simple-proxy",
   "private": true,
-  "version": "1.0.0",
+  "version": "2.1.0",
   "scripts": {
-    "build": "vite build",
+    "prepare": "nitropack prepare",
-    "lint": "eslint --ext .js src/",
+    "dev": "nitropack dev",
-    "lint:fix": "eslint --fix --ext .js src/",
+    "build": "nitropack build",
-    "lint:report": "eslint --ext .js --output-file eslint_report.json --format json src/"
+    "build:cloudflare": "NITRO_PRESET=cloudflare npm run build",
+    "build:aws": "NITRO_PRESET=aws_lambda npm run build",
+    "build:node": "NITRO_PRESET=node-server npm run build",
+    "start": "node .output/server/index.mjs",
+    "lint": "eslint --ext .ts src/",
+    "lint:fix": "eslint --fix --ext .ts src/",
+    "preinstall": "npx only-allow pnpm"
+  },
+  "dependencies": {
+    "@tsndr/cloudflare-worker-jwt": "^2.3.2",
+    "h3": "^1.8.1",
+    "nitropack": "latest"
   },
   "devDependencies": {
-    "eslint": "^8.30.0",
+    "@typescript-eslint/eslint-plugin": "^6.7.0",
-    "eslint-config-prettier": "^8.5.0",
+    "@typescript-eslint/parser": "^6.7.0",
-    "eslint-plugin-prettier": "^4.2.1",
+    "eslint": "^8.48.0",
-    "vite": "^4.0.0",
+    "eslint-config-airbnb-base": "^15.0.0",
-    "vite-plugin-eslint": "^1.8.1"
+    "eslint-config-prettier": "^9.0.0",
+    "eslint-import-resolver-typescript": "^3.6.0",
+    "eslint-plugin-prettier": "^5.0.0"
   }
 }

src/main.js

@@ -1,173 +0,0 @@
-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Methods': 'GET,HEAD,POST,OPTIONS',
-  'Access-Control-Max-Age': '86400',
-};
-
-async function handleRequest(oRequest, destination, iteration = 0) {
-  console.log(
-    `PROXYING ${destination}${iteration ? ' ON ITERATION ' + iteration : ''}`,
-  );
-
-  // Create a new mutable request object for the destination
-  const request = new Request(destination, oRequest);
-  request.headers.set('Origin', new URL(destination).origin);
-
-  // TODO - Make cookie handling better. PHPSESSID overwrites all other cookie related headers
-
-  // Add custom X headers from client
-  // These headers are usually forbidden to be set by fetch
-  if (oRequest.headers.has('X-Cookie')) {
-    request.headers.set('Cookie', oRequest.headers.get('X-Cookie'));
-    request.headers.delete('X-Cookie');
-  }
-
-  if (request.headers.has('X-Referer')) {
-    request.headers.set('Referer', request.headers.get('X-Referer'));
-    request.headers.delete('X-Referer');
-  }
-
-  if (request.headers.has('X-Origin')) {
-    request.headers.set('Origin', request.headers.get('X-Origin'));
-    request.headers.delete('X-Origin');
-  }
-
-  // Set PHPSESSID cookie
-  if (request.headers.get('PHPSESSID')) {
-    request.headers.set(
-      'Cookie',
-      `PHPSESSID=${request.headers.get('PHPSESSID')}`,
-    );
-  }
-
-  // Set User Agent, if not exists
-  const useragent = request.headers.get('User-Agent');
-  if (!useragent) {
-    request.headers.set(
-      'User-Agent',
-      'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0',
-    );
-  }
-
-  // Fetch the new resource
-  const oResponse = await fetch(request.clone());
-
-  // If the server returned a redirect, follow it
-  if (
-    (oResponse.status === 302 || oResponse.status === 301) &&
-    oResponse.headers.get('location')
-  ) {
-    // Server tried to redirect too many times
-    if (iteration > 5) {
-      return new Response('418 Too many redirects', {
-        status: 418,
-      });
-    }
-
-    // Handle and return the request for the redirected destination
-    return await handleRequest(
-      request,
-      oResponse.headers.get('location'),
-      iteration + 1,
-    );
-  }
-
-  // Create mutable response using the original response as init
-  const response = new Response(oResponse.body, oResponse);
-
-  // Set CORS headers
-  response.headers.set('Access-Control-Allow-Origin', '*');
-  response.headers.set('Access-Control-Expose-Headers', '*');
-
-  const cookiesToSet = response.headers.get('Set-Cookie');
-
-  // Transfer Set-Cookie to X-Set-Cookie
-  // Normally the Set-Cookie header is not accessible to fetch clients
-  if (cookiesToSet) {
-    response.headers.set('X-Set-Cookie', response.headers.get('Set-Cookie'));
-  }
-
-  // Set PHPSESSID cookie
-  if (
-    cookiesToSet &&
-    cookiesToSet.includes('PHPSESSID') &&
-    cookiesToSet.includes(';')
-  ) {
-    let phpsessid = cookiesToSet.slice(cookiesToSet.search('PHPSESSID') + 10);
-    phpsessid = phpsessid.slice(0, phpsessid.search(';'));
-
-    response.headers.set('PHPSESSID', phpsessid);
-  }
-
-  // Append to/Add Vary header so browser will cache response correctly
-  response.headers.append('Vary', 'Origin');
-
-  // Add X-Final-Destination header to get the final url
-  response.headers.set('X-Final-Destination', oResponse.url);
-
-  return response;
-}
-
-function handleOptions(request) {
-  // Make sure the necessary headers are present
-  // for this to be a valid pre-flight request
-  const headers = request.headers;
-  let response = new Response(null, {
-    headers: {
-      Allow: 'GET, HEAD, POST, OPTIONS',
-    },
-  });
-
-  if (
-    headers.get('Origin') !== null &&
-    headers.get('Access-Control-Request-Method') !== null &&
-    headers.get('Access-Control-Request-Headers') !== null
-  ) {
-    response = new Response(null, {
-      headers: {
-        ...corsHeaders,
-        // Allow all future content Request headers to go back to browser
-        // such as Authorization (Bearer) or X-Client-Name-Version
-        'Access-Control-Allow-Headers': request.headers.get(
-          'Access-Control-Request-Headers',
-        ),
-      },
-    });
-  }
-
-  return response;
-}
-
-addEventListener('fetch', (event) => {
-  const request = event.request;
-  const url = new URL(request.url);
-  const destination = url.searchParams.get('destination');
-
-  console.log(`HTTP ${request.method} - ${request.url}`);
-
-  let response = new Response('404 Not Found', {
-    status: 404,
-  });
-
-  if (request.method === 'OPTIONS') {
-    // Handle CORS preflight requests
-    response = handleOptions(request);
-  } else if (!destination) {
-    response = new Response('200 OK', {
-      status: 200,
-      headers: {
-        Allow: 'GET, HEAD, POST, OPTIONS',
-        'Access-Control-Allow-Origin': '*',
-      },
-    });
-  } else if (
-    request.method === 'GET' ||
-    request.method === 'HEAD' ||
-    request.method === 'POST'
-  ) {
-    // Handle request
-    response = handleRequest(request, destination);
-  }
-
-  event.respondWith(response);
-});

src/routes/index.ts

@@ -0,0 +1,55 @@
+import { getBodyBuffer } from '@/utils/body';
+import {
+  getProxyHeaders,
+  getAfterResponseHeaders,
+  cleanupHeadersBeforeProxy,
+} from '@/utils/headers';
+import {
+  createTokenIfNeeded,
+  isAllowedToMakeRequest,
+  setTokenHeader,
+} from '@/utils/turnstile';
+
+export default defineEventHandler(async (event) => {
+  // handle cors, if applicable
+  if (isPreflightRequest(event)) return handleCors(event, {});
+
+  // parse destination URL
+  const destination = getQuery<{ destination?: string }>(event).destination;
+  if (!destination)
+    return await sendJson({
+      event,
+      status: 200,
+      data: {
+        message: 'Proxy is working as expected',
+      },
+    });
+
+  if (!(await isAllowedToMakeRequest(event)))
+    return await sendJson({
+      event,
+      status: 401,
+      data: {
+        error: 'Invalid or missing token',
+      },
+    });
+
+  // read body
+  const body = await getBodyBuffer(event);
+  const token = await createTokenIfNeeded(event);
+
+  // proxy
+  cleanupHeadersBeforeProxy(event);
+  await proxyRequest(event, destination, {
+    fetchOptions: {
+      redirect: 'follow',
+      headers: getProxyHeaders(event.headers),
+      body,
+    },
+    onResponse(outputEvent, response) {
+      const headers = getAfterResponseHeaders(response.headers, response.url);
+      setResponseHeaders(outputEvent, headers);
+      if (token) setTokenHeader(event, token);
+    },
+  });
+});

src/utils/body.ts

@@ -0,0 +1,13 @@
+import { H3Event } from 'h3';
+
+export function hasBody(event: H3Event) {
+  const method = event.method.toUpperCase();
+  return ['PUT', 'POST', 'PATCH', 'DELETE'].includes(method);
+}
+
+export async function getBodyBuffer(
+  event: H3Event,
+): Promise<Buffer | undefined> {
+  if (!hasBody(event)) return;
+  return await readRawBody(event, false);
+}

src/utils/headers.ts

@@ -0,0 +1,73 @@
+import { H3Event } from 'h3';
+
+const blacklistedHeaders = [
+  'cf-connecting-ip',
+  'cf-worker',
+  'cf-ray',
+  'cf-visitor',
+  'cf-ew-via',
+  'x-forwarded-for',
+  'x-forwarded-host',
+  'x-forwarded-proto',
+  'forwarded',
+  'x-real-ip',
+];
+
+function copyHeader(
+  headers: Headers,
+  outputHeaders: Headers,
+  inputKey: string,
+  outputKey: string,
+) {
+  if (headers.has(inputKey))
+    outputHeaders.set(outputKey, headers.get(inputKey) ?? '');
+}
+
+export function getProxyHeaders(headers: Headers): Headers {
+  const output = new Headers();
+
+  const headerMap: Record<string, string> = {
+    'X-Cookie': 'Cookie',
+    'X-Referer': 'Referer',
+    'X-Origin': 'Origin',
+  };
+  Object.entries(headerMap).forEach((entry) => {
+    copyHeader(headers, output, entry[0], entry[1]);
+  });
+
+  output.set(
+    'User-Agent',
+    'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0',
+  );
+
+  return output;
+}
+
+export function getAfterResponseHeaders(
+  headers: Headers,
+  finalUrl: string,
+): Record<string, string> {
+  const output: Record<string, string> = {};
+
+  if (headers.has('Set-Cookie'))
+    output['X-Set-Cookie'] = headers.get('Set-Cookie') ?? '';
+
+  return {
+    'Access-Control-Allow-Origin': '*',
+    'Access-Control-Expose-Headers': '*',
+    Vary: 'Origin',
+    'X-Final-Destination': finalUrl,
+  };
+}
+
+export function removeHeadersFromEvent(event: H3Event, key: string) {
+  const normalizedKey = key.toLowerCase();
+  if (event.node.req.headers[normalizedKey])
+    delete event.node.req.headers[normalizedKey];
+}
+
+export function cleanupHeadersBeforeProxy(event: H3Event) {
+  blacklistedHeaders.forEach((key) => {
+    removeHeadersFromEvent(event, key);
+  });
+}

src/utils/ip.ts

@@ -0,0 +1,10 @@
+import { EventHandlerRequest, H3Event } from 'h3';
+
+export function getIp(event: H3Event<EventHandlerRequest>) {
+  const value = getHeader(event, 'CF-Connecting-IP');
+  if (!value)
+    throw new Error(
+      'Ip header not found, turnstile only works on cloudflare workers',
+    );
+  return value;
+}

src/utils/sending.ts

@@ -0,0 +1,10 @@
+import { H3Event, EventHandlerRequest } from 'h3';
+
+export async function sendJson(ops: {
+  event: H3Event<EventHandlerRequest>;
+  data: Record<string, any>;
+  status?: number;
+}) {
+  setResponseStatus(ops.event, ops.status ?? 200);
+  await send(ops.event, JSON.stringify(ops.data, null, 2), 'application/json');
+}

src/utils/turnstile.ts

@@ -0,0 +1,87 @@
+import { H3Event, EventHandlerRequest } from 'h3';
+import jsonwebtoken from '@tsndr/cloudflare-worker-jwt';
+import { getIp } from '@/utils/ip';
+
+const turnstileSecret = process.env.TURNSTILE_SECRET ?? null;
+const jwtSecret = process.env.JWT_SECRET ?? null;
+
+const tokenHeader = 'X-Token';
+const jwtPrefix = 'jwt|';
+const turnstilePrefix = 'turnstile|';
+
+export function isTurnstileEnabled() {
+  return !!turnstileSecret && !!jwtSecret;
+}
+
+export async function makeToken(ip: string) {
+  if (!jwtSecret) throw new Error('Cannot make token without a secret');
+  return await jsonwebtoken.sign(
+    {
+      ip,
+      exp: Math.floor(Date.now() / 1000) + 60 * 10, // 10 Minutes
+    },
+    jwtSecret,
+  );
+}
+
+export function setTokenHeader(
+  event: H3Event<EventHandlerRequest>,
+  token: string,
+) {
+  setHeader(event, tokenHeader, token);
+}
+
+export async function createTokenIfNeeded(
+  event: H3Event<EventHandlerRequest>,
+): Promise<null | string> {
+  if (!isTurnstileEnabled()) return null;
+  if (!jwtSecret) return null;
+  const token = event.headers.get(tokenHeader);
+  if (!token) return null;
+  if (!token.startsWith(turnstilePrefix)) return null;
+
+  return await makeToken(getIp(event));
+}
+
+export async function isAllowedToMakeRequest(
+  event: H3Event<EventHandlerRequest>,
+) {
+  if (!isTurnstileEnabled()) return true;
+
+  const token = event.headers.get(tokenHeader);
+  if (!token) return false;
+  if (!jwtSecret || !turnstileSecret) return false;
+
+  if (token.startsWith(jwtPrefix)) {
+    const jwtToken = token.slice(jwtPrefix.length);
+    const isValid = await jsonwebtoken.verify(jwtToken, jwtSecret, {
+      algorithm: 'HS256',
+    });
+    if (!isValid) return false;
+    const jwtBody = jsonwebtoken.decode<{ ip: string }>(jwtToken);
+    if (!jwtBody.payload) return false;
+    if (getIp(event) !== jwtBody.payload.ip) return false;
+    return true;
+  }
+
+  if (token.startsWith(turnstilePrefix)) {
+    const turnstileToken = token.slice(turnstilePrefix.length);
+    const formData = new FormData();
+    formData.append('secret', turnstileSecret);
+    formData.append('response', turnstileToken);
+    formData.append('remoteip', getIp(event));
+
+    const result = await fetch(
+      'https://challenges.cloudflare.com/turnstile/v0/siteverify',
+      {
+        body: formData,
+        method: 'POST',
+      },
+    );
+
+    const outcome: { success: boolean } = await result.json();
+    return outcome.success;
+  }
+
+  return false;
+}

tsconfig.json

@@ -0,0 +1,23 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "lib": ["dom", "dom.iterable", "esnext"],
+    "allowJs": true,
+    "skipLibCheck": true,
+    "esModuleInterop": true,
+    "allowSyntheticDefaultImports": true,
+    "strict": true,
+    "forceConsistentCasingInFileNames": true,
+    "noFallthroughCasesInSwitch": true,
+    "module": "esnext",
+    "moduleResolution": "node",
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "noEmit": true,
+    "baseUrl": "./src",
+    "paths": {
+      "@/*": ["./*"]
+    }
+  },
+  "extends": "./.nitro/types/tsconfig.json"
+}

vite.config.js

@@ -1,16 +0,0 @@
-const path = require('path');
-const { defineConfig } = require('vite');
-const { default: eslint } = require('vite-plugin-eslint');
-
-module.exports = defineConfig({
-  plugins: [eslint()],
-  build: {
-    minify: false,
-    lib: {
-      entry: path.resolve(__dirname, 'src/main.js'),
-      name: 'worker',
-      formats: ['es'],
-      fileName: () => `worker.js`,
-    },
-  },
-});

wrangler.toml

@@ -0,0 +1,4 @@
+name = "simple-proxy"
+main = "./.output/server/index.mjs"
+workers_dev = true
+compatibility_date = "2022-09-10"