Merge pull request #23 from movie-web/dev

Version 2.1.1: Fix support for JWT on non-Cloudflare platforms

.github/workflows/release.yml

@@ -47,7 +47,7 @@ jobs:
           body: |
             Instead of downloading a package, you can also run it in docker:
             ```sh
-            docker run movie-web/simple-proxy:${{ steps.package-version.outputs.current-version }}
+            docker run ghcr.io/movie-web/simple-proxy:${{ steps.package-version.outputs.current-version }}
             ```
 
       - name: Upload cloudflare build

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 movie-web
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1,8 +1,7 @@
 # simple-proxy
 
 Simple reverse proxy to bypass CORS, used by [movie-web](https://movie-web.app).
-
-[![Deploy to Cloudflare Workers](https://deploy.workers.cloudflare.com/button)](https://deploy.workers.cloudflare.com/?url=https://github.com/movie-web/simple-proxy)
+Read the docs at https://docs.movie-web.app/proxy
 
 ---
 
@@ -10,6 +9,10 @@ Simple reverse proxy to bypass CORS, used by [movie-web](https://movie-web.app).
  - Deployable on many platforms - thanks to nitro
  - header rewrites - read and write protected headers
  - bypass CORS - always allows browser to send requests through it
+ - secure it with turnstile - prevent bots from using your proxy
+
+> [!WARNING]
+> Turnstile integration only works properly with cloudflare workers as platform
 
 ### supported platforms:
  - cloudflare workers

package.json

@@ -1,7 +1,7 @@
 {
   "name": "simple-proxy",
   "private": true,
-  "version": "2.0.1",
+  "version": "2.1.1",
   "scripts": {
     "prepare": "nitropack prepare",
     "dev": "nitropack dev",
@@ -15,7 +15,8 @@
     "preinstall": "npx only-allow pnpm"
   },
   "dependencies": {
-    "h3": "^1.8.1",
+    "h3": "^1.9.0",
+    "jose": "^5.2.0",
     "nitropack": "latest"
   },
   "devDependencies": {

pnpm-lock.yaml

@@ -6,8 +6,11 @@ settings:
 
 dependencies:
   h3:
-    specifier: ^1.8.1
-    version: 1.8.1
+    specifier: ^1.9.0
+    version: 1.9.0
+  jose:
+    specifier: ^5.2.0
+    version: 5.2.0
   nitropack:
     specifier: latest
     version: 2.6.3
@@ -283,6 +286,11 @@ packages:
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
     dev: true
 
+  /@fastify/busboy@2.0.0:
+    resolution: {integrity: sha512-JUFJad5lv7jxj926GPgymrWQxxjPYuJNiNjNMzqT+HiuP6Vl3dk5xzG+8sTX96np0ZAluvaMzPsjhHZ5rNuNQQ==}
+    engines: {node: '>=14'}
+    dev: false
+
   /@humanwhocodes/config-array@0.11.11:
     resolution: {integrity: sha512-N2brEuAadi0CcdeMXUkhbZB84eskAc8MEX1By6qEchoVywSgXPIjou4rYsl0V3Hj0ZnuGycGCjdNgockbzeWNA==}
     engines: {node: '>=10.10.0'}
@@ -488,6 +496,7 @@ packages:
     dependencies:
       is-glob: 4.0.3
       micromatch: 4.0.5
+      napi-wasm: 1.1.0
     dev: false
     bundledDependencies:
       - napi-wasm
@@ -1127,13 +1136,6 @@ packages:
       run-applescript: 5.0.0
     dev: true
 
-  /busboy@1.6.0:
-    resolution: {integrity: sha512-8SFQbg/0hQ9xy3UNTB0YEnsNBbWfhf7RtnzpL7TkBiTBRfrQ9Fxcnz7VJsleJpyp6rVLvXiuORqjlHi5q+PYuA==}
-    engines: {node: '>=10.16.0'}
-    dependencies:
-      streamsearch: 1.1.0
-    dev: false
-
   /c12@1.4.2:
     resolution: {integrity: sha512-3IP/MuamSVRVw8W8+CHWAz9gKN4gd+voF2zm/Ln6D25C2RhytEZ1ABbC8MjKr4BR9rhoV1JQ7jJA158LDiTkLg==}
     dependencies:
@@ -1400,6 +1402,10 @@ packages:
     resolution: {integrity: sha512-+uO4+qr7msjNNWKYPHqN/3+Dx3NFkmIzayk2L1MyZQlvgZb/J1A0fo410dpKrN2SnqFjt8n4JL8fDJE0wIgjFQ==}
     dev: false
 
+  /defu@6.1.3:
+    resolution: {integrity: sha512-Vy2wmG3NTkmHNg/kzpuvHhkqeIx3ODWqasgCRbKtbXEN0G+HpEEv9BtJLp7ZG1CZloFaC41Ah3ZFbq7aqCqMeQ==}
+    dev: false
+
   /delegates@1.0.0:
     resolution: {integrity: sha512-bd2L678uiWATM6m5Z1VzNCErI3jiGzt6HGY8OVICs40JQq/HALfbyNJmp0UDakEY4pMMaN0Ly5om/B1VI/+xfQ==}
     dev: false
@@ -1418,6 +1424,10 @@ packages:
     resolution: {integrity: sha512-M1Ob1zPSIvlARiJUkKqvAZ3VAqQY6Jcuth/pBKQ2b1dX/Qx0OnJ8Vux6J2H5PTMQeRzWrrbTu70VxBfv/OPDJA==}
     dev: false
 
+  /destr@2.0.2:
+    resolution: {integrity: sha512-65AlobnZMiCET00KaFFjUefxDX0khFA/E4myqZ7a6Sq1yZtR8+FVIvilVX66vF2uobSumxooYZChiRPCKNqhmg==}
+    dev: false
+
   /destroy@1.2.0:
     resolution: {integrity: sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==}
     engines: {node: '>= 0.8', npm: 1.2.8000 || >= 1.4.16}
@@ -2178,15 +2188,15 @@ packages:
       duplexer: 0.1.2
     dev: false
 
-  /h3@1.8.1:
-    resolution: {integrity: sha512-m5rFuu+5bpwBBHqqS0zexjK+Q8dhtFRvO9JXQG0RvSPL6QrIT6vv42vuBM22SLOgGMoZYsHk0y7VPidt9s+nkw==}
+  /h3@1.9.0:
+    resolution: {integrity: sha512-+F3ZqrNV/CFXXfZ2lXBINHi+rM4Xw3CDC5z2CDK3NMPocjonKipGLLDSkrqY9DOrioZNPTIdDMWfQKm//3X2DA==}
     dependencies:
       cookie-es: 1.0.0
-      defu: 6.1.2
-      destr: 2.0.1
-      iron-webcrypto: 0.8.2
+      defu: 6.1.3
+      destr: 2.0.2
+      iron-webcrypto: 1.0.0
       radix3: 1.1.0
-      ufo: 1.3.0
+      ufo: 1.3.2
       uncrypto: 0.1.3
       unenv: 1.7.4
     dev: false
@@ -2328,8 +2338,8 @@ packages:
       - supports-color
     dev: false
 
-  /iron-webcrypto@0.8.2:
-    resolution: {integrity: sha512-jGiwmpgTuF19Vt4hn3+AzaVFGpVZt7A1ysd5ivFel2r4aNVFwqaYa6aU6qsF1PM7b+WFivZHz3nipwUOXaOnHg==}
+  /iron-webcrypto@1.0.0:
+    resolution: {integrity: sha512-anOK1Mktt8U1Xi7fCM3RELTuYbnFikQY5VtrDj7kPgpejV7d43tWKhzgioO0zpkazLEL/j/iayRqnJhrGfqUsg==}
     dev: false
 
   /is-array-buffer@3.0.2:
@@ -2531,6 +2541,10 @@ packages:
     hasBin: true
     dev: false
 
+  /jose@5.2.0:
+    resolution: {integrity: sha512-oW3PCnvyrcm1HMvGTzqjxxfnEs9EoFOFWi2HsEGhlFVOXxTE3K9GKWVMFoFw06yPUqwpvEWic1BmtUZBI/tIjw==}
+    dev: false
+
   /js-yaml@4.1.0:
     resolution: {integrity: sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==}
     hasBin: true
@@ -2609,7 +2623,7 @@ packages:
       consola: 3.2.3
       defu: 6.1.2
       get-port-please: 3.1.1
-      h3: 1.8.1
+      h3: 1.9.0
       http-shutdown: 1.2.2
       jiti: 1.20.0
       mlly: 1.4.2
@@ -2781,6 +2795,10 @@ packages:
   /ms@2.1.3:
     resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==}
 
+  /napi-wasm@1.1.0:
+    resolution: {integrity: sha512-lHwIAJbmLSjF9VDRm9GoVOy9AGp3aIvkjv+Kvz9h16QR3uSVYH78PNQUnT2U4X53mhlnV2M7wrhibQ3GHicDmg==}
+    dev: false
+
   /natural-compare@1.4.0:
     resolution: {integrity: sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw==}
     dev: true
@@ -2824,7 +2842,7 @@ packages:
       fs-extra: 11.1.1
       globby: 13.2.2
       gzip-size: 7.0.0
-      h3: 1.8.1
+      h3: 1.9.0
       hookable: 5.5.3
       httpxy: 0.1.5
       is-primitive: 3.0.1
@@ -3063,7 +3081,7 @@ packages:
       fast-glob: 3.3.1
       js-yaml: 4.1.0
       supports-color: 9.4.0
-      undici: 5.24.0
+      undici: 5.27.0
       yargs-parser: 21.1.1
     dev: false
 
@@ -3513,11 +3531,6 @@ packages:
     resolution: {integrity: sha512-f9aPhy8fYBuMN+sNfakZV18U39PbalgjXG3lLB9WkaYTxijru61wb57V9wxxNthXM5Sd88ETBWi29qLAsHO52Q==}
     dev: false
 
-  /streamsearch@1.1.0:
-    resolution: {integrity: sha512-Mcc5wHehp9aXz1ax6bZUyY5afg9u2rv5cqQI3mRrYkGC8rW2hM02jWuwjtL++LS5qinSyhj2QfLyNsuc+VsExg==}
-    engines: {node: '>=10.0.0'}
-    dev: false
-
   /streamx@2.15.1:
     resolution: {integrity: sha512-fQMzy2O/Q47rgwErk/eGeLu/roaFWV0jVsogDmrszM9uIw8L5OA+t+V93MgYlufNptfjmYR1tOMWhei/Eh7TQA==}
     dependencies:
@@ -3773,6 +3786,10 @@ packages:
     resolution: {integrity: sha512-bRn3CsoojyNStCZe0BG0Mt4Nr/4KF+rhFlnNXybgqt5pXHNFRlqinSoQaTrGyzE4X8aHplSb+TorH+COin9Yxw==}
     dev: false
 
+  /ufo@1.3.2:
+    resolution: {integrity: sha512-o+ORpgGwaYQXgqGDwd+hkS4PuZ3QnmqMMxRuajK/a38L6fTpcE5GPIfrf+L/KemFzfUpeUQc1rRS1iDBozvnFA==}
+    dev: false
+
   /unbox-primitive@1.0.2:
     resolution: {integrity: sha512-61pPlCD9h51VoreyJ0BReideM3MDKMKnh6+V9L08331ipq6Q8OFXZYiqP6n/tbHx4s5I9uRhcye6BrbkizkBDw==}
     dependencies:
@@ -3795,11 +3812,11 @@ packages:
       unplugin: 1.4.0
     dev: false
 
-  /undici@5.24.0:
-    resolution: {integrity: sha512-OKlckxBjFl0oXxcj9FU6oB8fDAaiRUq+D8jrFWGmOfI/gIyjk/IeS75LMzgYKUaeHzLUcYvf9bbJGSrUwTfwwQ==}
+  /undici@5.27.0:
+    resolution: {integrity: sha512-l3ydWhlhOJzMVOYkymLykcRRXqbUaQriERtR70B9LzNkZ4bX52Fc8wbTDneMiwo8T+AemZXvXaTx+9o5ROxrXg==}
     engines: {node: '>=14.0'}
     dependencies:
-      busboy: 1.6.0
+      '@fastify/busboy': 2.0.0
     dev: false
 
   /unenv@1.7.4:
@@ -3885,7 +3902,7 @@ packages:
       anymatch: 3.1.3
       chokidar: 3.5.3
       destr: 2.0.1
-      h3: 1.8.1
+      h3: 1.9.0
       ioredis: 5.3.2
       listhen: 1.5.1
       lru-cache: 10.0.1

src/routes/index.ts

@@ -2,8 +2,13 @@ import { getBodyBuffer } from '@/utils/body';
 import {
   getProxyHeaders,
   getAfterResponseHeaders,
-  cleanupHeadersBeforeProxy,
+  getBlacklistedHeaders,
 } from '@/utils/headers';
+import {
+  createTokenIfNeeded,
+  isAllowedToMakeRequest,
+  setTokenHeader,
+} from '@/utils/turnstile';
 
 export default defineEventHandler(async (event) => {
   // handle cors, if applicable
@@ -14,18 +19,28 @@ export default defineEventHandler(async (event) => {
   if (!destination)
     return await sendJson({
       event,
-      status: 400,
+      status: 200,
       data: {
-        error: 'destination query parameter invalid',
+        message: 'Proxy is working as expected',
+      },
+    });
+
+  if (!(await isAllowedToMakeRequest(event)))
+    return await sendJson({
+      event,
+      status: 401,
+      data: {
+        error: 'Invalid or missing token',
       },
     });
 
   // read body
   const body = await getBodyBuffer(event);
+  const token = await createTokenIfNeeded(event);
 
   // proxy
-  cleanupHeadersBeforeProxy(event);
-  await proxyRequest(event, destination, {
+  await specificProxyRequest(event, destination, {
+    blacklistedHeaders: getBlacklistedHeaders(),
     fetchOptions: {
       redirect: 'follow',
       headers: getProxyHeaders(event.headers),
@@ -34,6 +49,7 @@ export default defineEventHandler(async (event) => {
     onResponse(outputEvent, response) {
       const headers = getAfterResponseHeaders(response.headers, response.url);
       setResponseHeaders(outputEvent, headers);
+      if (token) setTokenHeader(event, token);
     },
   });
 });

src/utils/headers.ts

@@ -1,4 +1,10 @@
-import { H3Event } from 'h3';
+const headerMap: Record<string, string> = {
+  'X-Cookie': 'Cookie',
+  'X-Referer': 'Referer',
+  'X-Origin': 'Origin',
+  'X-User-Agent': 'User-Agent',
+  'X-X-Real-Ip': 'X-Real-Ip',
+};
 
 const blacklistedHeaders = [
   'cf-connecting-ip',
@@ -11,6 +17,7 @@ const blacklistedHeaders = [
   'x-forwarded-proto',
   'forwarded',
   'x-real-ip',
+  ...Object.keys(headerMap),
 ];
 
 function copyHeader(
@@ -26,20 +33,16 @@ function copyHeader(
 export function getProxyHeaders(headers: Headers): Headers {
   const output = new Headers();
 
-  const headerMap: Record<string, string> = {
-    'X-Cookie': 'Cookie',
-    'X-Referer': 'Referer',
-    'X-Origin': 'Origin',
-  };
-  Object.entries(headerMap).forEach((entry) => {
-    copyHeader(headers, output, entry[0], entry[1]);
-  });
-
+  // default user agent
   output.set(
     'User-Agent',
     'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0',
   );
 
+  Object.entries(headerMap).forEach((entry) => {
+    copyHeader(headers, output, entry[0], entry[1]);
+  });
+
   return output;
 }
 
@@ -60,14 +63,6 @@ export function getAfterResponseHeaders(
   };
 }
 
-export function removeHeadersFromEvent(event: H3Event, key: string) {
-  const normalizedKey = key.toLowerCase();
-  if (event.node.req.headers[normalizedKey])
-    delete event.node.req.headers[normalizedKey];
-}
-
-export function cleanupHeadersBeforeProxy(event: H3Event) {
-  blacklistedHeaders.forEach((key) => {
-    removeHeadersFromEvent(event, key);
-  });
+export function getBlacklistedHeaders() {
+  return blacklistedHeaders;
 }

src/utils/ip.ts

@@ -0,0 +1,10 @@
+import { EventHandlerRequest, H3Event } from 'h3';
+
+export function getIp(event: H3Event<EventHandlerRequest>) {
+  const value = getHeader(event, 'CF-Connecting-IP');
+  if (!value)
+    throw new Error(
+      'Ip header not found, turnstile only works on cloudflare workers',
+    );
+  return value;
+}

src/utils/proxy.ts

@@ -0,0 +1,84 @@
+import {
+  H3Event,
+  Duplex,
+  ProxyOptions,
+  getProxyRequestHeaders,
+  RequestHeaders,
+} from 'h3';
+
+const PayloadMethods = new Set(['PATCH', 'POST', 'PUT', 'DELETE']);
+
+export interface ExtraProxyOptions {
+  blacklistedHeaders?: string[];
+}
+
+function mergeHeaders(
+  defaults: HeadersInit,
+  ...inputs: (HeadersInit | RequestHeaders | undefined)[]
+) {
+  const _inputs = inputs.filter(Boolean) as HeadersInit[];
+  if (_inputs.length === 0) {
+    return defaults;
+  }
+  const merged = new Headers(defaults);
+  for (const input of _inputs) {
+    if (input.entries) {
+      for (const [key, value] of (input.entries as any)()) {
+        if (value !== undefined) {
+          merged.set(key, value);
+        }
+      }
+    } else {
+      for (const [key, value] of Object.entries(input)) {
+        if (value !== undefined) {
+          merged.set(key, value);
+        }
+      }
+    }
+  }
+  return merged;
+}
+
+export async function specificProxyRequest(
+  event: H3Event,
+  target: string,
+  opts: ProxyOptions & ExtraProxyOptions = {},
+) {
+  let body;
+  let duplex: Duplex | undefined;
+  if (PayloadMethods.has(event.method)) {
+    if (opts.streamRequest) {
+      body = getRequestWebStream(event);
+      duplex = 'half';
+    } else {
+      body = await readRawBody(event, false).catch(() => undefined);
+    }
+  }
+
+  const method = opts.fetchOptions?.method || event.method;
+  const oldHeaders = getProxyRequestHeaders(event);
+  opts.blacklistedHeaders?.forEach((header) => {
+    const keys = Object.keys(oldHeaders).filter(
+      (v) => v.toLowerCase() === header.toLowerCase(),
+    );
+    keys.forEach((k) => delete oldHeaders[k]);
+  });
+
+  const fetchHeaders = mergeHeaders(
+    oldHeaders,
+    opts.fetchOptions?.headers,
+    opts.headers,
+  );
+  (fetchHeaders.forEach as any)(console.log);
+
+  return sendProxy(event, target, {
+    ...opts,
+    fetchOptions: {
+      method,
+      body,
+      duplex,
+      ...opts.fetchOptions,
+      headers: fetchHeaders,
+    },
+  });
+}

src/utils/turnstile.ts

@@ -0,0 +1,90 @@
+import { H3Event, EventHandlerRequest } from 'h3';
+import { SignJWT, jwtVerify } from 'jose';
+import { getIp } from '@/utils/ip';
+
+const turnstileSecret = process.env.TURNSTILE_SECRET ?? null;
+const jwtSecret = process.env.JWT_SECRET ?? null;
+
+const tokenHeader = 'X-Token';
+const jwtPrefix = 'jwt|';
+const turnstilePrefix = 'turnstile|';
+
+export function isTurnstileEnabled() {
+  return !!turnstileSecret && !!jwtSecret;
+}
+
+export async function makeToken(ip: string) {
+  if (!jwtSecret) throw new Error('Cannot make token without a secret');
+  return await new SignJWT({ ip })
+    .setProtectedHeader({ alg: 'HS256' })
+    .setExpirationTime('10m')
+    .sign(new TextEncoder().encode(jwtSecret));
+}
+
+export function setTokenHeader(
+  event: H3Event<EventHandlerRequest>,
+  token: string,
+) {
+  setHeader(event, tokenHeader, token);
+}
+
+export async function createTokenIfNeeded(
+  event: H3Event<EventHandlerRequest>,
+): Promise<null | string> {
+  if (!isTurnstileEnabled()) return null;
+  if (!jwtSecret) return null;
+  const token = event.headers.get(tokenHeader);
+  if (!token) return null;
+  if (!token.startsWith(turnstilePrefix)) return null;
+
+  return await makeToken(getIp(event));
+}
+
+export async function isAllowedToMakeRequest(
+  event: H3Event<EventHandlerRequest>,
+) {
+  if (!isTurnstileEnabled()) return true;
+
+  const token = event.headers.get(tokenHeader);
+  if (!token) return false;
+  if (!jwtSecret || !turnstileSecret) return false;
+
+  if (token.startsWith(jwtPrefix)) {
+    const jwtToken = token.slice(jwtPrefix.length);
+    let jwtPayload: { ip: string } | null = null;
+    try {
+      const jwtResult = await jwtVerify<{ ip: string }>(
+        jwtToken,
+        new TextEncoder().encode(jwtSecret),
+        {
+          algorithms: ['HS256'],
+        },
+      );
+      jwtPayload = jwtResult.payload;
+    } catch {}
+    if (!jwtPayload) return false;
+    if (getIp(event) !== jwtPayload.ip) return false;
+    return true;
+  }
+
+  if (token.startsWith(turnstilePrefix)) {
+    const turnstileToken = token.slice(turnstilePrefix.length);
+    const formData = new FormData();
+    formData.append('secret', turnstileSecret);
+    formData.append('response', turnstileToken);
+    formData.append('remoteip', getIp(event));
+
+    const result = await fetch(
+      'https://challenges.cloudflare.com/turnstile/v0/siteverify',
+      {
+        body: formData,
+        method: 'POST',
+      },
+    );
+
+    const outcome: { success: boolean } = await result.json();
+    return outcome.success;
+  }
+
+  return false;
+}