From 15b438be48411076c2b4417bf4377fc60c3f432b Mon Sep 17 00:00:00 2001
From: mrjvs
Date: Sat, 23 Dec 2023 23:25:03 +0100
Subject: [PATCH 1/6] Create LICENSE
---
LICENSE | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 LICENSE
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..2c2b7c4
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 movie-web
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
From 8c503269d1d86c54126fa57853f138fc1efd10ca Mon Sep 17 00:00:00 2001
From: mrjvs
Date: Thu, 4 Jan 2024 19:54:14 +0100
Subject: [PATCH 2/6] Fixed AWS and NodeJS support
---
package.json | 2 +-
pnpm-lock.yaml | 14 +++++++-------
src/utils/turnstile.ts | 33 ++++++++++++++++++---------------
3 files changed, 26 insertions(+), 23 deletions(-)
diff --git a/package.json b/package.json
index c9eac5f..e9c0af7 100644
--- a/package.json
+++ b/package.json
@@ -15,8 +15,8 @@ "preinstall": "npx only-allow pnpm" }, "dependencies": { - "@tsndr/cloudflare-worker-jwt": "^2.3.2", "h3": "^1.8.1", + "jose": "^5.2.0", "nitropack": "latest" }, "devDependencies": { diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 2c6251a..f18e821 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -5,12 +5,12 @@ settings: excludeLinksFromLockfile: false dependencies: - '@tsndr/cloudflare-worker-jwt': - specifier: ^2.3.2 - version: 2.3.2 h3: specifier: ^1.8.1 version: 1.8.1 + jose: + specifier: ^5.2.0 + version: 5.2.0 nitropack: specifier: latest version: 2.6.3 @@ -704,10 +704,6 @@ packages: rollup: 3.29.1 dev: false - /@tsndr/cloudflare-worker-jwt@2.3.2: - resolution: {integrity: sha512-g1jSm5olPqKh15kadnj0666YPudibHYGyFyM0URLXSeY5MzNIGkfhFedLgKHq8NCDBMzLUMX7Oz8d+jmQXqBuw==} - dev: false - /@types/estree@1.0.1: resolution: {integrity: sha512-LG4opVs2ANWZ1TJoKc937iMmNstM/d0ae1vNbnBvBhqCSezgVUOzcLCqbI5elV8Vy6WKwKjaqR+zO9VKirBBCA==} dev: false @@ -2537,6 +2533,10 @@ packages: hasBin: true dev: false + /jose@5.2.0: + resolution: {integrity: sha512-oW3PCnvyrcm1HMvGTzqjxxfnEs9EoFOFWi2HsEGhlFVOXxTE3K9GKWVMFoFw06yPUqwpvEWic1BmtUZBI/tIjw==} + dev: false + /js-yaml@4.1.0: resolution: {integrity: sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==} hasBin: true diff --git a/src/utils/turnstile.ts b/src/utils/turnstile.ts index 2e4f22e..8209799 100644 --- a/src/utils/turnstile.ts +++ b/src/utils/turnstile.ts @@ -1,5 +1,5 @@ import { H3Event, EventHandlerRequest } from 'h3'; -import jsonwebtoken from '@tsndr/cloudflare-worker-jwt'; +import { SignJWT, jwtVerify } from 'jose'; import { getIp } from '@/utils/ip'; const turnstileSecret = process.env.TURNSTILE_SECRET ?? null; 
@@ -15,13 +15,10 @@ export function isTurnstileEnabled() { export async function makeToken(ip: string) { if (!jwtSecret) throw new Error('Cannot make token without a secret'); - return await jsonwebtoken.sign( - { - ip, - exp: Math.floor(Date.now() / 1000) + 60 * 10, // 10 Minutes - }, - jwtSecret, - ); + return await new SignJWT({ ip }) + .setProtectedHeader({ alg: 'HS256' }) + .setExpirationTime('10m') + .sign(new TextEncoder().encode(jwtSecret)); } export function setTokenHeader( @@ -54,13 +51,19 @@ export async function isAllowedToMakeRequest( if (token.startsWith(jwtPrefix)) { const jwtToken = token.slice(jwtPrefix.length); - const isValid = await jsonwebtoken.verify(jwtToken, jwtSecret, { - algorithm: 'HS256', - }); - if (!isValid) return false; - const jwtBody = jsonwebtoken.decode<{ ip: string }>(jwtToken); - if (!jwtBody.payload) return false; - if (getIp(event) !== jwtBody.payload.ip) return false; + let jwtPayload: { ip: string } | null = null; + try { + const jwtResult = await jwtVerify<{ ip: string }>( + jwtToken, + new TextEncoder().encode(jwtSecret), + { + algorithms: ['HS256'], + }, + ); + jwtPayload = jwtResult.payload; + } catch {} + if (!jwtPayload) return false; + if (getIp(event) !== jwtPayload.ip) return false; return true; } From 054ea6aa077e011a01f4f8fe145f342d5119dcf4 Mon Sep 17 00:00:00 2001 From: mrjvs Date: Thu, 4 Jan 2024 19:54:24 +0100 Subject: [PATCH 3/6] Support overwriting user agent --- src/utils/headers.ts | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/utils/headers.ts b/src/utils/headers.ts index f87c2f6..3130378 100644 --- a/src/utils/headers.ts +++ b/src/utils/headers.ts 
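Review bot: In makeToken the HMAC key is built inline with `new TextEncoder().encode(jwtSecret)`, and the same expression is repeated in the verify path of isAllowedToMakeRequest, so the two sides can drift apart on a later edit. Hoisting it into one module-level helper, e.g. `const jwtKey = () => new TextEncoder().encode(jwtSecret!)`, keeps signing and verification on the same key material. Nothing visible in this hunk checks the secret beyond `!jwtSecret`, so a very short secret would be accepted silently; a length check at startup would be a cheap guard. A short doc comment on makeToken stating that the token binds the caller's IP for ten minutes would also help the next reader.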
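Review bot: The empty `catch {}` around `jwtVerify` in isAllowedToMakeRequest folds every failure into the same silent `return false`, so an expired token, a bad signature and a misconfigured or missing secret cannot be told apart in logs. Logging at least the error's `code` (jose errors carry one) would make forged-token attempts and deployment mistakes visible without changing the deny-by-default result. The generic `jwtVerify<{ ip: string }>` is a compile-time assertion only; adding `if (typeof jwtPayload.ip !== 'string') return false;` before the comparison ensures a validly signed token without the claim can never equal an undefined result from `getIp(event)`, whose return type is not visible here. The function starts and ends outside this hunk.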
@@ -26,20 +26,23 @@ function copyHeader( export function getProxyHeaders(headers: Headers): Headers { const output = new Headers(); + // default user-agent + output.set( + 'User-Agent', + 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0', + ); + const headerMap: Record = { 'X-Cookie': 'Cookie', 'X-Referer': 'Referer', 'X-Origin': 'Origin', + 'X-User-Agent': 'User-Agent', + 'X-X-Real-Ip': 'X-Real-Ip', }; Object.entries(headerMap).forEach((entry) => { copyHeader(headers, output, entry[0], entry[1]); }); - output.set( - 'User-Agent', - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0', - ); - return output; } From 882e26fa1b7aca486fe1a6948f201d78d1ec2038 Mon Sep 17 00:00:00 2001 From: mrjvs Date: Thu, 4 Jan 2024 20:16:53 +0100 Subject: [PATCH 4/6] Upgrade h3 --- package.json | 2 +- pnpm-lock.yaml | 38 +++++++++++++++++++++++++------------- src/utils/headers.ts | 3 ++- 3 files changed, 28 insertions(+), 15 deletions(-) diff --git a/package.json b/package.json index e9c0af7..e74629a 100644 --- a/package.json +++ b/package.json @@ -15,7 +15,7 @@ "preinstall": "npx only-allow pnpm" }, "dependencies": { - "h3": "^1.8.1", + "h3": "^1.9.0", "jose": "^5.2.0", "nitropack": "latest" }, diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index f18e821..5d255ba 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -6,8 +6,8 @@ settings: dependencies: h3: - specifier: ^1.8.1 - version: 1.8.1 + specifier: ^1.9.0 + version: 1.9.0 jose: specifier: ^5.2.0 version: 5.2.0 @@ -1402,6 +1402,10 @@ packages: resolution: {integrity: sha512-+uO4+qr7msjNNWKYPHqN/3+Dx3NFkmIzayk2L1MyZQlvgZb/J1A0fo410dpKrN2SnqFjt8n4JL8fDJE0wIgjFQ==} dev: false + /defu@6.1.3: + resolution: {integrity: sha512-Vy2wmG3NTkmHNg/kzpuvHhkqeIx3ODWqasgCRbKtbXEN0G+HpEEv9BtJLp7ZG1CZloFaC41Ah3ZFbq7aqCqMeQ==} + dev: false + /delegates@1.0.0: resolution: {integrity: sha512-bd2L678uiWATM6m5Z1VzNCErI3jiGzt6HGY8OVICs40JQq/HALfbyNJmp0UDakEY4pMMaN0Ly5om/B1VI/+xfQ==} dev: false 
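Review bot: The new map entry `'X-X-Real-Ip': 'X-Real-Ip'` in getProxyHeaders (src/utils/headers.ts) copies a caller-supplied value into the upstream `X-Real-Ip` header with no validation visible in this hunk, so any destination that uses that header for logging, rate limiting or access decisions will see whatever the client chose to send. If that is the intended feature, state it next to the map, e.g. `// X-X-Real-Ip is caller-controlled and unauthenticated; it is forwarded as-is`, and consider dropping values that do not parse as an IP address. The `X-User-Agent` override has the same shape with lower impact. copyHeader is defined outside the hunk, so whether it filters the value cannot be confirmed from here.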
@@ -1420,6 +1424,10 @@ packages: resolution: {integrity: sha512-M1Ob1zPSIvlARiJUkKqvAZ3VAqQY6Jcuth/pBKQ2b1dX/Qx0OnJ8Vux6J2H5PTMQeRzWrrbTu70VxBfv/OPDJA==} dev: false + /destr@2.0.2: + resolution: {integrity: sha512-65AlobnZMiCET00KaFFjUefxDX0khFA/E4myqZ7a6Sq1yZtR8+FVIvilVX66vF2uobSumxooYZChiRPCKNqhmg==} + dev: false + /destroy@1.2.0: resolution: {integrity: sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==} engines: {node: '>= 0.8', npm: 1.2.8000 || >= 1.4.16} @@ -2180,15 +2188,15 @@ packages: duplexer: 0.1.2 dev: false - /h3@1.8.1: - resolution: {integrity: sha512-m5rFuu+5bpwBBHqqS0zexjK+Q8dhtFRvO9JXQG0RvSPL6QrIT6vv42vuBM22SLOgGMoZYsHk0y7VPidt9s+nkw==} + /h3@1.9.0: + resolution: {integrity: sha512-+F3ZqrNV/CFXXfZ2lXBINHi+rM4Xw3CDC5z2CDK3NMPocjonKipGLLDSkrqY9DOrioZNPTIdDMWfQKm//3X2DA==} dependencies: cookie-es: 1.0.0 - defu: 6.1.2 - destr: 2.0.1 - iron-webcrypto: 0.8.2 + defu: 6.1.3 + destr: 2.0.2 + iron-webcrypto: 1.0.0 radix3: 1.1.0 - ufo: 1.3.0 + ufo: 1.3.2 uncrypto: 0.1.3 unenv: 1.7.4 dev: false @@ -2330,8 +2338,8 @@ packages: - supports-color dev: false - /iron-webcrypto@0.8.2: - resolution: {integrity: sha512-jGiwmpgTuF19Vt4hn3+AzaVFGpVZt7A1ysd5ivFel2r4aNVFwqaYa6aU6qsF1PM7b+WFivZHz3nipwUOXaOnHg==} + /iron-webcrypto@1.0.0: + resolution: {integrity: sha512-anOK1Mktt8U1Xi7fCM3RELTuYbnFikQY5VtrDj7kPgpejV7d43tWKhzgioO0zpkazLEL/j/iayRqnJhrGfqUsg==} dev: false /is-array-buffer@3.0.2: @@ -2615,7 +2623,7 @@ packages: consola: 3.2.3 defu: 6.1.2 get-port-please: 3.1.1 - h3: 1.8.1 + h3: 1.9.0 http-shutdown: 1.2.2 jiti: 1.20.0 mlly: 1.4.2 @@ -2834,7 +2842,7 @@ packages: fs-extra: 11.1.1 globby: 13.2.2 gzip-size: 7.0.0 - h3: 1.8.1 + h3: 1.9.0 hookable: 5.5.3 httpxy: 0.1.5 is-primitive: 3.0.1 
@@ -3778,6 +3786,10 @@ packages: resolution: {integrity: sha512-bRn3CsoojyNStCZe0BG0Mt4Nr/4KF+rhFlnNXybgqt5pXHNFRlqinSoQaTrGyzE4X8aHplSb+TorH+COin9Yxw==} dev: false + /ufo@1.3.2: + resolution: {integrity: sha512-o+ORpgGwaYQXgqGDwd+hkS4PuZ3QnmqMMxRuajK/a38L6fTpcE5GPIfrf+L/KemFzfUpeUQc1rRS1iDBozvnFA==} + dev: false + /unbox-primitive@1.0.2: resolution: {integrity: sha512-61pPlCD9h51VoreyJ0BReideM3MDKMKnh6+V9L08331ipq6Q8OFXZYiqP6n/tbHx4s5I9uRhcye6BrbkizkBDw==} dependencies: @@ -3890,7 +3902,7 @@ packages: anymatch: 3.1.3 chokidar: 3.5.3 destr: 2.0.1 - h3: 1.8.1 + h3: 1.9.0 ioredis: 5.3.2 listhen: 1.5.1 lru-cache: 10.0.1 diff --git a/src/utils/headers.ts b/src/utils/headers.ts index 3130378..a0d9eb5 100644 --- a/src/utils/headers.ts +++ b/src/utils/headers.ts @@ -11,6 +11,7 @@ const blacklistedHeaders = [ 'x-forwarded-proto', 'forwarded', 'x-real-ip', + 'user-agent', ]; function copyHeader( @@ -26,7 +27,7 @@ function copyHeader( export function getProxyHeaders(headers: Headers): Headers { const output = new Headers(); - // default user-agent + // default user agent output.set( 'User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0', From 3d192e8bb8077ca21397b60dab6054c1fe8cbac6 Mon Sep 17 00:00:00 2001 From: mrjvs Date: Thu, 4 Jan 2024 20:57:54 +0100 Subject: [PATCH 5/6] Do proper proxying --- src/routes/index.ts | 6 ++-- src/utils/headers.ts | 29 ++++++--------- src/utils/proxy.ts | 84 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 97 insertions(+), 22 deletions(-) create mode 100644 src/utils/proxy.ts diff --git a/src/routes/index.ts b/src/routes/index.ts index f3e70d4..3f7e059 100644 --- a/src/routes/index.ts +++ b/src/routes/index.ts @@ -2,7 +2,7 @@ import { getBodyBuffer } from '@/utils/body'; import { getProxyHeaders, getAfterResponseHeaders, - cleanupHeadersBeforeProxy, + getBlacklistedHeaders, } from '@/utils/headers'; import { createTokenIfNeeded, 
@@ -39,8 +39,8 @@ export default defineEventHandler(async (event) => { const token = await createTokenIfNeeded(event); // proxy - cleanupHeadersBeforeProxy(event); - await proxyRequest(event, destination, { + await specificProxyRequest(event, destination, { + blacklistedHeaders: getBlacklistedHeaders(), fetchOptions: { redirect: 'follow', headers: getProxyHeaders(event.headers), diff --git a/src/utils/headers.ts b/src/utils/headers.ts index a0d9eb5..cc6a8a9 100644 --- a/src/utils/headers.ts +++ b/src/utils/headers.ts @@ -1,4 +1,10 @@ -import { H3Event } from 'h3'; +const headerMap: Record = { + 'X-Cookie': 'Cookie', + 'X-Referer': 'Referer', + 'X-Origin': 'Origin', + 'X-User-Agent': 'User-Agent', + 'X-X-Real-Ip': 'X-Real-Ip', +}; const blacklistedHeaders = [ 'cf-connecting-ip', @@ -11,7 +17,7 @@ const blacklistedHeaders = [ 'x-forwarded-proto', 'forwarded', 'x-real-ip', - 'user-agent', + ...Object.keys(headerMap), ]; function copyHeader( @@ -33,13 +39,6 @@ export function getProxyHeaders(headers: Headers): Headers { 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0', ); - const headerMap: Record = { - 'X-Cookie': 'Cookie', - 'X-Referer': 'Referer', - 'X-Origin': 'Origin', - 'X-User-Agent': 'User-Agent', - 'X-X-Real-Ip': 'X-Real-Ip', - }; Object.entries(headerMap).forEach((entry) => { copyHeader(headers, output, entry[0], entry[1]); }); @@ -64,14 +63,6 @@ export function getAfterResponseHeaders( }; } -export function removeHeadersFromEvent(event: H3Event, key: string) { - const normalizedKey = key.toLowerCase(); - if (event.node.req.headers[normalizedKey]) - delete event.node.req.headers[normalizedKey]; -} - -export function cleanupHeadersBeforeProxy(event: H3Event) { - blacklistedHeaders.forEach((key) => { - removeHeadersFromEvent(event, key); - }); +export function getBlacklistedHeaders() { + return blacklistedHeaders; } diff --git a/src/utils/proxy.ts b/src/utils/proxy.ts new file mode 100644 index 0000000..4a312fa --- /dev/null 
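Review bot: `getBlacklistedHeaders()` in src/utils/headers.ts returns the module-level `blacklistedHeaders` array by reference, so any caller that pushes to or splices the result changes the strip list for every later request. Returning a copy, `return [...blacklistedHeaders];`, or typing the constant as `readonly string[]` keeps the list that removes `cf-connecting-ip`, `x-forwarded-*` and the `X-*` control headers from being altered at runtime. The list now mixes lower-case names with the mixed-case keys of `headerMap`; that only works because the consumer lower-cases both sides, which deserves a one-line comment above the array.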
+++ b/src/utils/proxy.ts
@@ -0,0 +1,84 @@
+import {
+ H3Event,
+ Duplex,
+ ProxyOptions,
+ getProxyRequestHeaders,
+ RequestHeaders,
+} from 'h3';
+
+const PayloadMethods = new Set(['PATCH', 'POST', 'PUT', 'DELETE']);
+
+export interface ExtraProxyOptions {
+ blacklistedHeaders?: string[];
+}
+
+function mergeHeaders(
+ defaults: HeadersInit,
+ ...inputs: (HeadersInit | RequestHeaders | undefined)[]
+) {
+ const _inputs = inputs.filter(Boolean) as HeadersInit[];
+ if (_inputs.length === 0) {
+ return defaults;
+ }
+ const merged = new Headers(defaults);
+ for (const input of _inputs) {
+ if (input.entries) {
+ for (const [key, value] of (input.entries as any)()) {
+ if (value !== undefined) {
+ merged.set(key, value);
+ }
+ }
+ } else {
+ for (const [key, value] of Object.entries(input)) {
+ if (value !== undefined) {
+ merged.set(key, value);
+ }
+ }
+ }
+ }
+ return merged;
+}
+
+export async function specificProxyRequest(
+ event: H3Event,
+ target: string,
+ opts: ProxyOptions & ExtraProxyOptions = {},
+) {
+ let body;
+ let duplex: Duplex | undefined;
+ if (PayloadMethods.has(event.method)) {
+ if (opts.streamRequest) {
+ body = getRequestWebStream(event);
+ duplex = 'half';
+ } else {
+ body = await readRawBody(event, false).catch(() => undefined);
+ }
+ }
+
+ const method = opts.fetchOptions?.method || event.method;
+ const oldHeaders = getProxyRequestHeaders(event);
+ opts.blacklistedHeaders?.forEach((header) => {
+ const keys = Object.keys(oldHeaders).filter(
+ (v) => v.toLowerCase() === header.toLowerCase(),
+ );
+ keys.forEach((k) => delete oldHeaders[k]);
+ });
+
+ const fetchHeaders = mergeHeaders(
+ oldHeaders,
+ opts.fetchOptions?.headers,
+ opts.headers,
+ );
+ (fetchHeaders.forEach as any)(console.log);
+
+ return sendProxy(event, target, {
+ ...opts,
+ fetchOptions: {
+ method,
+ body,
+ duplex,
+ ...opts.fetchOptions,
+ headers: fetchHeaders,
+ },
+ });
+}
From d348892158944f8a309cf2fd9bdec7a082767097 Mon Sep 17 00:00:00 2001
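Review bot: `(fetchHeaders.forEach as any)(console.log);` in specificProxyRequest writes every outgoing header to the server log on each request, which includes forwarded `Cookie` values and any other credentials the client passed through; this looks like leftover debugging and should be deleted before release. The `as any` cast also hides a runtime fault: mergeHeaders returns `defaults` unchanged when no extra inputs are given, and `getProxyRequestHeaders` yields a plain object with no `forEach`, so the call would throw in that case. Having mergeHeaders always return `new Headers(defaults)` gives the function a single return type and removes the need for the cast. `readRawBody(...).catch(() => undefined)` likewise turns a failed body read into a request with no body; a comment saying this is deliberate best-effort would help.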
From: mrjvs Date: Thu, 4 Jan 2024 21:06:50 +0100 Subject: [PATCH 6/6] bump version --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index e74629a..1f38a9d 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "simple-proxy", "private": true, - "version": "2.1.0", + "version": "2.1.1", "scripts": { "prepare": "nitropack prepare", "dev": "nitropack dev",