mirror of
https://github.com/d0zingcat/cors-anywhere.git
synced 2026-05-13 15:09:25 +00:00
326 lines
11 KiB
JavaScript
326 lines
11 KiB
JavaScript
// © 2013 Rob W <gwnRob@gmail.com>
|
|
// Released under the MIT license
|
|
|
|
'use strict';
|
|
/* jshint node:true, eqnull:true, sub:true, quotmark:single, unused:true */
|
|
|
|
var httpProxy = require('http-proxy');
|
|
var net = require('net');
|
|
var url = require('url');
|
|
var regexp_tld = require('./regexp-top-level-domain');
|
|
|
|
var help_file = __dirname + '/help.txt';
|
|
var help_text;
|
|
function showUsage(headers, response) {
|
|
headers['content-type'] = 'text/plain';
|
|
if (help_text != null) {
|
|
response.writeHead(200, headers);
|
|
response.end(help_text);
|
|
} else {
|
|
require('fs').readFile(help_file, 'utf8', function(err, data) {
|
|
if (err) {
|
|
console.error(err);
|
|
response.writeHead(500, headers);
|
|
response.end();
|
|
} else {
|
|
help_text = data;
|
|
showUsage(headers, response); // Recursive call, but since data is a string, the recursion will end
|
|
}
|
|
});
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Check whether the specified hostname is valid.
|
|
*
|
|
* @param hostname {string} Host name (excluding port) of requested resource.
|
|
* @return {boolean} Whether the requested resource can be accessed.
|
|
*/
|
|
function isValidHostName(hostname) {
|
|
return !(
|
|
regexp_tld.test(hostname) ||
|
|
net.isIPv4(hostname) ||
|
|
net.isIPv6(hostname)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Adds CORS headers to the response headers.
|
|
*
|
|
* @param headers {object} Response headers
|
|
* @param request {ServerRequest}
|
|
*/
|
|
function withCORS(headers, request) {
|
|
var origin = request.headers.origin || 'null';
|
|
headers['access-control-allow-origin'] = origin === 'null' ? '*' : origin;
|
|
if (request.headers['access-control-request-method']) {
|
|
headers['access-control-allow-methods'] = request.headers['access-control-request-method'];
|
|
delete request.headers['access-control-request-method'];
|
|
}
|
|
if (request.headers['access-control-request-headers']) {
|
|
headers['access-control-allow-headers'] = request.headers['access-control-request-headers'];
|
|
delete request.headers['access-control-request-headers'];
|
|
}
|
|
|
|
var exposedHeaders = headers['access-control-expose-headers'] || '';
|
|
if (!/,\s*location\s*,/i.test(','+exposedHeaders+',')) exposedHeaders += ',location';
|
|
if (!/,\s*x-request-url\s*,/i.test(','+exposedHeaders+',')) exposedHeaders += ',x-request-url';
|
|
if (exposedHeaders.charAt(0) === ',') exposedHeaders = exposedHeaders.substr(1);
|
|
headers['access-control-expose-headers'] = exposedHeaders;
|
|
|
|
return headers;
|
|
}
|
|
|
|
/**
|
|
* Performs the actual proxy request.
|
|
*
|
|
* @param req {ServerRequest} Incoming http request
|
|
* @param res {ServerResponse} Outgoing (proxied) http request
|
|
* @param proxy {HttpProxy}
|
|
*/
|
|
function proxyRequest(req, res, proxy) {
|
|
var location = req.corsAnywhereRequestState.location;
|
|
|
|
req.url = location.pathAndQueryString;
|
|
// Let the "Host" header be the host part of the path (including port, if specified).
|
|
req.headers.host = location.host;
|
|
|
|
// Start proxying the request
|
|
proxy.proxyRequest(req, res, {
|
|
host: location.hostname,
|
|
port: location.port,
|
|
target: {
|
|
https: location.isHttps
|
|
}
|
|
});
|
|
}
|
|
|
|
|
|
/**
|
|
* "Allow observer to modify headers or abort response"
|
|
* https://github.com/nodejitsu/node-http-proxy/blob/ebbba73e/lib/node-http-proxy/http-proxy.js#L321-L322
|
|
*
|
|
* This method modifies the response headers of the proxied response.
|
|
* If a redirect is detected, the response is not sent to the client,
|
|
* and a new request is initiated.
|
|
*
|
|
* @param req {IncomingMessage} Incoming HTTP request, augmented with property corsAnywhereRequestState
|
|
* @param req.corsAnywhereRequestState {object}
|
|
* @param req.corsAnywhereRequestState.location {object} See parseURL
|
|
* @param req.corsAnywhereRequestState.proxyBaseUrl {string} Base URL of the CORS API endpoint
|
|
* @param req.corsAnywhereRequestState.maxRedirects {number} Maximum number of redirects
|
|
* @param req.corsAnywhereRequestState.redirectCount_ {number} Internally used to count redirects
|
|
* @param res {ServerResponse} Outgoing (proxied) HTTP request
|
|
* @param response {ClientRequest} The
|
|
*
|
|
* @this {HttpProxy}
|
|
*/
|
|
function onProxyResponse(req, res, response) {
|
|
/* jshint validthis:true */
|
|
var proxy = this;
|
|
var requestState = req.corsAnywhereRequestState;
|
|
|
|
var statusCode = response.statusCode;
|
|
// Handle redirects
|
|
if (statusCode === 301 || statusCode === 302 || statusCode === 303 || statusCode === 307 || statusCode === 308) {
|
|
var locationHeader = response.headers['location'];
|
|
if (locationHeader) {
|
|
locationHeader = url.resolve(requestState.location.full_url, locationHeader);
|
|
|
|
if (statusCode === 301 || statusCode === 302 || statusCode === 303) {
|
|
// Exclude 307 & 308, because they are rare, and require preserving the method + request body
|
|
requestState.redirectCount_ = requestState.requestState_ + 1 || 1;
|
|
if (requestState.redirectCount_ <= requestState.maxRedirects) {
|
|
// Handle redirects within the server, because some clients (e.g. Android Stock Browser)
|
|
// cancel redirects.
|
|
// Set header for debugging purposes. Do not try to parse it!
|
|
res.setHeader('X-CORS-Redirect-' + requestState.redirectCount_, statusCode + ' ' + locationHeader);
|
|
|
|
req.method = 'GET';
|
|
requestState.location = parseURL(locationHeader);
|
|
proxyRequest(req, res, proxy);
|
|
// TODO: Is it possible to trigger reverseProxy.end() (from node-http-proxy) without
|
|
// manually emiting the "event" event on req?
|
|
req.emit('end');
|
|
|
|
response.end();
|
|
// The proxyResponse event is wrapped in a try-catch, throwing an error
|
|
// prevents the response from being passed to the client.
|
|
throw new Error('Prevent current response from being passed through.');
|
|
}
|
|
}
|
|
response.headers['location'] = requestState.proxyBaseUrl + '/' + locationHeader;
|
|
}
|
|
}
|
|
withCORS(response.headers, req);
|
|
|
|
// Don't slip through cookies
|
|
delete response.headers['set-cookie'];
|
|
delete response.headers['set-cookie2'];
|
|
|
|
response.headers['x-request-url'] = requestState.location.full_url;
|
|
}
|
|
|
|
|
|
/**
|
|
* @param req_url {string} The requested URL (scheme is optional).
|
|
* @return {object} Strings: full_url, host, hostname, pathAndQueryString
|
|
* Number: port
|
|
* boolean: isHttps
|
|
*/
|
|
function parseURL(req_url) {
|
|
var match = req_url.match(/^(?:(https?:)?\/\/)?(([^\/?]+?)(?::(\d{0,5})(?=[\/?]|$))?)([\/?][\S\s]*|$)/i);
|
|
// ^^^^^^^ ^^^^^^^^ ^^^^^^^ ^^^^^^^^^^^^
|
|
// 1:protocol 3:hostname 4:port 5:path + query string
|
|
// ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
// 2:host
|
|
if (!match) {
|
|
return null;
|
|
}
|
|
var isHttps = (match[1] && match[1].toLowerCase()) === 'https:';
|
|
var location = {
|
|
full_url: match[0],
|
|
isHttps: isHttps,
|
|
host: match[2],
|
|
hostname: match[3],
|
|
port: match[4] ? +match[4] : (isHttps ? 443 : 80),
|
|
pathAndQueryString: match[5]
|
|
};
|
|
|
|
if (!match[1]) { // Scheme is omitted.
|
|
location.full_url = (location.port === 443 ? 'https:' : 'http:') + location.full_url.replace(/^(?!\/)/, '//');
|
|
}
|
|
return location;
|
|
}
|
|
|
|
// Request handler factory
|
|
var getHandler = exports.getHandler = function(options) {
|
|
var corsAnywhere = {
|
|
maxRedirects: 5, // Maximum number of redirects to be followed.
|
|
requireHeader: null, // Require a header to be set?
|
|
removeHeaders: [] // Strip these request headers
|
|
};
|
|
if (options) {
|
|
Object.keys(corsAnywhere).forEach(function(option) {
|
|
if (Object.prototype.hasOwnProperty.call(options, option)) {
|
|
corsAnywhere[option] = options[option];
|
|
}
|
|
});
|
|
}
|
|
// Convert corsAnywhere.requireHeader to an array of lowercase header names, or null.
|
|
if (corsAnywhere.requireHeader) {
|
|
if (typeof corsAnywhere.requireHeader === 'string') {
|
|
corsAnywhere.requireHeader = [corsAnywhere.requireHeader];
|
|
} else if (!Array.isArray(corsAnywhere.requireHeader) || corsAnywhere.requireHeader.length === 0) {
|
|
corsAnywhere.requireHeader = null;
|
|
} else {
|
|
corsAnywhere.requireHeader = corsAnywhere.requireHeader.map(function(headerName) {
|
|
return headerName.toLowerCase();
|
|
});
|
|
}
|
|
}
|
|
var hasRequiredHeaders = function(headers) {
|
|
return !corsAnywhere.requireHeader || corsAnywhere.requireHeader.some(function(headerName) {
|
|
return Object.hasOwnProperty.call(headers, headerName);
|
|
});
|
|
};
|
|
|
|
return function(req, res, proxy) {
|
|
var cors_headers = withCORS({}, req);
|
|
if (req.method == 'OPTIONS') {
|
|
// Pre-flight request. Reply successfully:
|
|
res.writeHead(200, cors_headers);
|
|
res.end();
|
|
return;
|
|
}
|
|
|
|
var location = parseURL(req.url.slice(1));
|
|
|
|
if (!location) {
|
|
// Invalid API call. Show how to correctly use the API
|
|
showUsage(cors_headers, res);
|
|
return;
|
|
}
|
|
|
|
if (!hasRequiredHeaders(req.headers)) {
|
|
res.writeHead(400, 'Header required', cors_headers);
|
|
res.end('Missing required request header. Must specify one of: ' + corsAnywhere.requireHeader);
|
|
return;
|
|
}
|
|
|
|
if (location.host === 'iscorsneeded') {
|
|
// Is CORS needed? This path is provided so that API consumers can test whether it's necessary
|
|
// to use CORS. The server's reply is always No, because if they can read it, then CORS headers
|
|
// are not necessary.
|
|
res.writeHead(200, {'Content-Type': 'text/plain'});
|
|
res.end('no');
|
|
return;
|
|
}
|
|
|
|
if (location.port > 65535) {
|
|
// Port is higher than 65535
|
|
res.writeHead(400, 'Invalid port', cors_headers);
|
|
res.end('Port number too large: ' + location.port);
|
|
return;
|
|
}
|
|
|
|
if (isValidHostName(location.hostname)) {
|
|
// Don't even try to proxy invalid hosts (such as /favicon.ico, /robots.txt)
|
|
res.writeHead(404, 'Invalid host', cors_headers);
|
|
res.end('Invalid host: ' + location.hostname);
|
|
return;
|
|
}
|
|
|
|
var isRequestedOverHttps = req.connection.encrypted || /^\s*https/.test(req.headers['x-forwarded-proto']);
|
|
var proxyBaseUrl = (isRequestedOverHttps ? 'https://' : 'http://') + req.headers.host;
|
|
|
|
corsAnywhere.removeHeaders.forEach(function(header) {
|
|
delete req.headers[header];
|
|
});
|
|
|
|
|
|
req.corsAnywhereRequestState = {
|
|
location: location,
|
|
maxRedirects: corsAnywhere.maxRedirects,
|
|
proxyBaseUrl: proxyBaseUrl
|
|
};
|
|
|
|
if (!proxy.hasCorsAnywhereResponseHandler) { // Runs once per HttpProxy instance
|
|
proxy.on('proxyResponse', onProxyResponse);
|
|
proxy.hasCorsAnywhereResponseHandler = true;
|
|
}
|
|
|
|
proxyRequest(req, res, proxy);
|
|
};
|
|
};
|
|
|
|
// Create server with default and given values
|
|
// Creator still needs to call .listen()
|
|
exports.createServer = function createServer(options) {
|
|
if (!options) options = {};
|
|
|
|
// Default options:
|
|
var httpProxyOptions = {
|
|
xforward: {
|
|
enable: true // Append X-Forwarded-* headers
|
|
}
|
|
};
|
|
// Allow user to override defaults and add own options
|
|
if (options.httpProxyOptions) {
|
|
Object.keys(options.httpProxyOptions).forEach(function(option) {
|
|
httpProxyOptions[option] = options.httpProxyOptions[option];
|
|
});
|
|
}
|
|
|
|
var handler = getHandler(options);
|
|
var server = httpProxy.createServer(httpProxyOptions, handler);
|
|
|
|
// When the server fails, just show a 404 instead of Internal server error
|
|
server.proxy.on('proxyError', function(err, req, res) {
|
|
res.writeHead(404, {});
|
|
res.end();
|
|
});
|
|
|
|
return server;
|
|
};
|