forked from mskayyali/nodepad
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathproxy.ts
More file actions
66 lines (53 loc) · 2.33 KB
/
proxy.ts
File metadata and controls
66 lines (53 loc) · 2.33 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
import { NextRequest, NextResponse } from "next/server"
// ── Sliding-window rate limiter ───────────────────────────────────────────────
// Guards /api/fetch-url from being hammered as a public CORS proxy.
// On serverless (Vercel) this is best-effort per-instance; on persistent
// hosts (Render) it is reliable across requests.
const store = new Map<string, number[]>()
function isRateLimited(ip: string, path: string): boolean {
const now = Date.now()
const key = `${ip}:${path}`
const hits = (store.get(key) ?? []).filter(t => now - t < 60_000)
if (hits.length >= 30) return true // 30 URL fetches/min per IP
hits.push(now)
store.set(key, hits)
return false
}
export function proxy(req: NextRequest) {
const { pathname } = req.nextUrl
if (!pathname.startsWith("/api/fetch-url")) {
return NextResponse.next()
}
// Origin check — block requests from other origins.
// Use strict URL parsing rather than substring matching to prevent
// bypasses like https://evil.com?nodepad.space passing the check.
const origin = req.headers.get("origin") ?? ""
const referer = req.headers.get("referer") ?? ""
const host = (req.headers.get("host") ?? "").split(":")[0] // strip port
function strictHostMatch(headerValue: string): boolean {
try { return new URL(headerValue).hostname === host } catch { return false }
}
const isLocalhost = strictHostMatch(origin || referer)
? ["localhost", "127.0.0.1"].includes(new URL(origin || referer).hostname)
: (origin + referer).includes("localhost")
const isSameOrigin = strictHostMatch(origin) || strictHostMatch(referer)
if (origin && !isLocalhost && !isSameOrigin) {
return new NextResponse(JSON.stringify({ error: "Forbidden" }), {
status: 403,
headers: { "Content-Type": "application/json" },
})
}
const ip = req.headers.get("x-forwarded-for")?.split(",")[0].trim()
?? req.headers.get("x-real-ip")
?? "unknown"
if (isRateLimited(ip, pathname)) {
return new NextResponse(JSON.stringify({ error: "Rate limit exceeded." }), {
status: 429,
headers: { "Content-Type": "application/json", "Retry-After": "60" },
})
}
return NextResponse.next()
}
export const config = {
matcher: ["/api/fetch-url"],
}