npm - @dytsou/calendar-build - Versions diffs - 2.0.0 → 2.1.0 - Mend

@dytsou/calendar-build 2.0.0 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@dytsou/calendar-build",
-  "version": "2.0.0",
+  "version": "2.1.0",
   "description": "Build script for calendar HTML from template and environment variables",
   "main": "scripts/build.js",
   "bin": {
@@ -8,8 +8,12 @@
   },
   "files": [
     "scripts/build.js",
+    "scripts/encrypt-urls.js",
+    "worker.js",
+    "wrangler.toml.example",
     "index.html.template",
-    "README.md"
+    "README.md",
+    "LICENSE"
   ],
   "keywords": [
     "calendar",

package/scripts/encrypt-urls.js ADDED Viewed

@@ -0,0 +1,76 @@
+#!/usr/bin/env node
+/**
+ * Helper script to encrypt calendar URLs
+ * Usage: node encrypt-urls.js <url1> <url2> ...
+ * Or set CALENDAR_URL in .env and run: node encrypt-urls.js
+ */
+const fs = require('fs');
+const path = require('path');
+const Fernet = require('fernet');
+// Read .env file
+const envPath = path.join(__dirname, '..', '.env');
+let encryptionKey = '';
+let calendarUrls = [];
+if (fs.existsSync(envPath)) {
+  const envContent = fs.readFileSync(envPath, 'utf-8');
+  const envLines = envContent.split('\n');
+  for (const line of envLines) {
+    if (line.startsWith('ENCRYPTION_KEY=')) {
+      encryptionKey = line.substring('ENCRYPTION_KEY='.length).trim();
+    } else if (line.startsWith('CALENDAR_URL=')) {
+      const value = line.substring('CALENDAR_URL='.length).trim();
+      calendarUrls = value
+        .split(',')
+        .map(s => s.trim())
+        .filter(s => s);
+    }
+  }
+}
+// Get URLs from command line arguments if provided
+const args = process.argv.slice(2);
+if (args.length > 0) {
+  calendarUrls = args;
+}
+if (calendarUrls.length === 0) {
+  console.error('Error: No calendar URLs provided');
+  console.error('Usage: node encrypt-urls.js <url1> <url2> ...');
+  console.error('Or set CALENDAR_URL in .env file');
+  process.exit(1);
+}
+if (!encryptionKey) {
+  console.error('Error: ENCRYPTION_KEY not found in .env file');
+  console.error('Please set ENCRYPTION_KEY in .env file');
+  process.exit(1);
+}
+try {
+  const secret = new Fernet.Secret(encryptionKey);
+  const token = new Fernet.Token({
+    secret: secret,
+    ttl: 0, // No expiration
+  });
+  const encryptedUrls = calendarUrls.map(url => {
+    return token.encode(url);
+  });
+  console.log('\n📋 Encrypted URLs:\n');
+  console.log('CALENDAR_URL_ENCRYPTED=' + encryptedUrls.join(','));
+  console.log('\nOr individually:');
+  encryptedUrls.forEach((encrypted, index) => {
+    console.log(`# URL ${index + 1}: ${encrypted}`);
+  });
+  console.log('\n✅ Copy the encrypted URLs to your .env file\n');
+} catch (error) {
+  console.error('Error encrypting URLs:', error.message);
+  process.exit(1);
+}

package/worker.js ADDED Viewed

@@ -0,0 +1,762 @@
+/**
+ * Cloudflare Worker to decrypt fernet:// URLs and proxy to open-web-calendar
+ *
+ * This worker:
+ * 1. Reads CALENDAR_URL from Cloudflare Worker secrets (comma-separated)
+ * 2. Decrypts fernet:// URLs using Fernet encryption (ENCRYPTION_METHOD is hardcoded to 'fernet')
+ * 3. Forwards the request to open-web-calendar with decrypted URLs
+ * 4. Returns the calendar HTML
+ *
+ * Configuration:
+ * - ENCRYPTION_METHOD: Hardcoded to 'fernet' (not configurable)
+ * - ENCRYPTION_KEY: Required Cloudflare Worker secret (for decrypting fernet:// URLs)
+ * - CALENDAR_URL: Required Cloudflare Worker secret (comma-separated, can be plain or fernet:// encrypted)
+ *
+ * Usage:
+ * 1. Set CALENDAR_URL secret: wrangler secret put CALENDAR_URL
+ * 2. Set ENCRYPTION_KEY secret: wrangler secret put ENCRYPTION_KEY
+ * 3. Deploy: wrangler deploy
+ */
+// Import Fernet library - we'll need to bundle this for Workers
+// For now, we'll implement a basic Fernet decoder using Web Crypto API
+/**
+ * Decode base64url string
+ */
+function base64UrlDecode(str) {
+  // Convert base64url to base64
+  let base64 = str.replace(/-/g, '+').replace(/_/g, '/');
+  // Add padding if needed
+  while (base64.length % 4) {
+    base64 += '=';
+  }
+  // Decode
+  const binaryString = atob(base64);
+  const bytes = new Uint8Array(binaryString.length);
+  for (let i = 0; i < binaryString.length; i++) {
+    bytes[i] = binaryString.charCodeAt(i);
+  }
+  return bytes;
+}
+/**
+ * Decode Fernet token
+ * Fernet token format: Version (1 byte) + Timestamp (8 bytes) + IV (16 bytes) + Ciphertext + HMAC (32 bytes)
+ */
+async function decryptFernetToken(token, secretKey) {
+  try {
+    // Decode the token
+    const tokenBytes = base64UrlDecode(token);
+    if (tokenBytes.length < 57) { // Minimum: 1 + 8 + 16 + 0 + 32 = 57 bytes
+      throw new Error('Invalid Fernet token: too short');
+    }
+    // Extract components
+    const version = tokenBytes[0];
+    if (version !== 0x80) {
+      throw new Error('Invalid Fernet token: unsupported version');
+    }
+    const timestamp = tokenBytes.slice(1, 9);
+    const iv = tokenBytes.slice(9, 25);
+    const hmac = tokenBytes.slice(-32);
+    const ciphertext = tokenBytes.slice(25, -32);
+    // Derive signing key and encryption key from secret
+    // Fernet secret is base64url-encoded 32-byte key
+    // The library splits it directly: first 16 bytes = signing key, last 16 bytes = encryption key
+    // NO SHA256 hashing is used!
+    let secretBytes;
+    try {
+      secretBytes = base64UrlDecode(secretKey);
+      if (secretBytes.length !== 32) {
+        throw new Error(`Invalid secret key length: ${secretBytes.length}, expected 32`);
+      }
+    } catch (error) {
+      throw new Error(`Failed to decode secret key: ${error.message}`);
+    }
+    // Fernet splits the 32-byte secret directly:
+    // Signing key: first 16 bytes (128 bits)
+    // Encryption key: last 16 bytes (128 bits)
+    const signingKey = secretBytes.slice(0, 16);
+    const encryptionKey = secretBytes.slice(16, 32);
+    // Verify HMAC
+    // HMAC message is: version (1 byte) + timestamp (8 bytes) + IV (16 bytes) + ciphertext
+    const message = tokenBytes.slice(0, -32);
+    const hmacKey = await crypto.subtle.importKey(
+      'raw',
+      signingKey,
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['sign', 'verify']
+    );
+    const computedHmac = await crypto.subtle.sign('HMAC', hmacKey, message);
+    const computedHmacBytes = new Uint8Array(computedHmac);
+    // Constant-time comparison
+    let hmacValid = true;
+    if (computedHmacBytes.length !== hmac.length) {
+      hmacValid = false;
+    } else {
+      for (let i = 0; i < 32; i++) {
+        if (computedHmacBytes[i] !== hmac[i]) {
+          hmacValid = false;
+        }
+      }
+    }
+    if (!hmacValid) {
+      throw new Error('Invalid Fernet token: HMAC verification failed');
+    }
+    // Decrypt using AES-128-CBC
+    const cryptoKey = await crypto.subtle.importKey(
+      'raw',
+      encryptionKey,
+      { name: 'AES-CBC' },
+      false,
+      ['decrypt']
+    );
+    const decrypted = await crypto.subtle.decrypt(
+      { name: 'AES-CBC', iv: iv },
+      cryptoKey,
+      ciphertext
+    );
+    // Decode the decrypted message (PKCS7 padding will be removed automatically)
+    const decoder = new TextDecoder();
+    return decoder.decode(decrypted);
+  } catch (error) {
+    throw new Error(`Fernet decryption failed: ${error.message}`);
+  }
+}
+/**
+ * Decrypt a fernet:// URL
+ */
+async function decryptFernetUrl(fernetUrl, secretKey) {
+  // Remove fernet:// prefix
+  const token = fernetUrl.startsWith('fernet://')
+    ? fernetUrl.substring(9)
+    : fernetUrl;
+  return await decryptFernetToken(token, secretKey);
+}
+/**
+ * Inject console filtering script into HTML to block calendar info logs
+ */
+function injectConsoleFilter(html) {
+  const consoleFilterScript = `
+<script>
+(function() {
+  const originalLog = console.log;
+  const originalInfo = console.info;
+  function containsCalendarInfo(args) {
+    const message = args.map(arg => {
+      if (typeof arg === 'string') {
+        return arg;
+      } else if (arg && typeof arg === 'object') {
+        try {
+          return JSON.stringify(arg);
+        } catch (e) {
+          return String(arg);
+        }
+      }
+      return String(arg);
+    }).join(' ');
+    if (message.includes('Calendar Info:') ||
+        message.includes('calendars:') ||
+        message.includes('calendar_index:') ||
+        message.includes('url_index:')) {
+      return true;
+    }
+    for (const arg of args) {
+      if (arg && typeof arg === 'object') {
+        const keys = Object.keys(arg);
+        if (keys.includes('calendars') ||
+            keys.includes('calendar_index') ||
+            keys.includes('url_index') ||
+            (arg.calendars && Array.isArray(arg.calendars))) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+  console.log = function(...args) {
+    if (containsCalendarInfo(args)) {
+      return; // Don't log calendar info
+    }
+    originalLog.apply(console, args);
+  };
+  console.info = function(...args) {
+    if (containsCalendarInfo(args)) {
+      return; // Don't log calendar info
+    }
+    originalInfo.apply(console, args);
+  };
+})();
+</script>`;
+  // Inject the script right after <head> or at the beginning of <body>
+  if (html.includes('</head>')) {
+    return html.replace('</head>', consoleFilterScript + '</head>');
+  } else if (html.includes('<body')) {
+    const bodyMatch = html.match(/<body[^>]*>/);
+    if (bodyMatch) {
+      return html.replace(bodyMatch[0], bodyMatch[0] + consoleFilterScript);
+    }
+  }
+  // Fallback: inject at the very beginning
+  return consoleFilterScript + html;
+}
+/**
+ * Normalize date to ISO string for comparison
+ */
+function normalizeDate(dateValue) {
+  if (!dateValue) return null;
+  if (typeof dateValue === 'string') {
+    // Parse and return ISO string
+    const date = new Date(dateValue);
+    return isNaN(date.getTime()) ? null : date.toISOString();
+  }
+  if (dateValue instanceof Date) {
+    return dateValue.toISOString();
+  }
+  // Try to convert to date
+  const date = new Date(dateValue);
+  return isNaN(date.getTime()) ? null : date.toISOString();
+}
+/**
+ * Extract event time fields (handles various field name formats)
+ */
+function getEventTime(event, field) {
+  // Try common field name variations (including iCal and calendar.js formats)
+  const variations = {
+    start: ['start', 'startDate', 'start_time', 'startTime', 'dtstart', 'start_date', 'dateStart', 'date_start'],
+    end: ['end', 'endDate', 'end_time', 'endTime', 'dtend', 'end_date', 'dateEnd', 'date_end']
+  };
+  const fieldNames = variations[field] || [field];
+  for (const name of fieldNames) {
+    if (event[name] !== undefined && event[name] !== null) {
+      return event[name];
+    }
+  }
+  return null;
+}
+/**
+ * Extract event title (handles various field name formats)
+ */
+function getEventTitle(event) {
+  return event.title || event.summary || event.name || '';
+}
+/**
+ * Extract event description (handles various field name formats)
+ */
+function getEventDescription(event) {
+  return event.description || event.desc || '';
+}
+/**
+ * Extract calendar identifier (handles various field name formats)
+ */
+function getCalendarId(event) {
+  return event.calendar || event.calendarId || event.calendar_id || event.source || 'default';
+}
+/**
+ * Merge consecutive events within the same calendar
+ * Events are consecutive if event1.end === event2.start (exact match)
+ */
+function mergeConsecutiveEvents(events) {
+  if (!Array.isArray(events) || events.length === 0) {
+    return events;
+  }
+  // Group events by calendar identifier
+  const eventsByCalendar = {};
+  for (const event of events) {
+    const calendarId = getCalendarId(event);
+    if (!eventsByCalendar[calendarId]) {
+      eventsByCalendar[calendarId] = [];
+    }
+    eventsByCalendar[calendarId].push(event);
+  }
+  const mergedEvents = [];
+  // Process each calendar group separately
+  for (const calendarId in eventsByCalendar) {
+    const calendarEvents = eventsByCalendar[calendarId];
+    // Sort events by start time
+    calendarEvents.sort((a, b) => {
+      const startA = getEventTime(a, 'start');
+      const startB = getEventTime(b, 'start');
+      if (!startA || !startB) return 0;
+      return new Date(startA) - new Date(startB);
+    });
+    // Merge consecutive events
+    let currentMerge = null;
+    for (let i = 0; i < calendarEvents.length; i++) {
+      const event = calendarEvents[i];
+      const startTime = getEventTime(event, 'start');
+      const endTime = getEventTime(event, 'end');
+      if (!startTime || !endTime) {
+        // If event is missing time info, add as-is
+        if (currentMerge) {
+          mergedEvents.push(currentMerge);
+          currentMerge = null;
+        }
+        mergedEvents.push(event);
+        continue;
+      }
+      if (currentMerge === null) {
+        // Start a new merge group
+        currentMerge = { ...event };
+      } else {
+        // Check if this event is consecutive to the current merge
+        const currentEndTime = getEventTime(currentMerge, 'end');
+        // Normalize dates for comparison (handle different date formats)
+        const normalizedEndTime = normalizeDate(currentEndTime);
+        const normalizedStartTime = normalizeDate(startTime);
+        if (normalizedEndTime && normalizedStartTime && normalizedEndTime === normalizedStartTime) {
+          // Merge: combine titles and extend end time
+          const currentTitle = getEventTitle(currentMerge);
+          const eventTitle = getEventTitle(event);
+          const combinedTitle = currentTitle && eventTitle
+            ? `${currentTitle} + ${eventTitle}`
+            : currentTitle || eventTitle;
+          // Update title field (try common variations)
+          if (currentMerge.title !== undefined) currentMerge.title = combinedTitle;
+          if (currentMerge.summary !== undefined) currentMerge.summary = combinedTitle;
+          if (currentMerge.name !== undefined) currentMerge.name = combinedTitle;
+          if (!currentMerge.title && !currentMerge.summary && !currentMerge.name) {
+            currentMerge.title = combinedTitle;
+          }
+          // Combine descriptions
+          const currentDesc = getEventDescription(currentMerge);
+          const eventDesc = getEventDescription(event);
+          if (currentDesc || eventDesc) {
+            const combinedDesc = currentDesc && eventDesc
+              ? `${currentDesc}\n\n${eventDesc}`
+              : currentDesc || eventDesc;
+            if (currentMerge.description !== undefined) currentMerge.description = combinedDesc;
+            if (currentMerge.desc !== undefined) currentMerge.desc = combinedDesc;
+            if (!currentMerge.description && !currentMerge.desc) {
+              currentMerge.description = combinedDesc;
+            }
+          }
+          // Update end time - preserve original field name format
+          const originalEndField = getEventTime(currentMerge, 'end') !== null
+            ? (currentMerge.end !== undefined ? 'end' :
+               currentMerge.endDate !== undefined ? 'endDate' :
+               currentMerge.end_time !== undefined ? 'end_time' :
+               currentMerge.endTime !== undefined ? 'endTime' :
+               currentMerge.dtend !== undefined ? 'dtend' :
+               currentMerge.end_date !== undefined ? 'end_date' :
+               currentMerge.dateEnd !== undefined ? 'dateEnd' :
+               currentMerge.date_end !== undefined ? 'date_end' : 'end')
+            : 'end';
+          // Update all possible end time fields to ensure compatibility
+          if (currentMerge.end !== undefined) currentMerge.end = endTime;
+          if (currentMerge.endDate !== undefined) currentMerge.endDate = endTime;
+          if (currentMerge.end_time !== undefined) currentMerge.end_time = endTime;
+          if (currentMerge.endTime !== undefined) currentMerge.endTime = endTime;
+          if (currentMerge.dtend !== undefined) currentMerge.dtend = endTime;
+          if (currentMerge.end_date !== undefined) currentMerge.end_date = endTime;
+          if (currentMerge.dateEnd !== undefined) currentMerge.dateEnd = endTime;
+          if (currentMerge.date_end !== undefined) currentMerge.date_end = endTime;
+          if (!currentMerge.end && !currentMerge.endDate && !currentMerge.end_time &&
+              !currentMerge.endTime && !currentMerge.dtend && !currentMerge.end_date &&
+              !currentMerge.dateEnd && !currentMerge.date_end) {
+            currentMerge.end = endTime;
+          }
+        } else {
+          // Not consecutive, save current merge and start new one
+          mergedEvents.push(currentMerge);
+          currentMerge = { ...event };
+        }
+      }
+    }
+    // Add the last merge group if any
+    if (currentMerge !== null) {
+      mergedEvents.push(currentMerge);
+    }
+  }
+  return mergedEvents;
+}
+/**
+ * Process calendar events JSON and merge consecutive events
+ */
+function processCalendarEventsJson(jsonData) {
+  if (Array.isArray(jsonData)) {
+    // Format: [{event1}, {event2}, ...]
+    return mergeConsecutiveEvents(jsonData);
+  } else if (jsonData && typeof jsonData === 'object') {
+    // Check for nested structures
+    if (Array.isArray(jsonData.events)) {
+      // Format: {events: [...], ...}
+      return {
+        ...jsonData,
+        events: mergeConsecutiveEvents(jsonData.events)
+      };
+    } else if (Array.isArray(jsonData.calendars)) {
+      // Format: {calendars: [{events: [...]}, ...], ...}
+      return {
+        ...jsonData,
+        calendars: jsonData.calendars.map(calendar => {
+          if (Array.isArray(calendar.events)) {
+            return {
+              ...calendar,
+              events: mergeConsecutiveEvents(calendar.events)
+            };
+          }
+          return calendar;
+        })
+      };
+    } else if (Array.isArray(jsonData.data)) {
+      // Format: {data: [...], ...}
+      return {
+        ...jsonData,
+        data: mergeConsecutiveEvents(jsonData.data)
+      };
+    } else if (Array.isArray(jsonData.items)) {
+      // Format: {items: [...], ...}
+      return {
+        ...jsonData,
+        items: mergeConsecutiveEvents(jsonData.items)
+      };
+    }
+    // Unknown structure, try to find any array of events
+    for (const key in jsonData) {
+      if (Array.isArray(jsonData[key]) && jsonData[key].length > 0) {
+        // Check if it looks like events (has time fields)
+        const firstItem = jsonData[key][0];
+        if (firstItem && typeof firstItem === 'object') {
+          const hasTimeField = getEventTime(firstItem, 'start') !== null ||
+                              getEventTime(firstItem, 'end') !== null;
+          if (hasTimeField) {
+            return {
+              ...jsonData,
+              [key]: mergeConsecutiveEvents(jsonData[key])
+            };
+          }
+        }
+      }
+    }
+  }
+  // Unknown format, return as-is
+  return jsonData;
+}
+/**
+ * Sanitize response body to hide calendar URLs in error messages
+ * Only sanitizes HTML and JSON responses to avoid breaking JavaScript code
+ */
+async function sanitizeResponse(response, pathname) {
+  const contentType = response.headers.get('content-type') || '';
+  // Only sanitize HTML and JSON responses (error messages)
+  // Skip JavaScript files to avoid breaking code
+  if (!contentType.includes('text/html') &&
+      !contentType.includes('application/json')) {
+    // For non-HTML/JSON responses (including JavaScript), just add CORS header and return
+    const responseHeaders = new Headers(response.headers);
+    responseHeaders.set('Access-Control-Allow-Origin', '*');
+    return new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: responseHeaders,
+    });
+  }
+  const body = await response.text();
+  let sanitizedBody = body;
+  // For JSON responses, check if it's a calendar events endpoint
+  if (contentType.includes('application/json')) {
+    // Check for calendar events endpoints - open-web-calendar uses /calendar.json
+    // Also check for any .json file that might contain calendar events
+    const isCalendarEventsEndpoint = pathname === '/calendar.events.json' ||
+                                     pathname === '/calendar.json' ||
+                                     pathname.endsWith('.events.json') ||
+                                     pathname.endsWith('.json');
+    if (isCalendarEventsEndpoint) {
+      try {
+        const jsonData = JSON.parse(body);
+        const processedData = processCalendarEventsJson(jsonData);
+        sanitizedBody = JSON.stringify(processedData);
+      } catch (error) {
+        // If JSON parsing fails, continue with original body
+        console.error('Failed to parse calendar events JSON:', error);
+      }
+    }
+  }
+  // For HTML responses, inject console filtering
+  if (contentType.includes('text/html')) {
+    sanitizedBody = injectConsoleFilter(sanitizedBody);
+  }
+  // Patterns to detect and sanitize calendar URLs
+  // Only match complete URLs, not code fragments
+  const urlPatterns = [
+    /https?:\/\/[^\s"']+\.ics/gi,
+    /https?:\/\/calendar\.google\.com\/calendar\/ical\/[^\s"']+/gi,
+    // Only match %40 when it's part of a URL (followed by domain-like pattern)
+    /%40[a-zA-Z0-9._-]+\.[a-zA-Z]{2,}[^\s"']*/gi,
+  ];
+  urlPatterns.forEach(pattern => {
+    sanitizedBody = sanitizedBody.replace(pattern, '[Calendar URL hidden]');
+  });
+  const responseHeaders = new Headers(response.headers);
+  responseHeaders.set('Access-Control-Allow-Origin', '*');
+  return new Response(sanitizedBody, {
+    status: response.status,
+    statusText: response.statusText,
+    headers: responseHeaders,
+  });
+}
+export default {
+  async fetch(request, env) {
+    try {
+      const url = new URL(request.url);
+      // ENCRYPTION_METHOD is hardcoded to 'fernet'
+      const ENCRYPTION_METHOD = 'fernet';
+      const encryptionKey = env.ENCRYPTION_KEY;
+      const calendarUrlSecret = env.CALENDAR_URL; // Read from Cloudflare Worker secret
+      if (!calendarUrlSecret) {
+        return new Response('CALENDAR_URL not configured in Cloudflare Worker secrets', {
+          status: 500,
+          headers: { 'Content-Type': 'text/plain' }
+        });
+      }
+      // Parse calendar URLs from secret (comma-separated, can be plain or fernet://)
+      const calendarUrlsFromSecret = calendarUrlSecret
+        .split(',')
+        .map(s => s.trim())
+        .filter(s => s);
+      // Use calendar URLs from secret (they may be fernet:// encrypted or plain)
+      const calendarUrls = calendarUrlsFromSecret;
+      // Check if any of the URLs are fernet:// encrypted
+      const hasFernetUrls = calendarUrls.some(url => url.startsWith('fernet://'));
+      // If we have fernet:// URLs, we need ENCRYPTION_KEY
+      if (hasFernetUrls && !encryptionKey) {
+        return new Response('ENCRYPTION_KEY not configured (required for fernet:// URLs)', {
+          status: 500,
+          headers: { 'Content-Type': 'text/plain' }
+        });
+      }
+      // Get the pathname to determine request type
+      const pathname = url.pathname;
+      // Check if this is the main calendar page request
+      const isMainCalendarPage = pathname === '/' ||
+                                  pathname === '/calendar.html' ||
+                                  pathname.endsWith('/calendar.html') ||
+                                  pathname === '';
+      // Check if this is an API endpoint that needs calendar URLs
+      // This includes /srcdoc, /calendar.events.json, /calendar.json, etc.
+      const isApiEndpoint = pathname === '/srcdoc' ||
+                            pathname.startsWith('/srcdoc') ||
+                            pathname === '/calendar.events.json' ||
+                            pathname === '/calendar.json' ||
+                            pathname.endsWith('.events.json') ||
+                            pathname.endsWith('.json');
+      // For API endpoints like /srcdoc, always use calendar URLs from secret
+      if (isApiEndpoint) {
+        // Build the target URL
+        const targetUrl = new URL(`https://open-web-calendar.hosted.quelltext.eu${pathname}`);
+        // Copy all query parameters except 'url'
+        for (const [key, value] of url.searchParams.entries()) {
+          if (key !== 'url') {
+            targetUrl.searchParams.append(key, value);
+          }
+        }
+        // Decrypt and add calendar URLs from secret
+        // ENCRYPTION_METHOD is hardcoded to 'fernet'
+        const decryptedUrls = [];
+        for (const urlParam of calendarUrls) {
+          if (urlParam.startsWith('fernet://')) {
+            if (!encryptionKey) {
+              return new Response('ENCRYPTION_KEY not configured (required for fernet:// URLs)', {
+                status: 500,
+                headers: { 'Content-Type': 'text/plain' }
+              });
+            }
+            try {
+              const decrypted = await decryptFernetUrl(urlParam, encryptionKey);
+              decryptedUrls.push(decrypted);
+            } catch (error) {
+              return new Response(`Failed to decrypt calendar URL: ${error.message}`, {
+                status: 500,
+                headers: { 'Content-Type': 'text/plain' }
+              });
+            }
+          } else {
+            // Plain URL, use as-is
+            decryptedUrls.push(urlParam);
+          }
+        }
+        // Add decrypted URLs
+        for (const decryptedUrl of decryptedUrls) {
+          targetUrl.searchParams.append('url', decryptedUrl);
+        }
+        // Forward all headers from the original request
+        const requestHeaders = new Headers();
+        request.headers.forEach((value, key) => {
+          if (key.toLowerCase() !== 'host' && key.toLowerCase() !== 'cf-ray' && key.toLowerCase() !== 'cf-connecting-ip') {
+            requestHeaders.set(key, value);
+          }
+        });
+        const response = await fetch(targetUrl.toString(), {
+          headers: requestHeaders,
+        });
+        // Sanitize response to hide calendar URLs in error messages
+        // Pass pathname for calendar events processing
+        return await sanitizeResponse(response, pathname);
+      }
+      // Handle main calendar page requests - always add calendar URLs from secret
+      if (isMainCalendarPage) {
+        // Decrypt calendar URLs from secret
+        // ENCRYPTION_METHOD is hardcoded to 'fernet'
+        const decryptedUrls = [];
+        for (const urlParam of calendarUrls) {
+          if (urlParam.startsWith('fernet://')) {
+            if (!encryptionKey) {
+              return new Response('ENCRYPTION_KEY not configured (required for fernet:// URLs)', {
+                status: 500,
+                headers: { 'Content-Type': 'text/plain' }
+              });
+            }
+            try {
+              const decrypted = await decryptFernetUrl(urlParam, encryptionKey);
+              decryptedUrls.push(decrypted);
+            } catch (error) {
+              return new Response(`Failed to decrypt calendar URL: ${error.message}`, {
+                status: 500,
+                headers: { 'Content-Type': 'text/plain' }
+              });
+            }
+          } else {
+            // Plain URL, use as-is
+            decryptedUrls.push(urlParam);
+          }
+        }
+        // Build the open-web-calendar URL with decrypted URLs
+        const calendarUrl = new URL('https://open-web-calendar.hosted.quelltext.eu/calendar.html');
+        // Copy all query parameters except 'url' (calendar URLs come from secret)
+        for (const [key, value] of url.searchParams.entries()) {
+          if (key !== 'url') {
+            calendarUrl.searchParams.append(key, value);
+          }
+        }
+        // Add decrypted URLs from secret
+        for (const decryptedUrl of decryptedUrls) {
+          calendarUrl.searchParams.append('url', decryptedUrl);
+        }
+        // Fetch from open-web-calendar
+        const response = await fetch(calendarUrl.toString(), {
+          headers: {
+            'User-Agent': request.headers.get('User-Agent') || 'Cloudflare-Worker',
+          },
+        });
+        // Sanitize response to hide calendar URLs in error messages
+        // Pass pathname for calendar events processing
+        return await sanitizeResponse(response, pathname);
+      }
+      // For all other requests (static resources, etc.), proxy directly
+      let targetPath = pathname;
+      if (pathname === '/' || pathname === '') {
+        targetPath = '/calendar.html';
+      }
+      const targetUrl = new URL(`https://open-web-calendar.hosted.quelltext.eu${targetPath}${url.search}`);
+      // Forward all headers from the original request
+      const requestHeaders = new Headers();
+      request.headers.forEach((value, key) => {
+        // Skip certain headers that shouldn't be forwarded
+        if (key.toLowerCase() !== 'host' && key.toLowerCase() !== 'cf-ray' && key.toLowerCase() !== 'cf-connecting-ip') {
+          requestHeaders.set(key, value);
+        }
+      });
+      const response = await fetch(targetUrl.toString(), {
+        headers: requestHeaders,
+      });
+      // Sanitize response to hide calendar URLs in error messages
+      // Pass pathname for calendar events processing
+      return await sanitizeResponse(response, pathname);
+    } catch (error) {
+      return new Response(`Error: ${error.message}`, {
+        status: 500,
+        headers: { 'Content-Type': 'text/plain' }
+      });
+    }
+  },
+};

package/wrangler.toml.example ADDED Viewed

@@ -0,0 +1,34 @@
+name = "calendar-proxy"
+main = "worker.js"
+compatibility_date = "2025-12-28"
+# Environment variables (secrets should be set via wrangler secret put)
+# ENCRYPTION_KEY should be set as a secret: wrangler secret put ENCRYPTION_KEY
+#
+# Custom domain routes can be configured via:
+# 1. Cloudflare Dashboard: Workers & Pages > Your Worker > Settings > Triggers > Routes
+# 2. Wrangler CLI: wrangler routes add <pattern> --env production
+# 3. Or add routes here for your environment:
+#    routes = [
+#      { pattern = "your-domain.com", custom_domain = true }
+#    ]
+[env.production]
+name = "calendar-proxy"
+# Add your custom domain routes here if needed
+# routes = [
+#   { pattern = "your-domain.com", custom_domain = true }
+# ]
+[env.development]
+name = "calendar-proxy-dev"
+[observability]
+[observability.logs]
+enabled = true
+head_sampling_rate = 1
+invocation_logs = false
+[observability.traces]
+enabled = false
+head_sampling_rate = 1