@govtechsg/oobee 0.10.83 → 0.10.85

package/src/proxyService.ts

@@ -29,6 +29,8 @@ export interface ProxyInfo {
   // optional global credentials to embed (URL-encoded)
   username?: string;
   password?: string;
+  // optional include-only list of domain patterns (from INCLUDE_PROXY env)
+  includeList?: string[];
 }
 
 export interface ProxySettings {
@@ -329,7 +331,7 @@ function parseWindowsRegistry(): ProxyInfo | null {
   if (enabledManual && v.ProxyServer) {
     const s = v.ProxyServer.trim();
     if (s.includes('=')) {
-      for (const part of s.split(';')) {
+      for (const part of s.split(/[,;]/)) {
         const [proto, addr] = part.split('=');
         if (!proto || !addr) continue;
         const p = proto.trim().toLowerCase();
@@ -359,14 +361,104 @@ function parseWindowsRegistry(): ProxyInfo | null {
 
 export function getProxyInfo(): ProxyInfo | null {
   const plat = os.platform();
-  if (plat === 'win32') return parseEnvProxyCommon() || parseWindowsRegistry();
-  if (plat === 'darwin') return parseEnvProxyCommon() || parseMacScutil();
-  return parseEnvProxyCommon(); // Linux/others
+  let info: ProxyInfo | null;
+  if (plat === 'win32') info = parseEnvProxyCommon() || parseWindowsRegistry();
+  else if (plat === 'darwin') info = parseEnvProxyCommon() || parseMacScutil();
+  else info = parseEnvProxyCommon(); // Linux/others
+
+  // Apply INCLUDE_PROXY env: semicolon-separated domain globs that SHOULD use the proxy
+  const includeProxy = process.env.INCLUDE_PROXY;
+  if (includeProxy && info) {
+    const patterns = includeProxy
+      .split(/[,;]/)
+      .map(s => s.trim())
+      .filter(Boolean);
+    if (patterns.length > 0) {
+      // INCLUDE_PROXY and NO_PROXY are mutually exclusive; INCLUDE_PROXY takes precedence
+      const noProxy = process.env.NO_PROXY || process.env.no_proxy;
+      if (noProxy || info.bypassList) {
+        console.warn(
+          'INCLUDE_PROXY is set — ignoring NO_PROXY / bypass list. ' +
+          'These two settings cannot be mixed; INCLUDE_PROXY takes precedence.',
+        );
+        info.bypassList = undefined;
+      }
+      info.includeList = patterns;
+    }
+  }
+
+  return info;
+}
+
+/**
+ * Convert a glob-style domain pattern (e.g. *.example.com) to a regex source string.
+ */
+function domainPatternToRegex(pattern: string): string {
+  // Escape dots, replace * with [^.]* or .* depending on position
+  // *.example.com → match any subdomain of example.com
+  let escaped = pattern
+    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex specials except *
+    .replace(/\*/g, '.*'); // convert glob * to regex .*
+  return `^${escaped}$`;
+}
+
+/**
+ * Build a PAC script that routes only includeList domains through the given proxy,
+ * and returns DIRECT for everything else.
+ */
+function buildIncludeOnlyPac(proxyServer: string, includeList: string[]): string {
+  // proxyServer is like "http://host:port" or "socks5://host:port"
+  let pacProxy: string;
+  if (proxyServer.startsWith('socks5://')) {
+    pacProxy = `SOCKS5 ${proxyServer.replace('socks5://', '')}`;
+  } else if (proxyServer.startsWith('socks://') || proxyServer.startsWith('socks4://')) {
+    pacProxy = `SOCKS ${proxyServer.replace(/^socks[4]?:\/\//, '')}`;
+  } else {
+    // http:// or https:// → PROXY host:port
+    pacProxy = `PROXY ${proxyServer.replace(/^https?:\/\//, '')}`;
+  }
+
+  // Build JS conditions using shExpMatch (built-in PAC function that supports glob patterns)
+  const conditions = includeList
+    .map(pattern => `shExpMatch(host, ${JSON.stringify(pattern)})`)
+    .join(' || ');
+
+  const pac = [
+    'function FindProxyForURL(url, host) {',
+    `  if (${conditions}) {`,
+    `    return ${JSON.stringify(pacProxy)};`,
+    '  }',
+    '  return "DIRECT";',
+    '}',
+  ].join('\n');
+
+  return pac;
 }
 
 export function proxyInfoToResolution(info: ProxyInfo | null): ProxyResolution {
   if (!info) return { kind: 'none' };
 
+  // If INCLUDE_PROXY is set, generate a PAC that only proxies the listed domains
+  if (info.includeList && info.includeList.length > 0) {
+    // Determine the proxy server string
+    let proxyServer: string | undefined;
+    if (info.http) proxyServer = `http://${info.http}`;
+    else if (info.https) proxyServer = `http://${info.https}`;
+    else if (info.socks) proxyServer = `socks5://${info.socks}`;
+
+    if (proxyServer) {
+      // If credentials exist, embed them for the manual proxy auth
+      // PAC scripts themselves don't carry auth, but Playwright's proxy option can
+      // We use PAC for routing, and if creds are needed, Playwright will prompt or
+      // we set them via the proxy option. Unfortunately Playwright doesn't allow
+      // proxy.username with a PAC, so we embed in the launch arg and rely on
+      // Chromium's built-in auth handler for proxy auth challenges.
+      const pac = buildIncludeOnlyPac(proxyServer, info.includeList);
+      const pacDataUrl = `data:application/x-ns-proxy-autoconfig;base64,${Buffer.from(pac).toString('base64')}`;
+      return { kind: 'pac', pacUrl: pacDataUrl, bypass: info.bypassList };
+    }
+  }
+
   // Prefer manual proxies first (these work with Playwright's proxy option)
   if (info.http) {
     return { kind: 'manual', settings: {

package/src/utils.ts

@@ -4,6 +4,7 @@ import os from 'os';
 import fs from 'fs-extra';
 import axe, { Rule } from 'axe-core';
 import { v4 as uuidv4 } from 'uuid';
+import { getDomain } from 'tldts';
 import constants, {
   BrowserTypes,
   destinationPath,
@@ -1078,14 +1079,25 @@ export const randomThreeDigitNumberString = () => {
 };
 
 export const isFollowStrategy = (link1: string, link2: string, rule: string): boolean => {
-  const parsedLink1 = new URL(link1);
-  const parsedLink2 = new URL(link2);
-  if (rule === 'same-domain') {
-    const link1Domain = parsedLink1.hostname.split('.').slice(-2).join('.');
-    const link2Domain = parsedLink2.hostname.split('.').slice(-2).join('.');
-    return link1Domain === link2Domain;
+  try {
+    const parsedLink1 = new URL(link1);
+    const parsedLink2 = new URL(link2);
+    if (rule === 'all') {
+      return true;
+    }
+    if (rule === 'same-origin') {
+      return parsedLink1.origin === parsedLink2.origin;
+    }
+    if (rule === 'same-domain') {
+      const link1Domain = getDomain(parsedLink1.hostname, { allowPrivateDomains: true }) || parsedLink1.hostname;
+      const link2Domain = getDomain(parsedLink2.hostname, { allowPrivateDomains: true }) || parsedLink2.hostname;
+      return link1Domain.toLowerCase() === link2Domain.toLowerCase();
+    }
+    // default: same-hostname
+    return parsedLink1.hostname === parsedLink2.hostname;
+  } catch {
+    return false;
   }
-  return parsedLink1.hostname === parsedLink2.hostname;
 };
 
 export const retryFunction = async <T>(func: () => Promise<T>, maxAttempt: number): Promise<T> => {