@nuxt/scripts 0.13.2 → 1.0.0-beta.2

package/dist/runtime/server/proxy-handler.js

@@ -0,0 +1,230 @@
+import { defineEventHandler, getHeaders, getRequestIP, readBody, getQuery, setResponseHeader, createError } from "h3";
+import { useRuntimeConfig } from "#imports";
+import { useStorage, useNitroApp } from "nitropack/runtime";
+import { hash } from "ohash";
+import { rewriteScriptUrls } from "../utils/pure.js";
+import {
+  FINGERPRINT_HEADERS,
+  IP_HEADERS,
+  SENSITIVE_HEADERS,
+  anonymizeIP,
+  normalizeLanguage,
+  normalizeUserAgent,
+  stripPayloadFingerprinting
+} from "./utils/privacy.js";
+function stripQueryFingerprinting(query) {
+  const stripped = stripPayloadFingerprinting(query);
+  const params = new URLSearchParams();
+  for (const [key, value] of Object.entries(stripped)) {
+    if (value !== void 0 && value !== null) {
+      params.set(key, String(value));
+    }
+  }
+  return params.toString();
+}
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const nitro = useNitroApp();
+  const proxyConfig = config["nuxt-scripts-proxy"];
+  if (!proxyConfig) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: "First-party proxy not configured"
+    });
+  }
+  const { routes, privacy, cacheTtl = 3600, debug = import.meta.dev } = proxyConfig;
+  const path = event.path;
+  const log = debug ? (message, ...args) => {
+    console.debug(message, ...args);
+  } : () => {
+  };
+  let targetBase;
+  let matchedPrefix;
+  const sortedRoutes = Object.entries(routes).sort((a, b) => b[0].length - a[0].length);
+  for (const [routePattern, target] of sortedRoutes) {
+    const prefix = routePattern.replace(/\/\*\*$/, "");
+    if (path.startsWith(prefix)) {
+      targetBase = target.replace(/\/\*\*$/, "");
+      matchedPrefix = prefix;
+      log("[proxy] Matched:", prefix, "->", targetBase);
+      break;
+    }
+  }
+  if (!targetBase || !matchedPrefix) {
+    log("[proxy] No match for path:", path);
+    throw createError({
+      statusCode: 404,
+      statusMessage: "No proxy route matched",
+      message: `No proxy target found for path: ${path}`
+    });
+  }
+  let targetPath = path.slice(matchedPrefix.length);
+  if (targetPath && !targetPath.startsWith("/")) {
+    targetPath = "/" + targetPath;
+  }
+  let targetUrl = targetBase + targetPath;
+  if (privacy === "anonymize") {
+    const query = getQuery(event);
+    if (Object.keys(query).length > 0) {
+      const strippedQuery = stripQueryFingerprinting(query);
+      const basePath = targetUrl.split("?")[0] || targetUrl;
+      targetUrl = strippedQuery ? `${basePath}?${strippedQuery}` : basePath;
+    }
+  }
+  const originalHeaders = getHeaders(event);
+  const headers = {};
+  if (privacy === "proxy") {
+    for (const [key, value] of Object.entries(originalHeaders)) {
+      if (!value) continue;
+      if (SENSITIVE_HEADERS.includes(key.toLowerCase())) continue;
+      headers[key] = value;
+    }
+  } else {
+    for (const [key, value] of Object.entries(originalHeaders)) {
+      if (!value)
+        continue;
+      const lowerKey = key.toLowerCase();
+      if (IP_HEADERS.includes(lowerKey))
+        continue;
+      if (SENSITIVE_HEADERS.includes(lowerKey))
+        continue;
+      if (lowerKey === "content-length")
+        continue;
+      if (lowerKey === "user-agent") {
+        headers[key] = normalizeUserAgent(value);
+      } else if (lowerKey === "accept-language") {
+        headers[key] = normalizeLanguage(value);
+      } else if (lowerKey === "sec-ch-ua" || lowerKey === "sec-ch-ua-full-version-list") {
+        headers[key] = value.replace(/;v="(\d+)\.[^"]*"/g, ';v="$1"');
+      } else if (FINGERPRINT_HEADERS.includes(lowerKey)) {
+        headers[key] = value;
+      } else {
+        headers[key] = value;
+      }
+    }
+    const clientIP = getRequestIP(event, { xForwardedFor: true });
+    if (clientIP) {
+      headers["x-forwarded-for"] = anonymizeIP(clientIP);
+    }
+  }
+  let body;
+  let rawBody;
+  const contentType = originalHeaders["content-type"] || "";
+  const method = event.method?.toUpperCase();
+  const originalQuery = getQuery(event);
+  if (method === "POST" || method === "PUT" || method === "PATCH") {
+    rawBody = await readBody(event);
+    if (privacy === "anonymize" && rawBody) {
+      if (typeof rawBody === "object") {
+        body = stripPayloadFingerprinting(rawBody);
+      } else if (typeof rawBody === "string") {
+        if (rawBody.startsWith("{") || rawBody.startsWith("[")) {
+          let parsed = null;
+          try {
+            parsed = JSON.parse(rawBody);
+          } catch {
+          }
+          if (parsed && typeof parsed === "object") {
+            body = stripPayloadFingerprinting(parsed);
+          } else {
+            body = rawBody;
+          }
+        } else if (contentType.includes("application/x-www-form-urlencoded")) {
+          const params = new URLSearchParams(rawBody);
+          const obj = {};
+          params.forEach((value, key) => {
+            obj[key] = value;
+          });
+          const stripped = stripPayloadFingerprinting(obj);
+          const stringified = {};
+          for (const [k, v] of Object.entries(stripped)) {
+            if (v === void 0 || v === null) continue;
+            stringified[k] = typeof v === "string" ? v : JSON.stringify(v);
+          }
+          body = new URLSearchParams(stringified).toString();
+        } else {
+          body = rawBody;
+        }
+      } else {
+        body = rawBody;
+      }
+    } else {
+      body = rawBody;
+    }
+  }
+  await nitro.hooks.callHook("nuxt-scripts:proxy", {
+    timestamp: Date.now(),
+    path: event.path,
+    targetUrl,
+    method: method || "GET",
+    privacy,
+    original: {
+      headers: { ...originalHeaders },
+      query: originalQuery,
+      body: rawBody ?? null
+    },
+    stripped: {
+      headers,
+      query: privacy === "anonymize" ? stripPayloadFingerprinting(originalQuery) : originalQuery,
+      body: body ?? null
+    }
+  });
+  log("[proxy] Fetching:", targetUrl);
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), 15e3);
+  let response;
+  try {
+    response = await fetch(targetUrl, {
+      method: method || "GET",
+      headers,
+      body: body ? typeof body === "string" ? body : JSON.stringify(body) : void 0,
+      credentials: "omit",
+      // Don't send cookies to third parties
+      signal: controller.signal
+    });
+  } catch (err) {
+    clearTimeout(timeoutId);
+    log("[proxy] Fetch error:", err instanceof Error ? err.message : err);
+    if (path.includes("/collect") || path.includes("/tr") || path.includes("/events")) {
+      event.node.res.statusCode = 204;
+      return "";
+    }
+    const isTimeout = err instanceof Error && (err.message.includes("aborted") || err.message.includes("timeout"));
+    throw createError({
+      statusCode: isTimeout ? 504 : 502,
+      statusMessage: isTimeout ? "Upstream timeout" : "Bad Gateway",
+      message: "Failed to reach upstream"
+    });
+  }
+  clearTimeout(timeoutId);
+  log("[proxy] Response:", response.status, response.statusText);
+  const skipHeaders = ["set-cookie", "transfer-encoding", "content-encoding", "content-length"];
+  response.headers.forEach((value, key) => {
+    if (!skipHeaders.includes(key.toLowerCase())) {
+      setResponseHeader(event, key, value);
+    }
+  });
+  event.node.res.statusCode = response.status;
+  event.node.res.statusMessage = response.statusText;
+  const responseContentType = response.headers.get("content-type") || "";
+  const isTextContent = responseContentType.includes("text") || responseContentType.includes("javascript") || responseContentType.includes("json");
+  if (isTextContent) {
+    let content = await response.text();
+    if (responseContentType.includes("javascript") && proxyConfig?.rewrites?.length) {
+      const cacheKey = `nuxt-scripts:proxy:${hash(targetUrl + JSON.stringify(proxyConfig.rewrites))}`;
+      const storage = useStorage("cache");
+      const cached = await storage.getItem(cacheKey);
+      if (cached && typeof cached === "string") {
+        log("[proxy] Serving rewritten script from cache");
+        content = cached;
+      } else {
+        content = rewriteScriptUrls(content, proxyConfig.rewrites);
+        await storage.setItem(cacheKey, content, { ttl: cacheTtl });
+        log("[proxy] Rewrote URLs in JavaScript response and cached");
+      }
+      setResponseHeader(event, "cache-control", `public, max-age=${cacheTtl}, stale-while-revalidate=${cacheTtl * 2}`);
+    }
+    return content;
+  }
+  return Buffer.from(await response.arrayBuffer());
+});

package/dist/runtime/server/sw-handler.d.ts

@@ -0,0 +1,2 @@
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<string>>;
+export default _default;

package/dist/runtime/server/sw-handler.js

@@ -0,0 +1,25 @@
+import { defineEventHandler, setResponseHeader } from "h3";
+import { useRuntimeConfig } from "#imports";
+import { parseURL } from "ufo";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig(event);
+  const proxyConfig = config["nuxt-scripts-proxy"];
+  const swTemplate = config["nuxt-scripts"]?.swTemplate || "";
+  const routes = proxyConfig?.routes || {};
+  const rules = Object.entries(routes).map(([localPath, proxy]) => {
+    const url = parseURL(proxy.replace(/\*\*$/, ""));
+    if (!url.host) return null;
+    return {
+      pattern: url.host,
+      pathPrefix: url.pathname || "",
+      target: localPath.replace(/\/\*\*$/, "")
+    };
+  }).filter(Boolean);
+  const swCode = `const INTERCEPT_RULES = ${JSON.stringify(rules)};
+
+${swTemplate}`;
+  setResponseHeader(event, "Content-Type", "application/javascript");
+  setResponseHeader(event, "Service-Worker-Allowed", "/");
+  setResponseHeader(event, "Cache-Control", "no-cache");
+  return swCode;
+});

package/dist/runtime/server/utils/privacy.d.ts

@@ -0,0 +1,97 @@
+/**
+ * Headers that reveal user IP address - stripped in proxy mode,
+ * anonymized in anonymize mode.
+ */
+export declare const IP_HEADERS: string[];
+/**
+ * Headers that enable fingerprinting - normalized in anonymize mode.
+ */
+export declare const FINGERPRINT_HEADERS: string[];
+/**
+ * Sensitive headers that should never be forwarded to third parties.
+ */
+export declare const SENSITIVE_HEADERS: string[];
+/**
+ * Payload parameters relevant to privacy.
+ *
+ * Note: userId and userData are intentionally NOT modified by stripPayloadFingerprinting.
+ * Analytics services require user identifiers (cid, uid, fbp, etc.) and user data (ud, email)
+ * to function correctly. These are listed here for documentation and param-detection tests only.
+ * The privacy model anonymizes device/browser fingerprinting while preserving user-level analytics IDs.
+ */
+export declare const STRIP_PARAMS: {
+    ip: string[];
+    userId: string[];
+    userData: string[];
+    screen: string[];
+    hardware: string[];
+    platform: string[];
+    version: string[];
+    browserVersion: string[];
+    browserData: string[];
+    location: string[];
+    canvas: string[];
+    deviceInfo: string[];
+};
+/**
+ * Parameters that should be normalized (not stripped).
+ */
+export declare const NORMALIZE_PARAMS: {
+    language: string[];
+    userAgent: string[];
+};
+/**
+ * Anonymize an IP address by zeroing trailing segments.
+ */
+export declare function anonymizeIP(ip: string): string;
+/**
+ * Normalize User-Agent to browser family and major version only.
+ */
+export declare function normalizeUserAgent(ua: string): string;
+/**
+ * Normalize Accept-Language to primary language tag (preserving country).
+ * "en-US,en;q=0.9,fr;q=0.8" → "en-US"
+ */
+export declare function normalizeLanguage(lang: string): string;
+/**
+ * Generalize screen resolution to 3 coarse device-class buckets (mobile / tablet / desktop).
+ * Handles both combined "WxH" strings and individual dimension values (sh, sw).
+ *
+ * When `dimension` is specified, uses the correct bucket for that axis:
+ *   - 'width': [1920, 768, 360]
+ *   - 'height': [1080, 1024, 640]
+ * Without `dimension`, individual values use width thresholds (backward-compatible).
+ */
+export declare function generalizeScreen(value: unknown, dimension?: 'width' | 'height'): string | number;
+/**
+ * Generalize hardware concurrency / device memory to common bucket.
+ */
+export declare function generalizeHardware(value: unknown): number;
+/**
+ * Generalize a version string to major version, preserving the original format.
+ * "6.17.0" → "6.0.0", "143.0.7499.4" → "143.0.0.0"
+ */
+export declare function generalizeVersion(value: unknown): string;
+/**
+ * Generalize browser version list to major versions, preserving segment count.
+ * Handles Snapchat d_bvs format: [,{"brand":"Chrome","version":"143.0.7499.4"}...]
+ * Handles GA uafvl format: HeadlessChrome;143.0.7499.4|Chromium;143.0.7499.4|...
+ */
+export declare function generalizeBrowserVersions(value: unknown): string;
+/**
+ * Generalize timezone to reduce precision.
+ * IANA names → UTC offset string, numeric offsets → bucketed to 3-hour intervals.
+ */
+export declare function generalizeTimezone(value: unknown): string | number;
+/**
+ * Anonymize a combined device-info string (e.g. X/Twitter `dv` param).
+ * Parses the delimited string and generalizes fingerprinting components
+ * (timezone, language, screen dimensions) while keeping low-entropy values.
+ */
+export declare function anonymizeDeviceInfo(value: string): string;
+/**
+ * Recursively anonymize fingerprinting data in payload.
+ * Fields are generalized or normalized rather than stripped, so endpoints
+ * still receive valid data with reduced fingerprinting precision.
+ */
+export declare function stripPayloadFingerprinting(payload: Record<string, unknown>): Record<string, unknown>;

package/dist/runtime/server/utils/privacy.js

@@ -0,0 +1,268 @@
+export const IP_HEADERS = [
+  "x-forwarded-for",
+  "x-real-ip",
+  "forwarded",
+  "cf-connecting-ip",
+  "true-client-ip",
+  "x-client-ip",
+  "x-cluster-client-ip"
+];
+export const FINGERPRINT_HEADERS = [
+  "user-agent",
+  "accept-language",
+  "accept-encoding",
+  "sec-ch-ua",
+  "sec-ch-ua-platform",
+  "sec-ch-ua-mobile",
+  "sec-ch-ua-full-version-list"
+];
+export const SENSITIVE_HEADERS = [
+  "cookie",
+  "authorization",
+  "proxy-authorization",
+  "x-csrf-token",
+  "www-authenticate"
+];
+export const STRIP_PARAMS = {
+  // IP addresses — anonymized to subnet
+  ip: ["uip", "ip", "client_ip_address", "ip_address", "user_ip", "ipaddress", "context.ip"],
+  // User identifiers — intentionally preserved for analytics functionality
+  userId: ["uid", "user_id", "userid", "external_id", "cid", "_gid", "fbp", "fbc", "sid", "session_id", "sessionid", "pl_id", "p_user_id", "uuid", "anonymousid", "twclid", "u_c1", "u_sclid", "u_scsid"],
+  // User data (PII) — intentionally preserved; hashed by analytics SDKs before sending
+  userData: ["ud", "user_data", "userdata", "email", "phone", "traits.email", "traits.phone"],
+  // Screen/Hardware — generalized to common buckets
+  screen: ["sr", "vp", "sd", "screen", "viewport", "colordepth", "pixelratio", "sh", "sw"],
+  // Hardware capabilities — generalized to common buckets
+  hardware: ["hardwareconcurrency", "devicememory", "cpu", "mem"],
+  // Platform identifiers — low entropy, kept as-is (e.g. "Linux", "x86")
+  platform: ["plat", "platform", "d_a", "d_ot"],
+  // Version strings — generalized to major version only (d_os = Snapchat OS version, uapv = GA platform version)
+  version: ["d_os", "uapv"],
+  // Browser version lists — generalized to major versions (d_bvs = Snapchat, uafvl = GA Client Hints)
+  browserVersion: ["d_bvs", "uafvl"],
+  // Browser data lists — replaced with empty value
+  browserData: ["plugins", "fonts"],
+  // Location/Timezone — generalized
+  location: ["tz", "timezone", "timezoneoffset"],
+  // Canvas/WebGL/Audio fingerprints — replaced with empty value (pure fingerprints, no analytics value)
+  canvas: ["canvas", "webgl", "audiofingerprint"],
+  // Combined device fingerprinting (X/Twitter dv param contains: timezone, locale, vendor, platform, screen, etc.)
+  deviceInfo: ["dv", "device_info", "deviceinfo"]
+};
+export const NORMALIZE_PARAMS = {
+  language: ["ul", "lang", "language", "languages"],
+  userAgent: ["ua", "useragent", "user_agent", "client_user_agent", "context.useragent"]
+};
+export function anonymizeIP(ip) {
+  if (ip.includes(":")) {
+    return ip.split(":").slice(0, 3).join(":") + "::";
+  }
+  const parts = ip.split(".");
+  if (parts.length === 4) {
+    parts[3] = "0";
+    return parts.join(".");
+  }
+  return ip;
+}
+export function normalizeUserAgent(ua) {
+  const tokens = [
+    ["Edg/", "Edge"],
+    ["OPR/", "Opera"],
+    ["Opera/", "Opera"],
+    ["Firefox/", "Firefox"],
+    ["Chrome/", "Chrome"],
+    ["Safari/", "Safari"]
+  ];
+  for (const [pattern, family] of tokens) {
+    const idx = ua.indexOf(pattern);
+    if (idx !== -1) {
+      const versionStart = idx + pattern.length;
+      const majorVersion = ua.slice(versionStart).match(/^(\d+)/)?.[1];
+      if (majorVersion)
+        return `Mozilla/5.0 (compatible; ${family}/${majorVersion}.0)`;
+    }
+  }
+  return "Mozilla/5.0 (compatible)";
+}
+export function normalizeLanguage(lang) {
+  return lang.split(",")[0]?.split(";")[0]?.trim() || "en";
+}
+const SCREEN_BUCKETS = {
+  desktop: { w: 1920, h: 1080 },
+  tablet: { w: 768, h: 1024 },
+  mobile: { w: 360, h: 640 }
+};
+function getDeviceClass(width) {
+  if (width >= 1200) return "desktop";
+  if (width >= 700) return "tablet";
+  return "mobile";
+}
+export function generalizeScreen(value, dimension) {
+  if (typeof value === "string" && value.includes("x")) {
+    const width = Number.parseInt(value.split("x")[0] || "0");
+    const cls = getDeviceClass(width);
+    return `${SCREEN_BUCKETS[cls].w}x${SCREEN_BUCKETS[cls].h}`;
+  }
+  const num = typeof value === "number" ? value : Number(value);
+  if (!Number.isNaN(num)) {
+    const cls = getDeviceClass(num);
+    const bucketed = dimension === "height" ? SCREEN_BUCKETS[cls].h : SCREEN_BUCKETS[cls].w;
+    return typeof value === "number" ? bucketed : String(bucketed);
+  }
+  return "1920x1080";
+}
+export function generalizeHardware(value) {
+  const num = typeof value === "number" ? value : Number(value);
+  if (Number.isNaN(num)) return 4;
+  if (num >= 16) return 16;
+  if (num >= 8) return 8;
+  if (num >= 4) return 4;
+  return 2;
+}
+export function generalizeVersion(value) {
+  if (typeof value !== "string") return String(value);
+  const match = value.match(/^(\d+)(([.\-_])\d+)*/);
+  if (!match) return String(value);
+  const major = match[1];
+  const sep = match[3] || ".";
+  const segmentCount = value.split(/[.\-_]/).length;
+  return major + (sep + "0").repeat(segmentCount - 1);
+}
+export function generalizeBrowserVersions(value) {
+  if (typeof value !== "string") return String(value);
+  const zeroSegments = (ver) => {
+    const parts = ver.split(".");
+    return parts[0] + parts.slice(1).map(() => ".0").join("");
+  };
+  if (value.includes('"version"'))
+    return value.replace(/("version"\s*:\s*")(\d+(?:\.\d+)*)/g, (_, prefix, ver) => prefix + zeroSegments(ver));
+  if (value.includes(";"))
+    return value.replace(/;(\d+(?:\.\d+)*)/g, (_, ver) => ";" + zeroSegments(ver));
+  return value;
+}
+export function generalizeTimezone(value) {
+  if (typeof value === "number") {
+    return Math.round(value / 180) * 180;
+  }
+  if (typeof value === "string") {
+    return "UTC";
+  }
+  return 0;
+}
+export function anonymizeDeviceInfo(value) {
+  const sep = value.includes("|") ? "|" : "&";
+  const parts = value.split(sep);
+  if (parts.length < 4) return value;
+  const result = [...parts];
+  for (let i = 0; i < parts.length; i++) {
+    const part = parts[i];
+    if (part.includes("/") && /^[A-Z]/.test(part)) {
+      result[i] = String(generalizeTimezone(part));
+      continue;
+    }
+    if (/^[a-z]{2}(?:-[a-z]{2,})?$/i.test(part)) {
+      result[i] = normalizeLanguage(part);
+      continue;
+    }
+    const num = Number(part);
+    if (!Number.isNaN(num) && num >= 300 && num <= 1e4) {
+      const nextNum = Number(parts[i + 1]);
+      if (!Number.isNaN(nextNum) && nextNum >= 300 && nextNum <= 1e4) {
+        const cls = getDeviceClass(num);
+        result[i] = String(SCREEN_BUCKETS[cls].w);
+        result[i + 1] = String(SCREEN_BUCKETS[cls].h);
+        i++;
+        continue;
+      }
+      result[i] = String(generalizeScreen(num));
+      continue;
+    }
+    if (!Number.isNaN(num) && num < -60) {
+      result[i] = String(generalizeTimezone(num));
+    }
+  }
+  return result.join(sep);
+}
+export function stripPayloadFingerprinting(payload) {
+  const result = {};
+  let deviceClass;
+  for (const [key, value] of Object.entries(payload)) {
+    if (key.toLowerCase() === "sw") {
+      const num = typeof value === "number" ? value : Number(value);
+      if (!Number.isNaN(num)) deviceClass = getDeviceClass(num);
+    }
+  }
+  for (const [key, value] of Object.entries(payload)) {
+    const lowerKey = key.toLowerCase();
+    const isLanguageParam = NORMALIZE_PARAMS.language.some((p) => lowerKey === p.toLowerCase());
+    const isUserAgentParam = NORMALIZE_PARAMS.userAgent.some((p) => lowerKey === p.toLowerCase());
+    if ((isLanguageParam || isUserAgentParam) && typeof value === "string") {
+      result[key] = isLanguageParam ? normalizeLanguage(value) : normalizeUserAgent(value);
+      continue;
+    }
+    const matchesParam = (key2, params) => {
+      const lk = key2.toLowerCase();
+      return params.some((p) => {
+        const lp = p.toLowerCase();
+        return lk === lp || lk.startsWith(lp + "[");
+      });
+    };
+    if (matchesParam(key, STRIP_PARAMS.ip) && typeof value === "string") {
+      result[key] = anonymizeIP(value);
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.screen)) {
+      if (["sd", "colordepth", "pixelratio"].includes(lowerKey)) {
+        result[key] = value;
+      } else if (lowerKey === "sh" && deviceClass) {
+        const paired = SCREEN_BUCKETS[deviceClass].h;
+        result[key] = typeof value === "number" ? paired : String(paired);
+      } else {
+        result[key] = generalizeScreen(value, lowerKey === "sw" ? "width" : lowerKey === "sh" ? "height" : void 0);
+      }
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.hardware)) {
+      result[key] = generalizeHardware(value);
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.version)) {
+      result[key] = generalizeVersion(value);
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.browserVersion)) {
+      result[key] = generalizeBrowserVersions(value);
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.location)) {
+      result[key] = generalizeTimezone(value);
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.browserData)) {
+      result[key] = Array.isArray(value) ? [] : "";
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.canvas)) {
+      result[key] = typeof value === "number" ? 0 : typeof value === "object" ? {} : "";
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.deviceInfo)) {
+      result[key] = typeof value === "string" ? anonymizeDeviceInfo(value) : "";
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.platform)) {
+      result[key] = value;
+      continue;
+    }
+    if (Array.isArray(value)) {
+      result[key] = value.map(
+        (item) => typeof item === "object" && item !== null ? stripPayloadFingerprinting(item) : item
+      );
+    } else if (typeof value === "object" && value !== null) {
+      result[key] = stripPayloadFingerprinting(value);
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}

package/dist/runtime/server/x-embed-image.d.ts

@@ -0,0 +1,2 @@
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<any>>;
+export default _default;

package/dist/runtime/server/x-embed-image.js

@@ -0,0 +1,53 @@
+import { createError, defineEventHandler, getQuery, setHeader } from "h3";
+import { $fetch } from "ofetch";
+export default defineEventHandler(async (event) => {
+  const query = getQuery(event);
+  const url = query.url;
+  if (!url) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Image URL is required"
+    });
+  }
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(url);
+  } catch {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Invalid image URL"
+    });
+  }
+  if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Invalid URL scheme"
+    });
+  }
+  const allowedDomains = [
+    "pbs.twimg.com",
+    "abs.twimg.com",
+    "video.twimg.com"
+  ];
+  if (!allowedDomains.includes(parsedUrl.hostname)) {
+    throw createError({
+      statusCode: 403,
+      statusMessage: "Domain not allowed"
+    });
+  }
+  const response = await $fetch.raw(url, {
+    timeout: 5e3,
+    headers: {
+      "Accept": "image/webp,image/jpeg,image/png,image/*,*/*;q=0.8",
+      "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
+    }
+  }).catch((error) => {
+    throw createError({
+      statusCode: error.statusCode || 500,
+      statusMessage: error.statusMessage || "Failed to fetch image"
+    });
+  });
+  setHeader(event, "Content-Type", response.headers.get("content-type") || "image/jpeg");
+  setHeader(event, "Cache-Control", "public, max-age=3600, s-maxage=3600");
+  return response._data;
+});