@nuxt/scripts 1.0.0-rc.5 → 1.0.0-rc.7

package/dist/runtime/components/GoogleMaps/ScriptGoogleMapsOverlayView.vue.d.ts

@@ -1,16 +1,29 @@
-type OverlayAnchor = 'center' | 'top-left' | 'top-center' | 'top-right' | 'bottom-left' | 'bottom-center' | 'bottom-right' | 'left-center' | 'right-center';
-type OverlayPane = 'mapPane' | 'overlayLayer' | 'markerLayer' | 'overlayMouseTarget' | 'floatPane';
-type __VLS_Props = {
+import type { ShallowRef } from 'vue';
+export type ScriptGoogleMapsOverlayAnchor = 'center' | 'top-left' | 'top-center' | 'top-right' | 'bottom-left' | 'bottom-center' | 'bottom-right' | 'left-center' | 'right-center';
+export type ScriptGoogleMapsOverlayPane = 'mapPane' | 'overlayLayer' | 'markerLayer' | 'overlayMouseTarget' | 'floatPane';
+export interface ScriptGoogleMapsOverlayViewProps {
     /**
      * Geographic position for the overlay. Falls back to parent marker position if omitted.
+     *
+     * Accepts either a plain `LatLngLiteral` (`{ lat, lng }`) or a
+     * `google.maps.LatLng` instance.
      * @see https://developers.google.com/maps/documentation/javascript/reference/overlay-view#OverlayView
      */
-    position?: google.maps.LatLngLiteral;
+    position?: google.maps.LatLng | google.maps.LatLngLiteral;
+    /**
+     * Initial open state for the uncontrolled mode (when `v-model:open` is not
+     * bound). When omitted, the overlay opens on mount, matching v0 behaviour.
+     *
+     * Has no effect when `v-model:open` is used; pass an initial value to the
+     * bound ref instead.
+     * @default true
+     */
+    defaultOpen?: boolean;
     /**
      * Anchor point of the overlay relative to its position.
      * @default 'bottom-center'
      */
-    anchor?: OverlayAnchor;
+    anchor?: ScriptGoogleMapsOverlayAnchor;
     /**
      * Pixel offset from the anchor position.
      */
@@ -23,7 +36,7 @@ type __VLS_Props = {
      * @default 'floatPane'
      * @see https://developers.google.com/maps/documentation/javascript/reference/overlay-view#MapPanes
      */
-    pane?: OverlayPane;
+    pane?: ScriptGoogleMapsOverlayPane;
     /**
      * CSS z-index for the overlay element.
      */
@@ -45,31 +58,39 @@ type __VLS_Props = {
      * @default true
      */
     hideWhenClustered?: boolean;
-};
-type __VLS_Slots = {
+}
+export interface ScriptGoogleMapsOverlayViewEmits {
+    /** Event handler called when the open state of the overlay view changes. */
+    'update:open': [value: boolean];
+}
+export interface ScriptGoogleMapsOverlayViewSlots {
     default?: () => any;
-};
-type __VLS_ModelProps = {
-    'open'?: boolean;
-};
-type __VLS_PublicProps = __VLS_Props & __VLS_ModelProps;
-declare const __VLS_base: import("vue").DefineComponent<__VLS_PublicProps, {
-    overlay: import("vue").ShallowRef<google.maps.OverlayView | undefined>;
-    dataState: import("vue").ComputedRef<"open" | "closed">;
-}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {
-    "update:open": (value: boolean) => any;
-}, string, import("vue").PublicProps, Readonly<__VLS_PublicProps> & Readonly<{
-    "onUpdate:open"?: ((value: boolean) => any) | undefined;
-}>, {
-    anchor: OverlayAnchor;
-    pane: OverlayPane;
-    blockMapInteraction: boolean;
-    panOnOpen: boolean | number;
-    hideWhenClustered: boolean;
-}, {}, {}, {}, string, import("vue").ComponentProvideOptions, false, {}, any>;
-declare const __VLS_export: __VLS_WithSlots<typeof __VLS_base, __VLS_Slots>;
+}
+export interface ScriptGoogleMapsOverlayViewExpose {
+    /** The underlying `OverlayView` instance. */
+    overlayView: ShallowRef<google.maps.OverlayView | undefined>;
+    /**
+     * The underlying `OverlayView` instance.
+     *
+     * @deprecated Use `overlayView` instead. The `overlay` alias will be
+     * removed in a future major version.
+     * @see https://scripts.nuxt.com/docs/migration-guide/v0-to-v1
+     */
+    overlay: ShallowRef<google.maps.OverlayView | undefined>;
+    /** The current data-state of the overlay, either 'open' or 'closed'. */
+    dataState: Readonly<ShallowRef<'open' | 'closed'>>;
+}
 declare const _default: typeof __VLS_export;
 export default _default;
+declare const __VLS_export: __VLS_WithSlots<import("vue").DefineComponent<ScriptGoogleMapsOverlayViewProps & {
+    open?: boolean;
+}, ScriptGoogleMapsOverlayViewExpose, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {
+    "update:open": (value: boolean) => any;
+}, string, import("vue").PublicProps, Readonly<ScriptGoogleMapsOverlayViewProps & {
+    open?: boolean;
+}> & Readonly<{
+    "onUpdate:open"?: ((value: boolean) => any) | undefined;
+}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, false, {}, any>, ScriptGoogleMapsOverlayViewSlots>;
 type __VLS_WithSlots<T, S> = T & {
     new (): {
         $slots: S;

package/dist/runtime/components/GoogleMaps/useGoogleMapsResource.d.ts

@@ -25,6 +25,56 @@ export interface GoogleMapsResourceContext {
     map: google.maps.Map;
     mapsApi: typeof google.maps;
 }
+/**
+ * Normalizes a `LatLng | LatLngLiteral` value into a plain `LatLngLiteral`.
+ *
+ * Google's `LatLng` exposes coordinates via `.lat()`/`.lng()` methods, while
+ * `LatLngLiteral` exposes them as plain `lat`/`lng` numeric properties. The
+ * runtime distinguishes them by checking whether `.lat` is callable; this is
+ * preferred over `instanceof google.maps.LatLng` because mocked APIs in tests
+ * return plain objects rather than real `LatLng` instances.
+ */
+export declare function normalizeLatLng(p: google.maps.LatLng | google.maps.LatLngLiteral): google.maps.LatLngLiteral;
+/**
+ * Defines a deprecated property alias on an exposed object. Reading the alias
+ * returns the value of the canonical key and emits a one-shot
+ * `console.warn` (so repeated reads don't spam the console).
+ *
+ * Used to provide backward-compatible renames on `defineExpose` payloads
+ * without breaking existing template-ref consumers. Call sites should wrap
+ * this in `if (import.meta.dev)` so production builds skip the getter
+ * entirely and the alias stays a plain data property.
+ */
+export declare function defineDeprecatedAlias<T extends object, K extends keyof T>(target: T, alias: string, canonicalKey: K, message: string): T;
+/**
+ * Emits dev-mode deprecation warnings for the legacy top-level `center` and
+ * `zoom` props on `<ScriptGoogleMaps>`. Both props still work, but new code
+ * should pass them via `mapOptions` instead.
+ *
+ * Returns the number of warnings emitted (useful for tests).
+ */
+export declare function warnDeprecatedTopLevelMapProps(props: {
+    center?: unknown;
+    zoom?: unknown;
+}): number;
+/**
+ * Wait until the Google Maps API and a Map instance are both available.
+ *
+ * Triggers script loading via `load()` if not already loaded. Uses an
+ * immediate watcher (matching `importLibrary`'s pattern) to avoid the race
+ * where `load()` resolves synchronously: a non-immediate watcher would miss
+ * the change and the promise would hang forever.
+ *
+ * Rejects if `status` enters an `'error'` state before both refs are populated.
+ * Runs the watcher inside a detached effect scope so it is safe to call from
+ * any context (component setup, exposed methods, tests).
+ */
+export declare function waitForMapsReady({ mapsApi, map, status, load, }: {
+    mapsApi: ShallowRef<typeof google.maps | undefined>;
+    map: ShallowRef<google.maps.Map | undefined>;
+    status: Ref<string>;
+    load: () => Promise<unknown> | unknown;
+}): Promise<void>;
 /**
  * Composable for safely managing Google Maps resource lifecycle.
  *

package/dist/runtime/components/GoogleMaps/useGoogleMapsResource.js

@@ -1,5 +1,5 @@
 import { whenever } from "@vueuse/core";
-import { inject, onUnmounted, ref, shallowRef } from "vue";
+import { effectScope, inject, onUnmounted, ref, shallowRef, watch } from "vue";
 export const MAP_INJECTION_KEY = Symbol("map");
 export const MARKER_INJECTION_KEY = Symbol("marker");
 export function bindGoogleMapsEvents(instance, emit, config) {
@@ -10,6 +10,81 @@ export function bindGoogleMapsEvents(instance, emit, config) {
     instance.addListener(event, (payload) => emit(event, payload));
   });
 }
+export function normalizeLatLng(p) {
+  if (typeof p.lat === "function") {
+    const ll = p;
+    return { lat: ll.lat(), lng: ll.lng() };
+  }
+  return { lat: p.lat, lng: p.lng };
+}
+export function defineDeprecatedAlias(target, alias, canonicalKey, message) {
+  let warned = false;
+  Object.defineProperty(target, alias, {
+    get() {
+      if (!warned) {
+        warned = true;
+        console.warn(message);
+      }
+      return target[canonicalKey];
+    },
+    enumerable: true,
+    configurable: true
+  });
+  return target;
+}
+export function warnDeprecatedTopLevelMapProps(props) {
+  let warned = 0;
+  if (props.center !== void 0) {
+    warned++;
+    console.warn(
+      '[nuxt-scripts] <ScriptGoogleMaps> prop "center" is deprecated; use `:map-options="{ center: ... }"` instead. See https://scripts.nuxt.com/docs/migration-guide/v0-to-v1'
+    );
+  }
+  if (props.zoom !== void 0) {
+    warned++;
+    console.warn(
+      '[nuxt-scripts] <ScriptGoogleMaps> prop "zoom" is deprecated; use `:map-options="{ zoom: ... }"` instead. See https://scripts.nuxt.com/docs/migration-guide/v0-to-v1'
+    );
+  }
+  return warned;
+}
+export async function waitForMapsReady({
+  mapsApi,
+  map,
+  status,
+  load
+}) {
+  if (mapsApi.value && map.value)
+    return;
+  if (status.value === "error")
+    throw new Error("Google Maps script failed to load");
+  await load();
+  if (mapsApi.value && map.value)
+    return;
+  if (status.value === "error")
+    throw new Error("Google Maps script failed to load");
+  const scope = effectScope(true);
+  try {
+    await new Promise((resolve, reject) => {
+      scope.run(() => {
+        watch(
+          [mapsApi, map, status],
+          ([api, m, s]) => {
+            if (api && m) {
+              resolve();
+              return;
+            }
+            if (s === "error")
+              reject(new Error("Google Maps script failed to load"));
+          },
+          { immediate: true }
+        );
+      });
+    });
+  } finally {
+    scope.stop();
+  }
+}
 export function useGoogleMapsResource({
   ready,
   create,

package/dist/runtime/server/bluesky-embed.js

@@ -1,7 +1,8 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
+import { withSigning } from "./utils/withSigning.js";
 const BSKY_POST_URL_RE = /^https:\/\/bsky\.app\/profile\/([^/]+)\/post\/([^/?]+)$/;
-export default defineEventHandler(async (event) => {
+export default withSigning(defineEventHandler(async (event) => {
   const query = getQuery(event);
   const postUrl = query.url;
   if (!postUrl) {
@@ -56,4 +57,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, "Content-Type", "application/json");
   setHeader(event, "Cache-Control", "public, max-age=600, s-maxage=600");
   return post;
-});
+}));

package/dist/runtime/server/google-maps-geocode-proxy.js

@@ -2,7 +2,8 @@ import { useRuntimeConfig } from "#imports";
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
 import { withQuery } from "ufo";
-export default defineEventHandler(async (event) => {
+import { withSigning } from "./utils/withSigning.js";
+export default withSigning(defineEventHandler(async (event) => {
   const runtimeConfig = useRuntimeConfig();
   const privateConfig = runtimeConfig["nuxt-scripts"]?.googleMapsGeocodeProxy;
   const apiKey = privateConfig?.apiKey;
@@ -31,4 +32,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, "Content-Type", "application/json");
   setHeader(event, "Cache-Control", "public, max-age=86400, s-maxage=86400");
   return data;
-});
+}));

package/dist/runtime/server/google-static-maps-proxy.js

@@ -2,7 +2,8 @@ import { useRuntimeConfig } from "#imports";
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
 import { withQuery } from "ufo";
-export default defineEventHandler(async (event) => {
+import { withSigning } from "./utils/withSigning.js";
+export default withSigning(defineEventHandler(async (event) => {
   const runtimeConfig = useRuntimeConfig();
   const publicConfig = runtimeConfig.public["nuxt-scripts"]?.googleStaticMapsProxy;
   const privateConfig = runtimeConfig["nuxt-scripts"]?.googleStaticMapsProxy;
@@ -40,4 +41,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, "Cache-Control", `public, max-age=${cacheMaxAge}, s-maxage=${cacheMaxAge}`);
   setHeader(event, "Vary", "Accept-Encoding");
   return response._data;
-});
+}));

package/dist/runtime/server/gravatar-proxy.js

@@ -2,7 +2,8 @@ import { useRuntimeConfig } from "#imports";
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
 import { withQuery } from "ufo";
-export default defineEventHandler(async (event) => {
+import { withSigning } from "./utils/withSigning.js";
+export default withSigning(defineEventHandler(async (event) => {
   const runtimeConfig = useRuntimeConfig();
   const proxyConfig = runtimeConfig.public["nuxt-scripts"]?.gravatarProxy;
   const query = getQuery(event);
@@ -43,4 +44,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, "Cache-Control", `public, max-age=${cacheMaxAge}, s-maxage=${cacheMaxAge}`);
   setHeader(event, "Vary", "Accept-Encoding");
   return response._data;
-});
+}));

package/dist/runtime/server/instagram-embed.js

@@ -1,6 +1,7 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
 import { ELEMENT_NODE, parse, renderSync, TEXT_NODE, walkSync } from "ultrahtml";
+import { withSigning } from "./utils/withSigning.js";
 export const RSRC_RE = /url\(\/rsrc\.php([^)]+)\)/g;
 export const AMP_RE = /&/g;
 export const SCONTENT_RE = /https:\/\/scontent[^"'\s),]+\.cdninstagram\.com[^"'\s),]+/g;
@@ -124,7 +125,7 @@ function extractBlock(css, openBrace) {
   }
   return null;
 }
-export default defineEventHandler(async (event) => {
+export default withSigning(defineEventHandler(async (event) => {
   const handlerPath = event.path?.split("?")[0] || "";
   const prefix = handlerPath.replace(EMBED_INSTAGRAM_SUFFIX_RE, "") || "/_scripts";
   const query = getQuery(event);
@@ -229,4 +230,4 @@ ${combinedCss}</style>${bodyHtml}</div>`;
   setHeader(event, "Content-Type", "text/html");
   setHeader(event, "Cache-Control", "public, max-age=600, s-maxage=600");
   return result;
-});
+}));

package/dist/runtime/server/utils/image-proxy.js

@@ -1,5 +1,6 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
+import { withSigning } from "./withSigning.js";
 const AMP_RE = /&/g;
 export function createImageProxyHandler(config) {
   const {
@@ -10,7 +11,7 @@ export function createImageProxyHandler(config) {
     followRedirects = true,
     decodeAmpersands = false
   } = config;
-  return defineEventHandler(async (event) => {
+  return withSigning(defineEventHandler(async (event) => {
     const query = getQuery(event);
     let url = query.url;
     if (decodeAmpersands && url)
@@ -66,5 +67,5 @@ export function createImageProxyHandler(config) {
     setHeader(event, "Content-Type", response.headers.get("content-type") || contentType);
     setHeader(event, "Cache-Control", `public, max-age=${cacheMaxAge}, s-maxage=${cacheMaxAge}`);
     return response._data;
-  });
+  }));
 }

package/dist/runtime/server/utils/sign.d.ts

@@ -0,0 +1,109 @@
+/**
+ * HMAC URL signing for proxy endpoints.
+ *
+ * ## Why
+ *
+ * Proxy endpoints like `/_scripts/proxy/google-static-maps` inject a server-side
+ * API key and forward requests to third-party services. Without signing, anyone
+ * can call these endpoints with arbitrary parameters and burn the site owner's
+ * API quota. Signing ensures only URLs generated server-side (during SSR/prerender
+ * or via the `/_scripts/sign` endpoint) are accepted.
+ *
+ * ## How
+ *
+ * 1. The module stores a deterministic secret in `runtimeConfig.nuxt-scripts.proxySecret`
+ *    (env: `NUXT_SCRIPTS_PROXY_SECRET`).
+ * 2. URLs are canonicalized (sort query keys, strip `sig`) and signed with HMAC-SHA256.
+ * 3. The first 16 hex chars (64 bits) of the digest is appended as `?sig=<hex>`.
+ * 4. Endpoints wrapped with `withSigning()` verify the sig against the current request.
+ *
+ * A 64-bit signature is enough to defeat brute force for this threat model
+ * (a billion guesses gives a ~5% hit rate at 2^64). Longer signatures bloat
+ * prerendered HTML for no practical gain.
+ */
+import type { H3Event } from 'h3';
+/** Query param name for the signature. Chosen to be unlikely to collide with upstream APIs. */
+export declare const SIG_PARAM = "sig";
+/** Length of the hex signature (16 chars = 64 bits). */
+export declare const SIG_LENGTH = 16;
+/**
+ * Canonicalize a query object into a deterministic string suitable for HMAC input.
+ *
+ * Rules:
+ * - The `sig` param is stripped (it can't sign itself).
+ * - `undefined` and `null` values are skipped (mirrors `ufo.withQuery`).
+ * - Keys are sorted alphabetically so order-independent reconstruction works.
+ * - Arrays expand to repeated keys (e.g. `markers=a&markers=b`), matching how
+ *   `ufo.withQuery` serializes array-valued params.
+ * - Objects are JSON-stringified (rare, but consistent with `ufo.withQuery`).
+ * - Encoding uses `encodeURIComponent` for both keys and values so the canonical
+ *   form matches what shows up on the wire.
+ *
+ * The resulting string is stable across server/client and different JS runtimes
+ * because it does not depend on `URLSearchParams` insertion order.
+ */
+export declare function canonicalizeQuery(query: Record<string, unknown>): string;
+/**
+ * Sign a path + query using HMAC-SHA256 and return the 16-char hex digest.
+ *
+ * The HMAC input is `${path}?${canonicalQuery}` so that the same query signed
+ * against a different endpoint yields a different signature (prevents cross-
+ * endpoint signature reuse).
+ *
+ * `path` should be the URL path without query string (e.g. `/_scripts/proxy/google-static-maps`).
+ * Callers should not include origin / host since the signing contract is path-relative.
+ */
+export declare function signProxyUrl(path: string, query: Record<string, unknown>, secret: string): string;
+/**
+ * Build a fully-formed signed URL (path + query + sig).
+ *
+ * This is the primary helper for code paths that need to emit a proxy URL
+ * (SSR components, server-side URL rewriters like instagram-embed).
+ */
+export declare function buildSignedProxyUrl(path: string, query: Record<string, unknown>, secret: string): string;
+/** Query param name for the page token. */
+export declare const PAGE_TOKEN_PARAM = "_pt";
+/** Query param name for the page token timestamp. */
+export declare const PAGE_TOKEN_TS_PARAM = "_ts";
+/** Default max age for page tokens in seconds (1 hour). */
+export declare const PAGE_TOKEN_MAX_AGE = 3600;
+/**
+ * Generate a page token that authorizes client-side proxy requests.
+ *
+ * Embedded in the SSR payload so the browser can attach it to reactive proxy
+ * URL updates without needing a `/sign` round-trip. The token is scoped to
+ * a timestamp and expires after `PAGE_TOKEN_MAX_AGE` seconds.
+ *
+ * Construction: first 16 hex chars of `HMAC(secret, "proxy-access:<timestamp>")`.
+ */
+export declare function generateProxyToken(secret: string, timestamp: number): string;
+/**
+ * Verify a page token against the current time.
+ *
+ * Returns `true` if the token matches the HMAC for the given timestamp AND
+ * the timestamp is within `maxAge` seconds of `now`.
+ */
+export declare function verifyProxyToken(token: string, timestamp: number, secret: string, maxAge?: number, now?: number): boolean;
+/**
+ * Verify a request against either a URL signature or a page token.
+ *
+ * Two verification modes, checked in order:
+ *
+ * 1. **URL signature** (`sig` param): the exact URL was signed server-side
+ *    during SSR/prerender. Locked to the specific path + query params.
+ *
+ * 2. **Page token** (`_pt` + `_ts` params): the client received a short-lived
+ *    token during SSR and is making a reactive proxy request with new params.
+ *    Valid for any params on the target path, but expires after `maxAge`.
+ *
+ * Returns `false` if neither mode validates.
+ */
+export declare function verifyProxyRequest(event: H3Event, secret: string, maxAge?: number): boolean;
+/**
+ * Constant-time string comparison.
+ *
+ * Both inputs are expected to be equal-length hex strings. The loop runs over
+ * the longer length so an early-exit on length mismatch doesn't leak the
+ * expected length (though both are fixed at `SIG_LENGTH` in practice).
+ */
+export declare function constantTimeEqual(a: string, b: string): boolean;

package/dist/runtime/server/utils/sign.js

@@ -0,0 +1,88 @@
+import { createHmac } from "node:crypto";
+import { getQuery } from "h3";
+export const SIG_PARAM = "sig";
+export const SIG_LENGTH = 16;
+export function canonicalizeQuery(query) {
+  const keys = Object.keys(query).filter((k) => k !== SIG_PARAM && query[k] !== void 0 && query[k] !== null).sort();
+  const parts = [];
+  for (const key of keys) {
+    const value = query[key];
+    const encodedKey = encodeURIComponent(key);
+    if (Array.isArray(value)) {
+      for (const item of value) {
+        if (item === void 0 || item === null)
+          continue;
+        parts.push(`${encodedKey}=${encodeURIComponent(serializeValue(item))}`);
+      }
+    } else {
+      parts.push(`${encodedKey}=${encodeURIComponent(serializeValue(value))}`);
+    }
+  }
+  return parts.join("&");
+}
+function serializeValue(value) {
+  if (typeof value === "string")
+    return value;
+  if (typeof value === "object")
+    return JSON.stringify(value);
+  return String(value);
+}
+export function signProxyUrl(path, query, secret) {
+  const canonical = canonicalizeQuery(query);
+  const input = canonical ? `${path}?${canonical}` : path;
+  return createHmac("sha256", secret).update(input).digest("hex").slice(0, SIG_LENGTH);
+}
+export function buildSignedProxyUrl(path, query, secret) {
+  const sig = signProxyUrl(path, query, secret);
+  const canonical = canonicalizeQuery(query);
+  const queryString = canonical ? `${canonical}&${SIG_PARAM}=${sig}` : `${SIG_PARAM}=${sig}`;
+  return `${path}?${queryString}`;
+}
+export const PAGE_TOKEN_PARAM = "_pt";
+export const PAGE_TOKEN_TS_PARAM = "_ts";
+export const PAGE_TOKEN_MAX_AGE = 3600;
+export function generateProxyToken(secret, timestamp) {
+  return createHmac("sha256", secret).update(`proxy-access:${timestamp}`).digest("hex").slice(0, SIG_LENGTH);
+}
+export function verifyProxyToken(token, timestamp, secret, maxAge = PAGE_TOKEN_MAX_AGE, now = Math.floor(Date.now() / 1e3)) {
+  if (!token || !secret || typeof timestamp !== "number")
+    return false;
+  if (token.length !== SIG_LENGTH)
+    return false;
+  const age = now - timestamp;
+  if (age > maxAge || age < -60)
+    return false;
+  const expected = generateProxyToken(secret, timestamp);
+  return constantTimeEqual(expected, token);
+}
+export function verifyProxyRequest(event, secret, maxAge) {
+  if (!secret)
+    return false;
+  const query = getQuery(event);
+  const rawSig = query[SIG_PARAM];
+  const sig = Array.isArray(rawSig) ? rawSig[0] : rawSig;
+  if (typeof sig === "string" && sig.length === SIG_LENGTH) {
+    const path = (event.path || "").split("?")[0] || "";
+    const expected = signProxyUrl(path, query, secret);
+    if (constantTimeEqual(expected, sig))
+      return true;
+  }
+  const rawToken = query[PAGE_TOKEN_PARAM];
+  const rawTs = query[PAGE_TOKEN_TS_PARAM];
+  const token = Array.isArray(rawToken) ? rawToken[0] : rawToken;
+  const ts = Array.isArray(rawTs) ? rawTs[0] : rawTs;
+  if (typeof token === "string" && ts !== void 0) {
+    const timestamp = Number(ts);
+    if (!Number.isNaN(timestamp))
+      return verifyProxyToken(token, timestamp, secret, maxAge);
+  }
+  return false;
+}
+export function constantTimeEqual(a, b) {
+  if (a.length !== b.length)
+    return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++)
+    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  return diff === 0;
+}

package/dist/runtime/server/utils/withSigning.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Middleware wrapper that enforces HMAC signature verification on a proxy handler.
+ *
+ * Usage:
+ * ```ts
+ * export default withSigning(defineEventHandler(async (event) => {
+ *   // ... handler logic
+ * }))
+ * ```
+ *
+ * Behavior:
+ * - Reads `runtimeConfig.nuxt-scripts.proxySecret` (server-only).
+ * - If no secret is configured: passes through (signing not yet enabled).
+ *   This allows shipping handler wiring before components emit signed URLs.
+ *   Once `NUXT_SCRIPTS_PROXY_SECRET` is set, verification is enforced.
+ * - If a secret IS configured and the request's signature is invalid: 403.
+ * - Otherwise, delegates to the wrapped handler.
+ *
+ * The outer wrapper runs before any handler logic, so unauthorized requests
+ * never reach the upstream fetch and cannot consume API quota.
+ */
+import type { EventHandler, EventHandlerRequest, EventHandlerResponse } from 'h3';
+export declare function withSigning<Req extends EventHandlerRequest = EventHandlerRequest, Res extends EventHandlerResponse = EventHandlerResponse>(handler: EventHandler<Req, Res>): EventHandler<Req, Res>;

package/dist/runtime/server/utils/withSigning.js

@@ -0,0 +1,18 @@
+import { createError, defineEventHandler } from "h3";
+import { verifyProxyRequest } from "./sign.js";
+export function withSigning(handler) {
+  return defineEventHandler(async (event) => {
+    const { useRuntimeConfig } = await import("#imports");
+    const runtimeConfig = useRuntimeConfig(event);
+    const secret = runtimeConfig["nuxt-scripts"]?.proxySecret;
+    if (!secret)
+      return handler(event);
+    if (!verifyProxyRequest(event, secret)) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: "Invalid signature"
+      });
+    }
+    return handler(event);
+  });
+}

package/dist/runtime/server/x-embed.js

@@ -1,7 +1,8 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
+import { withSigning } from "./utils/withSigning.js";
 const TWEET_ID_RE = /^\d+$/;
-export default defineEventHandler(async (event) => {
+export default withSigning(defineEventHandler(async (event) => {
   const query = getQuery(event);
   const tweetId = query.id;
   if (!tweetId || !TWEET_ID_RE.test(tweetId)) {
@@ -29,4 +30,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, "Content-Type", "application/json");
   setHeader(event, "Cache-Control", "public, max-age=600, s-maxage=600");
   return tweetData;
-});
+}));

package/dist/runtime/types.d.ts

@@ -235,7 +235,7 @@ export type BuiltInRegistryScriptKey = 'bingUet' | 'blueskyEmbed' | 'carbonAds'
  * Includes both built-in and augmented keys.
  */
 export type RegistryScriptKey = Exclude<keyof ScriptRegistry, `${string}-npm`>;
-type RegistryConfigInput<T> = [T] extends [true] ? Record<string, never> : T;
+type RegistryConfigInput<T> = 0 extends 1 & T ? Record<string, any> : [T] extends [true] ? Record<string, never> : T;
 export type NuxtConfigScriptRegistryEntry<T> = true | false | 'mock' | (RegistryConfigInput<T> & {
     trigger?: NuxtUseScriptOptionsSerializable['trigger'] | false;
     proxy?: boolean;
@@ -268,6 +268,14 @@ export interface RegistryScriptServerHandler {
     route: string;
     handler: string;
     middleware?: boolean;
+    /**
+     * Whether this handler verifies HMAC signatures via `withSigning()`.
+     *
+     * When any enabled script registers a handler with `requiresSigning: true`,
+     * the module enforces that `NUXT_SCRIPTS_PROXY_SECRET` is set in production,
+     * and the `/_scripts/sign` endpoint will accept this route as a signable path.
+     */
+    requiresSigning?: boolean;
 }
 /**
  * Declares what optimization modes a script supports and what's active by default.