@nuxt/scripts 1.0.0-rc.6 → 1.0.0-rc.7

package/dist/module.mjs

@@ -1,4 +1,5 @@
-import { existsSync, readdirSync, readFileSync } from 'node:fs';
+import { createHash, randomBytes } from 'node:crypto';
+import { existsSync, readFileSync, appendFileSync, writeFileSync, readdirSync } from 'node:fs';
 import { useNuxt, addDevServerHandler, extendRouteRules, tryUseNuxt, createResolver, extendViteConfig, logger as logger$1, useLogger, addTypeTemplate, defineNuxtModule, addPluginTemplate, addServerHandler, addImports, addComponentsDir, addTemplate, hasNuxtModule, addBuildPlugin } from '@nuxt/kit';
 import { defu } from 'defu';
 import { join, resolve } from 'pathe';
@@ -12,7 +13,6 @@ import { isCI, provider } from 'std-env';
 import { parseAndWalk, ScopeTracker, walk, ScopeTrackerFunction, ScopeTrackerIdentifier, ScopeTrackerFunctionParam, ScopeTrackerVariable } from 'oxc-walker';
 import { createUnplugin } from 'unplugin';
 import { pathToFileURL } from 'node:url';
-import { createHash } from 'node:crypto';
 import fsp from 'node:fs/promises';
 import { colors } from 'consola/utils';
 import MagicString from 'magic-string';
@@ -1373,6 +1373,42 @@ function fixSelfClosingScriptComponents(nuxt) {
 }
 const UPPER_RE = /([A-Z])/g;
 const toScreamingSnake = (s) => s.replace(UPPER_RE, "_$1").toUpperCase();
+const PROXY_SECRET_ENV_KEY = "NUXT_SCRIPTS_PROXY_SECRET";
+const PROXY_SECRET_ENV_LINE_RE = /^NUXT_SCRIPTS_PROXY_SECRET=/m;
+const PROXY_SECRET_ENV_VALUE_RE = /^NUXT_SCRIPTS_PROXY_SECRET=(.+)$/m;
+function resolveProxySecret(rootDir, isDev, configSecret, autoGenerate = true) {
+  if (configSecret)
+    return { secret: configSecret, ephemeral: false, source: "config" };
+  const envSecret = process.env[PROXY_SECRET_ENV_KEY];
+  if (envSecret)
+    return { secret: envSecret, ephemeral: false, source: "env" };
+  if (!isDev || !autoGenerate)
+    return void 0;
+  const secret = randomBytes(32).toString("hex");
+  const envPath = resolve(rootDir, ".env");
+  const line = `${PROXY_SECRET_ENV_KEY}=${secret}
+`;
+  try {
+    if (existsSync(envPath)) {
+      const contents = readFileSync(envPath, "utf-8");
+      if (PROXY_SECRET_ENV_LINE_RE.test(contents)) {
+        const match = contents.match(PROXY_SECRET_ENV_VALUE_RE);
+        if (match?.[1])
+          return { secret: match[1].trim(), ephemeral: false, source: "dotenv-generated" };
+      }
+      appendFileSync(envPath, contents.endsWith("\n") ? line : `
+${line}`);
+    } else {
+      writeFileSync(envPath, `# Generated by @nuxt/scripts
+${line}`);
+    }
+    process.env[PROXY_SECRET_ENV_KEY] = secret;
+    return { secret, ephemeral: false, source: "dotenv-generated" };
+  } catch {
+    process.env[PROXY_SECRET_ENV_KEY] = secret;
+    return { secret, ephemeral: true, source: "memory-generated" };
+  }
+}
 function isProxyDisabled(registryKey, registry2, runtimeConfig) {
   const entry = registry2?.[registryKey];
   if (!entry)
@@ -1684,12 +1720,12 @@ They will load directly from third-party servers.`
         if (totalDomains > 0 && nuxt.options.dev) {
           logger.success(`Proxy mode enabled for ${registryKeys.length} script(s), ${totalDomains} domain(s) proxied (privacy: ${privacyLabel})`);
         }
-        const staticPresets = ["static", "github-pages", "cloudflare-pages-static", "netlify-static", "azure-static", "firebase-static"];
-        const preset = process.env.NITRO_PRESET || "";
-        if (staticPresets.includes(preset)) {
+        const proxyStaticPresets = ["static", "github-pages", "cloudflare-pages-static", "netlify-static", "azure-static", "firebase-static"];
+        const proxyPreset = process.env.NITRO_PRESET || "";
+        if (proxyStaticPresets.includes(proxyPreset)) {
           logger.warn(
-            `Proxy collection endpoints require a server runtime (detected: ${preset || "static"}).
-Scripts will be bundled, but collection requests will not be proxied.
+            `Proxy collection endpoints require a server runtime (detected: ${proxyPreset || "static"}).
+Scripts will be bundled, but collection requests will not be proxied and URL signing will be unavailable.
 Options: configure platform rewrites, switch to server-rendered mode, or disable with proxy: false.`
           );
         }
@@ -1736,6 +1772,7 @@ Options: configure platform rewrites, switch to server-rendered mode, or disable
     });
     const scriptsPrefix = config.prefix || "/_scripts";
     const enabledEndpoints = {};
+    let anyHandlerRequiresSigning = false;
     for (const script of scripts) {
       if (!script.serverHandlers?.length || !script.registryKey)
         continue;
@@ -1744,11 +1781,14 @@ Options: configure platform rewrites, switch to server-rendered mode, or disable
         continue;
       enabledEndpoints[script.registryKey] = true;
       for (const handler of script.serverHandlers) {
+        const resolvedRoute = handler.route.replace("/_scripts", scriptsPrefix);
         addServerHandler({
-          route: handler.route.replace("/_scripts", scriptsPrefix),
+          route: resolvedRoute,
           handler: handler.handler,
           middleware: handler.middleware
         });
+        if (handler.requiresSigning)
+          anyHandlerRequiresSigning = true;
       }
       if (script.registryKey === "gravatar") {
         const gravatarConfig = config.registry?.gravatar?.[0] || {};
@@ -1768,7 +1808,38 @@ Options: configure platform rewrites, switch to server-rendered mode, or disable
       { endpoints: enabledEndpoints },
       nuxt.options.runtimeConfig.public["nuxt-scripts"]
     );
+    const staticPresets = ["static", "github-pages", "cloudflare-pages-static", "netlify-static", "azure-static", "firebase-static"];
+    const nitroPreset = process.env.NITRO_PRESET || "";
+    const isStaticTarget = staticPresets.includes(nitroPreset);
+    const isSpa = nuxt.options.ssr === false;
+    if (anyHandlerRequiresSigning && (isSpa || isStaticTarget)) {
+      logger.warn(
+        `[security] URL signing requires a server runtime${isStaticTarget ? ` (detected preset: ${nitroPreset})` : " (ssr: false)"}.
+  Proxy endpoints will work without signature verification.
+  To enable signing, deploy with a server-rendered target or configure platform-level rewrites.`
+      );
+    } else if (anyHandlerRequiresSigning) {
+      const proxySecretResolved = resolveProxySecret(
+        nuxt.options.rootDir,
+        !!nuxt.options.dev,
+        config.security?.secret,
+        config.security?.autoGenerateSecret !== false
+      );
+      if (proxySecretResolved?.source === "dotenv-generated")
+        logger.info(`[security] Generated ${PROXY_SECRET_ENV_KEY} in .env for signed proxy URLs.`);
+      else if (proxySecretResolved?.source === "memory-generated")
+        logger.warn(`[security] Generated an in-memory ${PROXY_SECRET_ENV_KEY} (could not write .env). Signed URLs will break across restarts.`);
+      if (proxySecretResolved?.secret) {
+        nuxt.options.runtimeConfig["nuxt-scripts"].proxySecret = proxySecretResolved.secret;
+      } else if (!nuxt.options.dev) {
+        logger.warn(
+          `[security] ${PROXY_SECRET_ENV_KEY} is not set. Proxy endpoints will pass requests through without signature verification.
+  Generate one with: npx @nuxt/scripts generate-secret
+  Then set the env var: ${PROXY_SECRET_ENV_KEY}=<secret>`
+        );
+      }
+    }
   }
 });
 
-export { applyAutoInject, module$1 as default, isProxyDisabled };
+export { applyAutoInject, module$1 as default, isProxyDisabled, resolveProxySecret };

package/dist/registry.mjs

@@ -554,8 +554,8 @@ async function registry(resolve) {
       envDefaults: { apiKey: "" },
       category: "content",
       serverHandlers: [
-        { route: "/_scripts/proxy/google-static-maps", handler: "./runtime/server/google-static-maps-proxy" },
-        { route: "/_scripts/proxy/google-maps-geocode", handler: "./runtime/server/google-maps-geocode-proxy" }
+        { route: "/_scripts/proxy/google-static-maps", handler: "./runtime/server/google-static-maps-proxy", requiresSigning: true },
+        { route: "/_scripts/proxy/google-maps-geocode", handler: "./runtime/server/google-maps-geocode-proxy", requiresSigning: true }
       ]
     }),
     def("blueskyEmbed", {
@@ -564,8 +564,8 @@ async function registry(resolve) {
       label: "Bluesky Embed",
       category: "content",
       serverHandlers: [
-        { route: "/_scripts/embed/bluesky", handler: "./runtime/server/bluesky-embed" },
-        { route: "/_scripts/embed/bluesky-image", handler: "./runtime/server/bluesky-embed-image" }
+        { route: "/_scripts/embed/bluesky", handler: "./runtime/server/bluesky-embed", requiresSigning: true },
+        { route: "/_scripts/embed/bluesky-image", handler: "./runtime/server/bluesky-embed-image", requiresSigning: true }
       ]
     }),
     def("instagramEmbed", {
@@ -574,9 +574,9 @@ async function registry(resolve) {
       label: "Instagram Embed",
       category: "content",
       serverHandlers: [
-        { route: "/_scripts/embed/instagram", handler: "./runtime/server/instagram-embed" },
-        { route: "/_scripts/embed/instagram-image", handler: "./runtime/server/instagram-embed-image" },
-        { route: "/_scripts/embed/instagram-asset", handler: "./runtime/server/instagram-embed-asset" }
+        { route: "/_scripts/embed/instagram", handler: "./runtime/server/instagram-embed", requiresSigning: true },
+        { route: "/_scripts/embed/instagram-image", handler: "./runtime/server/instagram-embed-image", requiresSigning: true },
+        { route: "/_scripts/embed/instagram-asset", handler: "./runtime/server/instagram-embed-asset", requiresSigning: true }
       ]
     }),
     def("xEmbed", {
@@ -585,8 +585,8 @@ async function registry(resolve) {
       label: "X Embed",
       category: "content",
       serverHandlers: [
-        { route: "/_scripts/embed/x", handler: "./runtime/server/x-embed" },
-        { route: "/_scripts/embed/x-image", handler: "./runtime/server/x-embed-image" }
+        { route: "/_scripts/embed/x", handler: "./runtime/server/x-embed", requiresSigning: true },
+        { route: "/_scripts/embed/x-image", handler: "./runtime/server/x-embed-image", requiresSigning: true }
       ]
     }),
     // support
@@ -690,7 +690,7 @@ async function registry(resolve) {
         privacy: PRIVACY_IP_ONLY
       },
       serverHandlers: [
-        { route: "/_scripts/proxy/gravatar", handler: "./runtime/server/gravatar-proxy" }
+        { route: "/_scripts/proxy/gravatar", handler: "./runtime/server/gravatar-proxy", requiresSigning: true }
       ]
     })
   ]);

package/dist/runtime/server/bluesky-embed.js

@@ -1,7 +1,8 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
+import { withSigning } from "./utils/withSigning.js";
 const BSKY_POST_URL_RE = /^https:\/\/bsky\.app\/profile\/([^/]+)\/post\/([^/?]+)$/;
-export default defineEventHandler(async (event) => {
+export default withSigning(defineEventHandler(async (event) => {
   const query = getQuery(event);
   const postUrl = query.url;
   if (!postUrl) {
@@ -56,4 +57,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, "Content-Type", "application/json");
   setHeader(event, "Cache-Control", "public, max-age=600, s-maxage=600");
   return post;
-});
+}));

package/dist/runtime/server/google-maps-geocode-proxy.js

@@ -2,7 +2,8 @@ import { useRuntimeConfig } from "#imports";
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
 import { withQuery } from "ufo";
-export default defineEventHandler(async (event) => {
+import { withSigning } from "./utils/withSigning.js";
+export default withSigning(defineEventHandler(async (event) => {
   const runtimeConfig = useRuntimeConfig();
   const privateConfig = runtimeConfig["nuxt-scripts"]?.googleMapsGeocodeProxy;
   const apiKey = privateConfig?.apiKey;
@@ -31,4 +32,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, "Content-Type", "application/json");
   setHeader(event, "Cache-Control", "public, max-age=86400, s-maxage=86400");
   return data;
-});
+}));

package/dist/runtime/server/google-static-maps-proxy.js

@@ -2,7 +2,8 @@ import { useRuntimeConfig } from "#imports";
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
 import { withQuery } from "ufo";
-export default defineEventHandler(async (event) => {
+import { withSigning } from "./utils/withSigning.js";
+export default withSigning(defineEventHandler(async (event) => {
   const runtimeConfig = useRuntimeConfig();
   const publicConfig = runtimeConfig.public["nuxt-scripts"]?.googleStaticMapsProxy;
   const privateConfig = runtimeConfig["nuxt-scripts"]?.googleStaticMapsProxy;
@@ -40,4 +41,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, "Cache-Control", `public, max-age=${cacheMaxAge}, s-maxage=${cacheMaxAge}`);
   setHeader(event, "Vary", "Accept-Encoding");
   return response._data;
-});
+}));

package/dist/runtime/server/gravatar-proxy.js

@@ -2,7 +2,8 @@ import { useRuntimeConfig } from "#imports";
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
 import { withQuery } from "ufo";
-export default defineEventHandler(async (event) => {
+import { withSigning } from "./utils/withSigning.js";
+export default withSigning(defineEventHandler(async (event) => {
   const runtimeConfig = useRuntimeConfig();
   const proxyConfig = runtimeConfig.public["nuxt-scripts"]?.gravatarProxy;
   const query = getQuery(event);
@@ -43,4 +44,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, "Cache-Control", `public, max-age=${cacheMaxAge}, s-maxage=${cacheMaxAge}`);
   setHeader(event, "Vary", "Accept-Encoding");
   return response._data;
-});
+}));

package/dist/runtime/server/instagram-embed.js

@@ -1,6 +1,7 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
 import { ELEMENT_NODE, parse, renderSync, TEXT_NODE, walkSync } from "ultrahtml";
+import { withSigning } from "./utils/withSigning.js";
 export const RSRC_RE = /url\(\/rsrc\.php([^)]+)\)/g;
 export const AMP_RE = /&/g;
 export const SCONTENT_RE = /https:\/\/scontent[^"'\s),]+\.cdninstagram\.com[^"'\s),]+/g;
@@ -124,7 +125,7 @@ function extractBlock(css, openBrace) {
   }
   return null;
 }
-export default defineEventHandler(async (event) => {
+export default withSigning(defineEventHandler(async (event) => {
   const handlerPath = event.path?.split("?")[0] || "";
   const prefix = handlerPath.replace(EMBED_INSTAGRAM_SUFFIX_RE, "") || "/_scripts";
   const query = getQuery(event);
@@ -229,4 +230,4 @@ ${combinedCss}</style>${bodyHtml}</div>`;
   setHeader(event, "Content-Type", "text/html");
   setHeader(event, "Cache-Control", "public, max-age=600, s-maxage=600");
   return result;
-});
+}));

package/dist/runtime/server/utils/image-proxy.js

@@ -1,5 +1,6 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
+import { withSigning } from "./withSigning.js";
 const AMP_RE = /&/g;
 export function createImageProxyHandler(config) {
   const {
@@ -10,7 +11,7 @@ export function createImageProxyHandler(config) {
     followRedirects = true,
     decodeAmpersands = false
   } = config;
-  return defineEventHandler(async (event) => {
+  return withSigning(defineEventHandler(async (event) => {
     const query = getQuery(event);
     let url = query.url;
     if (decodeAmpersands && url)
@@ -66,5 +67,5 @@ export function createImageProxyHandler(config) {
     setHeader(event, "Content-Type", response.headers.get("content-type") || contentType);
     setHeader(event, "Cache-Control", `public, max-age=${cacheMaxAge}, s-maxage=${cacheMaxAge}`);
     return response._data;
-  });
+  }));
 }

package/dist/runtime/server/utils/sign.d.ts

@@ -0,0 +1,109 @@
+/**
+ * HMAC URL signing for proxy endpoints.
+ *
+ * ## Why
+ *
+ * Proxy endpoints like `/_scripts/proxy/google-static-maps` inject a server-side
+ * API key and forward requests to third-party services. Without signing, anyone
+ * can call these endpoints with arbitrary parameters and burn the site owner's
+ * API quota. Signing ensures only URLs generated server-side (during SSR/prerender
+ * or via the `/_scripts/sign` endpoint) are accepted.
+ *
+ * ## How
+ *
+ * 1. The module stores a deterministic secret in `runtimeConfig.nuxt-scripts.proxySecret`
+ *    (env: `NUXT_SCRIPTS_PROXY_SECRET`).
+ * 2. URLs are canonicalized (sort query keys, strip `sig`) and signed with HMAC-SHA256.
+ * 3. The first 16 hex chars (64 bits) of the digest is appended as `?sig=<hex>`.
+ * 4. Endpoints wrapped with `withSigning()` verify the sig against the current request.
+ *
+ * A 64-bit signature is enough to defeat brute force for this threat model
+ * (a billion guesses gives a ~5% hit rate at 2^64). Longer signatures bloat
+ * prerendered HTML for no practical gain.
+ */
+import type { H3Event } from 'h3';
+/** Query param name for the signature. Chosen to be unlikely to collide with upstream APIs. */
+export declare const SIG_PARAM = "sig";
+/** Length of the hex signature (16 chars = 64 bits). */
+export declare const SIG_LENGTH = 16;
+/**
+ * Canonicalize a query object into a deterministic string suitable for HMAC input.
+ *
+ * Rules:
+ * - The `sig` param is stripped (it can't sign itself).
+ * - `undefined` and `null` values are skipped (mirrors `ufo.withQuery`).
+ * - Keys are sorted alphabetically so order-independent reconstruction works.
+ * - Arrays expand to repeated keys (e.g. `markers=a&markers=b`), matching how
+ *   `ufo.withQuery` serializes array-valued params.
+ * - Objects are JSON-stringified (rare, but consistent with `ufo.withQuery`).
+ * - Encoding uses `encodeURIComponent` for both keys and values so the canonical
+ *   form matches what shows up on the wire.
+ *
+ * The resulting string is stable across server/client and different JS runtimes
+ * because it does not depend on `URLSearchParams` insertion order.
+ */
+export declare function canonicalizeQuery(query: Record<string, unknown>): string;
+/**
+ * Sign a path + query using HMAC-SHA256 and return the 16-char hex digest.
+ *
+ * The HMAC input is `${path}?${canonicalQuery}` so that the same query signed
+ * against a different endpoint yields a different signature (prevents cross-
+ * endpoint signature reuse).
+ *
+ * `path` should be the URL path without query string (e.g. `/_scripts/proxy/google-static-maps`).
+ * Callers should not include origin / host since the signing contract is path-relative.
+ */
+export declare function signProxyUrl(path: string, query: Record<string, unknown>, secret: string): string;
+/**
+ * Build a fully-formed signed URL (path + query + sig).
+ *
+ * This is the primary helper for code paths that need to emit a proxy URL
+ * (SSR components, server-side URL rewriters like instagram-embed).
+ */
+export declare function buildSignedProxyUrl(path: string, query: Record<string, unknown>, secret: string): string;
+/** Query param name for the page token. */
+export declare const PAGE_TOKEN_PARAM = "_pt";
+/** Query param name for the page token timestamp. */
+export declare const PAGE_TOKEN_TS_PARAM = "_ts";
+/** Default max age for page tokens in seconds (1 hour). */
+export declare const PAGE_TOKEN_MAX_AGE = 3600;
+/**
+ * Generate a page token that authorizes client-side proxy requests.
+ *
+ * Embedded in the SSR payload so the browser can attach it to reactive proxy
+ * URL updates without needing a `/sign` round-trip. The token is scoped to
+ * a timestamp and expires after `PAGE_TOKEN_MAX_AGE` seconds.
+ *
+ * Construction: first 16 hex chars of `HMAC(secret, "proxy-access:<timestamp>")`.
+ */
+export declare function generateProxyToken(secret: string, timestamp: number): string;
+/**
+ * Verify a page token against the current time.
+ *
+ * Returns `true` if the token matches the HMAC for the given timestamp AND
+ * the timestamp is within `maxAge` seconds of `now`.
+ */
+export declare function verifyProxyToken(token: string, timestamp: number, secret: string, maxAge?: number, now?: number): boolean;
+/**
+ * Verify a request against either a URL signature or a page token.
+ *
+ * Two verification modes, checked in order:
+ *
+ * 1. **URL signature** (`sig` param): the exact URL was signed server-side
+ *    during SSR/prerender. Locked to the specific path + query params.
+ *
+ * 2. **Page token** (`_pt` + `_ts` params): the client received a short-lived
+ *    token during SSR and is making a reactive proxy request with new params.
+ *    Valid for any params on the target path, but expires after `maxAge`.
+ *
+ * Returns `false` if neither mode validates.
+ */
+export declare function verifyProxyRequest(event: H3Event, secret: string, maxAge?: number): boolean;
+/**
+ * Constant-time string comparison.
+ *
+ * Both inputs are expected to be equal-length hex strings. The loop runs over
+ * the longer length so an early-exit on length mismatch doesn't leak the
+ * expected length (though both are fixed at `SIG_LENGTH` in practice).
+ */
+export declare function constantTimeEqual(a: string, b: string): boolean;

package/dist/runtime/server/utils/sign.js

@@ -0,0 +1,88 @@
+import { createHmac } from "node:crypto";
+import { getQuery } from "h3";
+export const SIG_PARAM = "sig";
+export const SIG_LENGTH = 16;
+export function canonicalizeQuery(query) {
+  const keys = Object.keys(query).filter((k) => k !== SIG_PARAM && query[k] !== void 0 && query[k] !== null).sort();
+  const parts = [];
+  for (const key of keys) {
+    const value = query[key];
+    const encodedKey = encodeURIComponent(key);
+    if (Array.isArray(value)) {
+      for (const item of value) {
+        if (item === void 0 || item === null)
+          continue;
+        parts.push(`${encodedKey}=${encodeURIComponent(serializeValue(item))}`);
+      }
+    } else {
+      parts.push(`${encodedKey}=${encodeURIComponent(serializeValue(value))}`);
+    }
+  }
+  return parts.join("&");
+}
+function serializeValue(value) {
+  if (typeof value === "string")
+    return value;
+  if (typeof value === "object")
+    return JSON.stringify(value);
+  return String(value);
+}
+export function signProxyUrl(path, query, secret) {
+  const canonical = canonicalizeQuery(query);
+  const input = canonical ? `${path}?${canonical}` : path;
+  return createHmac("sha256", secret).update(input).digest("hex").slice(0, SIG_LENGTH);
+}
+export function buildSignedProxyUrl(path, query, secret) {
+  const sig = signProxyUrl(path, query, secret);
+  const canonical = canonicalizeQuery(query);
+  const queryString = canonical ? `${canonical}&${SIG_PARAM}=${sig}` : `${SIG_PARAM}=${sig}`;
+  return `${path}?${queryString}`;
+}
+export const PAGE_TOKEN_PARAM = "_pt";
+export const PAGE_TOKEN_TS_PARAM = "_ts";
+export const PAGE_TOKEN_MAX_AGE = 3600;
+export function generateProxyToken(secret, timestamp) {
+  return createHmac("sha256", secret).update(`proxy-access:${timestamp}`).digest("hex").slice(0, SIG_LENGTH);
+}
+export function verifyProxyToken(token, timestamp, secret, maxAge = PAGE_TOKEN_MAX_AGE, now = Math.floor(Date.now() / 1e3)) {
+  if (!token || !secret || typeof timestamp !== "number")
+    return false;
+  if (token.length !== SIG_LENGTH)
+    return false;
+  const age = now - timestamp;
+  if (age > maxAge || age < -60)
+    return false;
+  const expected = generateProxyToken(secret, timestamp);
+  return constantTimeEqual(expected, token);
+}
+export function verifyProxyRequest(event, secret, maxAge) {
+  if (!secret)
+    return false;
+  const query = getQuery(event);
+  const rawSig = query[SIG_PARAM];
+  const sig = Array.isArray(rawSig) ? rawSig[0] : rawSig;
+  if (typeof sig === "string" && sig.length === SIG_LENGTH) {
+    const path = (event.path || "").split("?")[0] || "";
+    const expected = signProxyUrl(path, query, secret);
+    if (constantTimeEqual(expected, sig))
+      return true;
+  }
+  const rawToken = query[PAGE_TOKEN_PARAM];
+  const rawTs = query[PAGE_TOKEN_TS_PARAM];
+  const token = Array.isArray(rawToken) ? rawToken[0] : rawToken;
+  const ts = Array.isArray(rawTs) ? rawTs[0] : rawTs;
+  if (typeof token === "string" && ts !== void 0) {
+    const timestamp = Number(ts);
+    if (!Number.isNaN(timestamp))
+      return verifyProxyToken(token, timestamp, secret, maxAge);
+  }
+  return false;
+}
+export function constantTimeEqual(a, b) {
+  if (a.length !== b.length)
+    return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++)
+    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  return diff === 0;
+}

package/dist/runtime/server/utils/withSigning.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Middleware wrapper that enforces HMAC signature verification on a proxy handler.
+ *
+ * Usage:
+ * ```ts
+ * export default withSigning(defineEventHandler(async (event) => {
+ *   // ... handler logic
+ * }))
+ * ```
+ *
+ * Behavior:
+ * - Reads `runtimeConfig.nuxt-scripts.proxySecret` (server-only).
+ * - If no secret is configured: passes through (signing not yet enabled).
+ *   This allows shipping handler wiring before components emit signed URLs.
+ *   Once `NUXT_SCRIPTS_PROXY_SECRET` is set, verification is enforced.
+ * - If a secret IS configured and the request's signature is invalid: 403.
+ * - Otherwise, delegates to the wrapped handler.
+ *
+ * The outer wrapper runs before any handler logic, so unauthorized requests
+ * never reach the upstream fetch and cannot consume API quota.
+ */
+import type { EventHandler, EventHandlerRequest, EventHandlerResponse } from 'h3';
+export declare function withSigning<Req extends EventHandlerRequest = EventHandlerRequest, Res extends EventHandlerResponse = EventHandlerResponse>(handler: EventHandler<Req, Res>): EventHandler<Req, Res>;

package/dist/runtime/server/utils/withSigning.js

@@ -0,0 +1,18 @@
+import { createError, defineEventHandler } from "h3";
+import { verifyProxyRequest } from "./sign.js";
+export function withSigning(handler) {
+  return defineEventHandler(async (event) => {
+    const { useRuntimeConfig } = await import("#imports");
+    const runtimeConfig = useRuntimeConfig(event);
+    const secret = runtimeConfig["nuxt-scripts"]?.proxySecret;
+    if (!secret)
+      return handler(event);
+    if (!verifyProxyRequest(event, secret)) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: "Invalid signature"
+      });
+    }
+    return handler(event);
+  });
+}

package/dist/runtime/server/x-embed.js

@@ -1,7 +1,8 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
+import { withSigning } from "./utils/withSigning.js";
 const TWEET_ID_RE = /^\d+$/;
-export default defineEventHandler(async (event) => {
+export default withSigning(defineEventHandler(async (event) => {
   const query = getQuery(event);
   const tweetId = query.id;
   if (!tweetId || !TWEET_ID_RE.test(tweetId)) {
@@ -29,4 +30,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, "Content-Type", "application/json");
   setHeader(event, "Cache-Control", "public, max-age=600, s-maxage=600");
   return tweetData;
-});
+}));

package/dist/runtime/types.d.ts

@@ -235,7 +235,7 @@ export type BuiltInRegistryScriptKey = 'bingUet' | 'blueskyEmbed' | 'carbonAds'
  * Includes both built-in and augmented keys.
  */
 export type RegistryScriptKey = Exclude<keyof ScriptRegistry, `${string}-npm`>;
-type RegistryConfigInput<T> = [T] extends [true] ? Record<string, never> : T;
+type RegistryConfigInput<T> = 0 extends 1 & T ? Record<string, any> : [T] extends [true] ? Record<string, never> : T;
 export type NuxtConfigScriptRegistryEntry<T> = true | false | 'mock' | (RegistryConfigInput<T> & {
     trigger?: NuxtUseScriptOptionsSerializable['trigger'] | false;
     proxy?: boolean;
@@ -268,6 +268,14 @@ export interface RegistryScriptServerHandler {
     route: string;
     handler: string;
     middleware?: boolean;
+    /**
+     * Whether this handler verifies HMAC signatures via `withSigning()`.
+     *
+     * When any enabled script registers a handler with `requiresSigning: true`,
+     * the module enforces that `NUXT_SCRIPTS_PROXY_SECRET` is set in production,
+     * and the `/_scripts/sign` endpoint will accept this route as a signable path.
+     */
+    requiresSigning?: boolean;
 }
 /**
  * Declares what optimization modes a script supports and what's active by default.

package/dist/types.d.mts

@@ -6,6 +6,6 @@ declare module '@nuxt/schema' {
 
 export { type FirstPartyPrivacy } from '../dist/runtime/types.js'
 
-export { type applyAutoInject, default, type isProxyDisabled } from './module.mjs'
+export { type applyAutoInject, default, type isProxyDisabled, type resolveProxySecret } from './module.mjs'
 
-export { type ModuleHooks, type ModuleOptions } from './module.mjs'
+export { type ModuleHooks, type ModuleOptions, type ResolvedProxySecret } from './module.mjs'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@nuxt/scripts",
   "type": "module",
-  "version": "1.0.0-rc.6",
+  "version": "1.0.0-rc.7",
   "description": "Load third-party scripts with better performance, privacy and DX in Nuxt Apps.",
   "author": {
     "name": "Harlan Wilton",
@@ -45,7 +45,11 @@
       ]
     }
   },
+  "bin": {
+    "nuxt-scripts": "./bin/cli.mjs"
+  },
   "files": [
+    "bin",
     "dist"
   ],
   "build": {

package/dist/devtools-client/_nuxt/builds/meta/640f0a39-e659-4a31-8b8d-adbd9af52f1e.json

@@ -1 +0,0 @@
-{"id":"640f0a39-e659-4a31-8b8d-adbd9af52f1e","timestamp":1775787703990,"prerendered":[]}