@nuxt/scripts 1.0.0-rc.6 → 1.0.0-rc.8

package/dist/runtime/server/instagram-embed.js

@@ -1,40 +1,11 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
 import { ELEMENT_NODE, parse, renderSync, TEXT_NODE, walkSync } from "ultrahtml";
-export const RSRC_RE = /url\(\/rsrc\.php([^)]+)\)/g;
-export const AMP_RE = /&/g;
-export const SCONTENT_RE = /https:\/\/scontent[^"'\s),]+\.cdninstagram\.com[^"'\s),]+/g;
-export const STATIC_CDN_RE = /https:\/\/static\.cdninstagram\.com[^"'\s),]+/g;
-export const LOOKASIDE_RE = /https:\/\/lookaside\.instagram\.com[^"'\s),]+/g;
-export const INSTAGRAM_IMAGE_HOSTS = ["scontent.cdninstagram.com", "lookaside.instagram.com"];
-export const INSTAGRAM_ASSET_HOST = "static.cdninstagram.com";
-const CHARSET_RE = /@charset\s[^;]+;/gi;
-const IMPORT_RE = /@import\s[^;]+;/gi;
-const WHITESPACE_RE = /\s/;
+import { rewriteUrl, rewriteUrlsInText, RSRC_RE, scopeCss } from "./utils/instagram-embed.js";
+import { withSigning } from "./utils/withSigning.js";
+export { proxyAssetUrl, proxyImageUrl, rewriteUrl, rewriteUrlsInText, scopeCss } from "./utils/instagram-embed.js";
 const EMBED_INSTAGRAM_SUFFIX_RE = /\/embed\/instagram$/;
-const AT_RULE_NAME_RE = /@([\w-]+)/;
-const MULTI_SPACE_RE = /\s+/g;
 const SRCSET_SPLIT_RE = /\s+/;
-export function proxyImageUrl(url, prefix = "/_scripts") {
-  return `${prefix}/embed/instagram-image?url=${encodeURIComponent(url.replace(AMP_RE, "&"))}`;
-}
-export function proxyAssetUrl(url, prefix = "/_scripts") {
-  return `${prefix}/embed/instagram-asset?url=${encodeURIComponent(url.replace(AMP_RE, "&"))}`;
-}
-export function rewriteUrl(url, prefix = "/_scripts") {
-  try {
-    const parsed = new URL(url);
-    if (parsed.hostname === INSTAGRAM_ASSET_HOST)
-      return proxyAssetUrl(url, prefix);
-    if (INSTAGRAM_IMAGE_HOSTS.some((h) => parsed.hostname === h || parsed.hostname.endsWith(`.cdninstagram.com`)))
-      return proxyImageUrl(url, prefix);
-  } catch {
-  }
-  return url;
-}
-export function rewriteUrlsInText(text, prefix = "/_scripts") {
-  return text.replace(SCONTENT_RE, (m) => proxyImageUrl(m, prefix)).replace(STATIC_CDN_RE, (m) => proxyAssetUrl(m, prefix)).replace(LOOKASIDE_RE, (m) => proxyImageUrl(m, prefix));
-}
 function removeNode(node) {
   node.type = TEXT_NODE;
   node.value = "";
@@ -42,89 +13,7 @@ function removeNode(node) {
   node.attributes = {};
   node.children = [];
 }
-export function scopeCss(css, scopeSelector) {
-  let result = css.replace(CHARSET_RE, "");
-  result = result.replace(IMPORT_RE, "");
-  return processRules(result, scopeSelector);
-}
-function processRules(css, scopeSelector) {
-  const output = [];
-  let i = 0;
-  while (i < css.length) {
-    while (i < css.length && WHITESPACE_RE.test(css[i])) i++;
-    if (i >= css.length)
-      break;
-    if (css[i] === "@") {
-      const atRule = extractAtRule(css, i);
-      if (atRule) {
-        const atName = atRule.content.match(AT_RULE_NAME_RE)?.[1]?.toLowerCase();
-        if (atName === "media" || atName === "supports" || atName === "layer") {
-          const braceStart = atRule.content.indexOf("{");
-          const innerCss = atRule.content.slice(braceStart + 1, -1);
-          const scopedInner = processRules(innerCss, scopeSelector);
-          output.push(`${atRule.content.slice(0, braceStart + 1) + scopedInner}}`);
-        } else if (atName === "keyframes" || atName === "-webkit-keyframes" || atName === "font-face") {
-          output.push(atRule.content);
-        }
-        i = atRule.end;
-        continue;
-      }
-    }
-    const bracePos = css.indexOf("{", i);
-    if (bracePos === -1)
-      break;
-    const selector = css.slice(i, bracePos).trim();
-    const block = extractBlock(css, bracePos);
-    if (!block)
-      break;
-    i = block.end;
-    if (!selector)
-      continue;
-    const selectors = selector.split(",").map((s) => s.trim());
-    const filteredSelectors = selectors.filter((s) => {
-      const normalized = s.replace(MULTI_SPACE_RE, " ").trim().toLowerCase();
-      return normalized !== ":root" && normalized !== "html" && normalized !== "body" && !normalized.startsWith(":root ") && !normalized.startsWith("html ") && !normalized.startsWith("body ") && normalized !== "html, body";
-    });
-    if (filteredSelectors.length === 0)
-      continue;
-    const scopedSelectors = filteredSelectors.map((s) => {
-      return `${scopeSelector} ${s}`;
-    });
-    output.push(`${scopedSelectors.join(", ")} ${block.content}`);
-  }
-  return output.join("\n");
-}
-function extractAtRule(css, start) {
-  const bracePos = css.indexOf("{", start);
-  const semiPos = css.indexOf(";", start);
-  if (semiPos !== -1 && (bracePos === -1 || semiPos < bracePos)) {
-    return { content: css.slice(start, semiPos + 1), end: semiPos + 1 };
-  }
-  if (bracePos === -1)
-    return null;
-  const block = extractBlock(css, bracePos);
-  if (!block)
-    return null;
-  return {
-    content: css.slice(start, bracePos) + block.content,
-    end: block.end
-  };
-}
-function extractBlock(css, openBrace) {
-  let depth = 0;
-  for (let j = openBrace; j < css.length; j++) {
-    if (css[j] === "{") {
-      depth++;
-    } else if (css[j] === "}") {
-      depth--;
-      if (depth === 0) {
-        return { content: css.slice(openBrace, j + 1), end: j + 1 };
-      }
-    }
-  }
-  return null;
-}
-export default defineEventHandler(async (event) => {
+export default withSigning(defineEventHandler(async (event) => {
   const handlerPath = event.path?.split("?")[0] || "";
   const prefix = handlerPath.replace(EMBED_INSTAGRAM_SUFFIX_RE, "") || "/_scripts";
   const query = getQuery(event);
@@ -229,4 +118,4 @@ ${combinedCss}</style>${bodyHtml}</div>`;
   setHeader(event, "Content-Type", "text/html");
   setHeader(event, "Cache-Control", "public, max-age=600, s-maxage=600");
   return result;
-});
+}));

package/dist/runtime/server/proxy-handler.js

@@ -1,6 +1,5 @@
-import { useRuntimeConfig } from "#imports";
 import { createError, defineEventHandler, getHeaders, getQuery, getRequestIP, getRequestWebStream, readBody, setResponseHeader } from "h3";
-import { useNitroApp } from "nitropack/runtime";
+import { useNitroApp, useRuntimeConfig } from "nitropack/runtime";
 import {
   anonymizeIP,
   mergePrivacy,

package/dist/runtime/server/utils/image-proxy.js

@@ -1,5 +1,6 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
+import { withSigning } from "./withSigning.js";
 const AMP_RE = /&/g;
 export function createImageProxyHandler(config) {
   const {
@@ -10,7 +11,7 @@ export function createImageProxyHandler(config) {
     followRedirects = true,
     decodeAmpersands = false
   } = config;
-  return defineEventHandler(async (event) => {
+  return withSigning(defineEventHandler(async (event) => {
     const query = getQuery(event);
     let url = query.url;
     if (decodeAmpersands && url)
@@ -66,5 +67,5 @@ export function createImageProxyHandler(config) {
     setHeader(event, "Content-Type", response.headers.get("content-type") || contentType);
     setHeader(event, "Cache-Control", `public, max-age=${cacheMaxAge}, s-maxage=${cacheMaxAge}`);
     return response._data;
-  });
+  }));
 }

package/dist/runtime/server/utils/instagram-embed.d.ts

@@ -0,0 +1,16 @@
+export declare const RSRC_RE: RegExp;
+export declare const AMP_RE: RegExp;
+export declare const SCONTENT_RE: RegExp;
+export declare const STATIC_CDN_RE: RegExp;
+export declare const LOOKASIDE_RE: RegExp;
+export declare const INSTAGRAM_IMAGE_HOSTS: string[];
+export declare const INSTAGRAM_ASSET_HOST = "static.cdninstagram.com";
+export declare function proxyImageUrl(url: string, prefix?: string): string;
+export declare function proxyAssetUrl(url: string, prefix?: string): string;
+export declare function rewriteUrl(url: string, prefix?: string): string;
+export declare function rewriteUrlsInText(text: string, prefix?: string): string;
+/**
+ * Scope CSS rules under a parent selector and strip global/page-level rules.
+ * Removes :root, html, body selectors and @charset/@import at-rules.
+ */
+export declare function scopeCss(css: string, scopeSelector: string): string;

package/dist/runtime/server/utils/instagram-embed.js

@@ -0,0 +1,152 @@
+export const RSRC_RE = /url\(\/rsrc\.php([^)]+)\)/g;
+export const AMP_RE = /&/g;
+export const SCONTENT_RE = /https:\/\/scontent[^"'\s),]+\.cdninstagram\.com[^"'\s),]+/g;
+export const STATIC_CDN_RE = /https:\/\/static\.cdninstagram\.com[^"'\s),]+/g;
+export const LOOKASIDE_RE = /https:\/\/lookaside\.instagram\.com[^"'\s),]+/g;
+export const INSTAGRAM_IMAGE_HOSTS = ["scontent.cdninstagram.com", "lookaside.instagram.com"];
+export const INSTAGRAM_ASSET_HOST = "static.cdninstagram.com";
+const CHARSET_RE = /@charset\s[^;]+;/gi;
+const IMPORT_RE = /@import\s[^;]+;/gi;
+const WHITESPACE_RE = /\s/;
+const AT_RULE_NAME_RE = /@([\w-]+)/;
+const MULTI_SPACE_RE = /\s+/g;
+export function proxyImageUrl(url, prefix = "/_scripts") {
+  return `${prefix}/embed/instagram-image?url=${encodeURIComponent(url.replace(AMP_RE, "&"))}`;
+}
+export function proxyAssetUrl(url, prefix = "/_scripts") {
+  return `${prefix}/embed/instagram-asset?url=${encodeURIComponent(url.replace(AMP_RE, "&"))}`;
+}
+export function rewriteUrl(url, prefix = "/_scripts") {
+  try {
+    const parsed = new URL(url);
+    if (parsed.hostname === INSTAGRAM_ASSET_HOST)
+      return proxyAssetUrl(url, prefix);
+    if (INSTAGRAM_IMAGE_HOSTS.some((h) => parsed.hostname === h || parsed.hostname.endsWith(`.cdninstagram.com`)))
+      return proxyImageUrl(url, prefix);
+  } catch {
+  }
+  return url;
+}
+export function rewriteUrlsInText(text, prefix = "/_scripts") {
+  return text.replace(SCONTENT_RE, (m) => proxyImageUrl(m, prefix)).replace(STATIC_CDN_RE, (m) => proxyAssetUrl(m, prefix)).replace(LOOKASIDE_RE, (m) => proxyImageUrl(m, prefix));
+}
+export function scopeCss(css, scopeSelector) {
+  let result = css.replace(CHARSET_RE, "");
+  result = result.replace(IMPORT_RE, "");
+  return processRules(result, scopeSelector);
+}
+function processRules(css, scopeSelector) {
+  const output = [];
+  let i = 0;
+  while (i < css.length) {
+    while (i < css.length && WHITESPACE_RE.test(css[i])) i++;
+    if (i >= css.length)
+      break;
+    if (css[i] === "@") {
+      const atRule = extractAtRule(css, i);
+      if (atRule) {
+        const atName = atRule.content.match(AT_RULE_NAME_RE)?.[1]?.toLowerCase();
+        if (atName === "media" || atName === "supports" || atName === "layer") {
+          const braceStart = atRule.content.indexOf("{");
+          if (braceStart === -1) {
+            output.push(atRule.content);
+          } else {
+            const innerCss = atRule.content.slice(braceStart + 1, -1);
+            const scopedInner = processRules(innerCss, scopeSelector);
+            output.push(`${atRule.content.slice(0, braceStart + 1)}${scopedInner}}`);
+          }
+        } else if (atName === "keyframes" || atName === "-webkit-keyframes" || atName === "font-face") {
+          output.push(atRule.content);
+        }
+        i = atRule.end;
+        continue;
+      }
+    }
+    const bracePos = css.indexOf("{", i);
+    if (bracePos === -1)
+      break;
+    const selector = css.slice(i, bracePos).trim();
+    const block = extractBlock(css, bracePos);
+    if (!block)
+      break;
+    i = block.end;
+    if (!selector)
+      continue;
+    const selectors = splitTopLevel(selector, ",").map((s) => s.trim());
+    const filteredSelectors = selectors.filter((s) => {
+      const normalized = s.replace(MULTI_SPACE_RE, " ").trim().toLowerCase();
+      return normalized !== ":root" && normalized !== "html" && normalized !== "body" && !normalized.startsWith(":root ") && !normalized.startsWith("html ") && !normalized.startsWith("body ") && normalized !== "html, body";
+    });
+    if (filteredSelectors.length === 0)
+      continue;
+    const scopedSelectors = filteredSelectors.map((s) => `${scopeSelector} ${s}`);
+    output.push(`${scopedSelectors.join(", ")} ${block.content}`);
+  }
+  return output.join("\n");
+}
+function extractAtRule(css, start) {
+  const bracePos = css.indexOf("{", start);
+  const semiPos = css.indexOf(";", start);
+  if (semiPos !== -1 && (bracePos === -1 || semiPos < bracePos)) {
+    return { content: css.slice(start, semiPos + 1), end: semiPos + 1 };
+  }
+  if (bracePos === -1)
+    return null;
+  const block = extractBlock(css, bracePos);
+  if (!block)
+    return null;
+  return {
+    content: css.slice(start, bracePos) + block.content,
+    end: block.end
+  };
+}
+function splitTopLevel(input, separator) {
+  const parts = [];
+  let depth = 0;
+  let quote = null;
+  let start = 0;
+  for (let i = 0; i < input.length; i++) {
+    const ch = input[i];
+    if (quote) {
+      if (ch === "\\") {
+        i++;
+        continue;
+      }
+      if (ch === quote)
+        quote = null;
+      continue;
+    }
+    if (ch === '"' || ch === "'") {
+      quote = ch;
+      continue;
+    }
+    if (ch === "(" || ch === "[") {
+      depth++;
+      continue;
+    }
+    if (ch === ")" || ch === "]") {
+      depth--;
+      continue;
+    }
+    if (ch === separator && depth === 0) {
+      parts.push(input.slice(start, i));
+      start = i + 1;
+    }
+  }
+  parts.push(input.slice(start));
+  return parts;
+}
+function extractBlock(css, openBrace) {
+  let depth = 0;
+  for (let j = openBrace; j < css.length; j++) {
+    if (css[j] === "{") {
+      depth++;
+    } else if (css[j] === "}") {
+      depth--;
+      if (depth === 0) {
+        return { content: css.slice(openBrace, j + 1), end: j + 1 };
+      }
+    }
+  }
+  return null;
+}

package/dist/runtime/server/utils/sign.d.ts

@@ -0,0 +1,109 @@
+/**
+ * HMAC URL signing for proxy endpoints.
+ *
+ * ## Why
+ *
+ * Proxy endpoints like `/_scripts/proxy/google-static-maps` inject a server-side
+ * API key and forward requests to third-party services. Without signing, anyone
+ * can call these endpoints with arbitrary parameters and burn the site owner's
+ * API quota. Signing ensures only URLs generated server-side (during SSR/prerender
+ * or via the `/_scripts/sign` endpoint) are accepted.
+ *
+ * ## How
+ *
+ * 1. The module stores a deterministic secret in `runtimeConfig.nuxt-scripts.proxySecret`
+ *    (env: `NUXT_SCRIPTS_PROXY_SECRET`).
+ * 2. URLs are canonicalized (sort query keys, strip `sig`) and signed with HMAC-SHA256.
+ * 3. The first 16 hex chars (64 bits) of the digest is appended as `?sig=<hex>`.
+ * 4. Endpoints wrapped with `withSigning()` verify the sig against the current request.
+ *
+ * A 64-bit signature is enough to defeat brute force for this threat model
+ * (a billion guesses gives a ~5% hit rate at 2^64). Longer signatures bloat
+ * prerendered HTML for no practical gain.
+ */
+import type { H3Event } from 'h3';
+/** Query param name for the signature. Chosen to be unlikely to collide with upstream APIs. */
+export declare const SIG_PARAM = "sig";
+/** Length of the hex signature (16 chars = 64 bits). */
+export declare const SIG_LENGTH = 16;
+/**
+ * Canonicalize a query object into a deterministic string suitable for HMAC input.
+ *
+ * Rules:
+ * - The `sig` param is stripped (it can't sign itself).
+ * - `undefined` and `null` values are skipped (mirrors `ufo.withQuery`).
+ * - Keys are sorted alphabetically so order-independent reconstruction works.
+ * - Arrays expand to repeated keys (e.g. `markers=a&markers=b`), matching how
+ *   `ufo.withQuery` serializes array-valued params.
+ * - Objects are JSON-stringified (rare, but consistent with `ufo.withQuery`).
+ * - Encoding uses `encodeURIComponent` for both keys and values so the canonical
+ *   form matches what shows up on the wire.
+ *
+ * The resulting string is stable across server/client and different JS runtimes
+ * because it does not depend on `URLSearchParams` insertion order.
+ */
+export declare function canonicalizeQuery(query: Record<string, unknown>): string;
+/**
+ * Sign a path + query using HMAC-SHA256 and return the 16-char hex digest.
+ *
+ * The HMAC input is `${path}?${canonicalQuery}` so that the same query signed
+ * against a different endpoint yields a different signature (prevents cross-
+ * endpoint signature reuse).
+ *
+ * `path` should be the URL path without query string (e.g. `/_scripts/proxy/google-static-maps`).
+ * Callers should not include origin / host since the signing contract is path-relative.
+ */
+export declare function signProxyUrl(path: string, query: Record<string, unknown>, secret: string): string;
+/**
+ * Build a fully-formed signed URL (path + query + sig).
+ *
+ * This is the primary helper for code paths that need to emit a proxy URL
+ * (SSR components, server-side URL rewriters like instagram-embed).
+ */
+export declare function buildSignedProxyUrl(path: string, query: Record<string, unknown>, secret: string): string;
+/** Query param name for the page token. */
+export declare const PAGE_TOKEN_PARAM = "_pt";
+/** Query param name for the page token timestamp. */
+export declare const PAGE_TOKEN_TS_PARAM = "_ts";
+/** Default max age for page tokens in seconds (1 hour). */
+export declare const PAGE_TOKEN_MAX_AGE = 3600;
+/**
+ * Generate a page token that authorizes client-side proxy requests.
+ *
+ * Embedded in the SSR payload so the browser can attach it to reactive proxy
+ * URL updates without needing a `/sign` round-trip. The token is scoped to
+ * a timestamp and expires after `PAGE_TOKEN_MAX_AGE` seconds.
+ *
+ * Construction: first 16 hex chars of `HMAC(secret, "proxy-access:<timestamp>")`.
+ */
+export declare function generateProxyToken(secret: string, timestamp: number): string;
+/**
+ * Verify a page token against the current time.
+ *
+ * Returns `true` if the token matches the HMAC for the given timestamp AND
+ * the timestamp is within `maxAge` seconds of `now`.
+ */
+export declare function verifyProxyToken(token: string, timestamp: number, secret: string, maxAge?: number, now?: number): boolean;
+/**
+ * Verify a request against either a URL signature or a page token.
+ *
+ * Two verification modes, checked in order:
+ *
+ * 1. **URL signature** (`sig` param): the exact URL was signed server-side
+ *    during SSR/prerender. Locked to the specific path + query params.
+ *
+ * 2. **Page token** (`_pt` + `_ts` params): the client received a short-lived
+ *    token during SSR and is making a reactive proxy request with new params.
+ *    Valid for any params on the target path, but expires after `maxAge`.
+ *
+ * Returns `false` if neither mode validates.
+ */
+export declare function verifyProxyRequest(event: H3Event, secret: string, maxAge?: number): boolean;
+/**
+ * Constant-time string comparison.
+ *
+ * Both inputs are expected to be equal-length hex strings. The loop runs over
+ * the longer length so an early-exit on length mismatch doesn't leak the
+ * expected length (though both are fixed at `SIG_LENGTH` in practice).
+ */
+export declare function constantTimeEqual(a: string, b: string): boolean;

package/dist/runtime/server/utils/sign.js

@@ -0,0 +1,88 @@
+import { createHmac } from "node:crypto";
+import { getQuery } from "h3";
+export const SIG_PARAM = "sig";
+export const SIG_LENGTH = 16;
+export function canonicalizeQuery(query) {
+  const keys = Object.keys(query).filter((k) => k !== SIG_PARAM && query[k] !== void 0 && query[k] !== null).sort();
+  const parts = [];
+  for (const key of keys) {
+    const value = query[key];
+    const encodedKey = encodeURIComponent(key);
+    if (Array.isArray(value)) {
+      for (const item of value) {
+        if (item === void 0 || item === null)
+          continue;
+        parts.push(`${encodedKey}=${encodeURIComponent(serializeValue(item))}`);
+      }
+    } else {
+      parts.push(`${encodedKey}=${encodeURIComponent(serializeValue(value))}`);
+    }
+  }
+  return parts.join("&");
+}
+function serializeValue(value) {
+  if (typeof value === "string")
+    return value;
+  if (typeof value === "object")
+    return JSON.stringify(value);
+  return String(value);
+}
+export function signProxyUrl(path, query, secret) {
+  const canonical = canonicalizeQuery(query);
+  const input = canonical ? `${path}?${canonical}` : path;
+  return createHmac("sha256", secret).update(input).digest("hex").slice(0, SIG_LENGTH);
+}
+export function buildSignedProxyUrl(path, query, secret) {
+  const sig = signProxyUrl(path, query, secret);
+  const canonical = canonicalizeQuery(query);
+  const queryString = canonical ? `${canonical}&${SIG_PARAM}=${sig}` : `${SIG_PARAM}=${sig}`;
+  return `${path}?${queryString}`;
+}
+export const PAGE_TOKEN_PARAM = "_pt";
+export const PAGE_TOKEN_TS_PARAM = "_ts";
+export const PAGE_TOKEN_MAX_AGE = 3600;
+export function generateProxyToken(secret, timestamp) {
+  return createHmac("sha256", secret).update(`proxy-access:${timestamp}`).digest("hex").slice(0, SIG_LENGTH);
+}
+export function verifyProxyToken(token, timestamp, secret, maxAge = PAGE_TOKEN_MAX_AGE, now = Math.floor(Date.now() / 1e3)) {
+  if (!token || !secret || typeof timestamp !== "number")
+    return false;
+  if (token.length !== SIG_LENGTH)
+    return false;
+  const age = now - timestamp;
+  if (age > maxAge || age < -60)
+    return false;
+  const expected = generateProxyToken(secret, timestamp);
+  return constantTimeEqual(expected, token);
+}
+export function verifyProxyRequest(event, secret, maxAge) {
+  if (!secret)
+    return false;
+  const query = getQuery(event);
+  const rawSig = query[SIG_PARAM];
+  const sig = Array.isArray(rawSig) ? rawSig[0] : rawSig;
+  if (typeof sig === "string" && sig.length === SIG_LENGTH) {
+    const path = (event.path || "").split("?")[0] || "";
+    const expected = signProxyUrl(path, query, secret);
+    if (constantTimeEqual(expected, sig))
+      return true;
+  }
+  const rawToken = query[PAGE_TOKEN_PARAM];
+  const rawTs = query[PAGE_TOKEN_TS_PARAM];
+  const token = Array.isArray(rawToken) ? rawToken[0] : rawToken;
+  const ts = Array.isArray(rawTs) ? rawTs[0] : rawTs;
+  if (typeof token === "string" && ts !== void 0) {
+    const timestamp = Number(ts);
+    if (!Number.isNaN(timestamp))
+      return verifyProxyToken(token, timestamp, secret, maxAge);
+  }
+  return false;
+}
+export function constantTimeEqual(a, b) {
+  if (a.length !== b.length)
+    return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++)
+    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  return diff === 0;
+}

package/dist/runtime/server/utils/withSigning.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Middleware wrapper that enforces HMAC signature verification on a proxy handler.
+ *
+ * Usage:
+ * ```ts
+ * export default withSigning(defineEventHandler(async (event) => {
+ *   // ... handler logic
+ * }))
+ * ```
+ *
+ * Behavior:
+ * - Reads `runtimeConfig.nuxt-scripts.proxySecret` (server-only).
+ * - If no secret is configured: passes through (signing not yet enabled).
+ *   This allows shipping handler wiring before components emit signed URLs.
+ *   Once `NUXT_SCRIPTS_PROXY_SECRET` is set, verification is enforced.
+ * - If a secret IS configured and the request's signature is invalid: 403.
+ * - Otherwise, delegates to the wrapped handler.
+ *
+ * The outer wrapper runs before any handler logic, so unauthorized requests
+ * never reach the upstream fetch and cannot consume API quota.
+ */
+import type { EventHandler, EventHandlerRequest, EventHandlerResponse } from 'h3';
+export declare function withSigning<Req extends EventHandlerRequest = EventHandlerRequest, Res extends EventHandlerResponse = EventHandlerResponse>(handler: EventHandler<Req, Res>): EventHandler<Req, Res>;

package/dist/runtime/server/utils/withSigning.js

@@ -0,0 +1,18 @@
+import { createError, defineEventHandler } from "h3";
+import { useRuntimeConfig } from "nitropack/runtime";
+import { verifyProxyRequest } from "./sign.js";
+export function withSigning(handler) {
+  return defineEventHandler(async (event) => {
+    const runtimeConfig = useRuntimeConfig(event);
+    const secret = runtimeConfig["nuxt-scripts"]?.proxySecret;
+    if (!secret)
+      return handler(event);
+    if (!verifyProxyRequest(event, secret)) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: "Invalid signature"
+      });
+    }
+    return handler(event);
+  });
+}

package/dist/runtime/server/x-embed.js

@@ -1,7 +1,8 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
+import { withSigning } from "./utils/withSigning.js";
 const TWEET_ID_RE = /^\d+$/;
-export default defineEventHandler(async (event) => {
+export default withSigning(defineEventHandler(async (event) => {
   const query = getQuery(event);
   const tweetId = query.id;
   if (!tweetId || !TWEET_ID_RE.test(tweetId)) {
@@ -29,4 +30,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, "Content-Type", "application/json");
   setHeader(event, "Cache-Control", "public, max-age=600, s-maxage=600");
   return tweetData;
-});
+}));

package/dist/runtime/types.d.ts

@@ -235,7 +235,7 @@ export type BuiltInRegistryScriptKey = 'bingUet' | 'blueskyEmbed' | 'carbonAds'
  * Includes both built-in and augmented keys.
  */
 export type RegistryScriptKey = Exclude<keyof ScriptRegistry, `${string}-npm`>;
-type RegistryConfigInput<T> = [T] extends [true] ? Record<string, never> : T;
+type RegistryConfigInput<T> = 0 extends 1 & T ? Record<string, any> : [T] extends [true] ? Record<string, never> : T;
 export type NuxtConfigScriptRegistryEntry<T> = true | false | 'mock' | (RegistryConfigInput<T> & {
     trigger?: NuxtUseScriptOptionsSerializable['trigger'] | false;
     proxy?: boolean;
@@ -268,6 +268,14 @@ export interface RegistryScriptServerHandler {
     route: string;
     handler: string;
     middleware?: boolean;
+    /**
+     * Whether this handler verifies HMAC signatures via `withSigning()`.
+     *
+     * When any enabled script registers a handler with `requiresSigning: true`,
+     * the module enforces that `NUXT_SCRIPTS_PROXY_SECRET` is set in production,
+     * and the `/_scripts/sign` endpoint will accept this route as a signable path.
+     */
+    requiresSigning?: boolean;
 }
 /**
  * Declares what optimization modes a script supports and what's active by default.

package/dist/types.d.mts

@@ -6,6 +6,6 @@ declare module '@nuxt/schema' {
 
 export { type FirstPartyPrivacy } from '../dist/runtime/types.js'
 
-export { type applyAutoInject, default, type isProxyDisabled } from './module.mjs'
+export { type applyAutoInject, default, type isProxyDisabled, type resolveProxySecret } from './module.mjs'
 
-export { type ModuleHooks, type ModuleOptions } from './module.mjs'
+export { type ModuleHooks, type ModuleOptions, type ResolvedProxySecret } from './module.mjs'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@nuxt/scripts",
   "type": "module",
-  "version": "1.0.0-rc.6",
+  "version": "1.0.0-rc.8",
   "description": "Load third-party scripts with better performance, privacy and DX in Nuxt Apps.",
   "author": {
     "name": "Harlan Wilton",
@@ -45,7 +45,11 @@
       ]
     }
   },
+  "bin": {
+    "nuxt-scripts": "./bin/cli.mjs"
+  },
   "files": [
+    "bin",
     "dist"
   ],
   "build": {
@@ -108,7 +112,7 @@
     "magic-string": "^0.30.21",
     "ofetch": "^1.5.1",
     "ohash": "^2.0.11",
-    "oxc-parser": "^0.124.0",
+    "oxc-parser": "^0.125.0",
     "oxc-walker": "^0.7.0",
     "pathe": "^2.0.3",
     "pkg-types": "^2.3.0",

package/dist/devtools-client/_nuxt/builds/meta/640f0a39-e659-4a31-8b8d-adbd9af52f1e.json

@@ -1 +0,0 @@
-{"id":"640f0a39-e659-4a31-8b8d-adbd9af52f1e","timestamp":1775787703990,"prerendered":[]}