@obfious/server 0.3.8

package/LICENSE

@@ -0,0 +1,23 @@
+Obfious Client License
+
+Copyright (c) 2026 Metaphor Limited
+
+Permission is hereby granted to any person or entity that holds an active
+Obfious subscription ("Customer") to use, copy, and modify this software
+solely for the purpose of integrating with the Obfious service.
+
+This software may not be used, copied, modified, merged, published,
+distributed, sublicensed, or sold by any person or entity that is not a
+Customer with an active Obfious subscription.
+
+Redistribution of this software, in source or binary form, is permitted only
+as part of a Customer's application that integrates with the Obfious service.
+Standalone redistribution is not permitted.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,66 @@
+# @obfious/server
+
+Cutting-edge request firewall for Cloudflare Workers.
+
+## Install
+
+```bash
+npm install @obfious/server
+```
+
+## Credentials
+
+```bash
+wrangler secret put OBFIOUS_KEY_ID
+wrangler secret put OBFIOUS_SECRET
+wrangler secret put OBFIOUS_API_URL
+```
+
+## Usage
+
+```typescript
+import { Obfious } from "@obfious/server";
+
+interface Env {
+  OBFIOUS_KEY_ID: string;
+  OBFIOUS_SECRET: string;
+  OBFIOUS_API_URL: string;
+}
+
+let obfious: Obfious;
+
+export default {
+  async fetch(request: Request, env: Env): Promise<Response> {
+    obfious ??= new Obfious({
+      routePrefix: "/v",
+      apiUrl: env.OBFIOUS_API_URL,
+      // clientScript: "/v",       // optional — override script path prefix
+      // protectedPaths: ["/api"], // optional — only guard these paths (default: all)
+      // excludePaths: ["/api/webhook"], // optional — skip protection for these paths
+    });
+
+    const blocked = await obfious.protect(request, {
+      keyId: env.OBFIOUS_KEY_ID,
+      secret: env.OBFIOUS_SECRET,
+    });
+    if (blocked) return blocked;
+
+    return new Response(
+      `<!DOCTYPE html>
+      <html>
+        <head>
+          <script src="${obfious.clientScript}" defer></script>
+        </head>
+        <body>
+          <h1>Hello</h1>
+        </body>
+      </html>`,
+      { headers: { "Content-Type": "text/html" } }
+    );
+  },
+};
+```
+
+## License
+
+[Obfious Client License](./LICENSE) — requires an active Obfious subscription.

package/dist/index.d.ts

@@ -0,0 +1,16 @@
+export interface ObfiousConfig {
+    routePrefix: string;
+    apiUrl: string;
+    clientScript?: string;
+    protectedPaths?: string[];
+    excludePaths?: string[];
+}
+export interface ObfiousCreds {
+    keyId: string;
+    secret: string;
+}
+export declare class Obfious {
+    constructor(config: ObfiousConfig);
+    get clientScript(): string;
+    protect(request: Request, creds?: ObfiousCreds): Promise<Response | null>;
+}

package/dist/index.js

@@ -0,0 +1 @@
+var _h0=[120,45,111,98,102,105,111,117,115,45,107,101,121].map(c=>String.fromCharCode(c)).join(""),_h1=[120,45,111,98,102,105,111,117,115,45,115,105,103].map(c=>String.fromCharCode(c)).join(""),_h2=[120,45,111,98,102,105,111,117,115,45,116,115].map(c=>String.fromCharCode(c)).join(""),_h3=[67,111,110,116,101,110,116,45,84,121,112,101].map(c=>String.fromCharCode(c)).join(""),_h4=[97,112,112,108,105,99,97,116,105,111,110,47,106,97,118,97,115,99,114,105,112,116].map(c=>String.fromCharCode(c)).join(""),_h5=[97,112,112,108,105,99,97,116,105,111,110,47,106,115,111,110].map(c=>String.fromCharCode(c)).join(""),_h6=[67,97,99,104,101,45,67,111,110,116,114,111,108].map(c=>String.fromCharCode(c)).join(""),_h7=[112,117,98,108,105,99,44,32,109,97,120,45,97,103,101,61,51,54,48,48].map(c=>String.fromCharCode(c)).join(""),_h8=[67,70,45,67,111,110,110,101,99,116,105,110,103,45,73,80].map(c=>String.fromCharCode(c)).join(""),_m0=[71,69,84].map(c=>String.fromCharCode(c)).join(""),_m1=[80,79,83,84].map(c=>String.fromCharCode(c)).join(""),_x0=[46,106,115].map(c=>String.fromCharCode(c)).join(""),_x1=[117,110,107,110,111,119,110].map(c=>String.fromCharCode(c)).join(""),_x2=[116,111,107,101,110].map(c=>String.fromCharCode(c)).join(""),_x3=[98,108,111,99,107,101,100].map(c=>String.fromCharCode(c)).join("");var C={status:403},p={status:401},u=class{t;n=null;e=null;r=null;h=new Map;u=new Map;constructor(t){this.t=t}get clientScript(){let t=this.t.clientScript??this.t.routePrefix;if(!this.e)return`${t}/c.js`;let e=Math.O(Date.s()/36e5);return`${t}/${this.e.d}.js`}async protect(t,e){if(e&&!this.n&&(this.n=e),!this.n)return null;if(!this.e)try{this.e=await this.C()}catch(i){return console.error(i?.message||i),null}let s=new URL(t.url),o=this.t.routePrefix,n=this.e;if(t.method===_m0&&s.pathname.A(_x0)&&s.pathname.f(o)&&this.g(s.pathname)){let i=await this.o(`${this.t.apiUrl}/v/b`,{method:_m0});if(i.ok)return new Response(i.body,{headers:{_h3:_h4,_h6:_h7}})}if(t.method===_m1&&s.pathname.f(o+"/")){let i=s.pathname.T(o.y),r=null;if(i==="/"+n.m?r="/c":i==="/"+n.H?r="/s":i==="/"+n.L&&(r="/r"),r){let h=await this.o(`${this.t.apiUrl}/v${r}`,{method:_m1,headers:{_h3:t.headers.a(_h3)||_h5},body:t.body});if(r==="/r"&&h.ok)try{let l=await h.k().p();if(l.fp){let d=l.fp.blocked?6e5:3e5;this.h.i(l.fp.id,{c:l.fp.blocked,l:Date.s()+d})}}catch{}return h}}if(this.t.excludePaths?.E(i=>s.pathname.f(i))||this.t.protectedPaths&&!this.t.protectedPaths.E(r=>s.pathname.f(r)))return null;let c=t.headers.a(n._);if(!c)return new Response(null,p);let a=t.headers.a(n.$);return a&&await this.b(a)?new Response(null,C):(await this.w(t,c)).valid?null:new Response(null,p)}async C(){if(this.r)return this.r;this.r=(async()=>{let t=await this.o(`${this.t.apiUrl}/v/w`,{method:_m0});if(!t.ok)throw new Error(`config fetch failed (${t.status})`);let e=await t.p();if(!e._||!e.m)throw new Error("invalid config response");return e})();try{return await this.r}finally{this.r=null}}async b(t){let e=this.h.a(t);if(e&&e.l>Date.s())return e.c;try{let s=await this.o(`${this.t.apiUrl}/f/${encodeURIComponent(t)}`,{method:_m0});if(s.ok){let o=await s.p(),n=o.blocked?6e5:3e5;return this.h.i(t,{c:o.blocked,l:Date.s()+n}),o.blocked}}catch{}return!1}async w(t,e){let s=this.u.a(e);if(s&&s.l>Date.s())return s.c;try{let o=await this.o(`${this.t.apiUrl}/v/q`,{method:_m1,headers:{_h3:_h5,_h8:t.headers.a(_h8)||_x1},body:JSON.D({F:e})});if(!o.ok){let a={valid:!1};return this.u.i(e,{c:a,l:Date.s()+5e3}),a}let n=await o.p(),c=n.valid?6e4:5e3;return this.u.i(e,{c:n,l:Date.s()+c}),n}catch{return{valid:!1}}}async o(t,e){let s=Date.s().P(),o=new URL(t),n=(e.method||_m0).I(),c=`${s}.${n}.${o.pathname}`,a=new TextEncoder().R(this.n.secret),f=await crypto.x.K("raw",a,{U:"HMAC",N:"SHA-256"},!1,["sign"]),i=this.v(await crypto.x.S("HMAC",f,new TextEncoder().R(c))),r=new Headers(e.headers);return r.i(_h0,this.n.keyId),r.i(_h1,i),r.i(_h2,s),fetch(t,{...e,headers:r})}g(t){if(!this.e)return!1;let e=this.t.routePrefix;return t.T(e.y+1).j(_x0,"")===this.e.d}v(t){return Array.G(new Uint8Array(t)).B(e=>e.P(16).M(2,"0")).V("")}};export{u as Obfious};

package/package.json

@@ -0,0 +1,19 @@
+{
+  "name": "@obfious/server",
+  "version": "0.3.8",
+  "description": "Obfious consumer integration",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist/index.js",
+    "dist/index.d.ts"
+  ],
+  "license": "SEE LICENSE IN LICENSE"
+}