npm - @paywalls-net/filter - Versions diffs - 1.3.6 → 1.3.7 - Mend

@paywalls-net/filter 1.3.6 → 1.3.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/src/index.js +22 -2

package/package.json CHANGED Viewed

@@ -3,7 +3,7 @@
   "description": "Client SDK for integrating paywalls.net bot filtering and authorization services into your server or CDN.",
   "author": "paywalls.net",
   "license": "MIT",
-  "version": "1.3.6",
+  "version": "1.3.7",
   "publishConfig": {
     "access": "public"
   },

package/src/index.js CHANGED Viewed

@@ -113,9 +113,17 @@ async function proxyVAIRequest(cfg, request) {
             forwardHeaders['X-Original-Host'] = headers['host'];
         }
+        // Forward browser Origin via custom header for CORS evaluation (§5).
+        // Using X-Forwarded-Origin because wrangler dev mangles the standard
+        // Origin header with port-stacking when proxying between local workers.
+        const browserOrigin = headers['origin'] || null;
+        if (browserOrigin) {
+            forwardHeaders['X-Forwarded-Origin'] = browserOrigin;
+        }
         // Forward request to cloud-api
         const response = await fetch(`${cfg.paywallsAPIHost}${cloudApiPath}`, {
-            method: 'GET',
+            method: request.method || 'GET',
             headers: forwardHeaders
         });
@@ -123,7 +131,19 @@ async function proxyVAIRequest(cfg, request) {
             console.error(`VAI proxy error: ${response.status} ${response.statusText}`);
         }
-        return response;
+        // Build response, fixing CORS headers that wrangler dev may mangle.
+        // The cloud-api sets Access-Control-Allow-Origin to the browser's origin
+        // (via X-Forwarded-Origin), but wrangler can corrupt the value on the
+        // return path too.  Re-stamp it with the captured browser origin.
+        const responseHeaders = new Headers(response.headers);
+        if (browserOrigin && responseHeaders.has('Access-Control-Allow-Origin')) {
+            responseHeaders.set('Access-Control-Allow-Origin', browserOrigin);
+        }
+        return new Response(response.body, {
+            status: response.status,
+            statusText: response.statusText,
+            headers: responseHeaders
+        });
     } catch (err) {
         console.error(`Error proxying VAI request: ${err.message}`);
         return new Response('Internal Server Error', { status: 500 });