@paywalls-net/filter 1.3.7 → 1.3.9

package/package.json

@@ -3,7 +3,7 @@
   "description": "Client SDK for integrating paywalls.net bot filtering and authorization services into your server or CDN.",
   "author": "paywalls.net",
   "license": "MIT",
-  "version": "1.3.7",
+  "version": "1.3.9",
   "publishConfig": {
     "access": "public"
   },

package/src/index.js

@@ -78,9 +78,65 @@ function isVAIRequest(request, vaiPath = '/pw') {
 }
 
 /**
- * Proxy VAI requests to the cloud-api service.
- * Proxies the entire request path without endpoint-specific logic,
- * allowing new VAI endpoints to work automatically.
+ * Clean 1:1 header forwarding map for operational proxy headers (§7.2).
+ * Each entry: { src: string (lowercase incoming), dest: string (outgoing) }
+ * Headers with fallback logic or multi-source derivation are handled separately.
+ */
+const PROXY_HEADER_MAP = [
+    { src: 'host',                          dest: 'X-Original-Host'                  }, // publisher hostname for domain binding
+    { src: 'origin',                        dest: 'X-Forwarded-Origin'               }, // relay for CORS evaluation (§5, §7.2)
+    { src: 'access-control-request-method', dest: 'Access-Control-Request-Method'    }, // preflight (§5.4)
+    { src: 'access-control-request-headers',dest: 'Access-Control-Request-Headers'   }, // preflight (§5.4)
+    { src: 'cookie',                        dest: 'Cookie'                           }, // session/identity context
+];
+
+/**
+ * Maps browser signal sources → X-PW-* forwarding headers (§5.2).
+ * Each entry: { from: 'headers'|'cf', src: string, dest: string }
+ *   from:'headers' — read from incoming request headers (lowercase)
+ *   from:'cf'      — read from request.cf property
+ */
+const SIGNAL_HEADER_MAP = [
+    // Bundle A: Sec-Fetch (3 pts)
+    { from: 'headers', src: 'sec-fetch-dest',  dest: 'X-PW-Sec-Fetch-Dest'  },
+    { from: 'headers', src: 'sec-fetch-mode',  dest: 'X-PW-Sec-Fetch-Mode'  },
+    { from: 'headers', src: 'sec-fetch-site',  dest: 'X-PW-Sec-Fetch-Site'  },
+    // Bundle B: Accept (2 pts)
+    { from: 'headers', src: 'accept',          dest: 'X-PW-Accept'          },
+    { from: 'headers', src: 'accept-language', dest: 'X-PW-Accept-Language' },
+    { from: 'headers', src: 'accept-encoding', dest: 'X-PW-Accept-Encoding' },
+    // Bundle C: Client Hints (2 pts)
+    { from: 'headers', src: 'sec-ch-ua',       dest: 'X-PW-Sec-CH-UA'       },
+    // Bundle D: CF infrastructure (1 pt) — only valid at first-hop CF Worker
+    { from: 'cf',      src: 'tlsVersion',      dest: 'X-PW-TLS-Version'     },
+    { from: 'cf',      src: 'httpProtocol',    dest: 'X-PW-HTTP-Protocol'   },
+    { from: 'cf',      src: 'asn',             dest: 'X-PW-ASN'             },
+];
+
+/**
+ * Proxy VAI requests to the cloud-api service (Spec §7).
+ * 
+ * Transparent passthrough: cloud-api is authoritative for CORS, domain auth,
+ * and security headers.  This proxy must NOT inject or modify CORS headers.
+ * 
+ * Header forwarding (§7.2):
+ *  - X-Forwarded-Origin: browser Origin (Cloudflare Workers control the
+ *    outbound Origin header, so we relay via a custom header)
+ *  - X-Original-Host: publisher hostname for domain binding
+ *  - Access-Control-Request-Method/Headers: for preflight evaluation
+ *  - Cookie: for session/identity context
+ *  - User-Agent, X-Forwarded-For: standard proxy headers
+ *  - Authorization: publisher API key (§7.4)
+ * 
+ * Human-confidence signal forwarding (§5.2):
+ *  Driven by SIGNAL_HEADER_MAP — each entry specifies a source ('headers' or 'cf')
+ *  and property name to read, and the X-PW-* destination header to write.
+ *  Simple passthrough: present values forwarded, absent values omitted.
+ * 
+ * Response passthrough (§7.3):
+ *  All response headers from cloud-api are returned unchanged — including
+ *  Access-Control-*, Vary, Cache-Control.  The proxy never injects or
+ *  re-stamps CORS headers.
  * 
  * @param {Object} cfg - Configuration object with paywallsAPIHost and paywallsAPIKey
  * @param {Request} request - The incoming request
@@ -96,31 +152,36 @@ async function proxyVAIRequest(cfg, request) {
         // Get all request headers
         const headers = getAllHeaders(request);
         
-        // Build forwarding headers
+        // Build forwarding headers — include everything cloud-api needs
+        // for CORS evaluation, domain auth, and request context.
         const forwardHeaders = {
             'User-Agent': headers['user-agent'] || sdkUserAgent,
             'Authorization': `Bearer ${cfg.paywallsAPIKey}`
         };
         
-        // Add forwarding headers if available
+        // Client IP forwarding — dual-source, so handled explicitly
         if (headers['x-forwarded-for']) {
             forwardHeaders['X-Forwarded-For'] = headers['x-forwarded-for'];
         } else if (headers['cf-connecting-ip']) {
             forwardHeaders['X-Forwarded-For'] = headers['cf-connecting-ip'];
         }
-        
-        if (headers['host']) {
-            forwardHeaders['X-Original-Host'] = headers['host'];
+
+        // Clean 1:1 operational header forwarding (§7.2)
+        for (const { src, dest } of PROXY_HEADER_MAP) {
+            if (headers[src]) forwardHeaders[dest] = headers[src];
         }
-        
-        // Forward browser Origin via custom header for CORS evaluation (§5).
-        // Using X-Forwarded-Origin because wrangler dev mangles the standard
-        // Origin header with port-stacking when proxying between local workers.
-        const browserOrigin = headers['origin'] || null;
-        if (browserOrigin) {
-            forwardHeaders['X-Forwarded-Origin'] = browserOrigin;
+
+        // Forward browser-provenance signals as X-PW-* headers (§5.2).
+        // Simple passthrough: forward whatever is present, no cross-request state.
+        const cf = request.cf || {};
+        const sources = { headers, cf };
+        for (const { from, src, dest } of SIGNAL_HEADER_MAP) {
+            const value = sources[from][src];
+            if (value != null && value !== '') {
+                forwardHeaders[dest] = String(value);
+            }
         }
-        
+
         // Forward request to cloud-api
         const response = await fetch(`${cfg.paywallsAPIHost}${cloudApiPath}`, {
             method: request.method || 'GET',
@@ -131,18 +192,12 @@ async function proxyVAIRequest(cfg, request) {
             console.error(`VAI proxy error: ${response.status} ${response.statusText}`);
         }
         
-        // Build response, fixing CORS headers that wrangler dev may mangle.
-        // The cloud-api sets Access-Control-Allow-Origin to the browser's origin
-        // (via X-Forwarded-Origin), but wrangler can corrupt the value on the
-        // return path too.  Re-stamp it with the captured browser origin.
-        const responseHeaders = new Headers(response.headers);
-        if (browserOrigin && responseHeaders.has('Access-Control-Allow-Origin')) {
-            responseHeaders.set('Access-Control-Allow-Origin', browserOrigin);
-        }
+        // Transparent passthrough (§7.3): return cloud-api response unchanged.
+        // Cloud-api is authoritative for CORS headers — do not re-stamp or inject.
         return new Response(response.body, {
             status: response.status,
             statusText: response.statusText,
-            headers: responseHeaders
+            headers: response.headers
         });
     } catch (err) {
         console.error(`Error proxying VAI request: ${err.message}`);

package/src/user-agent-classification.js

@@ -142,6 +142,8 @@ export async function classifyUserAgent(cfg, userAgent) {
     const result = {
         browser,
         os,
+        purpose: 'other',
+        purpose_mode: ['other'],
         vat: 'HUMAN',
         act: 'ACT-2',  // Unmatched UA with detected browser — medium confidence
     };