Limit usefulness to just isomorphic-git requests

Author: billiegoose

README.md

@@ -1,105 +1,11 @@
-# cors-buster
-When you need a file, but the headers ain't good, who you gonna call? CORS Buster!
+# git-cors-proxy
 
 ## What is this?
 
-This is the software running on https://cors-buster-tbgktfqyku.now.sh, a free
-service for AJAX users struggling to work around the fact that many websites
-do not implement CORS headers, even for static content.
+This is the software running on https://git-cors-proxy.now.sh, a free
+service for users of isomorphic-git so you can clone and push repos in the browser.
 
-## What it does
-
-Say you tried to do this AJAX call and got this lovely error:
-
-```
-window.fetch('http://nodejs.org/dist/v6.10.2/node-v6.10.2-linux-x64.tar.gz')
-
-Fetch API cannot load http://nodejs.org/dist/v6.10.2/node-v6.10.2-linux-x64.tar.gz. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://example.org' is therefore not allowed access. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
-Uncaught (in promise) TypeError: Failed to fetch
-```
-
-You can do this instead, and now there's no error:
-
-```
-window.fetch('https://cors-buster-tbgktfqyku.now.sh/nodejs.org/dist/v6.10.2/node-v6.10.2-linux-x64.tar.gz')
-```
-
-## Is this safe?
-
-CORS is designed to prevent a 3rd party (Eve) from doing evil things to Alice
-using her browser to make HTTP requests to Bob, essentially impersonating Alice.
-Browsers prevent JavaScript from making this kind of Cross-Origin AJAX Request
-by default. But if this server is making the request *on behalf* of your
-JavaScript, there is no way we could be impersonating Alice. Alice is safe.
-Bob was never protected in the first place. Eve has better things to do with
-her time.
-
-## But I need to POST/PUT/etc with data?
-
-That works too! Just make an OPTIONS/POST/PUT/DELETE/etc request and it will be forwarded.
-If you can only make GET requests, you can provide a `method` query parameter and
-the server will make it that kind of request instead.
-
-## Supported headers
-
-If there's a way to whitelist ALL headers, let me know. The one's I've explicitly added
-so far are:
-
-#### Request Headers:
-
-- accept-encoding
-- accept-language
-- accept
-- access-control-allow-origin
-- authorization
-- cache-control
-- connection
-- content-length
-- content-type
-- dnt
-- pragma
-- range
-- referer
-- user-agent
-- x-http-method-override
-- x-requested-with
-
-#### Response Headers:
-
-- accept-ranges
-- age
-- cache-control
-- content-length
-- content-language
-- content-type
-- date
-- etag
-- expires
-- last-modified
-- pragma
-- server
-- transfer-encoding
-- vary
-- x-github-request-id
-
-## That is nice, I want to run my own server
-
-Sure thing, just do:
-
-```
-git clone https://github.com/wmhilton/cors-buster
-cd cors-buster
-npm install
-PORT=80 npm start
-```
-
-## No, I meant I want to deploy it to zeit.now.sh
-
-Even easier, just do:
-
-```
-now wmhilton/cors-buster
-```
+It is derived from https://github.com/wmhilton/cors-buster with added restrictions to prevent abuse.
 
 ## License
 

allow-request.js

@@ -0,0 +1,21 @@
+const url = require('url')
+
+function isPreflight (req, u) {
+  return req.method === 'OPTIONS'
+}
+
+function isInfoRefs (req, u) {
+  return req.method === 'GET' && u.pathname.endsWith('/info/refs') && (u.query.service === 'git-upload-pack' || u.query.service === 'git-receive-pack')
+}
+
+function isPull (req, u) {
+  return req.method === 'POST' && req.headers['content-type'] === 'application/x-git-upload-pack-request' && u.pathname.endsWith('git-upload-pack')
+}
+
+function isPush (req, u) {
+  return req.method === 'POST' && req.headers['content-type'] === 'application/x-git-receive-pack-request' && u.pathname.endsWith('git-receive-pack')
+}
+
+module.exports = function allow (req, u) {
+  return (isPreflight(req, u) || isInfoRefs(req, u) || isPull(req, u) || isPush(req, u))
+}

index.js

@@ -2,6 +2,7 @@
 const url = require('url')
 const pkg = require('./package.json')
 const {send} = require('micro')
+const origin = process.env.ALLOW_ORIGIN
 const allowHeaders = [
   'accept-encoding',
   'accept-language',
@@ -37,18 +38,19 @@ const exposeHeaders = [
   'vary',
   'x-github-request-id',
 ]
-const cors = require('./micro-cors.js')({allowHeaders, exposeHeaders})
 const fetch = require('node-fetch')
+const cors = require('./micro-cors.js')({allowHeaders, exposeHeaders, origin})
+const allow = require('./allow-request.js')
 
 async function service (req, res) {
-  let p = url.parse(req.url, true).path
-  let parts = p.match(/\/([^\/]*)\/(.*)/)
-  if (parts === null) {
+  let u = url.parse(req.url, true)
+
+  if (u.pathname === '/') {
     res.setHeader('content-type', 'text/html')
     let html = `<!DOCTYPE html>
     <html>
-      <title>cors-buster</title>
-      <h1>CORS Buster! 👻&#x20E0;</h1>
+      <title>@isomorphic-git/cors-proxy</title>
+      <h1>@isomorphic-git/cors-proxy</h1>
       <h2>See docs: <a href="https://npmjs.org/package/${pkg.name}">https://npmjs.org/package/${pkg.name}</a></h2>
       <h2>Authenticity</h2>
       This is a publicly available service. As such you may wonder if it is safe to trust.
@@ -58,42 +60,25 @@ async function service (req, res) {
       The cloud hosting provider keeps log of all requests. That log is public and available on this page: <a href="/_logs">/_logs</a>.
       It records the URL, origin IP, referer, and user-agent. None of the sensitive HTTP headers (including those used for
       HTTP Basic Auth and HTTP Token auth) are ever logged.
-      <h2>Request API</h2>
-      ${process.env.NOW_URL}/domain/path?query
-      <ul>
-        <li>domain - the destination host</li>
-        <li>path - the rest of the URL</li>
-        <li>query - optional query parameters</li>
-      </ul>
-      Example: ${process.env.NOW_URL}/github.com/wmhilton/cors-buster?service=git-upload-pack
-      <h2>Supported Protocols</h2>
-      In order to protect users who might send their usernames and passwords through the proxy,
-      all requests must be made using HTTPS. Plain old HTTP is insecure and therefore not allowed.
-      This proxy cannot be used to make requests to HTTP-only sites.
-      <h2>Supported HTTP Methods</h2>
-      <ul>
-        <li>All - OPTIONS, GET, POST, PUT, DELETE, etc</li>
-      </ul>
-      <h2>Supported Query Parameters</h2>
-      <ul>
-        <li>All URL query parameters are passed on as-is to the destination address.</li>
-      </ul>
-      <h2>Supported Headers</h2>
-      <ul>
-        ${allowHeaders.map(x => `<li>${x}</li>`).join('\n')}
-      </ul>
     </html>
     `
     return send(res, 400, html)
   }
 
+  if (!allow(req, u)) {
+    // Don't waste my precious bandwidth
+    return send(res, 403, '')
+  }
+
   let headers = {}
   for (let h of allowHeaders) {
     if (req.headers[h]) {
       headers[h] = req.headers[h]
     }
   }
 
+  let p = u.path
+  let parts = p.match(/\/([^\/]*)\/(.*)/)
   let pathdomain = parts[1]
   let remainingpath = parts[2]
   console.log(`https://${pathdomain}/${remainingpath}`)