rantii/proxy.py at main

 #!/usr/bin/env python3
 """
 @fileoverview CORS proxy server for Rantii
 @author retoor <retoor@molodetz.nl>
 """
 import os
 import asyncio
 import mimetypes
 import posixpath
 from urllib.parse import urlparse, unquote
 from aiohttp import web, ClientSession
 API_BASE = 'https://dr.molodetz.nl/api/'
 ROOT_DIR = os.path.dirname(os.path.abspath(__file__))
 PORT = 8101
 def add_cors_headers(response):
     response.headers['Access-Control-Allow-Origin'] = '*'
     response.headers['Access-Control-Allow-Methods'] = 'GET, POST, DELETE, OPTIONS'
     response.headers['Access-Control-Allow-Headers'] = 'Content-Type'
     return response
 def is_path_safe(path):
     normalized = posixpath.normpath(path)
     if '..' in normalized:
         return False
     full_path = os.path.abspath(os.path.join(ROOT_DIR, normalized.lstrip('/')))
     return full_path.startswith(ROOT_DIR)
 async def handle_options(request):
     return add_cors_headers(web.Response(status=200))
 async def proxy_request(request, method, max_retries=10, retry_delay=2):
     path = request.path[5:]
     parsed = urlparse(path)
     clean_path = posixpath.normpath(parsed.path).lstrip('/')
     if '..' in clean_path:
         response = web.json_response({'success': False, 'error': 'Invalid path'}, status=400)
         return add_cors_headers(response)
     url = API_BASE + clean_path
     if request.query_string:
         url += '?' + request.query_string
     body = None
     if method in ('POST', 'DELETE'):
         body = await request.read()
     headers = {}
     if 'Content-Type' in request.headers:
         headers['Content-Type'] = request.headers['Content-Type']
     for attempt in range(max_retries):
         try:
             async with ClientSession() as session:
                 async with session.request(method, url, data=body, headers=headers) as resp:
                     data = await resp.read()
                     response = web.Response(
                         body=data,
                         status=resp.status,
                         content_type=resp.content_type
                     )
                     return add_cors_headers(response)
         except Exception:
             if attempt < max_retries - 1:
                 await asyncio.sleep(retry_delay)
     response = web.json_response({'success': False, 'error': 'Connection failed'}, status=503)
     return add_cors_headers(response)
 ALLOWED_IMAGE_HOSTS = [
     'img.devrant.com',
     'avatars.devrant.com',
     'img.youtube.com',
     'i.ytimg.com',
 ]
 async def handle_image_proxy(request):
     url = request.query.get('url')
     if not url:
         return add_cors_headers(web.Response(status=400, text='Missing url parameter'))
     try:
         parsed = urlparse(url)
         if parsed.hostname not in ALLOWED_IMAGE_HOSTS:
             return add_cors_headers(web.Response(status=403, text='Host not allowed'))
     except Exception:
         return add_cors_headers(web.Response(status=400, text='Invalid URL'))
     for attempt in range(3):
         try:
             async with ClientSession() as session:
                 async with session.get(url) as resp:
                     if resp.status != 200:
                         return add_cors_headers(web.Response(status=resp.status))
                     data = await resp.read()
                     content_type = resp.content_type or 'image/png'
                     response = web.Response(body=data, content_type=content_type)
                     response.headers['Cache-Control'] = 'public, max-age=86400'
                     return add_cors_headers(response)
         except Exception:
             if attempt < 2:
                 await asyncio.sleep(1)
     return add_cors_headers(web.Response(status=503, text='Failed to fetch image'))
 async def handle_api_get(request):
     if request.path == '/api/proxy-image':
         return await handle_image_proxy(request)
     return await proxy_request(request, 'GET')
 async def handle_api_post(request):
     return await proxy_request(request, 'POST')
 async def handle_api_delete(request):
     return await proxy_request(request, 'DELETE')
 async def handle_static(request):
     path = request.path
     if path == '/' or path.startswith('/?'):
         path = '/index.html'
     path = unquote(path).lstrip('/')
     if not is_path_safe(path):
         return add_cors_headers(web.Response(status=403, text='Forbidden'))
     full_path = os.path.join(ROOT_DIR, path)
     if os.path.isdir(full_path):
         full_path = os.path.join(full_path, 'index.html')
     if not os.path.isfile(full_path):
         return add_cors_headers(web.Response(status=404, text='Not Found'))
     content_type, _ = mimetypes.guess_type(full_path)
     if content_type is None:
         content_type = 'application/octet-stream'
     with open(full_path, 'rb') as f:
         data = f.read()
     response = web.Response(body=data, content_type=content_type)
     return add_cors_headers(response)
 def create_app():
     app = web.Application()
     app.router.add_route('OPTIONS', '/{path:.*}', handle_options)
     app.router.add_get('/api/{path:.*}', handle_api_get)
     app.router.add_post('/api/{path:.*}', handle_api_post)
     app.router.add_delete('/api/{path:.*}', handle_api_delete)
     app.router.add_get('/{path:.*}', handle_static)
     app.router.add_get('/', handle_static)
     return app
 if __name__ == '__main__':
     print(f'Server running at http://localhost:{PORT}')
     print('API proxy at /api/*')
     app = create_app()
     web.run_app(app, host='localhost', port=PORT, print=None)