Press n or j to go to the next uncovered block, b, p or k for the previous block.
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 | 48x 48x 48x 48x 48x 48x 48x 31x 26x 24x 22x 22x 22x 22x 22x 22x 22x 6x 22x 22x 22x 22x 22x 22x 22x 22x 22x 22x 4x 4x 4x 18x 18x 3x 3x 15x 15x 15x 15x 2x 2x 2x 2x 2x 2x 2x 2x 2x 4x 4x 4x 4x 4x 10x 4x 4x 4x 4x 4x 4x 1x 1x 3x 2x 2x 2x 2x 4x 4x 2x 2x 48x 47x 1x 40x 40x 28x 28x 28x 28x 28x 28x 28x 28x 28x 4x 28x 28x 12x 12x 5x 5x 3x 3x 3x 3x 3x 3x 1x 1x 3x 3x 2x 9x 31x 9x 9x 6x 6x 25x | import { Region } from './region'
import { APP_INCLUDED_CREDENTIALS_FLAG, SIGNALS_KEY } from '../../shared/const'
import { IdentificationRequestFailedError, SignalsNotAvailableError } from '../errors'
import { getHeaderOrThrow, getIp, hasContentType } from '../utils/headers'
import { findCookie } from '../cookies'
import { copyRequest, getCrossOriginUrl } from '../utils/request'
import { handleTampering } from './tampering'
import { TypedEnv } from '../types'
import { getFpRegion, getIngressBaseHost, getRoutePrefix, getRulesetId, getSecretKey } from '../env'
import {
EdgeRequest,
EdgeResponse,
ParsedIncomingRequest,
SendBody,
SendResponse,
SendResult,
} from './identificationClientTypes'
import { getIpType } from '../utils/ip'
/**
* Client for communicating with the identification service.
* Handles region-based URL resolution, request formatting, and response processing.
*/
export class IdentificationClient {
private readonly url: URL
/**
* Creates a new IdentificationClient instance.
* @param region - The region for URL resolution (e.g., 'us', 'eu')
* @param baseUrl - Base URL hostname for the identification service, e.g. "api.fpjs.io"
* @param apiKey - API key for authentication with the identification service
* @param routePrefix - Path prefix for worker requests.
* @param rulesetId - If of ruleset that will be evaluated by the identification service.
*/
constructor(
region: Region,
baseUrl: string,
private readonly apiKey: string,
private readonly routePrefix: string,
private readonly rulesetId?: string
) {
const resolvedUrl = IdentificationClient.resolveUrl(region, baseUrl)
console.debug('Resolved identification URL:', resolvedUrl)
this.url = new URL(resolvedUrl)
}
static fromEnv(env: TypedEnv) {
return new this(
getFpRegion(env),
getIngressBaseHost(env),
getSecretKey(env),
getRoutePrefix(env),
getRulesetId(env)
)
}
/**
* Sends fingerprint data to the identification service and returns the response with agent data.
*
* This method:
* 1. Sends the data to the POST /send
* 2. Returns the agent data along with any Set-Cookie headers received from the identification
*
* @param clientRequest - The incoming client request containing fingerprint data and headers
* @param signals - Fingerprint signals extracted from the request
* @param clientCookie - The optional client cookie to send along with the fingerprint data
* @returns Promise resolving to SendResult containing agent data and cookie headers
* @throws {SignalsNotAvailableError} When fingerprint signals are missing from the request
* @throws {IdentificationRequestFailedError} When the identification service request fails or returns invalid data
*/
async send(clientRequest: Request, signals: string, clientCookie?: string): Promise<SendResult> {
const clientIP = await getIp(clientRequest.headers)
const clientHost = getHeaderOrThrow(clientRequest.headers, 'host')
const clientUserAgent = getHeaderOrThrow(clientRequest.headers, 'user-agent')
const headers = new Headers()
headers.set('Content-Type', 'application/json')
headers.set('Authorization', `Bearer ${this.apiKey}`)
const clientHeaders = new Headers(clientRequest.headers)
clientHeaders.delete('cookie')
const sendBody: SendBody = {
client_ip: clientIP,
client_host: clientHost,
client_user_agent: clientUserAgent,
fingerprint_data: signals,
...(this.rulesetId ? { ruleset_context: { ruleset_id: this.rulesetId } } : {}),
}
if (clientCookie) {
sendBody.client_cookie = clientCookie
}
const clientHeadersEntries = Array.from(clientHeaders.entries())
Eif (clientHeadersEntries.length) {
sendBody.client_headers = Object.fromEntries(clientHeadersEntries)
}
const requestUrl = new URL(this.url)
requestUrl.pathname = '/v4/send'
const identificationRequest = new Request(requestUrl, {
method: 'POST',
headers: headers,
body: JSON.stringify(sendBody),
})
console.debug(`Sending identification request to ${requestUrl}`, identificationRequest)
const identificationResponse = await fetch(identificationRequest)
console.debug(
`Received identification response for ${requestUrl} request with status:`,
identificationResponse.status
)
if (!identificationResponse.ok) {
const errorText = await identificationResponse.text()
console.error(`Identification request failed with status: ${identificationResponse.status}`, errorText)
throw new IdentificationRequestFailedError(errorText, identificationResponse.status)
}
const identificationDataValidation = SendResponse.safeParse(await identificationResponse.json())
if (!identificationDataValidation.success) {
console.error(`Identification response data is invalid:`, identificationDataValidation.error)
throw new IdentificationRequestFailedError(
`Identification response data is invalid: ${identificationDataValidation.error.message}`,
identificationResponse.status
)
}
const identificationData = identificationDataValidation.data
console.debug(`Identification response data:`, identificationData)
await handleTampering(identificationData.event, clientRequest)
return {
setCookieHeaders: identificationData.set_cookie_headers,
agentData: identificationData.agent_data,
ruleAction: identificationData.rule_action,
event: identificationData.event,
}
}
/**
* Handles the browser cache request by modifying the client request and forwarding it to the configured ingress URL.
*
* @param {Request} clientRequest - The original request from the client.
* @return {Promise<Response>} - A promise that resolves to the response from the forwarded request.
*/
async browserCache(clientRequest: Request): Promise<Response> {
const clientRequestUrl = new URL(clientRequest.url)
// Remove the route prefix from the path
const path = clientRequestUrl.pathname.replace(`/${this.routePrefix}`, '')
const ingressUrl = new URL(path, this.url)
ingressUrl.search = clientRequestUrl.search
const headers = new Headers(clientRequest.headers)
headers.delete('cookie')
const request = copyRequest({ request: clientRequest, init: { headers }, url: ingressUrl })
console.debug(`Sending browser cache request to ${ingressUrl}`, request)
// eslint-disable-next-line @typescript-eslint/consistent-type-assertions
return fetch(request as unknown as Request<unknown, IncomingRequestCfProperties>)
}
/**
* Sends a request to the HTTP Edge API and returns parsed EdgeResponse.
*
* @param {Request} clientRequest The incoming client request containing headers, URL, and method information.
* @return {Promise<EdgeResponse>} A promise that resolves to the processed and validated edge response data.
* @throws {Error} If the edge request fails or if the response contains invalid data.
*/
async edge(clientRequest: Request): Promise<EdgeResponse> {
const clientIP = await getIp(clientRequest.headers)
const ipType = getIpType(clientIP)
const clientRequestHeaders = new Headers(clientRequest.headers)
// In dev environment, we need to explicitly set the host header with the request url, otherwise ingress request will fail
// It's because vite sets the host header to localhost IP, so it becomes different from the actual request url
Iif (import.meta.env.MODE == 'dev') {
clientRequestHeaders.set('host', new URL(clientRequest.url).host)
}
const edgeRequest: EdgeRequest = {
headers: Array.from(clientRequestHeaders.entries()).map(([name, value]) => ({ name, value })),
url: clientRequest.url,
ipv4_address: ipType === 'ipv4' ? clientIP : undefined,
ipv6_address: ipType === 'ipv6' ? clientIP : undefined,
method: clientRequest.method,
}
const ingressUrl = new URL(this.url)
ingressUrl.pathname = '/v4/edge'
const request = new Request(ingressUrl, {
body: JSON.stringify(edgeRequest),
method: 'POST',
headers: {
'Content-Type': 'application/json',
Authorization: `Bearer ${this.apiKey}`,
},
})
console.debug(`Sending edge request to ${ingressUrl}`, edgeRequest)
const response = await fetch(request)
if (!response.ok) {
const text = await response.text().catch(() => '')
throw new Error(`Edge request failed with status: ${response.status} with: ${text}`)
}
const json = await response.json()
const parsedData = EdgeResponse.safeParse(json)
Iif (!parsedData.success) {
console.error('Invalid edge response data', parsedData.error, parsedData.data)
throw new Error('Invalid edge response data')
}
console.debug('Edge response data:', parsedData.data)
return parsedData.data
}
/**
* Safely executes the edge method and handles any errors that may occur during execution.
* Logs an error message and returns undefined if the edge method fails.
*
* @param {Request} clientRequest - The request object to pass to the edge method.
* @return {Promise<EdgeResponse | undefined>} A promise that resolves to the edge response
* if the request is successful, or undefined if an error occurs.
*/
async safeEdge(clientRequest: Request): Promise<EdgeResponse | undefined> {
try {
return await this.edge(clientRequest)
} catch (error) {
console.error('Failed to get edge response:', error)
return undefined
}
}
/**
* Resolves the full identification service URL based on the region and host.
*
* For the 'us' region, uses the host directly without a regional prefix.
* For all other regions, prefixes the host with the region name.
*
* @param region - The target region (e.g., 'us', 'eu', 'ap')
* @param host - The base host name for the identification service
* @returns The complete HTTPS URL for the identification service
*
* @example
* resolveUrl('us', 'api.example.com') // returns 'https://api.example.com'
* resolveUrl('eu', 'api.example.com') // returns 'https://eu.api.example.com'
*/
private static resolveUrl(region: Region, host: string) {
switch (region) {
case 'us':
return `https://${host}`
default:
return `https://${region}.${host}`
}
}
/**
* Parses an incoming request to extract signals, while returning a modified iteration of the request with signals removed.
*
* @param {Request} request The incoming HTTP request to be processed.
* @return {Promise<{ParsedIncomingRequest}>} A promise that resolves with data parsed from the incoming request
* @throws {SignalsNotAvailableError} If signals are not found in the request headers or body.
*/
static async parseIncomingRequest(request: Request): Promise<ParsedIncomingRequest> {
// First, try to find signals in headers
const signals = request.headers.get(SIGNALS_KEY)
if (signals) {
const requestHeaders = new Headers(request.headers)
requestHeaders.delete(SIGNALS_KEY)
// Extract the include credentials flag, if present, from the signals value
const appIncludedCredentials = signals.startsWith(APP_INCLUDED_CREDENTIALS_FLAG)
const parsedSignals = appIncludedCredentials ? signals.substring(1) : signals
console.debug('Found signals in headers:', parsedSignals)
const isCrossOriginRequest = getCrossOriginUrl(request) != null
// Remove cookies when the app did not tell the browser to include them
// but request instrumentation overrode that preference
const removeCookies = !appIncludedCredentials && isCrossOriginRequest
const cookie = request.headers.get('Cookie')
if (removeCookies) {
// The cookie would not have been sent without instrumentation so
// don't forward the cookie to the origin
requestHeaders.delete('Cookie')
}
const clientCookie = findClientCookie(cookie)
return {
clientCookie,
signals: parsedSignals,
removeCookies,
originRequest: copyRequest({
request,
init: {
headers: requestHeaders,
},
}),
}
}
try {
// Otherwise, try to find signals in the request body
if (hasContentType(request.headers, 'application/x-www-form-urlencoded', 'multipart/form-data')) {
const multipartForm = hasContentType(request.headers, 'multipart/form-data')
const data = multipartForm
? await request.clone().formData()
: new URLSearchParams(await request.clone().text())
const signals = data.get(SIGNALS_KEY)
Eif (typeof signals === 'string') {
console.debug('Found signals in request body:', signals)
data.delete(SIGNALS_KEY)
const requestHeaders = new Headers(request.headers)
if (multipartForm) {
// When modifying FormData for multipart/form-data, we also need to remove the old Content-Type header. Otherwise, the boundary will be different and the request will fail.
// The new content type will be set automatically when constructing the new request.
requestHeaders.delete('content-type')
console.debug('Removed content-type header from request')
}
// Native form submissions cannot have instrumentation-forced cookies in the request
// that override the applications preferences and as a result, cookies don't need
// to be removed.
const removeCookies = false
return {
clientCookie: findClientCookie(request.headers.get('Cookie')),
signals,
removeCookies,
originRequest: copyRequest({
request,
init: {
body: data,
headers: requestHeaders,
},
}),
}
}
}
} catch (error) {
console.error('Error parsing incoming request:', error)
}
throw new SignalsNotAvailableError()
}
}
function findClientCookie(cookie: string | null): string | undefined {
if (cookie) {
// Try to find _iidt cookie
const iidtMatch = findCookie(cookie, '_iidt')
if (iidtMatch) {
console.debug('Found _iidt cookie', iidtMatch)
return iidtMatch
}
}
return undefined
}
|