From 5b829065ad024dd2eca4f8c9e26c11053d46b9c3 Mon Sep 17 00:00:00 2001
From: Josh Heng
Date: Mon, 27 Sep 2021 00:44:20 +0100
Subject: [PATCH] fix: Fix lookmovie security bug by passing PHPSESSID cookie & user agent
---
 src/lib/scraper/lookmovie.js | 21 +++++++++++++++------
 worker.js | 16 ++++++++++++++++
 2 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/src/lib/scraper/lookmovie.js b/src/lib/scraper/lookmovie.js
index f7afb07e..3ddc3c32 100644
--- a/src/lib/scraper/lookmovie.js
+++ b/src/lib/scraper/lookmovie.js
@@ -2,6 +2,7 @@ import Fuse from 'fuse.js'
 import JSON5 from 'json5'
 const BASE_URL = `${process.env.REACT_APP_CORS_PROXY_URL}https://lookmovie.io`;
+let phpsessid;
 async function findContent(searchTerm, type) {
 const searchUrl = `${BASE_URL}/${type}s/search/?q=${encodeURIComponent(searchTerm)}`;
@@ -88,7 +89,9 @@ async function getVideoUrl(config) {
 }
 async function getEpisodeSubs (config) {
- return await fetch(`${BASE_URL}/api/v1/shows/episode-subtitles/?id_episode=${config.id}`).then(res => res.json());
+ return await fetch(`${BASE_URL}/api/v1/shows/episode-subtitles/?id_episode=${config.id}`, {
+ headers: { phpsessid },
+ }).then(res => res.json());
 }
 async function getAccessInfo(config) {
@@ -100,7 +103,9 @@ async function getAccessInfo(config) {
 url = `${BASE_URL}/api/v1/security/show-access?slug=${config.slug}&token=&step=2`;
 }
- const data = await fetch(url).then((d) => d.json());
+ const data = await fetch(url, {
+ headers: { phpsessid },
+ }).then((d) => d.json());
 const token = data?.data?.accessToken;
 const subtitles = data?.data?.subtitles;
@@ -112,7 +117,9 @@ async function getAccessInfo(config) {
 async function getEpisodes(slug) {
 const url = `${BASE_URL}/shows/view/${slug}`;
- const pageReq = await fetch(url).then((d) => d.text());
+ const pageReq = await fetch(url, {
+ headers: { phpsessid },
+ }).then((d) => d.text());
 const data = JSON5.parse("{" +
 pageReq
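Review bot: `headers: { phpsessid }` in getEpisodeSubs sends the literal string "undefined" whenever the module-level `phpsessid` has not been assigned yet, because fetch stringifies header values; the getAccessInfo and getEpisodes hunks have the same problem, and the value becomes "null" once getStreamUrl stores the result of `headers.get()` from a response that lacks the header. The worker's truthiness check in this patch accepts both strings, so the upstream request would carry `Cookie: PHPSESSID=undefined;`. Send the header only when a value exists, for example `headers: phpsessid ? { phpsessid } : {},`. A one-line comment on `let phpsessid;` should state that getStreamUrl is the only writer and that the value is shared by every later call in the module.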
@@ -139,11 +146,13 @@ async function getEpisodes(slug) {
 async function getStreamUrl(slug, type, season, episode) {
 const url = `${BASE_URL}/${type}s/view/${slug}`;
- const pageReq = await fetch(url).then((d) => d.text());
+ const pageRes = await fetch(url);
+ phpsessid = pageRes.headers.get('phpsessid');
+ const pageResText = await pageRes.text();
 const data = JSON5.parse("{" +
- pageReq
- .slice(pageReq.indexOf(`${type}_storage`))
+ pageResText
+ .slice(pageResText.indexOf(`${type}_storage`))
 .split("};")[0]
 .split("= {")[1]
 .trim() +
diff --git a/worker.js b/worker.js
index fe1774fb..689d7a47 100644
--- a/worker.js
+++ b/worker.js
@@ -20,6 +20,14 @@ async function handleRequest(request, destinationUrl, iteration = 0) {
 request = new Request(destinationUrl, request);
 request.headers.set("Origin", new URL(destinationUrl).origin);
+ // Set PHPSESSID cookie
+ if (request.headers.get('PHPSESSID')) {
+ request.headers.set('Cookie', `PHPSESSID=${request.headers.get('PHPSESSID')};`);
+ }
+
+ // Set User Agent
+ request.headers.set('User-Agent', ' Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0');
+
 let response = await fetch(request);
 if ((response.status === 302 || response.status === 301) && response.headers.get('location')) {
@@ -40,6 +48,14 @@ async function handleRequest(request, destinationUrl, iteration = 0) {
 // Set CORS headers
 response.headers.set("Access-Control-Allow-Origin", '*');
+ // Get and set PHPSESSID cookie
+ const cookies = response.headers.get('Set-Cookie');
+ if (cookies && cookies.includes('PHPSESSID') && cookies.includes(';')) {
+ let phpsessid = cookies.slice(cookies.search('PHPSESSID') + 10);
+ phpsessid = phpsessid.slice(0, phpsessid.search(';'));
+ response.headers.set('PHPSESSID', phpsessid);
+ }
+
 // Append to/Add Vary header so browser will cache response correctly
 response.headers.append("Vary", "Origin");
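Review bot: `pageRes.headers.get('phpsessid')` in getStreamUrl returns null in a browser unless the proxy names the header in `Access-Control-Expose-Headers`, because a cross-origin fetch hides response headers that are not safelisted; the worker hunks in this patch show `Access-Control-Allow-Origin` only, so confirm the expose header is set outside them. The custom request header also makes the other scraper calls non-simple, so the worker has to answer the preflight with `Access-Control-Allow-Headers` covering `phpsessid`. Keeping the previous value when the header is absent avoids overwriting a good session with null: `phpsessid = pageRes.headers.get('phpsessid') ?? phpsessid;`. getStreamUrl continues past the end of the hunk.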
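Review bot: The `PHPSESSID` request header is copied into `Cookie` without validation in the first worker.js hunk, so whatever a caller of the proxy puts after a `;` in that header becomes additional cookie pairs on the upstream request, and the custom header itself is still forwarded upstream. Read the value once, accept only the characters a PHP session id can contain, and delete the header before the fetch. The block also runs for every `destinationUrl`, not only the scraper's host, and replaces any `Cookie` and `User-Agent` the caller sent; if that is intended, a comment should say so. handleRequest starts and ends outside the hunk.

```javascript
// Set PHPSESSID cookie
const sessionId = request.headers.get('PHPSESSID');
if (sessionId && /^[A-Za-z0-9,-]+$/.test(sessionId)) {
    request.headers.set('Cookie', `PHPSESSID=${sessionId}`);
}
request.headers.delete('PHPSESSID');
// … unchanged: User-Agent override, fetch(request) …
```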
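Review bot: The substring parsing of `Set-Cookie` in the second worker.js hunk truncates the id when no `;` follows the `PHPSESSID` value: `phpsessid.search(';')` returns -1, `slice(0, -1)` drops the last character, and the `cookies.includes(';')` guard can be satisfied by a different cookie in the combined header. The `search('PHPSESSID')` call also matches the text inside another cookie's name or value. One anchored match covers both cases: `const m = /(?:^|,\s*)PHPSESSID=([^;,\s]+)/.exec(cookies);` followed by `if (m) response.headers.set('PHPSESSID', m[1]);`. Since the response carries `Access-Control-Allow-Origin: *`, a comment should record that the upstream session id is deliberately returned to every caller of the proxy, or the header should be limited to the scraper's destination host.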