yiekheng
b993de43bc
- Resume scroll position only when arriving via 继续阅读 (?resume=1).
Plain chapter-list / drawer clicks now actively scroll to top on mount.
- Progress format extended to {chapter, page, ratio} for within-page
precision; legacy bare-number and {chapter, page} still read correctly.
- Tappable skeleton logo (sunflower outline, spins) while a page loads;
tap force-fetches a fresh signed URL.
- Viewport-priority image loading: second IntersectionObserver at margin 0
marks truly-visible pages, drives <img fetchpriority="high"> and fires
immediate single-page fetches that cut the batch queue.
- Bounded image cache: unmount previous chapter's <img> elements when
currentPage > 5 into the new chapter; placeholders stay for layout.
One AbortController per live chapter; unmount aborts in-flight batches.
- Hashed chapter IDs on the wire via hashids; DB PKs unchanged.
- Origin/Referer allowlist + rate limiting on all /api/* routes via a
withGuards(opts, handler) wrapper (eliminates 6-line boilerplate x5).
- robots.txt allows Googlebot/Bingbot/Slurp/DuckDuckBot/Baiduspider/
YandexBot only; disallows /api/ for all UAs.
- Extract pure helpers for future TDD: lib/scroll-ratio.ts (calcScrollRatio,
scrollOffsetFromRatio), lib/progress.ts (parseProgress + injectable
StorageLike), lib/rate-limit.ts (optional { now, store, ipOf } deps),
lib/api-guards.ts.
- New env keys: HASHIDS_SALT, ALLOWED_ORIGINS (wired into docker-compose).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
38 lines
1.0 KiB
TypeScript
38 lines
1.0 KiB
TypeScript
const DEFAULT_ORIGINS = [
|
|
"http://localhost:3000",
|
|
"http://localhost:3001",
|
|
"http://10.8.0.2:3000",
|
|
];
|
|
|
|
function allowedOrigins(): string[] {
|
|
const env = process.env.ALLOWED_ORIGINS;
|
|
if (!env) return DEFAULT_ORIGINS;
|
|
return env
|
|
.split(",")
|
|
.map((s) => s.trim())
|
|
.filter(Boolean);
|
|
}
|
|
|
|
export function checkOrigin(request: Request): Response | null {
|
|
const allowed = allowedOrigins();
|
|
const origin = request.headers.get("origin");
|
|
if (origin) {
|
|
return allowed.includes(origin)
|
|
? null
|
|
: Response.json({ error: "Forbidden" }, { status: 403 });
|
|
}
|
|
const referer = request.headers.get("referer");
|
|
if (referer) {
|
|
try {
|
|
const url = new URL(referer);
|
|
const base = `${url.protocol}//${url.host}`;
|
|
return allowed.includes(base)
|
|
? null
|
|
: Response.json({ error: "Forbidden" }, { status: 403 });
|
|
} catch {
|
|
return Response.json({ error: "Forbidden" }, { status: 403 });
|
|
}
|
|
}
|
|
return Response.json({ error: "Forbidden" }, { status: 403 });
|
|
}
|