camomile

v1.0.1

Node.js HTTP image proxy to route images through SSL

Downloads: 88

camomile

camomile is a Node.js HTTP proxy to route images through SSL, compatible with unified plugins, to safely embed user content on the web.

What is this?

This is a Node.js HTTP proxy to route images through SSL, integrable in any Node.js server such as Express, Koa, Fastify, or Next.js.

camomile works together with rehype-github-image, which does the following at build time:

  1. find all insecure HTTP image URLs in content
  2. generate HMAC signature of each URL
  3. replace the URL with a signed URL containing the encoded URL and HMAC

When a user visits your app and views the content:

  1. their browser requests the URLs going to your server
  2. camomile validates the HMAC, decodes the URL, requests the content from the origin server without sensitive headers, and streams it to the client
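
The sign-then-verify flow described above, as an added example (not camomile's or rehype-github-image's own code). The `/<hmac>/<hex URL>` path layout, HMAC-SHA-256, and the list of sensitive headers are assumptions made for illustration.

```javascript
// Added example, not camomile's source. Path layout, SHA-256 and the header
// list are assumptions made for illustration.
const {createHmac, timingSafeEqual} =
  typeof require === 'function'
    ? require('node:crypto') // CommonJS
    : process.getBuiltinModule('node:crypto') // ES module

// Headers that identify the visitor and should not reach the origin (assumed list).
const sensitive = new Set(['authorization', 'cookie', 'referer', 'x-forwarded-for'])

function digest(secret, url) {
  return createHmac('sha256', secret).update(url).digest()
}

// Build time (the role of rehype-github-image): sign an insecure image URL.
function signUrl(secret, base, url) {
  const mac = digest(secret, url).toString('hex')
  return base + '/' + mac + '/' + Buffer.from(url).toString('hex')
}

// Request time (the role of the proxy): return the origin URL, or `undefined`
// when the path is malformed or the HMAC does not match.
function verifyPath(secret, path) {
  // Last two segments only, so a mount prefix such as `/uploads` is ignored.
  const match = /\/([\da-f]{64})\/((?:[\da-f]{2})+)$/.exec(path)
  if (!match) return undefined
  const url = Buffer.from(match[2], 'hex').toString()
  const given = Buffer.from(match[1], 'hex')
  // Constant-time compare; both buffers are 32 bytes because of the regex.
  return timingSafeEqual(given, digest(secret, url)) ? url : undefined
}

// Drop sensitive headers before the request to the origin server is made.
function stripSensitiveHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).filter(([name]) => !sensitive.has(name.toLowerCase()))
  )
}

// Constructed sample values.
const sampleSecret = 'constructed-example-secret'
const sampleSigned = signUrl(
  sampleSecret,
  'https://example.com/uploads',
  'http://example.org/cat.png'
)
console.log(sampleSigned)
console.log(verifyPath(sampleSecret, new URL(sampleSigned).pathname))
```

A URL whose encoded part was altered after signing, or one signed with a different key, yields `undefined` and is not fetched.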

When should I use this?

Use this when you want to embed user content on the web in a safe way. Sometimes user content is served over HTTP, which is not secure:

An HTTPS page that includes content fetched using cleartext HTTP is called a mixed content page. Pages like this are only partially encrypted, leaving the unencrypted content accessible to sniffers and man-in-the-middle attackers.

MDN

Routing images through camomile also prevents information about your users from leaking to other servers.

Install

This package is ESM only. In Node.js (version 18+), install with npm:

npm install camomile

Use

import process from 'node:process'
import {Camomile} from 'camomile'

const secret = process.env.CAMOMILE_SECRET

if (!secret) throw new Error('Missing `CAMOMILE_SECRET` in environment')

const server = new Camomile({secret})

server.listen({host: '127.0.0.1', port: 1080})

API

This package exports the identifier Camomile. It exports the TypeScript type Options. There is no default export.

new Camomile(options)

Create a new camomile server with options.

Parameters
  • options (Options, required) — configuration
Returns

Server.

Options

Configuration (TypeScript type).

Fields
  • maxSize (number, default: 100 * 1024 * 1024) — max size in bytes per resource to download; a 413 is sent if the resource is larger than the maximum size
  • secret (string, required) — HMAC key used to validate the signed URLs; the same key is used by rehype-github-image to sign them
  • serverName (string, default: 'camomile') — server name sent in Via

Examples

Example: integrate camomile into Express

import process from 'node:process'
import {Camomile} from 'camomile'
import express from 'express'

const secret = process.env.CAMOMILE_SECRET
if (!secret) throw new Error('Missing `CAMOMILE_SECRET` in environment')

const uploadApp = express()
const camomile = new Camomile({secret})
uploadApp.all('*', camomile.handle.bind(camomile))

const host = '127.0.0.1'
const port = 1080
const app = express()
app.use('/uploads', uploadApp)
app.listen(port, host)

console.log('Listening on `http://' + host + ':' + port + '/uploads/`')

Example: integrate camomile into Koa

import process from 'node:process'
import {Camomile} from 'camomile'
import Koa from 'koa'

const secret = process.env.CAMOMILE_SECRET
if (!secret) throw new Error('Missing `CAMOMILE_SECRET` in environment')
const camomile = new Camomile({secret})

const port = 1080
const app = new Koa()

app.use(function (ctx, next) {
  if (/^\/files\/.+/.test(ctx.path.toLowerCase())) {
    return camomile.handle(ctx.req, ctx.res)
  }

  return next()
})

app.listen(port)

Example: integrate camomile into Fastify

import process from 'node:process'
import {Camomile} from 'camomile'
import createFastify from 'fastify'

const secret = process.env.CAMOMILE_SECRET
if (!secret) throw new Error('Missing `CAMOMILE_SECRET` in environment')

const fastify = createFastify({logger: true})
const camomile = new Camomile({secret})

/**
 * Add a `content-type` parser so fastify forwards the request without parsing it, leaving the body untouched.
 *
 * @see https://www.fastify.io/docs/latest/Reference/ContentTypeParser/
 */
fastify.addContentTypeParser(
  'application/offset+octet-stream',
  function (request, payload, done) {
    done(null)
  }
)

/**
 * Use camomile to handle preparation and file handling requests.
 * `.raw` gets the raw Node HTTP request and response objects.
 *
 * @see https://www.fastify.io/docs/latest/Reference/Request/
 * @see https://www.fastify.io/docs/latest/Reference/Reply/#raw
 */
fastify.all('/files', function (request, response) {
  camomile.handle(request.raw, response.raw)
})
fastify.all('/files/*', function (request, response) {
  camomile.handle(request.raw, response.raw)
})

fastify.listen({port: 3000}, function (error) {
  if (error) {
    fastify.log.error(error)
    process.exit(1)
  }
})

Example: integrate camomile into Next.js

Attach the camomile server handler to a Next.js route handler in an optional catch-all route file:

/pages/api/upload/[[...file]].ts

import process from 'node:process'
import {Camomile} from 'camomile'
import type {NextApiRequest, NextApiResponse} from 'next'

const secret = process.env.CAMOMILE_SECRET
if (!secret) throw new Error('Missing `CAMOMILE_SECRET` in environment')

/**
 * Important: this tells Next.js not to parse the body, as camomile requires
 * @see https://nextjs.org/docs/api-routes/request-helpers
 */
export const config = {api: {bodyParser: false}}

const camomile = new Camomile({secret})

export default async function handler(
  request: NextApiRequest,
  response: NextApiResponse
) {
  return camomile.handle(request, response)
}

Compatibility

Projects maintained by the unified collective are compatible with maintained versions of Node.js.

When we cut a new major release, we drop support for unmaintained versions of Node. This means we try to keep the current release line, camomile@^1, compatible with Node.js 18.

Contribute

See contributing.md in rehypejs/.github for ways to get started. See support.md for ways to get help.

This project has a code of conduct. By interacting with this repository, organization, or community you agree to abide by its terms.

For info on how to submit a security report, see our security policy.

Acknowledgments

In 2010 GitHub introduced camo, a similar server in CoffeeScript, which is now deprecated and in public archive. This project is a spiritual successor to camo.

A lot of inspiration was also taken from go-camo, which is a modern and maintained image proxy in Go.

Thanks to @kytta for the npm package name camomile!

License

MIT © Merlijn Vos