api/handshake.js

const fetch = require('node-fetch');
const { encrypt, decrypt } = require('../lib/crypto');

const KEY = "jb%!SZfM%AwwS7JmdM!";
const VERSION = "1.0.9";
const FLAVOUR = "neoRed";

module.exports = async (req, res) => {
    // Enable CORS
    res.setHeader('Access-Control-Allow-Origin', '*');
    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
    res.setHeader('Access-Control-Allow-Headers', 'Content-Type');

    if (req.method === 'OPTIONS') {
        return res.status(200).end();
    }

    try {
        const { wifi, lan } = req.query;
        if (!wifi || !lan) {
            return res.status(400).json({ error: "Missing wifi or lan parameters" });
        }

        // 1. Prepare Authentication Payload
        const payload = `wifi=${wifi}&lan=${lan}&code=NAN&mobile=NAN&isMobile=false`;
        const encryptedE = encrypt(payload, KEY);

        // 2. Prepare Security Headers
        const headers = {
            "wifi": encrypt(wifi, KEY),
            "lan": encrypt(lan, KEY),
            "version": encrypt(VERSION, KEY),
            "flavour": encrypt(FLAVOUR, KEY),
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36",
            "Content-Type": "application/x-www-form-urlencoded"
        };

        // 3. Call the Middleware
        const targetUrl = `http://918197185.com/api/v2-d/api.php?tag=UniTV_MAC`;
        const response = await fetch(targetUrl, {
            method: 'POST',
            headers: headers,
            body: `e=${encodeURIComponent(encryptedE)}`
        });

        const encryptedText = await response.text();
        
        // 4. Decrypt the response (UniTV returns Salted__ Base64)
        let decryptedData;
        try {
            const decryptedBody = decrypt(encryptedText.trim(), KEY);
            decryptedData = JSON.parse(decryptedBody);
        } catch (decError) {
            console.error("Decryption Failed:", decError);
            return res.status(500).json({ 
                error: "Decryption failed", 
                raw: encryptedText,
                msg: decError.message 
            });
        }

        // 5. Return the dynamic credentials to Roku
        return res.status(200).json(decryptedData);

    } catch (error) {
        console.error("Handshake Error:", error);
        return res.status(500).json({ error: error.message });
    }
};