Update server/server.js

server/server.js

@@ -6,6 +6,7 @@ import { Server as SocketIOServer } from 'socket.io';
 import path from 'path';
 import { fileURLToPath } from 'url';
 import axios from 'axios';
+import { PassThrough } from 'stream';
 import {
   searchUniversal,
   getSong,
@@ -21,7 +22,6 @@ const app = express();
 app.use(cors());
 app.use(express.json());
 
-// --- small utils ---
 function short(v, n = 400) {
   try {
     const s = typeof v === 'string' ? v : JSON.stringify(v);
@@ -34,7 +34,7 @@ function log(...args) {
   console.log(new Date().toISOString(), ...args);
 }
 
-// ---------- Room state ----------
+// ---------- Room state (same as before) ----------
 const rooms = new Map();
 function ensureRoom(roomId) {
   if (!rooms.has(roomId)) {
@@ -70,6 +70,8 @@ function membersPayload(room) {
     isHost: id === room.hostId
   }));
 }
+
+// helpers used by socket handlers later
 function broadcastMembers(roomId) {
   const room = rooms.get(roomId);
   if (!room) return;
@@ -110,7 +112,7 @@ function findUserByName(room, targetNameRaw) {
   return null;
 }
 
-// Health check
+// Health
 app.get('/healthz', (_req, res) => res.send('OK'));
 
 // ---------- JioSaavn proxies ----------
@@ -153,7 +155,7 @@ app.get('/api/lyrics', async (req, res) => {
   } catch (e) { log('/api/lyrics error', e?.message || short(e?.response?.data)); res.status(500).json({ error: e.message }); }
 });
 
-// ---------- YouTube search (optional) ----------
+// ---------- YouTube search ----------
 app.get('/api/ytsearch', async (req, res) => {
   try {
     const key = process.env.YT_API_KEY;
@@ -227,18 +229,19 @@ app.get('/api/yt/source', async (req, res) => {
 });
 
 /*
-  NEW: /api/yt/proxy
-  - Proxies the raw GoogleVideo (redirector) URL so browser won't hit CORS issues.
-  - Supports Range header (seeking).
-  - Validates host by default (only googlevideo.com).
-  - Usage: <video src="/api/yt/proxy?url=<ENCODED_REDIRECTOR_URL>">
+  Robust /api/yt/proxy implementation
+  - Proxies only allowed hosts (default: googlevideo.com)
+  - Forwards Range header
+  - Sets a user-agent and referer to reduce upstream blocking
+  - Peeks first chunk and rejects HTML/text responses (common when link expired)
+  - Forwards content-type, content-length, content-range, accept-ranges, cache-control, etag, last-modified
 */
 function isAllowedProxyHost(urlStr) {
   try {
     const u = new URL(urlStr);
     const host = u.hostname.toLowerCase();
-    // default allow only googlevideo redirector hosts; expand list if you use others
-    return host.endsWith('googlevideo.com') || host === 'redirector.googlevideo.com';
+    // allow googlevideo redirector hosts (expand as needed)
+    return host.endsWith('googlevideo.com') || host.endsWith('redirector.googlevideo.com');
   } catch {
     return false;
   }
@@ -250,53 +253,145 @@ app.get('/api/yt/proxy', async (req, res) => {
     if (!raw) return res.status(400).json({ error: 'Missing url' });
 
     if (!isAllowedProxyHost(raw)) {
-      // If you need to proxy other hosts, update isAllowedProxyHost accordingly.
       return res.status(400).json({ error: 'Proxy to this host is not allowed by server policy' });
     }
 
-    // Preserve Range header for partial content requests (seeking)
+    // Forward client's Range if present
     const rangeHeader = req.headers.range || null;
-    const headers = {};
-    if (rangeHeader) headers.Range = rangeHeader;
+    const requestHeaders = {
+      // make upstream think this is a real browser request
+      'User-Agent': req.headers['user-agent'] || 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
+      'Accept': 'video/*,*/*;q=0.9',
+      'Referer': 'https://www.youtube.com/',
+      // pass Range if client requested it (seek)
+      ...(rangeHeader ? { Range: rangeHeader } : {})
+    };
 
     log('/api/yt/proxy fetching remote', short(raw, 200), 'Range:', rangeHeader ? rangeHeader.slice(0,120) : 'none');
 
-    // Use axios to stream remote response; allow non-2xx so we can forward status
     const resp = await axios.get(raw, {
       responseType: 'stream',
       timeout: 20000,
-      headers,
+      headers: requestHeaders,
+      maxRedirects: 5,
       validateStatus: () => true
     });
 
-    // Forward key headers from remote to client (if present)
-    const hopByHop = new Set([
-      'transfer-encoding', 'connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization',
-      'te', 'trailer', 'upgrade'
-    ]);
-    const forwardable = ['content-type','content-length','content-range','accept-ranges','cache-control','last-modified','etag'];
+    // If remote responded with an error status, try to capture a small snippet and return 502
+    if (resp.status >= 400) {
+      let snippet = '';
+      try {
+        // try to read a short snippet from the stream (if any)
+        const streamReader = resp.data;
+        const chunk = await new Promise((resolve) => {
+          let done = false;
+          const onData = (c) => { if (!done) { done = true; cleanup(); resolve(c); } };
+          const onEnd = () => { if (!done) { done = true; cleanup(); resolve(null); } };
+          const onErr = () => { if (!done) { done = true; cleanup(); resolve(null); } };
+          const cleanup = () => { streamReader.removeListener('data', onData); streamReader.removeListener('end', onEnd); streamReader.removeListener('error', onErr); };
+          streamReader.once('data', onData);
+          streamReader.once('end', onEnd);
+          streamReader.once('error', onErr);
+        });
+        if (chunk) snippet = chunk.toString('utf8', 0, 800);
+      } catch (xx) { /* ignore */ }
+      log('/api/yt/proxy remote returned error status', resp.status, 'snippet:', short(snippet, 400));
+      return res.status(502).json({ error: 'Remote returned error', status: resp.status, snippet: short(snippet, 800) });
+    }
+
+    // If content-type looks like html/text/json, the signed URL probably expired or upstream blocked — reject.
+    const ct = String(resp.headers['content-type'] || '').toLowerCase();
+    if (ct.includes('text/html') || ct.includes('application/json') || ct.includes('text/plain')) {
+      // read a small snippet from stream to give debug info then abort
+      let snippet = '';
+      try {
+        const streamReader = resp.data;
+        const chunk = await new Promise((resolve) => {
+          let done = false;
+          const onData = (c) => { if (!done) { done = true; cleanup(); resolve(c); } };
+          const onEnd = () => { if (!done) { done = true; cleanup(); resolve(null); } };
+          const onErr = () => { if (!done) { done = true; cleanup(); resolve(null); } };
+          const cleanup = () => { streamReader.removeListener('data', onData); streamReader.removeListener('end', onEnd); streamReader.removeListener('error', onErr); };
+          streamReader.once('data', onData);
+          streamReader.once('end', onEnd);
+          streamReader.once('error', onErr);
+        });
+        if (chunk) snippet = chunk.toString('utf8', 0, 1600);
+      } catch (xx) {}
+      log('/api/yt/proxy remote returned text/html or json; rejecting. ct=', ct, 'snippet=', short(snippet, 800));
+      return res.status(502).json({ error: 'Remote returned unexpected content-type', contentType: ct, snippet: short(snippet, 800) });
+    }
+
+    // Now we will peek first data chunk to ensure we didn't get HTML disguised as video,
+    // then pass the full stream to client via PassThrough.
+    const remoteStream = resp.data; // Readable
+    const pass = new PassThrough();
+
+    let firstChunkChecked = false;
+    let firstChunkBuffer = null;
+    const onRemoteData = (chunk) => {
+      if (!firstChunkChecked) {
+        firstChunkChecked = true;
+        firstChunkBuffer = chunk;
+        const s = chunk.toString('utf8', 0, Math.min(chunk.length, 1024)).trim();
+        // if snippet looks like HTML or JSON, abort (remote probably returned an error page)
+        if (s.startsWith('<!doctype') || s.startsWith('<html') || s.startsWith('{') || s.includes('<html') || s.includes('Sign in to')) {
+          // drain remote and return 502
+          try { remoteStream.pause(); } catch {}
+          const snippet = s.slice(0, 1600);
+          log('/api/yt/proxy detected HTML/JSON in first chunk; aborting. snippet:', short(snippet, 800));
+          // cleanup listeners
+          remoteStream.removeListener('data', onRemoteData);
+          remoteStream.removeAllListeners();
+          pass.end(); // end passthrough
+          // respond with 502 and snippet
+          return res.status(502).json({ error: 'Remote returned non-media content (HTML/JSON)', snippet: short(snippet, 1000) });
+        } else {
+          // write the first chunk into pass and then pipe remainder
+          pass.write(chunk);
+          // allow rest of remote stream to be piped into pass
+          remoteStream.pipe(pass, { end: true });
+          // remove this listener (since we piped)
+          remoteStream.removeListener('data', onRemoteData);
+        }
+      }
+    };
 
+    // attach the onRemoteData listener
+    remoteStream.on('data', onRemoteData);
+
+    // Forward key headers from remote to client
+    const forwardable = ['content-type','content-length','content-range','accept-ranges','cache-control','last-modified','etag'];
     forwardable.forEach(h => {
       const v = resp.headers[h];
       if (v !== undefined) res.setHeader(h, v);
     });
 
-    // Ensure CORS header (app.use(cors()) covers most routes but for streamed responses set explicitly)
+    // Set explicit CORS
     res.setHeader('Access-Control-Allow-Origin', '*');
-    // allow range requests from browsers
     res.setHeader('Access-Control-Allow-Headers', 'Range,Accept,Content-Type');
-    // reflect remote status (206 if partial, 200 if full)
+    // set status (206 if partial content)
     res.status(resp.status);
 
-    // Pipe the remote stream to the response
-    resp.data.pipe(res);
+    // If remote hasn't emitted any data yet (rare), pipe anyway (the onRemoteData handles first chunk)
+    // finally pipe the pass-through to the client response
+    pass.pipe(res);
 
-    // error handling on the stream
-    resp.data.on('error', (err) => {
+    // handle remote stream errors
+    remoteStream.on('error', (err) => {
       log('/api/yt/proxy remote stream error:', err?.message || String(err));
-      // if response not ended yet, try to send an error
-      try { if (!res.headersSent) res.status(502).json({ error: 'Remote stream error', detail: err?.message || String(err) }); } catch {}
+      try {
+        if (!res.headersSent) res.status(502).json({ error: 'Remote stream error', detail: err?.message || String(err) });
+        else res.destroy(err);
+      } catch {}
+    });
+
+    // handle pass errors
+    pass.on('error', (err) => {
+      log('/api/yt/proxy pass error:', err?.message || String(err));
+      try { if (!res.headersSent) res.status(502).json({ error: 'PassThrough error', detail: err?.message || String(err) }); } catch {}
     });
+
   } catch (e) {
     log('/api/yt/proxy unexpected error:', e?.response?.status ?? e?.message ?? String(e));
     const detail = e?.response?.data ?? e?.message ?? String(e);
@@ -304,7 +399,10 @@ app.get('/api/yt/proxy', async (req, res) => {
   }
 });
 
-// ---------- Lobby ----------
+// ---------- Lobby / static / Socket.IO ----------
+// (The rest of your server remains the same — socket handlers, static client, etc.)
+// For completeness, include the socket setup and handlers (copied from your previous file).
+
 app.get('/api/rooms', (_req, res) => {
   const data = [...rooms.values()]
     .filter(r => r.users.size > 0)
@@ -318,17 +416,16 @@ app.get('/api/rooms', (_req, res) => {
 });
 app.get('/api/ping', (_req, res) => res.json({ ok: true }));
 
-// ---------- Static client ----------
 const clientDir = path.resolve(__dirname, '../client/dist');
 app.use(express.static(clientDir));
 app.get('*', (_req, res) => res.sendFile(path.join(clientDir, 'index.html')));
 
-// ---------- Socket.IO ----------
 const server = http.createServer(app);
 const io = new SocketIOServer(server, {
   cors: { origin: '*', methods: ['GET', 'POST'] }
 });
 
+// Socket handlers (unchanged logic) — simplified copy from your previous code:
 io.on('connection', (socket) => {
   let joinedRoom = null;
 
@@ -372,11 +469,6 @@ io.on('connection', (socket) => {
     socket.to(roomId).emit('chat_message', { name, text, at: Date.now() });
   });
 
-  // song_request, song_request_action, set_track, play/pause/seek/ended, admin_command, sync_request...
-  // (The rest of your socket handlers are unchanged — keep them exactly as before.)
-  // For brevity in this snippet, the same socket handlers from your previous file are used:
-  // copy/paste the rest of the socket handlers here (or keep this file from my previous response).
-  // ---------- START socket handlers ----------
   socket.on('song_request', ({ roomId, requester, query }) => {
     const room = rooms.get(roomId);
     if (!room) return;
@@ -531,7 +623,6 @@ io.on('connection', (socket) => {
   });
 });
 
-// start server
 const PORT = process.env.PORT || 3000;
 server.listen(PORT, () => {
   log(`Server running on port ${PORT}`);