Update server/server.js

server/server.js

@@ -1,3 +1,7 @@
+// server/server.js
+// Complete server using Vidfly-only YouTube resolution + robust Range-aware proxy to bypass CORS,
+// plus JioSaavn endpoints, YouTube v3 search, lobby, and full Socket.IO sync.
+
 import express from 'express';
 import http from 'http';
 import cors from 'cors';
@@ -19,7 +23,7 @@ const __dirname = path.dirname(__filename);
 
 const app = express();
 
-// CORS for API endpoints (the client is same origin; this also helps external embeds)
+// Broad CORS for API routes (static assets are same-origin)
 app.use(cors({ origin: '*', credentials: true }));
 app.use(express.json());
 
@@ -30,35 +34,45 @@ const vidflyCache = new NodeCache({ stdTTL: 300, checkperiod: 60 });
 app.get('/healthz', (_req, res) => res.send('OK'));
 
 // ---------------- Media proxy (Range-aware, CORS-safe) ----------------
-// Use this for all Vidfly media URLs to bypass CORS.
+// Always route browser playback through this to bypass CORS on googlevideo.com.
+// Supports Range for seeking, forwards useful headers, sets permissive CORS on response.
+app.options('/api/proxy', (_req, res) => {
+  res.setHeader('Access-Control-Allow-Origin', '*');
+  res.setHeader('Access-Control-Allow-Headers', 'Range, Content-Type, Accept, Accept-Encoding, Accept-Language');
+  res.setHeader('Access-Control-Allow-Methods', 'GET, HEAD, OPTIONS');
+  res.setHeader('Access-Control-Allow-Credentials', 'true');
+  res.status(204).end();
+});
+
 app.get('/api/proxy', async (req, res) => {
   const target = req.query.url;
   if (!target) return res.status(400).send('Missing url');
 
   try {
-    // Forward Range and basic headers for streaming/seeking
+    // Forward Range and some common headers that CDNs sometimes care about
     const headers = {};
     if (req.headers.range) headers.Range = req.headers.range;
-    if (req.headers['user-agent']) headers['User-Agent'] = req.headers['user-agent'];
-    if (req.headers['accept']) headers['Accept'] = req.headers['accept'];
+    headers['User-Agent'] = req.headers['user-agent'] || 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/116 Safari/537.36';
+    headers['Accept'] = req.headers['accept'] || '*/*';
     if (req.headers['accept-encoding']) headers['Accept-Encoding'] = req.headers['accept-encoding'];
     if (req.headers['accept-language']) headers['Accept-Language'] = req.headers['accept-language'];
-    // Some CDNs check Referer; set a generic one if not present
-    headers.Referer = req.headers.referer || 'https://www.youtube.com/';
+    headers['Referer'] = req.headers.referer || 'https://www.youtube.com/';
 
     const upstream = await axios.get(target, {
       responseType: 'stream',
       headers,
-      // We need to forward non-200 statuses for partial content
+      // Important: allow 206/416/etc to pass through
       validateStatus: () => true,
       maxRedirects: 5
     });
 
-    // CORS headers for the proxied response (so <video> can consume it)
+    // Set permissive CORS on the proxied response
     res.setHeader('Access-Control-Allow-Origin', '*');
     res.setHeader('Access-Control-Allow-Credentials', 'true');
+    // Expose content-range so browsers can read seek info if needed
+    res.setHeader('Access-Control-Expose-Headers', 'Content-Range, Accept-Ranges');
 
-    // Mirror status and key headers (content-range enables seeking)
+    // Mirror status and key headers necessary for media playback/seek
     res.status(upstream.status);
     const passthroughHeaders = [
       'content-type',
@@ -77,14 +91,17 @@ app.get('/api/proxy', async (req, res) => {
       if (v) res.setHeader(h, v);
     }
 
+    // Pipe body
     upstream.data.pipe(res);
   } catch (e) {
+    // Avoid leaking internal details
     res.status(502).send('Proxy fetch failed');
   }
 });
 
-// ---------------- YouTube via Vidfly (no yt-dlp) ----------------
+// ---------------- YouTube via Vidfly (yt-dlp removed) ----------------
 // GET /api/yt/source?url=<watchURL or 11-char ID>
+// Returns direct stream URL from Vidfly; client will auto-route via /api/proxy if CORS blocks direct.
 app.get('/api/yt/source', async (req, res) => {
   try {
     const raw = (req.query.url || '').trim();
@@ -96,11 +113,10 @@ app.get('/api/yt/source', async (req, res) => {
       watchUrl = `https://www.youtube.com/watch?v=${raw}`;
     }
 
-    // Cache
+    // Cache Vidfly results
     const cacheKey = `vidfly:${watchUrl}`;
     let info = vidflyCache.get(cacheKey);
     if (!info) {
-      // Vidfly API
       const resp = await axios.get('https://api.vidfly.ai/api/media/youtube/download', {
         params: { url: watchUrl },
         timeout: 20000
@@ -109,8 +125,8 @@ app.get('/api/yt/source', async (req, res) => {
       vidflyCache.set(cacheKey, info);
     }
 
-    // Parse Vidfly shape you provided:
-    // { code: 0, data: { cover, duration, title?, items: [ { ext, type, height, label, url, ... }, ... ] } }
+    // Expected shape:
+    // { code: 0, data: { title?, cover, duration, items: [ { ext, type, height, label, url, ... }, ... ] } }
     if (info?.code !== 0 || !info?.data?.items?.length) {
       return res.status(502).json({ error: 'Vidfly: No playable stream' });
     }
@@ -118,12 +134,12 @@ app.get('/api/yt/source', async (req, res) => {
     const data = info.data;
     const items = Array.isArray(data.items) ? data.items : [];
 
-    // Prefer video_with_audio mp4 with highest height
+    // Prefer 'video_with_audio' mp4 with highest height
     const muxed = items
       .filter(i => i?.type === 'video_with_audio' && i?.ext === 'mp4' && i?.url)
       .sort((a, b) => (b.height || 0) - (a.height || 0))[0];
 
-    // Fallback: best "audio" (if provided)
+    // Fallback: best audio (if provided)
     const bestAudio = items
       .filter(i => i?.type === 'audio' && i?.url)
       .sort((a, b) => {
@@ -137,7 +153,7 @@ app.get('/api/yt/source', async (req, res) => {
       return res.status(502).json({ error: 'Vidfly: No playable stream url' });
     }
 
-    // Return the raw URL (client will route via /api/proxy automatically on error)
+    // Return raw URL; client will use direct src and auto-switch to /api/proxy on CORS error
     return res.json({
       url: chosen.url,
       title: data.title || watchUrl,
@@ -152,7 +168,7 @@ app.get('/api/yt/source', async (req, res) => {
 });
 
 // ---------------- YouTube search (Data API v3) ----------------
-// Set env YT_API_KEY to enable
+// Enable by setting env YT_API_KEY
 app.get('/api/ytsearch', async (req, res) => {
   try {
     const key = process.env.YT_API_KEY;
@@ -267,12 +283,11 @@ function membersPayload(room) {
 function broadcastMembers(roomId) {
   const room = rooms.get(roomId);
   if (!room) return;
-  const members = membersPayload(room);
-  io.to(roomId).emit('members', { members, roomName: room.name || room.id });
+  io.to(roomId).emit('members', { members: membersPayload(room), roomName: room.name || room.id });
 }
 
 function requireHostOrCohost(room, socketId) {
-  const u = room.users.get(socket.id);
+  const u = room.users.get(socketId);
   return (socketId === room.hostId) || (u && u.role === 'cohost');
 }
 
@@ -381,8 +396,7 @@ io.on('connection', (socket) => {
   socket.on('song_request_action', ({ roomId, action, track }) => {
     const room = rooms.get(roomId);
     if (!room) return;
-    const actor = room.users.get(socket.id);
-    if (!actor || !(socket.id === room.hostId || actor.role === 'cohost')) return;
+    if (!requireHostOrCohost(room, socket.id)) return;
     if ((action === 'accept' || action === 'queue') && track) {
       const t = {
         url: track.url,
@@ -409,8 +423,7 @@ io.on('connection', (socket) => {
 
   socket.on('set_track', ({ roomId, track }) => {
     const room = rooms.get(roomId);
-    const actor = room.users.get(socket.id);
-    if (!room || !(socket.id === room.hostId || actor?.role === 'cohost')) return;
+    if (!room || !requireHostOrCohost(room, socket.id)) return;
     const thumb = track.thumb || normalizeThumb(track.meta || {});
     room.track = { ...track, thumb };
     room.isPlaying = false;
@@ -423,8 +436,7 @@ io.on('connection', (socket) => {
 
   socket.on('play', ({ roomId }) => {
     const room = rooms.get(roomId);
-    const actor = room.users.get(socket.id);
-    if (!room || !(socket.id === room.hostId || actor?.role === 'cohost')) return;
+    if (!room || !requireHostOrCohost(room, socket.id)) return;
     room.isPlaying = true;
     room.anchorAt = Date.now();
     io.to(roomId).emit('play', { anchor: room.anchor, anchorAt: room.anchorAt });
@@ -432,8 +444,7 @@ io.on('connection', (socket) => {
 
   socket.on('pause', ({ roomId }) => {
     const room = rooms.get(roomId);
-    const actor = room.users.get(socket.id);
-    if (!room || !(socket.id === room.hostId || actor?.role === 'cohost')) return;
+    if (!room || !requireHostOrCohost(room, socket.id)) return;
     const elapsed = Math.max(0, Date.now() - room.anchorAt) / 1000;
     if (room.isPlaying) room.anchor += elapsed;
     room.isPlaying = false;
@@ -443,8 +454,7 @@ io.on('connection', (socket) => {
 
   socket.on('seek', ({ roomId, to }) => {
     const room = rooms.get(roomId);
-    const actor = room.users.get(socket.id);
-    if (!room || !(socket.id === room.hostId || actor?.role === 'cohost')) return;
+    if (!room || !requireHostOrCohost(room, socket.id)) return;
     room.anchor = to;
     room.anchorAt = Date.now();
     io.to(roomId).emit('seek', { anchor: room.anchor, anchorAt: room.anchorAt, isPlaying: room.isPlaying });
@@ -452,8 +462,7 @@ io.on('connection', (socket) => {
 
   socket.on('ended', ({ roomId }) => {
     const room = rooms.get(roomId);
-    const actor = room.users.get(socket.id);
-    if (!room || !(socket.id === room.hostId || actor?.role === 'cohost')) return;
+    if (!room || !requireHostOrCohost(room, socket.id)) return;
     const next = room.queue.shift();
     if (next) {
       const thumb = next.thumb || normalizeThumb(next.meta || {});