cookie-share.user.js v0.0.1

README.md

@@ -1,13 +1,9 @@
-# Cookie-share Chrome/Edge/Firefox Extension
-
-## All users before v0.1.5 please urgently update and modify your CF worker code and password. The old version accidentally deleted the authentication code, cookies can be accessed through the `/admin/list-cookies` API
-
-**Security Measures:**
-- **Choose a complex project name**
-- **Disable the built-in workers.dev domain and use a custom domain**
+# Cookie-share Chrome/Edge/Firefox Extension/Tampermonkey Script
 
 *Note: For learning and communication purposes only. Strictly prohibited for commercial use. Please delete within 24 hours and do not share on social platforms. If this project is useful to you, please give it a star. It really helps me a lot, thank you!*
 
+**Please check [issues](https://github.com/fangyuan99/cookie-share/issues) | [discussions](https://github.com/fangyuan99/cookie-share/discussions) first if you have any questions**
+
 [English](./README.md) | [简体中文](./README_CN.md) | [Update Log](./update.md)
 
 ---
@@ -94,6 +90,8 @@ Tested websites:
 - Don't hardcode `ADMIN_PASSWORD` in code, always use environment variables
 - Regularly review stored data, delete unnecessary cookie data
 - Consider setting expiration times for cookie data to reduce the risk of storing sensitive information long-term
+- Use `PATH_SECRET` in worker configuration to prevent brute force attacks
+- Choose complex project names and disable the built-in workers.dev domain
 
 ## Backend (Cloudflare Worker)
 
@@ -105,30 +103,28 @@ Note: Add `X-Admin-Password: yourpassword`
 
 Example:
 
-`/admin/list-cookies`
+`/{PATH_SECRET}/admin/list-cookies`
 
 ```sh
-curl --location --request GET 'https://your-worker-name.your-subdomain.workers.dev/admin/list-cookies' \
+curl --location --request GET 'https://your-worker-name.your-subdomain.workers.dev/{PATH_SECRET}/admin/list-cookies' \
 --header 'X-Admin-Password: yourpassword'
 ```
 
-`/admin/delete`
+`/{PATH_SECRET}/admin/delete`
 
 ```sh
-curl --location --request DELETE 'https://your-worker-name.your-subdomain.workers.dev/admin/delete?key={yourid}' \
+curl --location --request DELETE 'https://your-worker-name.your-subdomain.workers.dev/{PATH_SECRET}/admin/delete?key={yourid}' \
 --header 'X-Admin-Password: yourpassword'
 ```
 
-- `POST /send-cookies`: Store cookies associated with unique ID
-- `GET /receive-cookies`: Retrieve cookies for given ID
-- `GET /admin/list-cookies`: List all stored cookie IDs and URLs
-- `POST /admin/create`: Create new data entry
-- `GET /admin/read`: Read data for given key
-- `PUT /admin/update`: Update data for given key
-- `DELETE /admin/delete`: Delete data for given key
-- `DELETE /admin/delete-all`: Delete all stored data
-- `GET /admin/list`: List all stored data
-- `GET /admin`: Access admin management page
+Available endpoints:
+- `POST /{PATH_SECRET}/send-cookies`: Store cookies associated with unique ID
+- `GET /{PATH_SECRET}/admin`: Access admin management page
+- `GET /{PATH_SECRET}/admin/list-cookies`: List all stored cookie IDs and URLs
+- `GET /{PATH_SECRET}/admin/list-cookies-by-host`: List cookies filtered by hostname
+- `DELETE /{PATH_SECRET}/admin/delete`: Delete data for given key
+- `PUT /{PATH_SECRET}/admin/update`: Update data for given key
+- `OPTIONS /{PATH_SECRET}/`: Handle CORS preflight requests
 
 The admin management page provides a user-friendly interface for managing cookies and other data stored in the Worker. It includes features for viewing all stored cookies, creating new cookie entries, updating existing cookies, and deleting individual cookies or all stored data.
 

README_CN.md

@@ -1,14 +1,9 @@
-# Cookie-share Chrome/Edge/Firefox 扩展 
-
-
-## 请所有v0.1.5之前的用户紧急更新并修改CF worker代码以及密码，旧版本不小心删除了鉴权的代码，可以通过 `/admin/list-cookies` 接口访问到cookie
-
-**安全措施:**
-- **将项目名称取的复杂一些**
-- **禁用自带的 workers.dev 域名，使用自定义域名**
+# Cookie-share Chrome/Edge/Firefox 扩展/油猴脚本
 
 *注：仅供学习交流，严禁用于商业用途，请于24小时内删除，禁止在社交平台传播。如果本项目对你有用麻烦点个 star 这对我很有帮助，谢谢！*
 
+**有问题请先看 [issues](https://github.com/fangyuan99/cookie-share/issues) | [discussions](https://github.com/fangyuan99/cookie-share/discussions)**
+
 [English](./README.md) | [简体中文](./README_CN.md) | [Update Log](./update.md)
 
 ---
@@ -94,6 +89,8 @@ Cookie-share 是一个 Chrome/Edge/Firefox 扩展 (同时也有 Tampermonkey 脚
 - 不要在代码中硬编码 `ADMIN_PASSWORD`，始终使用环境变量。
 - 定期审查存储的数据，删除不再需要的 cookie 数据。
 - 考虑为 cookie 数据设置过期时间，以减少长期存储敏感信息的风险。
+- 使用 `PATH_SECRET` 在 worker 配置中防止暴力破解攻击。
+- 将项目名称设置得复杂一些，并禁用自带的 workers.dev 域名。
 
 ## 后端（Cloudflare Worker）
 
@@ -105,30 +102,28 @@ Cookie-share 是一个 Chrome/Edge/Firefox 扩展 (同时也有 Tampermonkey 脚
 
 示例:
 
-`/admin/list-cookies`
+`/{PATH_SECRET}/admin/list-cookies`
 
 ```sh
-curl --location --request GET 'https://your-worker-name.your-subdomain.workers.dev/admin/list-cookies' \
+curl --location --request GET 'https://your-worker-name.your-subdomain.workers.dev/{PATH_SECRET}/admin/list-cookies' \
 --header 'X-Admin-Password: yourpassword'
 ```
 
-`/admin/delete`
+`/{PATH_SECRET}/admin/delete`
 
 ```sh
-curl --location --request DELETE 'https://your-worker-name.your-subdomain.workers.dev/admin/delete?key={yourid}' \
+curl --location --request DELETE 'https://your-worker-name.your-subdomain.workers.dev/{PATH_SECRET}/admin/delete?key={yourid}' \
 --header 'X-Admin-Password: yourpassword'
 ```
 
-- `POST /send-cookies`: 存储与唯一 ID 关联的 cookies
-- `GET /receive-cookies`: 检索给定 ID 的 cookies
-- `GET /admin/list-cookies`: 列出所有存储的 cookie ID 和 URL
-- `POST /admin/create`: 创建新的数据条目
-- `GET /admin/read`: 读取给定键的数据
-- `PUT /admin/update`: 更新给定键的数据
-- `DELETE /admin/delete`: 删除给定键的数据
-- `DELETE /admin/delete-all`: 删除所有存储的数据
-- `GET /admin/list`: 列出所有存储的数据
-- `GET /admin`: 访问管理员管理页面
+可用的端点：
+- `POST /{PATH_SECRET}/send-cookies`: 存储与唯一 ID 关联的 cookies
+- `GET /{PATH_SECRET}/admin`: 访问管理员管理页面
+- `GET /{PATH_SECRET}/admin/list-cookies`: 列出所有存储的 cookie ID 和 URL
+- `GET /{PATH_SECRET}/admin/list-cookies-by-host`: 按主机名筛选并列出 cookies
+- `DELETE /{PATH_SECRET}/admin/delete`: 删除给定键的数据
+- `PUT /{PATH_SECRET}/admin/update`: 更新给定键的数据
+- `OPTIONS /{PATH_SECRET}/`: 处理 CORS 预检请求
 
 管理员管理页面提供了一个用户友好的界面，用于管理 Worker 中存储的 cookies 和其他数据。它包括查看所有存储的 cookies、创建新的 cookie 条目、更新现有的 cookies 以及删除单个 cookies 或所有存储的数据等功能。
 

_worker.js

@@ -32,13 +32,13 @@ function isValidId(id) {
 
 // 定义路由表
 const routes = {
-  "POST:/send-cookies": handleSendCookies,
-  "GET:/admin": handleAdminPage,
-  "GET:/admin/list-cookies": handleListCookies,
-  "GET:/admin/list-cookies-by-host": handleListCookiesByHost,
-  "DELETE:/admin/delete": handleDelete,
-  "PUT:/admin/update": handleUpdate,
-  "OPTIONS:/": handleCorsPreflightRequest,
+  [`POST:/${PATH_SECRET}/send-cookies`]: handleSendCookies,
+  [`GET:/${PATH_SECRET}/admin`]: handleAdminPage,
+  [`GET:/${PATH_SECRET}/admin/list-cookies`]: handleListCookies,
+  [`GET:/${PATH_SECRET}/admin/list-cookies-by-host`]: handleListCookiesByHost,
+  [`DELETE:/${PATH_SECRET}/admin/delete`]: handleDelete,
+  [`PUT:/${PATH_SECRET}/admin/update`]: handleUpdate,
+  [`OPTIONS:/${PATH_SECRET}/`]: handleCorsPreflightRequest,
 };
 
 async function handleAdminPage(request) {
@@ -166,7 +166,7 @@ async function handleAdminPage(request) {
     </div>
   
     <script>
-      const API_BASE = '';
+      const API_BASE = '/${PATH_SECRET}';
       let adminPassword = '';
   
       document.addEventListener('DOMContentLoaded', () => {
@@ -206,7 +206,7 @@ async function handleAdminPage(request) {
       }
   
       async function loadCookies() {
-        const response = await fetch('/admin/list-cookies', {
+        const response = await fetch(API_BASE + '/admin/list-cookies', {
           method: 'GET',
           headers: {
             'Content-Type': 'application/json',
@@ -248,7 +248,7 @@ async function handleAdminPage(request) {
           return;
         }
   
-        const response = await fetch('/send-cookies', {
+        const response = await fetch(API_BASE + '/send-cookies', {
           method: 'POST',
           headers: { 
             'Content-Type': 'application/json',
@@ -277,7 +277,7 @@ async function handleAdminPage(request) {
           return;
         }
   
-        const response = await fetch('/admin/update', {
+        const response = await fetch(API_BASE + '/admin/update', {
           method: 'PUT',
           headers: { 'Content-Type': 'application/json', 'X-Admin-Password': adminPassword },
           body: JSON.stringify({ key, value, url })
@@ -295,7 +295,7 @@ async function handleAdminPage(request) {
         event.preventDefault();
         const key = document.getElementById('deleteId').value;
   
-        const response = await fetch('/admin/delete?key='+encodeURIComponent(key), {
+        const response = await fetch(API_BASE + '/admin/delete?key='+encodeURIComponent(key), {
           method: 'DELETE',
           headers: { 
             'Content-Type': 'application/json', 
@@ -314,7 +314,7 @@ async function handleAdminPage(request) {
       async function deleteCookieById(id) {
         if (!confirm('确定要删除 ID 为'+id+' 的 Cookie 吗？')) return;
   
-        const response = await fetch('/admin/delete?key='+encodeURIComponent(id), {
+        const response = await fetch(API_BASE + '/admin/delete?key='+encodeURIComponent(id), {
           method: 'DELETE',
           headers: { 
             'Content-Type': 'application/json', 
@@ -346,22 +346,27 @@ async function handleRequest(request) {
   const path = url.pathname;
   const method = request.method;
 
+  // 检查路径是否包含正确的 PATH_SECRET
+  if (!path.startsWith(`/${PATH_SECRET}/`)) {
+    return createJsonResponse(404, { success: false, message: "Not Found" });
+  }
+
   // 处理 OPTIONS 请求
   if (method === "OPTIONS") {
     return handleCorsPreflightRequest();
   }
 
   // 对所有 /admin 开头的路径进行密码校验
-  if (path.startsWith("/admin/")) {
+  if (path.includes("/admin/")) {
     const authResponse = verifyAdminPassword(request);
     if (authResponse) return authResponse;
   }
 
   // 处理动态路由
-  if (path.startsWith("/receive-cookies/")) {
+  if (path.includes("/receive-cookies/")) {
     return handleReceiveCookies(request, path);
   }
-  if (path.startsWith("/admin/list-cookies-by-host/")) {
+  if (path.includes("/admin/list-cookies-by-host/")) {
     return handleListCookiesByHost(request, path);
   }