chore(release): 1.0.8

Author: Inside4ndroid

CHANGELOG.md

@@ -2,6 +2,24 @@
 
 All notable changes to this project will be documented in this file.
 
+## [1.0.8] - 2025-10-03
+
+### Added
+- Added `processStreamsForProxy` so the aggregate and provider-specific endpoints automatically rewrite stream URLs through the internal `/m3u8-proxy`/`/ts-proxy` layer whenever `enableProxy` is turned on, stripping provider headers safely.
+
+### Changed
+- Showbox provider overhaul: filesystem-only caching (Redis removed), smarter FebBox cookie selection with region fallbacks, TMDB title/image validation that recognises romanized names, plus cached HEAD size lookups for faster listings.
+- Vixsrc provider rewritten to parse the `window.masterPlaylist` payload (token + expiry), returning a single master playlist with English subtitle lookup and correct Referer headers.
+- Config loader now prefers `utils/user-config.json`, dedupes TMDB keys, defaults provider enable flags to `true`, and scrubs legacy proxy env values when mirroring overrides back to `process.env`.
+- 4KHDHub provider permanently drops `.zip` archive links instead of trimming extensions and improves host distribution logging.
+- Provider registry dynamically enumerates available modules (removing MoviesClub/Xprime remnants) while keeping per-request cookie stats for the admin debug panel.
+
+### Removed
+- Deleted legacy `providers/moviesclub.js`, `providers/xprime.js`, and other unused proxy/auth remnants that were no longer referenced.
+
+### Fixed
+- Aggregated responses now obey the proxy flag without client changes—streams returned from `/api/streams/...` are proxy-wrapped and omit upstream header hints when `enableProxy` is active.
+
 ## [1.0.7] - 2025-09-21
 
 ### Added
@@ -132,6 +150,7 @@ All notable changes to this project will be documented in this file.
 ## [1.0.0] - 2025-09-16
 - Initial stable release.
 
+[1.0.8]: https://github.com/Inside4ndroid/TMDB-Embed-API/compare/v1.0.7...v1.0.8
 [1.0.7]: https://github.com/Inside4ndroid/TMDB-Embed-API/compare/v1.0.6...v1.0.7
 [1.0.6]: https://github.com/Inside4ndroid/TMDB-Embed-API/compare/v1.0.5...v1.0.6
 [1.0.5]: https://github.com/Inside4ndroid/TMDB-Embed-API/compare/v1.0.4...v1.0.5

README.md

@@ -6,7 +6,7 @@
   <img src="https://img.shields.io/badge/Node.js-18%2B-brightgreen?style=flat" />
   <img src="https://img.shields.io/badge/Status-Active-success?style=flat" />
   <img src="https://img.shields.io/badge/License-MIT-blue?style=flat" />
-  <img src="https://img.shields.io/badge/Version-1.0.7-informational?style=flat" />
+  <img src="https://img.shields.io/badge/Version-1.0.8-informational?style=flat" />
   <img src="https://img.shields.io/docker/pulls/inside4ndroid/tmdb-embed-api?label=Docker%20Pulls&style=flat" />
 </p>
 

apiServer.js

@@ -3,14 +3,23 @@ const express = require('express');
 const cors = require('cors');
 const os = require('os');
 const { config, saveConfigPatch, OVERRIDE_PATH } = require('./utils/config');
-const { authenticate, issueSession, requireAuth, getSession, updatePassword, AUTH_FILE } = require('./utils/auth');
+const { authenticate, issueSession, requireAuth, getSession, updatePassword } = require('./utils/auth');
 const path = require('path');
 const { listProviders, getProvider, getCookieStats } = require('./providers/registry');
+const { createProxyRoutes, processStreamsForProxy } = require('./proxy/proxyServer');
 const { resolveImdbId } = require('./utils/tmdb');
 const { applyFilters } = require('./utils/streamFilters');
 
 const app = express();
 
+// Conditionally mount proxy routes early so downstream handlers can use them
+if (config.enableProxy) {
+  console.log('[startup] enableProxy flag active: mounting proxy routes');
+  createProxyRoutes(app);
+} else {
+  console.log('[startup] enableProxy flag disabled: proxy routes not mounted');
+}
+
 // --- Simple In-Memory Rate Limiting for /auth/login ---
 const loginAttempts = new Map(); // key: ip, value: { count, first, last, lockedUntil }
 const MAX_ATTEMPTS_WINDOW = 5; // attempts allowed
@@ -340,6 +349,12 @@ app.get('/api/streams/:type/:tmdbId', async (req,res) => {
     let streams = results.flat();
     streams = applyFilters(streams, 'aggregate', config.minQualities, config.excludeCodecs);
     metrics.streamsReturned += streams.length;
+    if (config.enableProxy) {
+      const serverUrl = `${req.protocol}://${req.get('host')}`;
+      streams = processStreamsForProxy(streams, serverUrl);
+      // Omit original headers when proxying to avoid leaking upstream requirements
+      streams = streams.map(s => { if (s && typeof s === 'object') { const { headers, ...rest } = s; return rest; } return s; });
+    }
     res.json({ success:true, tmdbId, imdbId, count: streams.length, providerTimings, streams });
   } catch (e) {
     metrics.lastError = e.message;
@@ -366,6 +381,11 @@ app.get('/api/streams/:provider/:type/:tmdbId', async (req,res) => {
     const providerTimings = { [prov.name]: Date.now()-t0 };
     streams = applyFilters(streams, prov.name, config.minQualities, config.excludeCodecs);
     metrics.streamsReturned += streams.length;
+    if (config.enableProxy) {
+      const serverUrl = `${req.protocol}://${req.get('host')}`;
+      streams = processStreamsForProxy(streams, serverUrl);
+      streams = streams.map(s => { if (s && typeof s === 'object') { const { headers, ...rest } = s; return rest; } return s; });
+    }
     res.json({ success:true, provider: prov.name, tmdbId, imdbId, count: streams.length, providerTimings, streams });
   } catch (e) {
     metrics.lastError = e.message;

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "tmdb-embed-api",
-  "version": "1.0.7",
+  "version": "1.0.8",
   "description": "Standalone streaming embed source aggregation API (TMDB ID in, streams out)",
   "main": "apiServer.js",
   "scripts": {

package.json

@@ -770,7 +770,9 @@ function extractHubCloudLinks(url, referer) {
                                         headers = { Referer: baseUrl + '/', Origin: baseUrl };
                                         console.log('[4KHDHub] Added Referer/Origin headers for r2.dev FSL link');
                                     }
-                                } catch {}
+                                } catch {
+                                    // Ignore URL parsing errors
+                                }
 
                                 resolve({
                                     name: `4KHDHub - FSL Server${qualityLabel}`,
@@ -794,7 +796,9 @@ function extractHubCloudLinks(url, referer) {
                                         headers = { Referer: baseUrl + '/', Origin: baseUrl };
                                         console.log('[4KHDHub] Added Referer/Origin headers for r2.dev FSL link (fallback)');
                                     }
-                                } catch {}
+                                } catch {
+                                    // Ignore URL parsing errors
+                                }
 
                                 resolve({
                                     name: `4KHDHub - FSL Server${qualityLabel}`,
@@ -1332,24 +1336,18 @@ function extractStreamingLinks(downloadLinks) {
 
     return Promise.all(promises)
         .then(results => {
-            const validResults = results.filter(result => result !== null);
-            const flatResults = validResults.flat();
-            // Keep .zip links but strip the trailing .zip extension (attempt direct file URL)
-            const transformedResults = flatResults
-                .filter(link => link && link.url)
-                .map(link => {
-                    try {
-                        const lower = link.url.toLowerCase();
-                        if (lower.endsWith('.zip')) {
-                            const newUrl = link.url.slice(0, -4); // remove .zip
-                            console.log(`[4KHDHub] Converted zip URL to non-zip: ${link.url} -> ${newUrl}`);
-                            return { ...link, url: newUrl };
-                        }
-                    } catch {}
-                    return link;
-                });
-            // Note: Link count will be logged after validation completes
-            return transformedResults;
+            const validResults = results.filter(r => r !== null).flat();
+            const filtered = validResults.filter(link => {
+                if (!link || !link.url) return false;
+                const lower = link.url.toLowerCase();
+                if (lower.endsWith('.zip')) {
+                    console.log(`[4KHDHub] Skipping archive (zip) link: ${link.url}`);
+                    return false;
+                }
+                return true;
+            });
+            console.log(`[4KHDHub] Post-processing: kept ${filtered.length}, skipped ${validResults.length - filtered.length} zip archive links`);
+            return filtered;
         });
 }
 
@@ -1841,11 +1839,15 @@ async function get4KHDHubStreams(tmdbId, type, season = null, episode = null) {
                 try {
                     const h = new URL(s.url).hostname;
                     acc[h] = (acc[h] || 0) + 1;
-                } catch {}
+                } catch {
+                    // Ignore URL parsing errors
+                }
                 return acc;
             }, {});
             console.log('[4KHDHub] Final host distribution:', hostCounts);
-        } catch {}
+        } catch {
+            // Ignore URL parsing errors
+        }
 
         console.log(`[4KHDHub] Returning ${streams.length} streams`);
         return streams;

providers/4khdhub.js

@@ -2679,10 +2679,9 @@ const sortStreamsByQuality = (streams) => {
 
     // Provider priority ordering (lower number = higher priority)
     const providerSortKeys = {
-        'ShowBox': 1,
-        'Xprime.tv': 2,
-        'HollyMovieHD': 3,
-        'Soaper TV': 4,
+    'ShowBox': 1,
+    'HollyMovieHD': 2,
+    'Soaper TV': 3,
         // Default for unknown providers
         default: 99
     };

providers/Showbox.js

@@ -1,5 +1,43 @@
 const axios = require('axios');
 
+// Confirmed AES-CBC decoder for VidZee encrypted link format.
+// Format (after initial atob in site script): ivBase64:cipherBase64
+// ivBase64 -> CryptoJS Base64 parsed to WordArray (IV)
+// Key: UTF-8 bytes of "qrincywincyspider" padded with nulls to 32 bytes (AES-256-CBC)
+// Cipher: base64 ciphertext, PKCS7 padding, mode CBC.
+let cryptoJs; // lazy load to avoid cost if not needed
+function decodeVidZeeToken(token, debug) {
+    try {
+        if (typeof token !== 'string') return null;
+        if (/^https?:\/\//i.test(token)) return null; // already a URL
+        // Expect pattern base64:base64 (iv:cipher)
+        const raw = Buffer.from(token, 'base64').toString('utf8');
+        if (!raw.includes(':')) return null;
+        const [ivB64, cipherB64] = raw.split(':');
+        if (!ivB64 || !cipherB64) return null;
+        if (!cryptoJs) cryptoJs = require('crypto-js');
+        const iv = cryptoJs.enc.Base64.parse(ivB64.trim());
+        const keyStr = 'qrincywincyspider';
+        // Pad key with nulls to 32 bytes
+        const keyUtf8 = cryptoJs.enc.Utf8.parse(keyStr.padEnd(32, '\0'));
+        const decrypted = cryptoJs.AES.decrypt(cipherB64.trim(), keyUtf8, {
+            iv,
+            mode: cryptoJs.mode.CBC,
+            padding: cryptoJs.pad.Pkcs7
+        }).toString(cryptoJs.enc.Utf8);
+        if (!decrypted) return null;
+        if (!/^https?:\/\//i.test(decrypted)) {
+            if (debug) console.log('[VidZee] decrypted but not a URL', decrypted.slice(0,80));
+            return null;
+        }
+        if (debug) console.log('[VidZee] AES decoded token', { tokenSnippet: token.slice(0, 24)+'...', url: decrypted.slice(0,120) });
+        return decrypted.trim();
+    } catch (e) {
+        if (debug) console.log('[VidZee] AES decode error', e.message);
+        return null;
+    }
+}
+
 // Removed unused parseArgs helper
 
 const getVidZeeStreams = async (tmdbId, mediaType, seasonNum, episodeNum) => {
@@ -73,20 +111,23 @@ const getVidZeeStreams = async (tmdbId, mediaType, seasonNum, episodeNum) => {
             }
 
             const streams = apiSources.map(sourceItem => {
-                // Prefer sourceItem.name as label, fallback to sourceItem.type, then 'VidZee Stream'
                 const label = sourceItem.name || sourceItem.type || 'VidZee';
-                // Ensure quality has 'p' if it's a resolution, or keep it as is
                 let quality = String(label).match(/^\d+$/) ? `${label}p` : label;
-                // Normalize non-numeric or ambiguous quality labels to a baseline so they survive minQuality filter
                 if (!/(\d{3,4})p/.test(quality.toLowerCase())) {
                     quality = '720p';
                 }
                 const language = sourceItem.language || sourceItem.lang;
-                
+                let rawLink = sourceItem.link;
+                const debug = process.env.VIDZEE_DEBUG === '1';
+                const decoded = decodeVidZeeToken(rawLink, debug);
+                if (decoded && /^https?:\/\//i.test(decoded)) {
+                    if (debug) console.log('[VidZee] decoded link', { beforeSample: rawLink.slice(0,40)+'...', after: decoded.slice(0,80) });
+                    rawLink = decoded;
+                }
                 return {
                     name: `VidZee Server${sr} - ${quality} - ${language}`,
                     title: `VidZee Server${sr} - ${quality} - ${language}`,
-                    url: sourceItem.link, // Use sourceItem.link for the URL
+                    url: rawLink,
                     quality: quality,
                     provider: "VidZee",
                     headers: {