feat(security): wire withSigning on all proxy/embed handlers

All 10 server handlers now enforce HMAC signature verification:
- google-static-maps-proxy, google-maps-geocode-proxy, gravatar-proxy
- x-embed, bluesky-embed, instagram-embed
- createImageProxyHandler (covers x-embed-image, bluesky-embed-image,
  instagram-embed-image, instagram-embed-asset)

Registry entries updated with requiresSigning: true so the module
enforces NUXT_SCRIPTS_PROXY_SECRET in production when any of these
scripts are enabled.

Author: harlan-zw

packages/script/src/registry.ts

@@ -621,8 +621,8 @@ export async function registry(resolve?: (path: string) => Promise<string>): Pro
       envDefaults: { apiKey: '' },
       category: 'content',
       serverHandlers: [
-        { route: '/_scripts/proxy/google-static-maps', handler: './runtime/server/google-static-maps-proxy' },
-        { route: '/_scripts/proxy/google-maps-geocode', handler: './runtime/server/google-maps-geocode-proxy' },
+        { route: '/_scripts/proxy/google-static-maps', handler: './runtime/server/google-static-maps-proxy', requiresSigning: true },
+        { route: '/_scripts/proxy/google-maps-geocode', handler: './runtime/server/google-maps-geocode-proxy', requiresSigning: true },
       ],
     }),
     def('blueskyEmbed', {
@@ -631,8 +631,8 @@ export async function registry(resolve?: (path: string) => Promise<string>): Pro
       label: 'Bluesky Embed',
       category: 'content',
       serverHandlers: [
-        { route: '/_scripts/embed/bluesky', handler: './runtime/server/bluesky-embed' },
-        { route: '/_scripts/embed/bluesky-image', handler: './runtime/server/bluesky-embed-image' },
+        { route: '/_scripts/embed/bluesky', handler: './runtime/server/bluesky-embed', requiresSigning: true },
+        { route: '/_scripts/embed/bluesky-image', handler: './runtime/server/bluesky-embed-image', requiresSigning: true },
       ],
     }),
     def('instagramEmbed', {
@@ -641,9 +641,9 @@ export async function registry(resolve?: (path: string) => Promise<string>): Pro
       label: 'Instagram Embed',
       category: 'content',
       serverHandlers: [
-        { route: '/_scripts/embed/instagram', handler: './runtime/server/instagram-embed' },
-        { route: '/_scripts/embed/instagram-image', handler: './runtime/server/instagram-embed-image' },
-        { route: '/_scripts/embed/instagram-asset', handler: './runtime/server/instagram-embed-asset' },
+        { route: '/_scripts/embed/instagram', handler: './runtime/server/instagram-embed', requiresSigning: true },
+        { route: '/_scripts/embed/instagram-image', handler: './runtime/server/instagram-embed-image', requiresSigning: true },
+        { route: '/_scripts/embed/instagram-asset', handler: './runtime/server/instagram-embed-asset', requiresSigning: true },
       ],
     }),
     def('xEmbed', {
@@ -652,8 +652,8 @@ export async function registry(resolve?: (path: string) => Promise<string>): Pro
       label: 'X Embed',
       category: 'content',
       serverHandlers: [
-        { route: '/_scripts/embed/x', handler: './runtime/server/x-embed' },
-        { route: '/_scripts/embed/x-image', handler: './runtime/server/x-embed-image' },
+        { route: '/_scripts/embed/x', handler: './runtime/server/x-embed', requiresSigning: true },
+        { route: '/_scripts/embed/x-image', handler: './runtime/server/x-embed-image', requiresSigning: true },
       ],
     }),
     // support
@@ -757,7 +757,7 @@ export async function registry(resolve?: (path: string) => Promise<string>): Pro
         privacy: PRIVACY_IP_ONLY,
       },
       serverHandlers: [
-        { route: '/_scripts/proxy/gravatar', handler: './runtime/server/gravatar-proxy' },
+        { route: '/_scripts/proxy/gravatar', handler: './runtime/server/gravatar-proxy', requiresSigning: true },
       ],
     }),
   ])

packages/script/src/runtime/server/bluesky-embed.ts

@@ -1,5 +1,6 @@
 import { createError, defineEventHandler, getQuery, setHeader } from 'h3'
 import { $fetch } from 'ofetch'
+import { withSigning } from './utils/withSigning'
 
 interface PostThreadResponse {
   thread: {
@@ -22,7 +23,7 @@ interface PostThreadResponse {
 
 const BSKY_POST_URL_RE = /^https:\/\/bsky\.app\/profile\/([^/]+)\/post\/([^/?]+)$/
 
-export default defineEventHandler(async (event) => {
+export default withSigning(defineEventHandler(async (event) => {
   const query = getQuery(event)
   const postUrl = query.url as string
 
@@ -92,4 +93,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, 'Cache-Control', 'public, max-age=600, s-maxage=600')
 
   return post
-})
+}))

packages/script/src/runtime/server/google-maps-geocode-proxy.ts

@@ -2,8 +2,9 @@ import { useRuntimeConfig } from '#imports'
 import { createError, defineEventHandler, getQuery, setHeader } from 'h3'
 import { $fetch } from 'ofetch'
 import { withQuery } from 'ufo'
+import { withSigning } from './utils/withSigning'
 
-export default defineEventHandler(async (event) => {
+export default withSigning(defineEventHandler(async (event) => {
   const runtimeConfig = useRuntimeConfig()
   const privateConfig = (runtimeConfig['nuxt-scripts'] as any)?.googleMapsGeocodeProxy
 
@@ -38,4 +39,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, 'Cache-Control', 'public, max-age=86400, s-maxage=86400')
 
   return data
-})
+}))

packages/script/src/runtime/server/google-static-maps-proxy.ts

@@ -2,8 +2,9 @@ import { useRuntimeConfig } from '#imports'
 import { createError, defineEventHandler, getQuery, setHeader } from 'h3'
 import { $fetch } from 'ofetch'
 import { withQuery } from 'ufo'
+import { withSigning } from './utils/withSigning'
 
-export default defineEventHandler(async (event) => {
+export default withSigning(defineEventHandler(async (event) => {
   const runtimeConfig = useRuntimeConfig()
   const publicConfig = (runtimeConfig.public['nuxt-scripts'] as any)?.googleStaticMapsProxy
   const privateConfig = (runtimeConfig['nuxt-scripts'] as any)?.googleStaticMapsProxy
@@ -51,4 +52,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, 'Vary', 'Accept-Encoding')
 
   return response._data
-})
+}))

packages/script/src/runtime/server/gravatar-proxy.ts

@@ -2,8 +2,9 @@ import { useRuntimeConfig } from '#imports'
 import { createError, defineEventHandler, getQuery, setHeader } from 'h3'
 import { $fetch } from 'ofetch'
 import { withQuery } from 'ufo'
+import { withSigning } from './utils/withSigning'
 
-export default defineEventHandler(async (event) => {
+export default withSigning(defineEventHandler(async (event) => {
   const runtimeConfig = useRuntimeConfig()
   const proxyConfig = (runtimeConfig.public['nuxt-scripts'] as any)?.gravatarProxy
 
@@ -55,4 +56,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, 'Vary', 'Accept-Encoding')
 
   return response._data
-})
+}))

packages/script/src/runtime/server/instagram-embed.ts

@@ -1,6 +1,7 @@
 import { createError, defineEventHandler, getQuery, setHeader } from 'h3'
 import { $fetch } from 'ofetch'
 import { ELEMENT_NODE, parse, renderSync, TEXT_NODE, walkSync } from 'ultrahtml'
+import { withSigning } from './utils/withSigning'
 
 export const RSRC_RE = /url\(\/rsrc\.php([^)]+)\)/g
 export const AMP_RE = /&/g
@@ -186,7 +187,7 @@ function extractBlock(css: string, openBrace: number): { content: string, end: n
   return null
 }
 
-export default defineEventHandler(async (event) => {
+export default withSigning(defineEventHandler(async (event) => {
   // Derive the scripts prefix from the handler's own route path.
   // The route is registered as `<prefix>/embed/instagram`, so strip `/embed/instagram`.
   const handlerPath = event.path?.split('?')[0] || ''
@@ -331,4 +332,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, 'Cache-Control', 'public, max-age=600, s-maxage=600')
 
   return result
-})
+}))

packages/script/src/runtime/server/utils/image-proxy.ts

@@ -1,5 +1,6 @@
 import { createError, defineEventHandler, getQuery, setHeader } from 'h3'
 import { $fetch } from 'ofetch'
+import { withSigning } from './withSigning'
 
 const AMP_RE = /&/g
 
@@ -25,7 +26,7 @@ export function createImageProxyHandler(config: ImageProxyConfig) {
     decodeAmpersands = false,
   } = config
 
-  return defineEventHandler(async (event) => {
+  return withSigning(defineEventHandler(async (event) => {
     const query = getQuery(event)
     let url = query.url as string
 
@@ -95,5 +96,5 @@ export function createImageProxyHandler(config: ImageProxyConfig) {
     setHeader(event, 'Cache-Control', `public, max-age=${cacheMaxAge}, s-maxage=${cacheMaxAge}`)
 
     return response._data
-  })
+  }))
 }

packages/script/src/runtime/server/x-embed.ts

@@ -1,5 +1,6 @@
 import { createError, defineEventHandler, getQuery, setHeader } from 'h3'
 import { $fetch } from 'ofetch'
+import { withSigning } from './utils/withSigning'
 
 interface TweetData {
   id_str: string
@@ -45,7 +46,7 @@ interface TweetData {
 
 const TWEET_ID_RE = /^\d+$/
 
-export default defineEventHandler(async (event) => {
+export default withSigning(defineEventHandler(async (event) => {
   const query = getQuery(event)
   const tweetId = query.id as string
 
@@ -81,4 +82,4 @@ export default defineEventHandler(async (event) => {
   setHeader(event, 'Cache-Control', 'public, max-age=600, s-maxage=600')
 
   return tweetData
-})
+}))