Continuing the discussion from Suggestion: proxy calls to private-per-user-per-notebook whitelisted urls:
In the meantime glitch.com has reasonable rate limits, and since a project can have private configuration, but can still be forked easily, it should be a matter of seconds to set up a custom CORS proxy.
I’d be happy to create a template project (I’ve been meaning to do it for a while), but I’d like to know the restrictions that should be applicable:
- origin: limitable to own notebooks (via origin header; each Observable user has their own worker subdomain)
- authenticated: limit by secret (define tokens, to be passed via a header, header is removed before proxying)
It gets a bit more complicated for target paths, with three possible, but very different implementations:
- host pass-through: client must provide full path including host. Possible filters: prefix, regex
- path pass-through: restricted to a single domain, client must provide path without host. Possible filters: prefix, regex
- inventory: fixed mapping of routes to target URLs, where the client can only request a predetermined route. Possible filters: secret
An example for 2. would be this very basic proxy for api.observablehq.com: https://glitch.com/edit/#!/observablehq-api?path=index.js:1:0
Did I cover everything? Or did I miss something?