1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
//! `IpApiResolver`: derive the exit-IP country via a proxied HTTP probe.
use std::time::Duration;
use async_trait::async_trait;
use zendriver_stealth::geo::{Country, GeoResolver};
/// Resolves the apparent country by querying an IP-geolocation service
/// (default `http://ip-api.com/json` — **plaintext**; the proxy operator can
/// tamper with the response in transit, so override [`Self::endpoint`] to an
/// HTTPS service if response integrity matters for your threat model)
/// through the browser's proxy. Opt-in via `BrowserBuilder::geo_auto`;
/// endpoint overridable; swap the whole thing out with a custom
/// [`GeoResolver`].
pub struct IpApiResolver {
endpoint: String,
proxy: Option<String>,
proxy_auth: Option<(String, String)>,
timeout: Duration,
}
impl Default for IpApiResolver {
fn default() -> Self {
Self::new()
}
}
impl IpApiResolver {
/// A resolver hitting `http://ip-api.com/json` directly (no proxy), with
/// a 5-second timeout. Chain [`Self::endpoint`] / [`Self::timeout`] to
/// customize; `BrowserBuilder::geo_auto` wires the proxy (and its
/// credentials, if any) via the crate-private [`Self::with_proxy`].
#[must_use]
pub fn new() -> Self {
Self {
endpoint: "http://ip-api.com/json".into(),
proxy: None,
proxy_auth: None,
timeout: Duration::from_secs(5),
}
}
/// Override the probe endpoint (default `http://ip-api.com/json`, which
/// is plaintext HTTP — a malicious or compromised proxy operator can
/// observe or tamper with the response since it's routed through
/// `with_proxy`; override to an HTTPS endpoint if you need integrity).
/// Must return a JSON body with a top-level `countryCode` string field.
#[must_use]
pub fn endpoint(mut self, url: impl Into<String>) -> Self {
self.endpoint = url.into();
self
}
/// Override the request timeout (default 5s).
#[must_use]
pub fn timeout(mut self, d: Duration) -> Self {
self.timeout = d;
self
}
/// Route the probe through `server` (mirrors the browser's own proxy so
/// the resolved country matches the exit IP Chrome will actually use),
/// authenticating with `auth` (`user`, `pass`) when the proxy requires
/// it — passed to reqwest via [`reqwest::Proxy::basic_auth`], never
/// embedded in the proxy URL string, so it can't leak into an error
/// `Display`.
///
/// Called by `BrowserBuilder::geo_auto`, wiring `self.proxy` from
/// [`crate::browser::BrowserBuilder::proxy`] through here.
#[must_use]
pub(crate) fn with_proxy(
mut self,
server: Option<String>,
auth: Option<(String, String)>,
) -> Self {
self.proxy = server;
self.proxy_auth = auth;
self
}
}
#[async_trait]
impl GeoResolver for IpApiResolver {
async fn country(&self) -> Option<Country> {
let mut builder = reqwest::Client::builder().timeout(self.timeout);
if let Some(p) = &self.proxy {
match reqwest::Proxy::all(p) {
Ok(mut px) => {
if let Some((user, pass)) = &self.proxy_auth {
px = px.basic_auth(user, pass);
}
builder = builder.proxy(px);
}
Err(e) => {
// `reqwest::Error`'s `Display` only ever includes the
// failed proxy/target URL text, never proxy credentials
// (those are sent via `basic_auth`, not embedded in the
// URL) — safe to log as-is.
tracing::warn!(error = %e, "geo probe: bad proxy; skipping");
return None;
}
}
}
let client = builder.build().ok()?;
let resp = match client.get(&self.endpoint).send().await {
Ok(r) => r,
Err(e) => {
tracing::warn!(error = %e, "geo probe request failed");
return None;
}
};
let body: serde_json::Value = resp.json().await.ok()?;
let cc = body.get("countryCode").and_then(|v| v.as_str())?;
match Country::try_from(cc) {
Ok(c) => Some(c),
Err(_) => {
tracing::warn!(country = %cc, "geo probe: unrecognized country code");
None
}
}
}
}
#[cfg(test)]
mod tests {
use super::*;
#[tokio::test]
async fn resolves_country_from_ipapi_json() {
let server = wiremock::MockServer::start().await;
wiremock::Mock::given(wiremock::matchers::method("GET"))
.respond_with(
wiremock::ResponseTemplate::new(200).set_body_string(r#"{"countryCode":"DE"}"#),
)
.mount(&server)
.await;
let r = IpApiResolver::new().endpoint(server.uri());
assert_eq!(r.country().await, Some(Country::try_from("DE").unwrap()));
}
#[tokio::test]
async fn bad_body_yields_none() {
let server = wiremock::MockServer::start().await;
wiremock::Mock::given(wiremock::matchers::method("GET"))
.respond_with(wiremock::ResponseTemplate::new(200).set_body_string("nope"))
.mount(&server)
.await;
assert_eq!(
IpApiResolver::new().endpoint(server.uri()).country().await,
None
);
}
/// C1: `with_proxy`'s `auth` must actually reach the underlying
/// `reqwest::Proxy` (via `basic_auth`), not just be stored and ignored.
/// A real authenticated-proxy wiremock (mocking the CONNECT/tunnel
/// handshake a real forward proxy performs) is impractical with
/// `wiremock` (it's an HTTP server, not a proxy), so this instead stands
/// a plain wiremock server in for the proxy and drives a plain-HTTP
/// target through it — reqwest relays plain-HTTP-through-HTTP-proxy
/// requests as absolute-form requests directly to the proxy's socket
/// with a `Proxy-Authorization` header when `basic_auth` was set, so the
/// mock server IS the thing that receives (and can assert on) that
/// header. If `with_proxy`'s `auth` were dropped (the C1 bug), the mock
/// (which requires the header) would never match and `country()` would
/// return `None`.
#[tokio::test]
async fn threads_proxy_credentials_into_reqwest_proxy() {
let proxy = wiremock::MockServer::start().await;
wiremock::Mock::given(wiremock::matchers::method("GET"))
.and(wiremock::matchers::header_exists("Proxy-Authorization"))
.respond_with(
wiremock::ResponseTemplate::new(200).set_body_string(r#"{"countryCode":"DE"}"#),
)
.mount(&proxy)
.await;
let r = IpApiResolver::new()
.endpoint("http://geo-probe.invalid/json")
.with_proxy(Some(proxy.uri()), Some(("bob".into(), "s3cret".into())));
assert_eq!(r.country().await, Some(Country::try_from("DE").unwrap()));
}
/// Without credentials, the mock (which requires `Proxy-Authorization`)
/// must NOT match — a control proving the above test isn't a false
/// positive from some other matcher laxity.
#[tokio::test]
async fn no_credentials_means_no_proxy_auth_header() {
let proxy = wiremock::MockServer::start().await;
wiremock::Mock::given(wiremock::matchers::method("GET"))
.and(wiremock::matchers::header_exists("Proxy-Authorization"))
.respond_with(
wiremock::ResponseTemplate::new(200).set_body_string(r#"{"countryCode":"DE"}"#),
)
.mount(&proxy)
.await;
let r = IpApiResolver::new()
.endpoint("http://geo-probe.invalid/json")
.with_proxy(Some(proxy.uri()), None);
// No `Proxy-Authorization` header sent -> mock doesn't match -> 404
// from wiremock -> `.json()` fails -> `country()` yields `None`.
assert_eq!(r.country().await, None);
}
}