admin/Flights
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Search: FlightAware backbone, blob catalog, diagnostic infra

Browse Source 
route-explorer's /api/token sits behind invisible Cloudflare Turnstile
that requires Apple's Private Access Token attestation. Third-party
iOS apps don't qualify for PAT issuance, and Linux Docker containers
can't pass it either (cross-OS fingerprint, even with patchright /
Camoufox). Migrates direct-flight search to FlightAware; multi-stop
and where-can-I-go remain via embedded SFSafariViewController.

- FlightAwareScheduleClient — scrapes route.rvt + trackpoll JSON for
  real schedules without auth. T+0..2 day window. Tests against
  captured HTML fixtures.
- BlobRouteClient — pulls the public Vercel blob route catalog
  route-explorer's frontend reads (no auth, no Turnstile).
- DiagnosticLogger + LoggingURLSessionDelegate + DiagnosticsView —
  device-shareable forensic trace. Boot header captures device, OS,
  locale, UA; share-sheet export of session logs.
- TurnstileDebugView — live WKWebView gate inspector. Used to prove
  the PAT-entitlement gap on a real device.
- RouteExplorerBrowserView — SFSafariViewController wrapper. Real
  Safari clears Turnstile naturally; the in-app browser opens at
  pre-filled search URLs. Surfaced from Search ("Open in
  route-explorer") and Settings → Tools.
- RouteExplorerTokenStore + RouteExplorerSetupView — bookmarklet
  capture flow (token round-tripped via flights://routeexplorer-token
  URL scheme). Kept dormant for future use.

backend/ — Docker proxy attempts (Playwright, patchright, Camoufox).
All fail on Linux because Cloudflare auto-denies before the Turnstile
widget renders. Documented; kept as scaffolding for a future paid-
solver integration.

scripts/probe_flightaware.py — reference algorithm for the FA path.
scripts/probe_nodriver.py — local-Mac sanity check confirming the
gate clears with real macOS Chrome (proves the blocker is
fingerprint-level, not network-level).
This commit is contained in:
Trey T
2026-06-06 01:09:59 -05:00
parent d122c95342
commit ba0688a412
70 changed files with 89096 additions and 209 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/README.md
+45
View File
@@ -0,0 +1,45 @@
# flights backend
Cloudflare-bypassing proxy for route-explorer.com. Hosts at
`https://flights.treytartt.com/`.
## Why this exists
Cloudflare Turnstile on route-explorer.com's `/api/token` requires
Apple's Private Access Token (PAT), which third-party iOS apps cannot
mint. Running headed Chromium on a Linux server with `nodriver` lets us
defeat Turnstile via TLS/JS fingerprinting (which works), cache the
resulting token, and expose a thin proxy the iOS app authenticates
against with a shared bearer secret.
## Endpoints
| Method | Path | Notes |
|--------|---------------------|---------------------------------------------|
| GET | `/health` | Public. Returns cache status. |
| GET | `/api/token` | Bearer. Returns cached token, refreshes. |
| POST | `/api/flight-search`| Bearer. Pass-through with token + cookies. |
| POST | `/api/route` | Bearer. Wraps body with `endpoint=/route`. |
| POST | `/api/departures` | Bearer. Wraps body with `endpoint=/departures`. |
| POST | `/api/schedule` | Bearer. Wraps body with `endpoint=/schedule`. |
## Deploy
```bash
# 1. Set the shared secret on the unraid box:
ssh unraid
cd /mnt/user/appdata/flights-backend
cp .env.example .env
echo "SHARED_SECRET=$(openssl rand -hex 32)" > .env
# 2. Bring up the container
docker compose up -d --build
# 3. Confirm it's healthy
curl -s http://localhost:8090/health
```
## Reverse proxy
`flights.treytartt.com``localhost:8090` configured in
NginxProxyManager.