# flights backend

Cloudflare-bypassing proxy for route-explorer.com. Hosts at
`https://flights.treytartt.com/`.

## Why this exists

Cloudflare Turnstile on route-explorer.com's `/api/token` requires
Apple's Private Access Token (PAT), which third-party iOS apps cannot
mint. Running headed Chromium on a Linux server with `nodriver` lets us
defeat Turnstile via TLS/JS fingerprinting (which works), cache the
resulting token, and expose a thin proxy the iOS app authenticates
against with a shared bearer secret.

## Endpoints

| Method | Path                | Notes                                       |
|--------|---------------------|---------------------------------------------|
| GET    | `/health`           | Public. Returns cache status.              |
| GET    | `/api/token`        | Bearer. Returns cached token, refreshes.   |
| POST   | `/api/flight-search`| Bearer. Pass-through with token + cookies. |
| POST   | `/api/route`        | Bearer. Wraps body with `endpoint=/route`. |
| POST   | `/api/departures`   | Bearer. Wraps body with `endpoint=/departures`. |
| POST   | `/api/schedule`     | Bearer. Wraps body with `endpoint=/schedule`. |

## Deploy

```bash
# 1. Set the shared secret on the unraid box:
ssh unraid
cd /mnt/user/appdata/flights-backend
cp .env.example .env
echo "SHARED_SECRET=$(openssl rand -hex 32)" > .env

# 2. Bring up the container
docker compose up -d --build

# 3. Confirm it's healthy
curl -s http://localhost:8090/health
```

## Reverse proxy

`flights.treytartt.com` → `localhost:8090` configured in
NginxProxyManager.