Trey T
ba0688a412
route-explorer's /api/token sits behind invisible Cloudflare Turnstile
that requires Apple's Private Access Token attestation. Third-party
iOS apps don't qualify for PAT issuance, and Linux Docker containers
can't pass it either (cross-OS fingerprint, even with patchright /
Camoufox). Migrates direct-flight search to FlightAware; multi-stop
and where-can-I-go remain via embedded SFSafariViewController.
- FlightAwareScheduleClient — scrapes route.rvt + trackpoll JSON for
real schedules without auth. T+0..2 day window. Tests against
captured HTML fixtures.
- BlobRouteClient — pulls the public Vercel blob route catalog
route-explorer's frontend reads (no auth, no Turnstile).
- DiagnosticLogger + LoggingURLSessionDelegate + DiagnosticsView —
device-shareable forensic trace. Boot header captures device, OS,
locale, UA; share-sheet export of session logs.
- TurnstileDebugView — live WKWebView gate inspector. Used to prove
the PAT-entitlement gap on a real device.
- RouteExplorerBrowserView — SFSafariViewController wrapper. Real
Safari clears Turnstile naturally; the in-app browser opens at
pre-filled search URLs. Surfaced from Search ("Open in
route-explorer") and Settings → Tools.
- RouteExplorerTokenStore + RouteExplorerSetupView — bookmarklet
capture flow (token round-tripped via flights://routeexplorer-token
URL scheme). Kept dormant for future use.
backend/ — Docker proxy attempts (Playwright, patchright, Camoufox).
All fail on Linux because Cloudflare auto-denies before the Turnstile
widget renders. Documented; kept as scaffolding for a future paid-
solver integration.
scripts/probe_flightaware.py — reference algorithm for the FA path.
scripts/probe_nodriver.py — local-Mac sanity check confirming the
gate clears with real macOS Chrome (proves the blocker is
fingerprint-level, not network-level).
25 lines
876 B
Docker
25 lines
876 B
Docker
# Playwright's official Python image ships Chromium + Firefox + WebKit
|
|
# pre-installed with all the system libs they need. patchright reuses
|
|
# Playwright's deps but ships its own (de-fingerprinted) Chromium build.
|
|
FROM mcr.microsoft.com/playwright/python:v1.49.0-jammy
|
|
|
|
ENV PYTHONUNBUFFERED=1 \
|
|
HOME=/tmp
|
|
|
|
WORKDIR /app
|
|
COPY requirements.txt .
|
|
RUN pip install --no-cache-dir -r requirements.txt
|
|
|
|
# patchright fork — minimum stealth so route-explorer's SPA executes
|
|
# normally. We deliberately *don't* use anti-detect tools beyond that;
|
|
# the strategy is to drive the page like a real user (fill form, click
|
|
# search) which makes the SPA trigger Turnstile organically, then let
|
|
# Cloudflare auto-pass our session.
|
|
RUN patchright install chromium --with-deps
|
|
|
|
COPY app.py .
|
|
|
|
EXPOSE 8090
|
|
|
|
CMD ["uvicorn", "app:app", "--host", "0.0.0.0", "--port", "8090", "--proxy-headers"]
|