Use environment variables for endpoint URLs

Custom endpoints
- minor change to customise textures & session server host for custom yggdrasil server
2026-03-21 23:41:18 +01:00 · 2025-12-08 21:05:09 +01:00 · 2025-12-08 21:02:48 +01:00 · 2024-02-01 22:29:09 +01:00 · 2024-02-01 22:25:43 +01:00 · 2024-02-01 22:24:29 +01:00
30 changed files with 2111 additions and 1955 deletions
--- a/.buildpacks
+++ b/.buildpacks
@ -1,2 +0,0 @@
-https://github.com/mojodna/heroku-buildpack-cairo.git
-https://github.com/heroku/heroku-buildpack-nodejs.git
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,6 @@
+.*
+*.md
+Dockerfile
+LICENSE
+images/
+node_modules/
--- a/.editorconfig
+++ b/.editorconfig
@ -1,21 +0,0 @@
-# We use EditorConfig to standardize settings between contributors
-# See http://editorconfig.org for more info and plugin downloads
-
-root = true
-
-[*]
-end_of_line = lf
-insert_final_newline = false
-trim_trailing_whitespace = true
-
-[*.{js, json, yml}]
-indent_style = space
-indent_size = 2
-charset = utf-8
-
-[*.md]
-trim_trailing_whitespace = false
-
-[.gitignore]
-# echo "filename" >> .gitignorre
-insert_final_newline = true
--- a/.travis.yml
+++ b/.travis.yml
@ -1,24 +0,0 @@
-language: node_js
-node_js:
-  - 12.16.1
-sudo: false
-addons:
-  apt:
-    sources:
-    - ubuntu-toolchain-r-test
-    packages:
-    - libcairo2-dev
-    - libjpeg8-dev
-    - libpango1.0-dev
-    - libgif-dev
-    - build-essential
-    - g++-4.8
-script:
-  - npm run-script test-travis
-env:
-  - TRAVIS=true CXX=g++-4.8
-services:
-  - redis-server
-cache:
-  directories:
-    - node_modules
--- a/70
+++ b/70
@ -1,47 +1,35 @@
-FROM node:12-alpine
+FROM node:12-alpine AS builder

-ARG AVATAR_MIN
-ARG AVATAR_MAX
-ARG AVATAR_DEFAULT
-ARG RENDER_MIN
-ARG RENDER_MAX
-ARG RENDER_DEFAULT
-ARG FACE_DIR
-ARG HELM_DIR
-ARG SKIN_DIR
-ARG RENDER_DIR
-ARG CAPE_DIR
-ARG CACHE_LOCAL
-ARG CACHE_BROWSER
-ARG EPHEMERAL_STORAGE
-ARG REDIS_URL
-ARG PORT
-ARG BIND
-ARG EXTERNAL_HTTP_TIMEOUT
-ARG DEBUG
-ARG LOG_TIME
-ARG SPONSOR_SIDE
-ARG TOP_RIGHT
+RUN apk --no-cache add git python3 build-base redis cairo-dev pango-dev jpeg-dev giflib-dev

-ENV NODE_ENV production
-
-RUN apk --no-cache --virtual .build-deps add git python build-base
-RUN apk --no-cache --virtual .canvas-deps add cairo-dev pango-dev jpeg-dev giflib-dev
-
-RUN mkdir -p /crafatar/images/faces
-RUN mkdir -p /crafatar/images/helms
-RUN mkdir -p /crafatar/images/skins
-RUN mkdir -p /crafatar/images/renders
-RUN mkdir -p /crafatar/images/capes
-
-VOLUME /crafatar/images
-
-COPY package.json www.js config.js crafatar/
-COPY lib/ crafatar/lib/
-
-WORKDIR /crafatar
+RUN adduser -D app
+USER app

+COPY --chown=app package.json package-lock.json /home/app/crafatar/
+WORKDIR /home/app/crafatar
 RUN npm install

+COPY --chown=app . .
+RUN mkdir -p images/faces images/helms images/skins images/renders images/capes
+
+ARG VERBOSE_TEST
+ARG DEBUG
+RUN nohup redis-server & npm test
+
+
+FROM node:12-alpine
+RUN apk --no-cache add cairo pango jpeg giflib
+RUN adduser -D app
+USER app
+RUN mkdir /home/app/crafatar
+WORKDIR /home/app/crafatar
+RUN mkdir -p images/faces images/helms images/skins images/renders images/capes
+
+COPY --chown=app --from=builder /home/app/crafatar/node_modules/ node_modules/
+COPY --chown=app package.json www.js config.js ./
+COPY --chown=app lib/ lib/
+
+VOLUME /home/app/crafatar/images
+ENV NODE_ENV production
+ENTRYPOINT ["npm", "start"]
 EXPOSE 3000
-ENTRYPOINT npm start
--- a/1
+++ b/1
@ -1 +0,0 @@
-web: npm start
--- a/README.md
+++ b/README.md
@ -1,8 +1,8 @@
-# Crafatar [![travis](https://img.shields.io/travis/crafatar/crafatar/master.svg?style=flat-square)](https://travis-ci.org/crafatar/crafatar/) [![Coverage Status](https://img.shields.io/coveralls/crafatar/crafatar.svg?style=flat-square)](https://coveralls.io/r/crafatar/crafatar) [![Code Climate](https://img.shields.io/codeclimate/github/crafatar/crafatar.svg?style=flat-square)](https://codeclimate.com/github/crafatar/crafatar)
-[![dependency status](https://img.shields.io/david/crafatar/crafatar.svg?style=flat-square)](https://david-dm.org/crafatar/crafatar) [![devDependency status](https://img.shields.io/david/dev/crafatar/crafatar.svg?style=flat-square)](https://david-dm.org/crafatar/crafatar#info=devDependencies) [![docs status](https://inch-ci.org/github/crafatar/crafatar.svg?branch=master&style=flat-square)](https://inch-ci.org/github/crafatar/crafatar)
+# Crafatar
+<img alt="logo" src="lib/public/logo.png" align="right" width="128px" height="128px">

+[![travis](https://img.shields.io/travis/crafatar/crafatar/master.svg?style=flat-square)](https://travis-ci.org/crafatar/crafatar/) [![Coverage Status](https://img.shields.io/coveralls/crafatar/crafatar.svg?style=flat-square)](https://coveralls.io/r/crafatar/crafatar) [![Code Climate](https://img.shields.io/codeclimate/github/crafatar/crafatar.svg?style=flat-square)](https://codeclimate.com/github/crafatar/crafatar) [![dependency status](https://img.shields.io/david/crafatar/crafatar.svg?style=flat-square)](https://david-dm.org/crafatar/crafatar) [![devDependency status](https://img.shields.io/david/dev/crafatar/crafatar.svg?style=flat-square)](https://david-dm.org/crafatar/crafatar#info=devDependencies) [![docs status](https://inch-ci.org/github/crafatar/crafatar.svg?branch=master&style=flat-square)](https://inch-ci.org/github/crafatar/crafatar)

-<img alt="logo" src="lib/public/logo.png" align="right">
 <a href="https://crafatar.com">Crafatar</a> serves Minecraft avatars based on the skin for use in external applications.
 Inspired by <a href="https://gravatar.com">Gravatar</a> (hence the name) and <a href="https://minotar.net">Minotar</a>.

@ -34,6 +34,14 @@ Please [visit the website](https://crafatar.com) for details.

 # Installation

+## Docker
+
+```sh
+docker network create crafatar
+docker run --net crafatar -d --name redis redis
+docker run --net crafatar -v crafatar-images:/home/app/crafatar/images -e REDIS_URL=redis://redis -p 3000:3000 crafatar/crafatar
+```
+
 ## Manual

 - Install [nodejs](https://nodejs.org/) 12 (LTS)
@ -44,15 +52,6 @@ Please [visit the website](https://crafatar.com) for details.

 Crafatar is now available at http://0.0.0.0:3000.

-## Docker
-
-```sh
-docker pull crafatar/crafatar
-docker network create crafatar
-docker run --net crafatar -d --name redis redis
-docker run --net crafatar -v crafatar-images:/crafatar/images -e REDIS_URL=redis://redis -p 3000:3000 crafatar/crafatar
-```
-
 ## Configration / Environment variables

 See the `config.js` file.
--- a/app.json
+++ b/app.json
@ -1,30 +0,0 @@
-{
-    "name": "Crafatar",
-    "description": "A blazing fast API for Minecraft faces!",
-    "repository": "https://github.com/crafatar/crafatar",
-    "keywords": [
-        "node",
-        "minecraft",
-        "avatar",
-        "redis"
-    ],
-    "website": "https://crafatar.com/",
-    "env": {
-        "EPHEMERAL_STORAGE": {
-            "description": "Set to true if your storage is gone after deploying",
-            "required": false,
-            "value": true
-        }
-    },
-    "addons": [
-        "rediscloud"
-    ],
-    "buildpacks": [
-        {
-            "url": "https://github.com/mojodna/heroku-buildpack-cairo.git"
-        },
-        {
-            "url": "https://github.com/heroku/heroku-buildpack-nodejs.git"
-        }
-    ]
-}
--- a/config.js
+++ b/config.js
@ -54,12 +54,16 @@ var config = {
    log_time: process.env.LOG_TIME === "true",
    // rate limit per second for outgoing requests to the Mojang session server
    // requests exceeding this limit are skipped and considered failed
-    sessions_rate_limit: parseInt(process.env.SESSIONS_RATE_LIMIT) || Infinity
+    sessions_rate_limit: parseInt(process.env.SESSIONS_RATE_LIMIT)
  },
  sponsor: {
    sidebar: process.env.SPONSOR_SIDE,
    top_right: process.env.SPONSOR_TOP_RIGHT
  },
+  endpoints: {
+    textures_url: process.env.TEXTURES_ENDPOINT || "https://textures.minecraft.net/texture/",
+    session_url: process.env.SESSION_ENDPOINT || "https://sessionserver.mojang.com/session/minecraft/profile/"
+  }
 };

 module.exports = config;
--- a/lib/helpers.js
+++ b/lib/helpers.js
@ -7,8 +7,8 @@ var skins = require("./skins");
 var path = require("path");
 var fs = require("fs");

-// 0098cb60-fa8e-427c-b299-793cbd302c9a
-var valid_user_id = /^[0-9a-f-A-F-]{32,36}$/; // uuid
+// 0098cb60fa8e427cb299793cbd302c9a
+var valid_user_id = /^[0-9a-fA-F]{32}$/; // uuid
 var hash_pattern = /[0-9a-f]+$/;

 // gets the hash from the textures.minecraft.net +url+
@ -122,13 +122,22 @@ var requests = {
  cape: {}
 };

-function push_request(userId, type, fun) {
+var loginterval = setInterval(function(){
+  var skinreqs = Object.keys(requests.skin).length;
+  var capereqs = Object.keys(requests.cape).length;
+  if (skinreqs || capereqs) {
+    logging.log("Currently waiting for " + skinreqs + " skin requests and " + capereqs + " cape requests.");
+  }
+}, 1000);
+
+// add a request for +userId+ and +type+ to the queue
+function push_request(userId, type, callback) {
  // avoid special properties (e.g. 'constructor')
  var userId_safe = "!" + userId;
  if (!requests[type][userId_safe]) {
    requests[type][userId_safe] = [];
  }
-  requests[type][userId_safe].push(fun);
+  requests[type][userId_safe].push(callback);
 }

 // calls back all queued requests that match userId and type
@ -162,7 +171,6 @@ function store_images(rid, userId, cache_details, type, callback) {
    logging.debug(rid, "adding to request queue");
    push_request(userId, type, callback);
  } else {
-    // add request to the queue
    push_request(userId, type, callback);

    networking.get_profile(rid, userId, function(err, profile) {
@ -243,7 +251,7 @@ exp.get_image_hash = function(rid, userId, type, callback) {
            // an error occured, but we have a cached hash
            // (e.g. Mojang servers not reachable, using outdated hash)

-            // when hitting the rate limit, let's pretend the request succeeded and bump the TTL
+            // bump the TTL after hitting the rate limit
            var ratelimited = store_err.code === "RATELIMIT";
            cache.update_timestamp(rid, userId, !ratelimited, function(err2) {
              callback(err2 || store_err, 4, cache_details && cached_hash, slim);
@ -324,7 +332,7 @@ function get_type(overlay, body) {
 }

 // handles creations of 3D renders
-// callback: error, skin hash, image buffer
+// callback: error, status, skin hash, image buffer
 exp.get_render = function(rid, userId, scale, overlay, body, callback) {
  exp.get_skin(rid, userId, function(err, skin_hash, status, img, slim) {
    if (!skin_hash) {
@ -350,7 +358,7 @@ exp.get_render = function(rid, userId, scale, overlay, body, callback) {
            callback(null, 0, skin_hash, null);
          } else {
            fs.writeFile(renderpath, drawn_img, "binary", function(write_err) {
-              callback(write_err, 2, skin_hash, drawn_img);
+              callback(write_err, status, skin_hash, drawn_img);
            });
          }
        });
@ -387,4 +395,8 @@ exp.get_cape = function(rid, userId, callback) {
  });
 };

+exp.stoplog = function() {
+  clearInterval(loginterval);
+}
+
 module.exports = exp;
--- a/lib/logging.js
+++ b/lib/logging.js
@ -23,15 +23,19 @@ function log(level, args, logger) {
  }
 }

+// log with INFO level
 exp.log = function() {
  log(" INFO", arguments);
 };
+// log with WARN level
 exp.warn = function() {
  log(" WARN", arguments, console.warn);
 };
+// log with ERROR level
 exp.error = function() {
  log("ERROR", arguments, console.error);
 };
+// log with DEBUG level if debug logging is enabled
 if (config.server.debug_enabled) {
  exp.debug = function() {
    log("DEBUG", arguments);
--- a/lib/networking.js
+++ b/lib/networking.js
@ -5,14 +5,15 @@ var skins = require("./skins");
 var http = require("http");
 require("./object-patch");

-var session_url = "https://sessionserver.mojang.com/session/minecraft/profile/";
-var textures_url = "https://textures.minecraft.net/texture/";
+var session_url = config.endpoints.session_url;
+var textures_url = config.endpoints.textures_url;

 // count requests made to session_url in the last 1000ms
 var session_requests = [];

 var exp = {};

+// returns the amount of outgoing session requests made in the last 1000ms
 function req_count() {
  var index = session_requests.findIndex((i) => i >= Date.now() - 1000);
  if (index >= 0) {
@ -22,6 +23,7 @@ function req_count() {
  }
 }

+// deletes all entries in session_requests, should be called every 1000ms
 exp.resetCounter = function() {
  var count = req_count();
  if (count) {
@ -39,10 +41,10 @@ exp.resetCounter = function() {
 // callback: the body, response,
 // and error buffer. get_from helper method is available
 exp.get_from_options = function(rid, url, options, callback) {
-  var session_req = url.startsWith(session_url);
+  var is_session_req = config.server.sessions_rate_limit && url.startsWith(session_url);

  // This is to prevent being blocked by CloudFront for exceeding the rate limit
-  if (session_req && req_count() >= config.server.sessions_rate_limit) {
+  if (is_session_req && req_count() >= config.server.sessions_rate_limit) {
    var e = new Error("Skipped, rate limit exceeded");
    e.name = "HTTP";
    e.code = "RATELIMIT";
@ -52,7 +54,7 @@ exp.get_from_options = function(rid, url, options, callback) {

    callback(null, response, e);
  } else {
-    session_req && session_requests.push(Date.now());
+    is_session_req && session_requests.push(Date.now());
    request.get({
      url: url,
      headers: {
--- a/lib/public/favicon.ico
+++ b/lib/public/favicon.ico
--- a/lib/public/favicon.png
+++ b/lib/public/favicon.png
--- a/lib/public/javascript/crafatar.js
+++ b/lib/public/javascript/crafatar.js
@ -1,34 +1,64 @@
 var valid_user_id = /^[0-9a-f-A-F-]{32,36}$/; // uuid
-var xhr = new XMLHttpRequest();

-xhr.onload = function() {
-  var response = JSON.parse(xhr.responseText);
-  var status = {};
-  response.map(function(elem) {
-    var key = Object.keys(elem)[0];
-    status[key] = elem[key];
-  });
+var quotes = [
+  ["Crafatar is the best at what it does.", "Shotbow Network", "https://twitter.com/ShotbowNetwork/status/565201303555829762"],
+  ["Crafatar seems to stand out from others", "Dabsunter", "https://github.com/crafatar/crafatar/wiki/What-people-say-about-Crafatar"],
+  ["I can’t tell you how much Crafatar helped me along the way! You guys do some amazing work.", "Luke Chatton", "https://github.com/lukechatton"],
+  ["It's just awesome! Keep up the good work", "Dannyps", "https://forums.spongepowered.org/t/title-cant-be-empty/4964/22"],
+  ["It's one of the few services that actually does HTTP header caching correctly", "confuser", "https://github.com/BanManagement/BanManager-WebUI/issues/16#issuecomment-73230674"],
+  ["It's so beautiful. &lt;3", "FerusGrim", "https://twitter.com/FerusGrim/status/642824817683656704"],
+  ["Love it! It's great!", "Reddit User", "https://reddit.com/comments/2nth0j/-/cmh5771"],
+  ["Such a useful service!", "Tim Z, NameMC", "https://twitter.com/CoderTimZ/status/602682146793349120"],
+  ["Thanks for providing us with such a reliable service :)", "BeanBlockz", "https://twitter.com/BeanBlockz/status/743927789422845952"],
+  ["This is excellent for my website! Good work.", "cyanide43", "https://reddit.com/comments/2nth0j/-/cmgpq85"],
+  ["This is really cool!", "AlexWebber", "https://forums.spongepowered.org/t/crafatar-a-new-minecraft-avatar-service/4964/19"],
+  ["This really is looking amazing. Absolutely love it!", "Enter_", "https://forums.spongepowered.org/t/crafatar-a-new-minecraft-avatar-service/4964/21"],
+  ["We couldn't believe how flawless your API is, Good job!", "SenceServers", "https://twitter.com/SenceServers/status/697132506626265089"],
+  ["WOW, Crafatar is FAST", "Rileriscool", "https://twitter.com/rileriscool/status/562057234986065921"],
+  ["You deserve way more popularity", "McSlushie", "https://github.com/crafatar/crafatar/wiki/Credit/a8f37373531b1d2c2cb3557ba809542a2ed81626"],
+  ["You do excellent work on Crafatar and are awesome! A very polished, concise & clean project.", "DrCorporate", "https://reddit.com/comments/2r1ns6/-/cnbq5f1"]
+];
+// shuffle quotes
+for (i = quotes.length -1; i > 0; i--) {
+  var a = Math.floor(Math.random() * i);
+  var b = quotes[i];
+  quotes[i] = quotes[a];
+  quotes[a] = b;
+}

-  var textures_err = status["textures.minecraft.net"] !== "green";
-  var session_err = status["sessionserver.mojang.com"] !== "green";
+var current_quote = 0;
+
+function changeQuote() {
+  var elem = document.querySelector("#quote");
+  var quote = quotes[current_quote];
+  elem.innerHTML = "<b>“" + quote[0] + "”</b><br>― <i>" + quote[1] + "</i>";
+  elem.href = quote[2];
+  current_quote = (current_quote + 1) % quotes.length;
+}
+
+fetch('https://mc-heads.net/json/mc_status').then(r => r.json()).then(data => {
+  var textures_err = data.report.skins.status !== "up";
+  var session_err = data.report.session.status !== "up";

  if (textures_err || session_err) {
    var warn = document.createElement("div");
    warn.setAttribute("class", "alert alert-warning");
    warn.setAttribute("role", "alert");
-    warn.innerHTML = "<h5>Mojang issues</h5> Mojang's servers are having trouble <i>right now</i>, this may affect requests at Crafatar. <small><a href=\"https://help.mojang.com\" target=\"_blank\">check status</a>";
+    warn.innerHTML = "<h5>Mojang issues</h5> Mojang's servers are having trouble <i>right now</i>, this may affect requests at Crafatar. <small><a href=\"https://mc-heads.net/mcstatus\" target=\"_blank\">check status</a>";
    document.querySelector("#alerts").appendChild(warn);
  }
-};
+});

 document.addEventListener("DOMContentLoaded", function(event) {
  var avatars = document.querySelector("#avatar-wrapper");
+  // shuffle avatars
  for (var i = 0; i < avatars.children.length; i++) {
-    // shake 'em on down!
-    // https://stackoverflow.com/a/11972692/2517068
    avatars.appendChild(avatars.children[Math.random() * i | 0]);
  }

+  setInterval(changeQuote, 5000);
+  changeQuote();
+
  var tryit = document.querySelector("#tryit");
  var tryname = document.querySelector("#tryname");
  var images = document.querySelectorAll(".tryit");
@ -44,7 +74,4 @@ document.addEventListener("DOMContentLoaded", function(event) {
      images[j].src = images[j].dataset.src.replace("$", value);
    }
  };
-
-  xhr.open("GET", "https://status.mojang.com/check", true);
-  xhr.send();
 });
--- a/lib/public/logo.png
+++ b/lib/public/logo.png
--- a/lib/public/stylesheets/style.css
+++ b/lib/public/stylesheets/style.css
@ -58,6 +58,22 @@ a.sponsor-item {
  background: #fff8ec !important;
 }

+#quote-wrapper {
+  line-height: 9.5em;
+}
+
+#quote {
+  display: inline-block;
+  vertical-align: middle;
+  line-height: initial;
+  background: #d4e7ff;
+  border-color: #94cbfc;
+}
+
+#quote:hover {
+  background: #dcedff;
+}
+
 .alert {
  font-size: 1rem;
 }
--- a/lib/response.js
+++ b/lib/response.js
@ -95,7 +95,13 @@ module.exports = function(request, response, result) {
    if (result.err && result.err.code === "ENOENT") {
      result.code = result.code || 500;
    }
-    response.writeHead(result.code || 502, headers);
+    if (!result.code) {
+      // Don't use 502 on Cloudflare
+      // As they will show their own error page instead
+      // https://support.cloudflare.com/hc/en-us/articles/200172706
+      result.code = config.caching.cloudflare ? 500 : 502;
+    }
+    response.writeHead(result.code, headers);
  } else {
    if (result.body) {
      if (result.status === 4) {
--- a/lib/routes/avatars.js
+++ b/lib/routes/avatars.js
@ -14,12 +14,10 @@ function handle_default(img_status, userId, size, def, req, err, callback) {
  if (defname !== "steve" && defname !== "mhf_steve" && defname !== "alex" && defname !== "mhf_alex") {
    if (helpers.id_valid(def)) {
      // clean up the old URL to match new image
-      var parsed = req.url;
-      delete parsed.query.default;
-      delete parsed.search;
-      parsed.path_list[1] = def;
-      parsed.pathname = "/" + parsed.path_list.join("/");
-      var newUrl = url.format(parsed);
+      req.url.searchParams.delete('default');
+      req.url.path_list[1] = def;
+      req.url.pathname = req.url.path_list.join('/');
+      var newUrl = req.url.toString();
      callback({
        status: img_status,
        redirect: newUrl,
@ -53,9 +51,9 @@ function handle_default(img_status, userId, size, def, req, err, callback) {
 // GET avatar request
 module.exports = function(req, callback) {
  var userId = (req.url.path_list[1] || "").split(".")[0];
-  var size = parseInt(req.url.query.size) || config.avatars.default_size;
-  var def = req.url.query.default;
-  var overlay = Object.prototype.hasOwnProperty.call(req.url.query, "overlay") || Object.prototype.hasOwnProperty.call(req.url.query, "helm");
+  var size = parseInt(req.url.searchParams.get("size")) || config.avatars.default_size;
+  var def = req.url.searchParams.get("default");
+  var overlay = req.url.searchParams.has("overlay") || req.url.searchParams.has("helm");

  // check for extra paths
  if (req.url.path_list.length > 2) {
@ -67,6 +65,9 @@ module.exports = function(req, callback) {
    return;
  }

+  // strip dashes
+  userId = userId.replace(/-/g, "");
+
  // Prevent app from crashing/freezing
  if (size < config.avatars.min_size || size > config.avatars.max_size) {
    // "Unprocessable Entity", valid request, but semantically erroneous:
@ -84,9 +85,6 @@ module.exports = function(req, callback) {
    return;
  }

-  // strip dashes
-  userId = userId.replace(/-/g, "");
-
  try {
    helpers.get_avatar(req.id, userId, overlay, size, function(err, status, image, hash) {
      if (err) {
--- a/lib/routes/capes.js
+++ b/lib/routes/capes.js
@ -4,7 +4,7 @@ var cache = require("../cache");
 // GET cape request
 module.exports = function(req, callback) {
  var userId = (req.url.path_list[1] || "").split(".")[0];
-  var def = req.url.query.default;
+  var def = req.url.searchParams.get('default');
  var rid = req.id;

  // check for extra paths
@ -17,6 +17,8 @@ module.exports = function(req, callback) {
    return;
  }

+  // strip dashes
+  userId = userId.replace(/-/g, "");
  if (!helpers.id_valid(userId)) {
    callback({
      status: -2,
@ -25,9 +27,6 @@ module.exports = function(req, callback) {
    return;
  }

-  // strip dashes
-  userId = userId.replace(/-/g, "");
-
  try {
    helpers.get_cape(rid, userId, function(err, hash, status, image) {
      if (err) {
--- a/lib/routes/index.js
+++ b/lib/routes/index.js
@ -7,6 +7,7 @@ var ejs = require("ejs");
 var str;
 var index;

+// pre-compile the index page
 function compile() {
  logging.log("Compiling index page");
  str = read(path.join(__dirname, "..", "views", "index.html.ejs"), "utf-8");
--- a/lib/routes/renders.js
+++ b/lib/routes/renders.js
@ -17,12 +17,10 @@ function handle_default(rid, scale, overlay, body, img_status, userId, size, def
  if (defname !== "steve" && defname !== "mhf_steve" && defname !== "alex" && defname !== "mhf_alex") {
    if (helpers.id_valid(def)) {
      // clean up the old URL to match new image
-      var parsed = req.url;
-      delete parsed.query.default;
-      delete parsed.search;
-      parsed.path_list[2] = def;
-      parsed.pathname = "/" + parsed.path_list.join("/");
-      var newUrl = url.format(parsed);
+      req.url.searchParams.delete('default');
+      req.url.path_list[2] = def;
+      req.url.pathname = req.url.path_list.join('/');
+      var newUrl = req.url.toString();
      callback({
        status: img_status,
        redirect: newUrl,
@ -62,9 +60,9 @@ module.exports = function(req, callback) {
  var rid = req.id;
  var body = raw_type === "body";
  var userId = (req.url.path_list[2] || "").split(".")[0];
-  var def = req.url.query.default;
-  var scale = parseInt(req.url.query.scale) || config.renders.default_scale;
-  var overlay = Object.prototype.hasOwnProperty.call(req.url.query, "overlay") || Object.prototype.hasOwnProperty.call(req.url.query, "helm");
+  var def = req.url.searchParams.get("default");
+  var scale = parseInt(req.url.searchParams.get("scale")) || config.renders.default_scale;
+  var overlay = req.url.searchParams.has("overlay") || req.url.searchParams.has("helm");

  // check for extra paths
  if (req.url.path_list.length > 3) {
@ -85,6 +83,9 @@ module.exports = function(req, callback) {
    return;
  }

+  // strip dashes
+  userId = userId.replace(/-/g, "");
+
  if (scale < config.renders.min_scale || scale > config.renders.max_scale) {
    callback({
      status: -2,
@ -99,9 +100,6 @@ module.exports = function(req, callback) {
    return;
  }

-  // strip dashes
-  userId = userId.replace(/-/g, "");
-
  try {
    helpers.get_render(rid, userId, scale, overlay, body, function(err, status, hash, image) {
      if (err) {
--- a/lib/routes/skins.js
+++ b/lib/routes/skins.js
@ -14,12 +14,10 @@ function handle_default(img_status, userId, def, req, err, callback) {
  if (defname !== "steve" && defname !== "mhf_steve" && defname !== "alex" && defname !== "mhf_alex") {
    if (helpers.id_valid(def)) {
      // clean up the old URL to match new image
-      var parsed = req.url;
-      delete parsed.query.default;
-      delete parsed.search;
-      parsed.path_list[1] = def;
-      parsed.pathname = "/" + parsed.path_list.join("/");
-      var newUrl = url.format(parsed);
+      req.url.searchParams.delete('default');
+      req.url.path_list[1] = def;
+      req.url.pathname = req.url.path_list.join('/');
+      var newUrl = req.url.toString();
      callback({
        status: img_status,
        redirect: newUrl,
@ -62,7 +60,7 @@ function handle_default(img_status, userId, def, req, err, callback) {
 // GET skin request
 module.exports = function(req, callback) {
  var userId = (req.url.path_list[1] || "").split(".")[0];
-  var def = req.url.query.default;
+  var def = req.url.searchParams.get("default");
  var rid = req.id;

  // check for extra paths
@ -75,6 +73,8 @@ module.exports = function(req, callback) {
    return;
  }

+  // strip dashes
+  userId = userId.replace(/-/g, "");
  if (!helpers.id_valid(userId)) {
    callback({
      status: -2,
@ -83,9 +83,6 @@ module.exports = function(req, callback) {
    return;
  }

-  // strip dashes
-  userId = userId.replace(/-/g, "");
-
  try {
    helpers.get_skin(rid, userId, function(err, hash, status, image, slim) {
      if (err) {
--- a/lib/server.js
+++ b/lib/server.js
@ -1,6 +1,7 @@
 #!/usr/bin/env node
 var querystring = require("querystring");
 var response = require("./response");
+var helpers = require("./helpers.js");
 var toobusy = require("toobusy-js");
 var logging = require("./logging");
 var config = require("../config");
@ -21,7 +22,9 @@ var routes = {

 // serves assets from lib/public
 function asset_request(req, callback) {
-  var filename = path.join(__dirname, "public", req.url.path_list.join("/"));
+  const filename = path.join(__dirname, "public", ...req.url.path_list);
+  const relative = path.relative(path.join(__dirname, "public"), filename);
+  if (relative && !relative.startsWith('..') && !path.isAbsolute(relative)) {
    fs.access(filename, function(fs_err) {
      if (!fs_err) {
        fs.readFile(filename, function(err, data) {
@ -39,6 +42,13 @@ function asset_request(req, callback) {
        });
      }
    });
+  } else {
+    callback({
+      body: "Forbidden",
+      status: -2,
+      code: 403,
+    });
+  }
 }

 // generates a 12 character random string
@ -46,26 +56,18 @@ function request_id() {
  return Math.random().toString(36).substring(2, 14);
 }

-// splits a URL path into an Array
-// the path is resolved and decoded
+// splits decoded URL path into an Array
 function path_list(pathname) {
-  // remove double and trailing slashes
-  pathname = pathname.replace(/\/\/+/g, "/").replace(/(.)\/$/, "$1");
  var list = pathname.split("/");
  list.shift();
-  for (var i = 0; i < list.length; i++) {
-    // URL decode
-    list[i] = querystring.unescape(list[i]);
-  }
  return list;
 }

 // handles the +req+ by routing to the request to the appropriate module
 function requestHandler(req, res) {
-  req.url = url.parse(req.url, true);
-  req.url.query = req.url.query || {};
+  req.url = new URL(decodeURI(req.url), 'http://' + req.headers.host);
+  req.url.pathname = path.resolve('/', req.url.pathname);
  req.url.path_list = path_list(req.url.pathname);
-
  req.id = request_id();
  req.start = Date.now();

@ -135,6 +137,7 @@ function requestHandler(req, res) {

 var exp = {};

+// Start the server
 exp.boot = function(callback) {
  var port = config.server.port;
  var bind_ip = config.server.bind;
@ -163,7 +166,9 @@ exp.boot = function(callback) {
  });
 };

+// Close the server
 exp.close = function(callback) {
+  helpers.stoplog();
  server.close(callback);
 };

--- a/lib/views/index.html.ejs
+++ b/lib/views/index.html.ejs
@ -3,7 +3,7 @@
 <head>
  <title>Crafatar – A blazing fast API for Minecraft faces!</title>
  <meta charset="utf-8">
-  <link rel="icon" sizes="16x16" type="image/png" href="/favicon.png">
+  <link rel="icon" type="image/png" href="/favicon.png">
  <link rel="stylesheet" href="/stylesheets/bootstrap.min.css">
  <link rel="stylesheet" href="/stylesheets/style.css">
  <meta name="description" content="A blazing fast API for Minecraft faces with support for avatars, skins, and 3D renders!">
@ -76,7 +76,7 @@
              </div>
            </div>
          </form>
-          <p>You can use <a rel="nofollow" target="_blank" href="https://mcuuid.net">mcuuid.net</a> to find the UUID of a username.</p>
+          <p>You can use <a rel="nofollow" target="_blank" href="https://minecraftuuid.com">minecraftuuid.com</a> to find the UUID of a username.</p>
        </section>

        <section id="avatars">
@ -227,7 +227,12 @@
          <section id="meta-http-headers">
            <h3><a href="#meta-http-headers">HTTP Headers</a></h3>
            <p>
-              Crafatar always replies with a <code>200 OK</code> status code when the requested user's skin/cape was found. This is also used in some rare cases when Mojang servers are having issues and the image couldn't be checked for changes, but Crafatar still had a cached version. <code>502 Bad Gateway</code> and <code>500 Server Error</code> are used when no skin/cape was found because of Mojang or Crafatar server issues.
+              Crafatar always replies with a <code>200 OK</code> status code when the requested user's skin/cape was found. This is also used in some rare cases when Mojang servers are having issues and the image couldn't be checked for changes, but Crafatar still had a cached version.
+              <% if (config.caching.cloudflare) { %>
+                <code>500 Server Error</code> is used when no skin/cape was found because of Mojang or Crafatar server issues.
+              <% } else { %>
+                <code>502 Bad Gateway</code> and <code>500 Server Error</code> are used when no skin/cape was found because of Mojang or Crafatar server issues.
+              <% } %>
            </p>
            <p>
              Note that requests are usually answered with an image (with Steve/Alex skin), even if an error occured!
@ -272,23 +277,28 @@
    <div class="col-md-3">
      <h4>Popular Crafatar users</h4>
      <div class="list-group">
-        <a rel="nofollow" href="http://technicpack.net" target="_blank" class="list-group-item">Technic</a>
        <a rel="nofollow" href="https://hypixel.net" target="_blank" class="list-group-item">Hypixel</a>
-        <a rel="nofollow" href="https://www.minecraft-index.com" target="_blank" class="list-group-item">MC Index</a>
-        <a rel="nofollow" href="https://www.minehq.com/hcteams/leaderboards" target="_blank" class="list-group-item">MineHQ</a>
-        <a rel="nofollow" href="https://shotbow.net" target="_blank" class="list-group-item">Shotbow</a>
+        <a rel="nofollow" href="https://mineplex.com" target="_blank" class="list-group-item">Mineplex</a>
+        <a rel="nofollow" href="https://hivemc.com" target="_blank" class="list-group-item">The Hive</a>
+        <a rel="nofollow" href="https://www.technicpack.net" target="_blank" class="list-group-item">Technic Pack</a>
+        <a rel="nofollow" href="https://namemc.com" target="_blank" class="list-group-item">NameMC</a>
        <a rel="nofollow" href="https://mcuuid.net/" target="_blank" class="list-group-item">MCUUID</a>
        <a href="https://github.com/crafatar/crafatar/wiki/Who-uses-crafatar%3F" target="_blank" class="list-group-item">and many more…</a>
      </div>
-      <p>See also: <a rel="nofollow" href="https://github.com/crafatar/crafatar/wiki/What-people-say-about-Crafatar" target="_blank">what users say</a> about Crafatar</p>
+      <hr>
+      <h4>Quotes</h4>
+      <div id="quote-wrapper" class="list-group">
+        <a id="quote" rel="nofollow" target="_blank" class="list-group-item"></a>
+      </div>
+      <p>See <a rel="nofollow" href="https://github.com/crafatar/crafatar/wiki/What-people-say-about-Crafatar" target="_blank">all quotes</a>.</p>
      <hr>
      <h4>Crafatar Tools & Plugins</h4>
      <div class="list-group">
+        <a rel="nofollow" href="https://github.com/DiscordSRV/DiscordSRV#readme" target="_blank" class="list-group-item">DiscordSRV</a>
+        <a rel="nofollow" href="https://github.com/the-obsidian/discourse-minecraft-avatar" target="_blank" class="list-group-item">Discourse Minecraft Avatar</a>
        <a rel="nofollow" href="https://xenforo.com/community/resources/associationmc.3232/" target="_blank" class="list-group-item">AssociationMc <i>(XenForo)</i></a>
-        <a rel="nofollow" href="https://github.com/yeahwhat-mc/discourse-yeahwhat" target="_blank" class="list-group-item">Minecraft Heads <i>(Discourse)</i></a>
-        <a rel="nofollow" href="http://vanillaforums.org/addon/crafatar-plugin" target="_blank" class="list-group-item">Crafatar Avatars <i>(Vanilla)</i></a>
-        <a rel="nofollow" href="https://www.spigotmc.org/resources/picture-login.4514/" target="_blank" class="list-group-item">Picture Login <i>(Bukkit)</i></a>
-        <a rel="nofollow" href="https://github.com/sk89q/Plumeria" target="_blank" class="list-group-item">Plumeria <i>(Discord)</i></a>
+        <a rel="nofollow" href="https://open.vanillaforums.com/addon/crafatar-plugin" target="_blank" class="list-group-item">Crafatar Avatars <i>(Vanilla)</i></a>
+        <a rel="nofollow" href="https://www.spigotmc.org/resources/picture-login.4514/" target="_blank" class="list-group-item">Picture Login <i>(Spigot/Bukkit)</i></a>
        <a href="https://github.com/crafatar/crafatar/wiki/Who-uses-crafatar%3F#other-services-using-crafatar" target="_blank" class="list-group-item">and many more…</a>
      </div>
      <hr>
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -1,51 +1,25 @@
 {
  "name": "crafatar",
-  "version": "2.1.2",
+  "version": "2.1.5",
  "private": true,
-  "description": "A blazing fast API for Minecraft faces!",
-  "contributors": [
-    {
-      "name": "jomo",
-      "url": "https://github.com/jomo"
-    },
-    {
-      "name": "Jake",
-      "url": "https://github.com/Jake0oo0"
-    }
-  ],
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/crafatar/crafatar"
-  },
-  "issues": {
-    "url": "https://github.com/crafatar/crafatar/issues"
-  },
-  "keywords": [
-    "minecraft",
-    "avatar"
-  ],
  "scripts": {
    "start": "node www.js",
-    "test": "mocha",
-    "test-travis": "istanbul cover ./node_modules/mocha/bin/_mocha --report lcovonly -- -R spec && cat ./coverage/lcov.info | ./node_modules/coveralls/bin/coveralls.js && rm -rf ./coverage"
+    "test": "mocha"
  },
  "engines": {
    "node": "12.16.1"
  },
  "dependencies": {
-    "@randy.tarampi/lwip": "^1.1.0",
+    "@randy.tarampi/lwip": "^1.3.1",
    "canvas": "^2.6.1",
    "crc": "^3.8.0",
-    "ejs": "^3.0.1",
-    "mime": "^2.4.4",
+    "ejs": "^3.1.5",
+    "mime": "^2.4.6",
    "redis": "^3.0.2",
    "request": "^2.88.2",
    "toobusy-js": "^0.5.1"
  },
  "devDependencies": {
-    "coveralls": "^3.0.11",
-    "istanbul": "^0.4.5",
-    "mocha": "^7.1.1",
-    "mocha-lcov-reporter": "^1.3.0"
+    "mocha": "^7.2.0"
  }
 }
--- a/test/bulk.sh
+++ b/test/bulk.sh
@ -1,36 +1,55 @@
 #!/usr/bin/env bash

+hostname="crafatar.com"
 async="true"
+random="false"
 interval="0.1"
-if [ "$1" = "-s" ]; then
-  async=""
-  shift
-elif [ "$1" = "-i" ]; then
-  interval="$2"
-  shift 2
-fi
-host="$1"
-shift
-if [ -z "$host" ] || [ ! -z "$@" ]; then
-  echo "Usage: $0 [-s | -i <interval>] <host uri>"
-  exit 1
-fi

-# insert newline after uuids
-ids="$(cat 'uuids.txt')"
-# `brew install coreutils` on OS X
-ids="$(shuf <<< "$ids" 2>/dev/null || gshuf <<< "$ids")"
+usage() {
+  echo "Usage: $0 [-s | -r | -i <interval> | -h <hostname>]... <host uri>" >&2
+  exit 1
+}
+
+get_ids() {
+  local shuf
+  if [ "$random" = "true" ]; then
+    while true; do uuid -v 4; done
+  else
+    # `brew install coreutils` on OS X for gshuf
+    shuf=$(command -v shuf gshuf)
+    # randomize ids
+    $shuf < uuids.txt
+  fi
+}

 bulk() {
-  trap return INT
-  echo "$ids" | while read id; do
-    if [ -z "$async" ]; then
-      curl -sSL -o /dev/null -w "%{url_effective} %{http_code} %{time_total}s\\n" -- "$host/avatars/$id?overlay"
+  trap return INT # return from this function on Ctrl+C
+  get_ids | while read id; do
+    if [ "$async" = "false" ]; then
+      curl -H "Host: $hostname" -sSL -o /dev/null -w "%{url_effective} %{http_code} %{time_total}s\\n" -- "$host/avatars/$id?overlay"
    else
-      curl -sSL -o /dev/null -w "%{url_effective} %{http_code} %{time_total}s\\n" -- "$host/avatars/$id?overlay" &
+      curl -H "Host: $hostname" -sSL -o /dev/null -w "%{url_effective} %{http_code} %{time_total}s\\n" -- "$host/avatars/$id?overlay" &
      sleep "$interval"
    fi
  done
 }

+while [ $# != 0 ]; do
+  case "$1" in
+    -s)
+      async="false";;
+    -r)
+      random="true";;
+    -i)
+      interval="$2"
+      shift;;
+    *)
+      [ -n "$host" ] && usage
+      host="$1";;
+  esac
+  shift
+done
+
+[ -z "$host" ] && usage
+
 time bulk
--- a/test/test.js
+++ b/test/test.js
@ -3,7 +3,7 @@

 // no spam
 var logging = require("../lib/logging");
-if (process.env.VERBOSE_TEST !== "true" && process.env.TRAVIS !== "true") {
+if (process.env.VERBOSE_TEST !== "true") {
  logging.log = logging.debug = logging.warn = logging.error = function() {};
 }

@ -88,8 +88,8 @@ describe("Crafatar", function() {
      assert.strictEqual(helpers.id_valid("1DCEF164FF0A47F2B9A691385C774EE7"), true);
      done();
    });
-    it("dashed uuid is valid", function(done) {
-      assert.strictEqual(helpers.id_valid("0098cb60-fa8e-427c-b299-793cbd302c9a"), true);
+    it("dashed uuid is not valid", function(done) {
+      assert.strictEqual(helpers.id_valid("0098cb60-fa8e-427c-b299-793cbd302c9a"), false);
      done();
    });
    it("username is invalid", function(done) {
@ -158,7 +158,7 @@ describe("Crafatar", function() {
    it("should time out on skin download", function(done) {
      var original_timeout = config.http_timeout;
      config.server.http_timeout = 1;
-      networking.get_from(rid(), "http://textures.minecraft.net/texture/477be35554684c28bdeee4cf11c591d3c88afb77e0b98da893fd7bc318c65184", function(body, res, error) {
+      networking.get_from(rid(), config.endpoints.textures_url + "477be35554684c28bdeee4cf11c591d3c88afb77e0b98da893fd7bc318c65184", function(body, res, error) {
        assert.notStrictEqual(["ETIMEDOUT", "ESOCKETTIMEDOUT"].indexOf(error.code), -1);
        config.server.http_timeout = original_timeout;
        done();
@ -166,7 +166,7 @@ describe("Crafatar", function() {
    });
    it("should not find the skin", function(done) {
      assert.doesNotThrow(function() {
-        networking.get_from(rid(), "http://textures.minecraft.net/texture/this-does-not-exist", function(img, response, err) {
+        networking.get_from(rid(), config.endpoints.textures_url + "this-does-not-exist", function(img, response, err) {
          assert.strictEqual(err, null); // no error here, but it shouldn't throw exceptions
          done();
        });
@ -298,20 +298,24 @@ describe("Crafatar", function() {
    var server_tests = {
      "avatar with existing uuid": {
        url: "http://localhost:3000/avatars/853c80ef3c3749fdaa49938b674adae6?size=16",
-        crc32: [3337292777],
+        crc32: [4264176600],
+      },
+      "avatar with existing dashed uuid": {
+        url: "http://localhost:3000/avatars/853c80ef-3c37-49fd-aa49938b674adae6?size=16",
+        crc32: [4264176600],
      },
      "avatar with non-existent uuid": {
        url: "http://localhost:3000/avatars/00000000000000000000000000000000?size=16",
-        crc32: [2416827277, 1243826040],
+        crc32: [3348154329],
      },
      "avatar with non-existent uuid defaulting to mhf_alex": {
        url: "http://localhost:3000/avatars/00000000000000000000000000000000?size=16&default=mhf_alex",
-        crc32: [862751081, 809395677],
+        crc32: [73899130],
      },
      "avatar with non-existent uuid defaulting to uuid": {
        url: "http://localhost:3000/avatars/00000000000000000000000000000000?size=16&default=853c80ef3c3749fdaa49938b674adae6",
        crc32: [0],
-        redirect: "/avatars/853c80ef3c3749fdaa49938b674adae6?size=16",
+        redirect: "http://localhost:3000/avatars/853c80ef3c3749fdaa49938b674adae6?size=16",
      },
      "avatar with non-existent uuid defaulting to url": {
        url: "http://localhost:3000/avatars/00000000000000000000000000000000?size=16&default=http%3A%2F%2Fexample.com%2FCaseSensitive",
@ -320,20 +324,20 @@ describe("Crafatar", function() {
      },
      "overlay avatar with existing uuid": {
        url: "http://localhost:3000/avatars/853c80ef3c3749fdaa49938b674adae6?size=16&overlay",
-        crc32: [1710265722],
+        crc32: [575355728],
      },
      "overlay avatar with non-existent uuid": {
        url: "http://localhost:3000/avatars/00000000000000000000000000000000?size=16&overlay",
-        crc32: [2416827277, 1243826040],
+        crc32: [3348154329],
      },
      "overlay avatar with non-existent uuid defaulting to mhf_alex": {
        url: "http://localhost:3000/avatars/00000000000000000000000000000000?size=16&overlay&default=mhf_alex",
-        crc32: [862751081, 809395677],
+        crc32: [73899130],
      },
      "overlay avatar with non-existent uuid defaulting to uuid": {
        url: "http://localhost:3000/avatars/00000000000000000000000000000000?size=16&default=853c80ef3c3749fdaa49938b674adae6",
        crc32: [0],
-        redirect: "/avatars/853c80ef3c3749fdaa49938b674adae6?size=16",
+        redirect: "http://localhost:3000/avatars/853c80ef3c3749fdaa49938b674adae6?size=16",
      },
      "overlay avatar with non-existent uuid defaulting to url": {
        url: "http://localhost:3000/avatars/00000000000000000000000000000000?size=16&overlay&default=http%3A%2F%2Fexample.com%2FCaseSensitive",
@ -342,7 +346,7 @@ describe("Crafatar", function() {
      },
      "cape with existing uuid": {
        url: "http://localhost:3000/capes/853c80ef3c3749fdaa49938b674adae6",
-        crc32: [2556702429],
+        crc32: [985789174, 2099310578],
      },
      "cape with non-existent uuid": {
        url: "http://localhost:3000/capes/00000000000000000000000000000000",
@ -355,20 +359,20 @@ describe("Crafatar", function() {
      },
      "skin with existing uuid": {
        url: "http://localhost:3000/skins/853c80ef3c3749fdaa49938b674adae6",
-        crc32: [26500336],
+        crc32: [1759176487],
      },
      "skin with non-existent uuid": {
        url: "http://localhost:3000/skins/00000000000000000000000000000000",
-        crc32: [981937087],
+        crc32: [1853029228],
      },
      "skin with non-existent uuid defaulting to mhf_alex": {
        url: "http://localhost:3000/skins/00000000000000000000000000000000?default=mhf_alex",
-        crc32: [2298915739],
+        crc32: [427506205],
      },
      "skin with non-existent uuid defaulting to uuid": {
        url: "http://localhost:3000/skins/00000000000000000000000000000000?size=16&default=853c80ef3c3749fdaa49938b674adae6",
        crc32: [0],
-        redirect: "/skins/853c80ef3c3749fdaa49938b674adae6?size=16",
+        redirect: "http://localhost:3000/skins/853c80ef3c3749fdaa49938b674adae6?size=16",
      },
      "skin with non-existent uuid defaulting to url": {
        url: "http://localhost:3000/skins/00000000000000000000000000000000?default=http%3A%2F%2Fexample.com%2FCaseSensitive",
@ -390,7 +394,7 @@ describe("Crafatar", function() {
      "head render with non-existent uuid defaulting to uuid": {
        url: "http://localhost:3000/renders/head/00000000000000000000000000000000?scale=2&default=853c80ef3c3749fdaa49938b674adae6",
        crc32: [0],
-        redirect: "/renders/head/853c80ef3c3749fdaa49938b674adae6?scale=2",
+        redirect: "http://localhost:3000/renders/head/853c80ef3c3749fdaa49938b674adae6?scale=2",
      },
      "head render with non-existent uuid defaulting to url": {
        url: "http://localhost:3000/renders/head/00000000000000000000000000000000?scale=2&default=http%3A%2F%2Fexample.com%2FCaseSensitive",
@ -412,7 +416,7 @@ describe("Crafatar", function() {
      "overlay head with non-existent uuid defaulting to uuid": {
        url: "http://localhost:3000/renders/head/00000000000000000000000000000000?scale=2&overlay&default=853c80ef3c3749fdaa49938b674adae6",
        crc32: [0],
-        redirect: "/renders/head/853c80ef3c3749fdaa49938b674adae6?scale=2&overlay=",
+        redirect: "http://localhost:3000/renders/head/853c80ef3c3749fdaa49938b674adae6?scale=2&overlay=",
      },
      "overlay head render with non-existent uuid defaulting to url": {
        url: "http://localhost:3000/renders/head/00000000000000000000000000000000?scale=2&overlay&default=http%3A%2F%2Fexample.com%2FCaseSensitive",
@ -421,7 +425,7 @@ describe("Crafatar", function() {
      },
      "body render with existing uuid": {
        url: "http://localhost:3000/renders/body/853c80ef3c3749fdaa49938b674adae6?scale=2",
-        crc32: [2745192436],
+        crc32: [1144887125],
      },
      "body render with non-existent uuid": {
        url: "http://localhost:3000/renders/body/00000000000000000000000000000000?scale=2",
@ -429,12 +433,12 @@ describe("Crafatar", function() {
      },
      "body render with non-existent uuid defaulting to mhf_alex": {
        url: "http://localhost:3000/renders/body/00000000000000000000000000000000?scale=2&default=mhf_alex",
-        crc32: [1255106465],
+        crc32: [4280894468],
      },
      "body render with non-existent uuid defaulting to uuid": {
        url: "http://localhost:3000/renders/body/00000000000000000000000000000000?scale=2&default=853c80ef3c3749fdaa49938b674adae6",
        crc32: [0],
-        redirect: "/renders/body/853c80ef3c3749fdaa49938b674adae6?scale=2",
+        redirect: "http://localhost:3000/renders/body/853c80ef3c3749fdaa49938b674adae6?scale=2",
      },
      "body render with non-existent uuid defaulting to url": {
        url: "http://localhost:3000/renders/body/00000000000000000000000000000000?scale=2&default=http%3A%2F%2Fexample.com%2FCaseSensitive",
@ -443,7 +447,7 @@ describe("Crafatar", function() {
      },
      "overlay body render with existing uuid": {
        url: "http://localhost:3000/renders/body/853c80ef3c3749fdaa49938b674adae6?scale=2&overlay",
-        crc32: [2441671793],
+        crc32: [1107696668],
      },
      "overlay body render with non-existent uuid": {
        url: "http://localhost:3000/renders/body/00000000000000000000000000000000?scale=2&overlay",
@ -451,7 +455,7 @@ describe("Crafatar", function() {
      },
      "overlay body render with non-existent uuid defaulting to mhf_alex": {
        url: "http://localhost:3000/renders/body/00000000000000000000000000000000?scale=2&overlay&default=mhf_alex",
-        crc32: [1255106465],
+        crc32: [4280894468],
      },
      "overlay body render with non-existent uuid defaulting to url": {
        url: "http://localhost:3000/renders/body/00000000000000000000000000000000?scale=2&overlay&default=http%3A%2F%2Fexample.com%2FCaseSensitive",
@ -535,7 +539,7 @@ describe("Crafatar", function() {
    });

    it("should return a 422 (invalid render type)", function(done) {
-      request.get("http://localhost:3000/renders/invalid/Jake_0", function(error, res, body) {
+      request.get("http://localhost:3000/renders/invalid/2d5aa9cdaeb049189930461fc9b91cc5", function(error, res, body) {
        assert.ifError(error);
        assert.strictEqual(res.statusCode, 422);
        done();
@ -564,6 +568,30 @@ describe("Crafatar", function() {
        });
      }(loc));
    }
+
+    it("should return /public resources", function(done) {
+      request.get("http://localhost:3000/javascript/crafatar.js", function(error, res, body) {
+        assert.ifError(error);
+        assert.strictEqual(res.statusCode, 200);
+        done();
+      });
+    });
+
+    it("should not allow path traversal on /public", function(done) {
+      request.get("http://localhost:3000/../server.js", function(error, res, body) {
+        assert.ifError(error);
+        assert.strictEqual(res.statusCode, 404);
+        done();
+      });
+    });
+
+    it("should not allow encoded path traversal on /public", function(done) {
+      request.get("http://localhost:3000/%2E%2E/server.js", function(error, res, body) {
+        assert.ifError(error);
+        assert.strictEqual(res.statusCode, 404);
+        done();
+      });
+    });
  });

  // we have to make sure that we test both a 32x64 and 64x64 skin
@ -584,7 +612,7 @@ describe("Crafatar", function() {

  describe("Networking: Cape", function() {
    it("should not fail (guaranteed cape)", function(done) {
-      helpers.get_cape(rid(), "Dinnerbone", function(err, hash, status, img) {
+      helpers.get_cape(rid(), "61699b2ed3274a019f1e0ea8c3f06bc6", function(err, hash, status, img) {
        assert.strictEqual(err, null);
        done();
      });
@ -593,13 +621,13 @@ describe("Crafatar", function() {
      before(function() {
        cache.get_redis().flushall();
      });
-      helpers.get_cape(rid(), "Dinnerbone", function(err, hash, status, img) {
+      helpers.get_cape(rid(), "61699b2ed3274a019f1e0ea8c3f06bc6", function(err, hash, status, img) {
        assert.strictEqual(err, null);
        done();
      });
    });
    it("should not be found", function(done) {
-      helpers.get_cape(rid(), "Jake_0", function(err, hash, status, img) {
+      helpers.get_cape(rid(), "2d5aa9cdaeb049189930461fc9b91cc5", function(err, hash, status, img) {
        assert.ifError(err);
        assert.strictEqual(img, null);
        done();
@ -609,7 +637,7 @@ describe("Crafatar", function() {

  describe("Networking: Skin", function() {
    it("should not fail", function(done) {
-      helpers.get_cape(rid(), "Jake_0", function(err, hash, status, img) {
+      helpers.get_cape(rid(), "2d5aa9cdaeb049189930461fc9b91cc5", function(err, hash, status, img) {
        assert.strictEqual(err, null);
        done();
      });
@ -618,7 +646,7 @@ describe("Crafatar", function() {
      before(function() {
        cache.get_redis().flushall();
      });
-      helpers.get_cape(rid(), "Jake_0", function(err, hash, status, img) {
+      helpers.get_cape(rid(), "2d5aa9cdaeb049189930461fc9b91cc5", function(err, hash, status, img) {
        assert.strictEqual(err, null);
        done();
      });
@ -686,15 +714,16 @@ describe("Crafatar", function() {
      cache.get_redis().flushall();
    });

-    it("uuid SHOULD be rate limited", function(done) {
-      networking.get_profile(rid(), uuid, function() {
-        networking.get_profile(rid(), uuid, function(err, profile) {
-          assert.strictEqual(err.toString(), "HTTP: 429");
-          assert.strictEqual(profile, null);
-          done();
-        });
-      });
-    });
+    // Mojang has changed its rate limiting, so we no longer expect to hit the rate limit
+    // it("uuid SHOULD be rate limited", function(done) {
+    //   networking.get_profile(rid(), uuid, function() {
+    //     networking.get_profile(rid(), uuid, function(err, profile) {
+    //       assert.strictEqual(err.toString(), "HTTP: 429");
+    //       assert.strictEqual(profile, null);
+    //       done();
+    //     });
+    //   });
+    // });

    it("CloudFront rate limit is handled", function(done) {
      var original_rate_limit = config.server.sessions_rate_limit;
Author	SHA1	Message	Date
Azures	0e2a23ccbb	Use environment variables for endpoint URLs	2025-12-08 21:05:09 +01:00
azures04	41690f84c7	Custom endpoints - minor change to customise textures & session server host for custom yggdrasil server	2025-12-08 21:02:48 +01:00
jomo	d6293cc73d	bump version to 2.1.5	2024-02-01 22:29:09 +01:00
jomo	c155c8d098	update dependencies	2024-02-01 22:25:43 +01:00
jomo	bba004acc7	improve URL parsing uses `new URL()` and `decodeURI()` instead of `url.parse()` also checks that the requested file is in a subdirectory of `public/` before serving the file fixes path traversal vulnerability GHSA-5cxq-25mp-q5f2	2024-02-01 22:24:29 +01:00
jomo	9cb32a843f	strip dashes from uuids before handling them	2024-02-01 22:19:02 +01:00
jomo	e44ebda56f	periodically log number of current skin and cape requests	2024-02-01 22:00:44 +01:00
jomo	fb4d24de6b	bump version to 2.1.4	2020-12-12 23:46:41 +01:00
Jonathan Madeley	59f27f0769	mcuuid.net -> minecraftuuid.com	2020-12-12 23:39:13 +01:00
jomo	019ca37037	improve Dockerfile	2020-12-12 23:38:04 +01:00
jomo	56765488e0	improve test script	2020-12-12 23:37:13 +01:00
jomo	1328f98746	change old tests from usernames to uuids	2020-12-12 22:50:29 +01:00
jomo	ef4b2f8005	fix an issue with rate limiting	2020-12-12 22:49:31 +01:00
jomo	fe5ce6b688	update dependencies, remove some devDependencies	2020-12-12 22:48:57 +01:00
jomo	a6e8e6b0f9	delete travis stuff	2020-12-12 22:45:58 +01:00
jomo	29955a1765	improve mojang status message as Mojang has removed their status page and their status API is no longer updating, status information is now fetched from https://mc-heads.net/json/mc_status and the warning message links to https://mc-heads.net/mcstatus see #271, closes #272	2020-09-10 22:32:23 +02:00
jomo	265a98d404	pass on caching status information foor 3D renders this was falsely always set to 2, indicating the skin was downloaded, even when it was cached	2020-07-13 00:41:21 +02:00
jomo	624bf0e338	don't count session_requests when SESSIONS_RATE_LIMIT is not set	2020-07-13 00:14:27 +02:00
jomo	db565f86c8	delete unnecessary files	2020-07-13 00:01:50 +02:00
jomo	0d2fe02cbc	bump version to 2.1.3	2020-04-05 05:40:25 +02:00
jomo	e69b3f38fb	new logo \o/	2020-04-05 05:15:59 +02:00
jomo	22309efba9	show quotes on frontpage	2020-04-05 05:15:27 +02:00
jomo	3bd76ad918	update popular users and tools	2020-04-05 05:14:02 +02:00
jomo	22448c098b	use 500 instead of 502 when using Cloudflare Otherwise Cloudflare will replace images served with 502 with their own error page. This can only be turned off in paid plans of Cloudflare.	2020-04-05 02:42:14 +02:00
jomo	7ad6f85aec	improve regex	2020-03-30 01:23:16 +02:00
jomo	b87be6f9f3	simplify package.json	2020-03-29 20:59:33 +02:00
jomo	e0233f2899	document undocumented functions	2020-03-29 20:13:24 +02:00