From 1967c076a9b3b6b40d3a2c6f57c25803187920db Mon Sep 17 00:00:00 2001 
From: zefie Date: Sun, 15 Aug 2021 18:51:48 -0400 Subject: [PATCH] add protection against requesting direct service files --- .../ServiceVault/http_pc/get.js | 2 + .../ServiceVault/http_pc/index.js | 2 + .../ServiceVault/wtv-1800/noflash.js | 2 + .../wtv-1800/offer-open-isp-suggest.js | 2 + .../ServiceVault/wtv-1800/preregister.js | 76 ++++++++++--------- .../ServiceVault/wtv-chat/MakeChatPage.js | 2 + .../ServiceVault/wtv-chat/home.js | 2 + .../ServiceVault/wtv-cookie/add.js | 2 + .../ServiceVault/wtv-cookie/get.js | 2 + .../ServiceVault/wtv-cookie/list.js | 2 + .../ServiceVault/wtv-cookie/reset.js | 2 + .../ServiceVault/wtv-disk/delete-group.js | 2 + .../ServiceVault/wtv-disk/sync.js | 2 + .../ServiceVault/wtv-disk/userstore.js | 2 + .../wtv-flashrom/content/content-serve.js | 2 + .../wtv-flashrom/current-noflash.js | 2 + .../ServiceVault/wtv-flashrom/get-by-path.js | 2 + .../ServiceVault/wtv-flashrom/get-lc2-page.js | 4 +- .../wtv-flashrom/initiate-lc2-download.js | 2 + .../wtv-flashrom/lc2-download-complete.js | 4 +- .../wtv-flashrom/lc2-download-failed.js | 2 + .../ServiceVault/wtv-flashrom/noflash.js | 2 + .../ServiceVault/wtv-flashrom/willie.js | 2 + .../wtv-head-waiter/finalize-security.js | 2 + .../wtv-head-waiter/login-stage-two.js | 2 + .../ServiceVault/wtv-head-waiter/login.js | 2 + .../ServiceVault/wtv-head-waiter/relogin.js | 2 + .../ServiceVault/wtv-home/home.js | 2 + .../ServiceVault/wtv-home/splash.js | 2 + .../ServiceVault/wtv-log/log.js | 2 + .../ServiceVault/wtv-music/get-playlist.js | 2 + .../ServiceVault/wtv-register/BeMyGuest.js | 2 + .../wtv-register/FinishRegistration.js | 2 + .../wtv-register/ValidateAccountInfo.js | 2 +- .../wtv-register/ValidateAgreement.js | 2 + .../wtv-register/ValidateReviewAccountInfo.js | 2 + .../ServiceVault/wtv-register/register.js | 2 + .../ServiceVault/wtv-register/splash.js | 2 + .../ServiceVault/wtv-setup/get.js | 2 + .../ServiceVault/wtv-tricks/access.js | 2 + .../ServiceVault/wtv-tricks/blastbacklist.js | 2 
+ .../ServiceVault/wtv-tricks/go-offline.js | 2 + .../ServiceVault/wtv-tricks/info.js | 1 + .../ServiceVault/wtv-tricks/register.js | 2 + .../ServiceVault/wtv-tricks/tricks.js | 2 + .../ServiceVault/wtv-tricks/unregister.js | 2 + zefie_wtvp_minisrv/WTVShared.js | 31 ++++++++ zefie_wtvp_minisrv/app.js | 67 +++++++++++++--- 48 files changed, 215 insertions(+), 52 deletions(-) diff --git a/zefie_wtvp_minisrv/ServiceVault/http_pc/get.js b/zefie_wtvp_minisrv/ServiceVault/http_pc/get.js index 658b975a..65bd2d4c 100644 --- a/zefie_wtvp_minisrv/ServiceVault/http_pc/get.js +++ b/zefie_wtvp_minisrv/ServiceVault/http_pc/get.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + if (request_headers.query.url) { if (request_headers.query.url.indexOf(":/") > 0) { var service_request = request_headers.query.url.split(":/")[0]; diff --git a/zefie_wtvp_minisrv/ServiceVault/http_pc/index.js b/zefie_wtvp_minisrv/ServiceVault/http_pc/index.js index 802a1f4b..30c83bfe 100644 --- a/zefie_wtvp_minisrv/ServiceVault/http_pc/index.js +++ b/zefie_wtvp_minisrv/ServiceVault/http_pc/index.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + headers = `200 OK Content-Type: text/html` diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-1800/noflash.js b/zefie_wtvp_minisrv/ServiceVault/wtv-1800/noflash.js index 1c68e5b8..79ba73c1 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-1800/noflash.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-1800/noflash.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + if (socket.ssid != null && !ssid_sessions[socket.ssid].get("wtvsec_login")) { var wtvsec_login = new WTVSec(minisrv_config); wtvsec_login.IssueChallenge(); diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-1800/offer-open-isp-suggest.js b/zefie_wtvp_minisrv/ServiceVault/wtv-1800/offer-open-isp-suggest.js index 2885e20f..6b76eb8d 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-1800/offer-open-isp-suggest.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-1800/offer-open-isp-suggest.js 
@@ -1,3 +1,5 @@ +var minisrv_service_file = true; + var gourl = "wtv-1800:/finish-prereg?"; if (request_headers.query.relogin) gourl += "relogin=true"; diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-1800/preregister.js b/zefie_wtvp_minisrv/ServiceVault/wtv-1800/preregister.js index 31321803..ffd68c3d 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-1800/preregister.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-1800/preregister.js 
@@ -1,45 +1,47 @@ - var gourl = "wtv-head-waiter:/login?"; +var minisrv_service_file = true; - if (socket.ssid) { - if (ssid_sessions[socket.ssid].loadSessionData() == true) { - console.log(" * Loaded session data from disk for", wtvshared.filterSSID(socket.ssid)) - ssid_sessions[socket.ssid].setSessionData("registered", (ssid_sessions[socket.ssid].getSessionData("registered") == true) ? true : false); - } else { - ssid_sessions[socket.ssid].session_data = {}; - ssid_sessions[socket.ssid].setSessionData("registered", false); - } - if (ssid_sessions[socket.ssid].data_store) { - if (ssid_sessions[socket.ssid].data_store.sockets) { - var i = 0; - ssid_sessions[socket.ssid].data_store.sockets.forEach(function (k) { - if (typeof k != "undefined") { - if (k != socket) { - k.destroy(); - ssid_sessions[socket.ssid].data_store.sockets.delete(k); - i++; - } - } - }); - if (i > 0 && minisrv_config.config.debug_flags.debug) console.log(" # Closed", i, "previous sockets for", wtvshared.filterSSID(socket.ssid)); - } - } - if (ssid_sessions[socket.ssid].data_store.wtvsec_login) { - if (minisrv_config.config.debug_flags.debug) console.log(" # Recreating primary WTVSec login instance for", wtvshared.filterSSID(socket.ssid)); - delete ssid_sessions[socket.ssid].data_store.wtvsec_login; - } +var gourl = "wtv-head-waiter:/login?"; - ssid_sessions[socket.ssid].data_store.wtvsec_login = new WTVSec(minisrv_config); - ssid_sessions[socket.ssid].data_store.wtvsec_login.IssueChallenge(); - ssid_sessions[socket.ssid].data_store.wtvsec_login.set_incarnation(request_headers["wtv-incarnation"] || 1); +if (socket.ssid) { + if (ssid_sessions[socket.ssid].loadSessionData() == true) { + console.log(" * Loaded session data from disk for", wtvshared.filterSSID(socket.ssid)) + ssid_sessions[socket.ssid].setSessionData("registered", (ssid_sessions[socket.ssid].getSessionData("registered") == true) ? 
true : false); } else { - console.log(" * Something bad happened (we don't know the client ssid???)"); - var errpage = doErrorPage(400) - headers = errpage[0]; - data = errpage[1]; + ssid_sessions[socket.ssid].session_data = {}; + ssid_sessions[socket.ssid].setSessionData("registered", false); + } + if (ssid_sessions[socket.ssid].data_store) { + if (ssid_sessions[socket.ssid].data_store.sockets) { + var i = 0; + ssid_sessions[socket.ssid].data_store.sockets.forEach(function (k) { + if (typeof k != "undefined") { + if (k != socket) { + k.destroy(); + ssid_sessions[socket.ssid].data_store.sockets.delete(k); + i++; + } + } + }); + if (i > 0 && minisrv_config.config.debug_flags.debug) console.log(" # Closed", i, "previous sockets for", wtvshared.filterSSID(socket.ssid)); + } + } + if (ssid_sessions[socket.ssid].data_store.wtvsec_login) { + if (minisrv_config.config.debug_flags.debug) console.log(" # Recreating primary WTVSec login instance for", wtvshared.filterSSID(socket.ssid)); + delete ssid_sessions[socket.ssid].data_store.wtvsec_login; } - if (request_headers.query.relogin && ssid_sessions[socket.ssid].getSessionData("registered")) gourl += "relogin=true"; - if (request_headers.query.reconnect && ssid_sessions[socket.ssid].getSessionData("registered")) gourl += "reconnect=true"; + ssid_sessions[socket.ssid].data_store.wtvsec_login = new WTVSec(minisrv_config); + ssid_sessions[socket.ssid].data_store.wtvsec_login.IssueChallenge(); + ssid_sessions[socket.ssid].data_store.wtvsec_login.set_incarnation(request_headers["wtv-incarnation"] || 1); +} else { + console.log(" * Something bad happened (we don't know the client ssid???)"); + var errpage = doErrorPage(400) + headers = errpage[0]; + data = errpage[1]; +} + +if (request_headers.query.relogin && ssid_sessions[socket.ssid].getSessionData("registered")) gourl += "relogin=true"; +if (request_headers.query.reconnect && ssid_sessions[socket.ssid].getSessionData("registered")) gourl += "reconnect=true"; if 
(ssid_sessions[socket.ssid].data_store.wtvsec_login) { var prereg_contype = "text/html"; diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-chat/MakeChatPage.js b/zefie_wtvp_minisrv/ServiceVault/wtv-chat/MakeChatPage.js index 22725453..5bdb1ed8 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-chat/MakeChatPage.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-chat/MakeChatPage.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + headers = "200 OK"; if (request_headers.query.nick) headers += "\n" + ssid_sessions[socket.ssid].setIRCNick(request_headers.query.nick); headers += "\nContent-Type: text/html"; diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-chat/home.js b/zefie_wtvp_minisrv/ServiceVault/wtv-chat/home.js index 27008043..e3602a33 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-chat/home.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-chat/home.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + var irc_nick = ""; headers = "200 OK"; if (request_headers.query.nick) headers += "\n" + ssid_sessions[socket.ssid].setIRCNick(request_headers.query.nick); diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-cookie/add.js b/zefie_wtvp_minisrv/ServiceVault/wtv-cookie/add.js index 80975afb..2e592bbf 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-cookie/add.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-cookie/add.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + if (socket.ssid) { if (request_headers.post_data) { if (ssid_sessions[socket.ssid]) { diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-cookie/get.js b/zefie_wtvp_minisrv/ServiceVault/wtv-cookie/get.js index 90f5ad98..6c177a20 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-cookie/get.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-cookie/get.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + if (request_headers.post_data) { if (request_headers.query.domain && request_headers.query.path) { if (socket.ssid) { 
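Review bot: In preregister.js the two `gourl` checks after the `else` branch still evaluate `ssid_sessions[socket.ssid].getSessionData("registered")` when `socket.ssid` is missing, so a request without an SSID has its 400 page prepared and then presumably throws a TypeError on the undefined session entry. The re-indentation keeps that behaviour. Guarding those two lines and the following `data_store.wtvsec_login` test with `socket.ssid && ssid_sessions[socket.ssid]` would let the error page be the response. The rest of the script lies outside the hunk, so how the loader handles the exception is not visible here.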
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-cookie/list.js b/zefie_wtvp_minisrv/ServiceVault/wtv-cookie/list.js index e3f6a46b..c511861b 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-cookie/list.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-cookie/list.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + if (socket.ssid) { if (ssid_sessions[socket.ssid]) { diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-cookie/reset.js b/zefie_wtvp_minisrv/ServiceVault/wtv-cookie/reset.js index 6a1801dc..2244ed90 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-cookie/reset.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-cookie/reset.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + if (socket.ssid) { if (ssid_sessions[socket.ssid]) { ssid_sessions[socket.ssid].resetCookies(); diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-disk/delete-group.js b/zefie_wtvp_minisrv/ServiceVault/wtv-disk/delete-group.js index cc568a9c..1b3d42ae 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-disk/delete-group.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-disk/delete-group.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + if (request_headers.query.group) { const WTVDownloadList = require("./WTVDownloadList.js"); var wtvdl = new WTVDownloadList(minisrv_config, service_name); diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-disk/sync.js b/zefie_wtvp_minisrv/ServiceVault/wtv-disk/sync.js index e303f960..ba035998 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-disk/sync.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-disk/sync.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + const WTVDownloadList = require("./WTVDownloadList.js"); var wtvdl = new WTVDownloadList(minisrv_config, service_name); diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-disk/userstore.js b/zefie_wtvp_minisrv/ServiceVault/wtv-disk/userstore.js index f53bd496..c0ed0273 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-disk/userstore.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-disk/userstore.js 
@@ -1,3 +1,5 @@ +var minisrv_service_file = true; + if (request_headers.post_data) { if (request_headers.query.partialPath || request_headers.query.path) { if (socket.ssid) { diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/content/content-serve.js b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/content/content-serve.js index 95fdea50..51e8d521 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/content/content-serve.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/content/content-serve.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + const WTVFlashrom = require("./WTVFlashrom.js"); request_is_async = true; diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/current-noflash.js b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/current-noflash.js index 25858295..dfef8bf7 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/current-noflash.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/current-noflash.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + const WTVFlashrom = require("./WTVFlashrom.js"); request_is_async = true; diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/get-by-path.js b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/get-by-path.js index 317c5fa4..eabb483a 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/get-by-path.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/get-by-path.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + const WTVFlashrom = require("./WTVFlashrom.js"); request_is_async = true; diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/get-lc2-page.js b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/get-lc2-page.js index 4af7560b..62ee06b3 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/get-lc2-page.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/get-lc2-page.js 
@@ -93,7 +93,9 @@ data += ` nexturl="${flashrom_info.next_rompath}" errorurl="${service_name}:/lc2-download-failed?" ` - if (!flashrom_info.is_last_part) data += `blockurl = "${flashrom_info.rompath}"`; + if (!var minisrv_service_file = true; + +flashrom_info.is_last_part) data += `blockurl = "${flashrom_info.rompath}"`; data += ` lastblock="${flashrom_info.is_last_part}" diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/initiate-lc2-download.js b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/initiate-lc2-download.js index dc6ca784..0f69b193 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/initiate-lc2-download.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/initiate-lc2-download.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + if (request_headers.query.path) { var url = service_name + ":/get-lc2-page?path=" + request_headers.query.path; var romtype = ssid_sessions[socket.ssid].get("wtv-client-rom-type"); diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/lc2-download-complete.js b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/lc2-download-complete.js index b0e11ad6..ee8b277f 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/lc2-download-complete.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/lc2-download-complete.js @@ -42,7 +42,9 @@ Updating complete - +var minisrv_service_file = true; + + diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/lc2-download-failed.js b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/lc2-download-failed.js index 3f6e1b91..5008076c 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/lc2-download-failed.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/lc2-download-failed.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + var error = ''; if (request_headers.query.error) { switch (request_headers.query.error) { diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/noflash.js b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/noflash.js index 1ee36f57..489d9a21 100644 
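Review bot: The marker in get-lc2-page.js was inserted in the middle of an expression (hunk at line 93) instead of on line 1: the new side reads `if (!var minisrv_service_file = true;` followed by `flashrom_info.is_last_part) data += ...`, which is a syntax error, so this service script will no longer parse. Restore `if (!flashrom_info.is_last_part)` and add `var minisrv_service_file = true;` as the first line of the file. The same misplaced insertion appears in lc2-download-complete.js (hunk at line 42), apparently inside the page markup, where the text would end up in the output sent to the client. Because the check added in app.js reads only line 0, both files also remain unprotected against direct requests. The enclosing statements start outside both hunks.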
--- a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/noflash.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/noflash.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + const WTVFlashrom = require("./WTVFlashrom.js"); request_is_async = true; diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/willie.js b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/willie.js index 2ac678cf..b13b17ea 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/willie.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/willie.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + // willie is just a graphical frontend to a list of ROMs // the rest of the scripts should work if you manually link to a ROM, and actually have it. diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/finalize-security.js b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/finalize-security.js index 086789bc..02c75246 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/finalize-security.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/finalize-security.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + var challenge_response, challenge_header = ''; var gourl; diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login-stage-two.js b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login-stage-two.js index 033ada1c..54df129f 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login-stage-two.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login-stage-two.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + var challenge_response, challenge_header = ''; var gourl; diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login.js b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login.js index 38e60ef4..77a2a638 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login.js 
@@ -1,3 +1,5 @@ +var minisrv_service_file = true; + var challenge_response, challenge_header = ""; var gourl = "wtv-head-waiter:/login-stage-two?"; diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/relogin.js b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/relogin.js index 52cb2023..23bfa01d 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/relogin.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/relogin.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + var gourl = "wtv-1800:/preregister?"; if (request_headers.query.relogin) gourl += "relogin=true"; else if (request_headers.query.reconnect) gourl += "reconnect=true"; diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-home/home.js b/zefie_wtvp_minisrv/ServiceVault/wtv-home/home.js index 6b804319..c9dca1b5 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-home/home.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-home/home.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + headers =`200 OK Connection: Keep-Alive wtv-expire-all: wtv-home:/splash diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-home/splash.js b/zefie_wtvp_minisrv/ServiceVault/wtv-home/splash.js index 52aa1306..93014d6d 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-home/splash.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-home/splash.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + headers = `200 OK Connection: Keep-Alive wtv-expire-all: wtv- diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-log/log.js b/zefie_wtvp_minisrv/ServiceVault/wtv-log/log.js index b3e69ae5..a547fda7 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-log/log.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-log/log.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + // write posted log data to disk. should be decrypted by this point (if it was encrypted) if the crypto stream didn't break request_is_async = true; 
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-music/get-playlist.js b/zefie_wtvp_minisrv/ServiceVault/wtv-music/get-playlist.js index 28e9685d..446f2f90 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-music/get-playlist.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-music/get-playlist.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + headers = `200 OK Content-Type: text/html`; diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-register/BeMyGuest.js b/zefie_wtvp_minisrv/ServiceVault/wtv-register/BeMyGuest.js index dffe9ebf..d0ac71fa 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-register/BeMyGuest.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-register/BeMyGuest.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + if (minisrv_config.config.allow_guests) { headers = `300 Moved Connection: Close diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-register/FinishRegistration.js b/zefie_wtvp_minisrv/ServiceVault/wtv-register/FinishRegistration.js index 1b4eb3b2..16db0283 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-register/FinishRegistration.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-register/FinishRegistration.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + headers = `300 Moved Connection: Close wtv-noback-all: wtv-register: diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateAccountInfo.js b/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateAccountInfo.js index 7c749a62..96afb568 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateAccountInfo.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateAccountInfo.js @@ -1,4 +1,4 @@ - +var minisrv_service_file = true; if (!request_headers.query.registering) { var errpage = doErrorPage(400); diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateAgreement.js b/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateAgreement.js index 29c5464c..9d6f5b2c 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateAgreement.js 
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateAgreement.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + if (!request_headers.query.registering) { var errpage = doErrorPage(400); headers = errpage[0]; diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateReviewAccountInfo.js b/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateReviewAccountInfo.js index 9479296b..75521cfe 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateReviewAccountInfo.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateReviewAccountInfo.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + if (!request_headers.query.registering || !request_headers.query.subscriber_name || !request_headers.query.subscriber_username || diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-register/register.js b/zefie_wtvp_minisrv/ServiceVault/wtv-register/register.js index 4b68acc4..2de623ce 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-register/register.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-register/register.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + headers = `200 OK Content-Type: text/html`; diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-register/splash.js b/zefie_wtvp_minisrv/ServiceVault/wtv-register/splash.js index e2cca5fe..d2cb7e6a 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-register/splash.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-register/splash.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + headers = `200 OK Connection: Keep-Alive wtv-expire-all: wtv- diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-setup/get.js b/zefie_wtvp_minisrv/ServiceVault/wtv-setup/get.js index 87468535..ecba5e22 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-setup/get.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-setup/get.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + headers = `200 OK wtv-backgroundmusic-load-playlist: wtv-music:/get-playlist wtv-printer-model: -1,-1 
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/access.js b/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/access.js index 28423f37..35281012 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/access.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/access.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + // Allow URL access outside our trusted minisrv if (request_headers.query.url) var url = request_headers.query.url; diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/blastbacklist.js b/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/blastbacklist.js index 6e352b5c..5489aaad 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/blastbacklist.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/blastbacklist.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + headers = `200 OK wtv-expire-all: wtv- wtv-expire-all: http diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/go-offline.js b/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/go-offline.js index 4d108b25..07bc02ee 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/go-offline.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/go-offline.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + headers = `200 OK wtv-noback-all: wtv- wtv-expire-all: wtv- diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/info.js b/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/info.js index bc3d6111..ba68beda 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/info.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/info.js @@ -1,3 +1,4 @@ +var minisrv_service_file = true; var client_caps = null; diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/register.js b/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/register.js index 6c7393f7..c9be28be 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/register.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/register.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + headers = `200 OK Content-Type: text/html`; 
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/tricks.js b/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/tricks.js index acc79f73..b14b558e 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/tricks.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/tricks.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + headers = `200 OK Content-Type: text/html` diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/unregister.js b/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/unregister.js index 1f0af15a..7e7a2646 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/unregister.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/unregister.js @@ -1,3 +1,5 @@ +var minisrv_service_file = true; + headers = `200 OK Content-Type: text/html`; diff --git a/zefie_wtvp_minisrv/WTVShared.js b/zefie_wtvp_minisrv/WTVShared.js index 44235cf8..618ced78 100644 --- a/zefie_wtvp_minisrv/WTVShared.js +++ b/zefie_wtvp_minisrv/WTVShared.js @@ -199,6 +199,37 @@ class WTVShared { return path.reverse().split(".")[0].reverse(); } + getLineFromFile(filename, line_no, callback) { + var stream = this.fs.createReadStream(filename, { + flags: 'r', + encoding: 'utf-8', + fd: null, + bufferSize: 64 * 1024 + }); + + + var fileData = ''; + stream.on('data', function (data) { + fileData += data; + + // The next lines should be improved + var lines = fileData.split("\n"); + + if (lines.length >= +line_no) { + stream.destroy(); + callback(null, lines[+line_no]); + } + }); + + stream.on('error', function () { + callback('Error', null); + }); + + stream.on('end', function () { + callback('File end reached without finding line', null); + }); + } + /** * Strips bad things from paths * @param {string} base Base path diff --git a/zefie_wtvp_minisrv/app.js b/zefie_wtvp_minisrv/app.js index a43b163d..3e133222 100644 --- a/zefie_wtvp_minisrv/app.js +++ b/zefie_wtvp_minisrv/app.js 
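Review bot: `getLineFromFile` in WTVShared.js can return the wrong value: `if (lines.length >= +line_no)` is already true when only `line_no` lines have been read, so `lines[+line_no]` may be `undefined`, and the last element of `split("\n")` may be a line cut off at the chunk boundary. The callers added in app.js run `line.match(...)` on the result, which would throw inside the stream callback for any index other than 0. Use `if (lines.length > +line_no + 1)` in the `data` handler and resolve a final unterminated line in the `end` handler. Separately, `bufferSize` is not an option that current Node.js `fs.createReadStream` reads (the chunk size option is `highWaterMark`), and the `error` handler discards the underlying error; passing it through as `callback(err, null)` and adding a JSDoc block like the neighbouring methods would make failures diagnosable.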
@@ -102,6 +102,17 @@ function doErrorPage(code, data = null, pc_mode = false) { return new Array(headers, data); } +async function sendRawFile(socket, path) { + if (!minisrv_config.config.debug_flags.quiet) console.log(" * Found " + path + " to handle request (Direct File Mode) [Socket " + socket.id + "]"); + var contypes = wtvmime.getContentType(path); + var headers = "200 OK\n" + headers += "Content-Type: " + contypes[0] + "\n"; + headers += "wtv-modern-content-type" + contypes[1]; + fs.readFile(path, null, function (err, data) { + sendToClient(socket, headers, data); + }); +} + async function processPath(socket, service_vault_file_path, request_headers = new Array(), service_name) { var headers, data = null; var request_is_async = false; @@ -120,9 +131,9 @@ async function processPath(socket, service_vault_file_path, request_headers = ne else minisrv_catchall = minisrv_config.config.catchall_file_name || null; if (minisrv_catchall) { if (service_path_request_file == minisrv_catchall) { + request_is_async = true; var errpage = doErrorPage(401, "Access Denied"); - headers = errpage[0]; - data = errpage[1]; + sendToClient(socket, errpage[0], errpage[1]); return; } } 
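Review bot: `sendRawFile` ignores `err` in the `fs.readFile` callback, so a file that disappears or becomes unreadable between the first-line check and the read is answered with the `200 OK` headers and an undefined body. Add `if (err) { var errpage = doErrorPage(400); sendToClient(socket, errpage[0], errpage[1]); return; }` at the top of the callback. The line `headers += "wtv-modern-content-type" + contypes[1];` also lacks the `: ` separator (carried over from the code this function replaces in `processPath`), and the function is declared `async` without awaiting anything.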
@@ -136,18 +147,50 @@ async function processPath(socket, service_vault_file_path, request_headers = ne } if (file_exists && !is_dir) { - // file exists, read it and return it + // file exists, read it and return it service_vault_found = true; request_is_async = true; - if (!minisrv_config.config.debug_flags.quiet) console.log(" * Found " + service_vault_file_path + " to handle request (Direct File Mode) [Socket " + socket.id + "]"); request_headers.service_file_path = service_vault_file_path; - var contypes = wtvmime.getContentType(service_vault_file_path); - headers = "200 OK\n" - headers += "Content-Type: " + contypes[0] + "\n"; - headers += "wtv-modern-content-type" + contypes[1]; - fs.readFile(service_vault_file_path, null, function (err, data) { - sendToClient(socket, headers, data); - }); + request_headers.raw_file = true; + + // service parsed files, we might not want to expose our service source files so we can protect them with a flag on the first line + if (wtvshared.getFileExt(service_vault_file_path).toLowerCase() == "js" || wtvshared.getFileExt(service_vault_file_path).toLowerCase() == "txt") { + if (wtvshared.getFileExt(service_vault_file_path).toLowerCase() == "js") { + wtvshared.getLineFromFile(service_vault_file_path, 0, function (status, line) { + if (!status) { + if (line.match(/minisrv\_service\_file.*true/i)) { + var errpage = doErrorPage(403, "Access Denied"); + sendToClient(socket, errpage[0], errpage[1]); + } else { + sendRawFile(socket, service_vault_file_path); + } + } else { + var errpage = doErrorPage(400); + sendToClient(socket, errpage[0], errpage[1]); + } + }); + } + + if (wtvshared.getFileExt(service_vault_file_path).toLowerCase() == "txt") { + wtvshared.getLineFromFile(service_vault_file_path, 0, function (status, line) { + if (!status) { + if (line.match(/^#!minisrv/i)) { + var errpage = doErrorPage(403, "Access Denied"); + sendToClient(socket, errpage[0], errpage[1]); + } else { + sendRawFile(socket, service_vault_file_path); + } 
+ } else { + var errpage = doErrorPage(400); + sendToClient(socket, errpage[0], errpage[1]); + } + }); + } + } else { + // not a potential service file, so save to send + sendRawFile(socket, service_vault_file_path); + } + } else if (fs.existsSync(service_vault_file_path + ".txt")) { // raw text format, entire payload expected (headers and content) service_vault_found = true; @@ -595,7 +638,7 @@ async function sendToClient(socket, headers_obj, data) { if (socket_sessions[socket.id]) { if (socket_sessions[socket.id].request_headers) { if (socket_sessions[socket.id].request_headers.service_file_path) { - if (wtvshared.getFileExt(socket_sessions[socket.id].request_headers.service_file_path).toLowerCase() !== "js") { + if (wtvshared.getFileExt(socket_sessions[socket.id].request_headers.service_file_path).toLowerCase() !== "js" || socket_sessions[socket.id].request_headers.raw_file === true) { var last_modified = wtvshared.getFileLastModifiedUTCString(socket_sessions[socket.id].request_headers.service_file_path); if (last_modified) headers_obj["Last-Modified"] = last_modified; }
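Review bot: The direct-file guard in `processPath` fails open: a `.js` file in the service vault is served as source unless its first line matches `/minisrv\_service\_file.*true/i`, so any script that lacks the marker, or has a comment, blank line or byte-order mark ahead of it, is still disclosed. This patch already contains two such cases (get-lc2-page.js and lc2-download-complete.js, where the marker was inserted in the hunks at lines 93 and 42). Consider denying `.js` by default and opting static scripts in, or deciding from the file's location rather than its content; helper modules the services `require` (for example `./WTVFlashrom.js`) are not touched by this patch and, if they sit in the same tree, would presumably be served as well. The `js` and `txt` branches are identical apart from the pattern and could share one helper that takes the regex, which would keep the 403/400 handling in one place. `processPath` starts and ends outside the hunk.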