fix: block expensive params on /api/stream for anonymous requests

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Digidai

src/__tests__/index-conversion-stream-og.test.ts

@@ -408,7 +408,7 @@ describe("index conversion/stream/og routes", () => {
     const req = new Request(
       "https://md.example.com/api/stream?url=https%3A%2F%2Fexample.com%2Fstream&selector=.main&force_browser=true&no_cache=true&engine=jina&token=public-token",
     );
-    const res = await worker.fetch(req, createMockEnv().env);
+    const res = await worker.fetch(req, createMockEnv({ PUBLIC_API_TOKEN: "public-token" }).env);
     const body = await res.text();
 
     expect(res.status).toBe(200);

src/index.ts

@@ -273,18 +273,27 @@ export default {
       if (request.method !== "GET") {
         return new Response("Method Not Allowed", { status: 405, headers: CORS_HEADERS });
       }
+      const streamToken = url.searchParams.get("token");
+      const streamNoCache = url.searchParams.get("no_cache") === "true";
+      const streamEngine = url.searchParams.get("engine");
+      const streamForceBrowser = url.searchParams.get("force_browser") === "true";
       if (env.PUBLIC_API_TOKEN) {
         const authorized = await isAuthorizedByToken(
           request,
           env.PUBLIC_API_TOKEN,
-          url.searchParams.get("token"),
+          streamToken,
         );
         if (!authorized) {
           return Response.json(
             { error: "Unauthorized", message: "Valid token required for /api/stream" },
             { status: 401, headers: CORS_HEADERS },
           );
         }
+      } else if (streamNoCache || streamEngine || streamForceBrowser) {
+        return Response.json(
+          { error: "Unauthorized", message: "Parameters no_cache, engine, and force_browser require a valid token." },
+          { status: 401, headers: CORS_HEADERS },
+        );
       }
       const decision = await consumeRateLimit(request, env, "stream");
       if (decision?.exceeded) {