Merge pull request #105 from c64bob/codex/implement-dynamic-static-files-handling

Build setup static-asset allowlist from manifest

Author: c64bob

internal/handler/middleware_test.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 	"testing"
 
+	"caldo/internal/assets"
 	"caldo/internal/logging"
 	"caldo/internal/view"
 	"github.com/google/uuid"
@@ -254,7 +255,7 @@ func TestReverseProxyAuthMiddlewareAllowsHealthWithoutAuth(t *testing.T) {
 func TestSetupGateMiddlewareRedirectsDisallowedRoutesWhenSetupIncomplete(t *testing.T) {
 	t.Parallel()
 
-	h := SetupGateMiddleware(NewSetupState(false))(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	h := SetupGateMiddleware(NewSetupState(false), assets.Manifest{"app.css": "app.8f3a1c2.css", "htmx.min.js": "htmx.5e741aa.min.js"})(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusNoContent)
 	}))
 
@@ -270,11 +271,10 @@ func TestSetupGateMiddlewareRedirectsDisallowedRoutesWhenSetupIncomplete(t *test
 	}
 }
 
-
 func TestSetupGateMiddlewareAllowsStaticAssetsWhenSetupIncomplete(t *testing.T) {
 	t.Parallel()
 
-	h := SetupGateMiddleware(NewSetupState(false))(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	h := SetupGateMiddleware(NewSetupState(false), assets.Manifest{"app.css": "app.8f3a1c2.css", "htmx.min.js": "htmx.5e741aa.min.js"})(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusNoContent)
 	}))
 
@@ -286,10 +286,26 @@ func TestSetupGateMiddlewareAllowsStaticAssetsWhenSetupIncomplete(t *testing.T)
 		t.Fatalf("unexpected status code: got %d want %d", rr.Code, http.StatusNoContent)
 	}
 }
+func TestSetupGateMiddlewareRedirectsUnknownStaticAssetWhenSetupIncomplete(t *testing.T) {
+	t.Parallel()
+
+	h := SetupGateMiddleware(NewSetupState(false), assets.Manifest{"app.css": "app.8f3a1c2.css"})(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNoContent)
+	}))
+
+	rr := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/static/unknown.js", nil)
+	h.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusFound {
+		t.Fatalf("unexpected status code: got %d want %d", rr.Code, http.StatusFound)
+	}
+}
+
 func TestSetupGateMiddlewareAllowsSetupRoutesWhenSetupIncomplete(t *testing.T) {
 	t.Parallel()
 
-	h := SetupGateMiddleware(NewSetupState(false))(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	h := SetupGateMiddleware(NewSetupState(false), assets.Manifest{"app.css": "app.8f3a1c2.css", "htmx.min.js": "htmx.5e741aa.min.js"})(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusNoContent)
 	}))
 
@@ -305,7 +321,7 @@ func TestSetupGateMiddlewareAllowsSetupRoutesWhenSetupIncomplete(t *testing.T) {
 func TestSetupGateMiddlewareAllowsAllRoutesWhenSetupComplete(t *testing.T) {
 	t.Parallel()
 
-	h := SetupGateMiddleware(NewSetupState(true))(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	h := SetupGateMiddleware(NewSetupState(true), assets.Manifest{"app.css": "app.8f3a1c2.css"})(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusNoContent)
 	}))
 
@@ -322,7 +338,7 @@ func TestSetupGateMiddlewareReflectsRuntimeCompletionState(t *testing.T) {
 	t.Parallel()
 
 	state := NewSetupState(false)
-	h := SetupGateMiddleware(state)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	h := SetupGateMiddleware(state, assets.Manifest{"app.css": "app.8f3a1c2.css"})(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusNoContent)
 	}))
 

internal/handler/router.go

@@ -29,7 +29,7 @@ func NewRouter(logger *slog.Logger, proxyUserHeader string, manifest assets.Mani
 	router.Use(SafeLoggingMiddleware(logger))
 	router.Use(SecurityHeadersMiddleware())
 	router.Use(ReverseProxyAuthMiddleware(proxyUserHeader))
-	router.Use(SetupGateMiddleware(setupState))
+	router.Use(SetupGateMiddleware(setupState, manifest))
 	router.Use(AssetManifestMiddleware(manifest))
 
 	router.Get("/health", Health)

internal/handler/setup_gate.go

@@ -2,11 +2,12 @@ package handler
 
 import (
 	"net/http"
-	"strings"
+
+	"caldo/internal/assets"
 )
 
 // SetupGateMiddleware blocks normal routes until setup is completed.
-func SetupGateMiddleware(state *SetupState) func(http.Handler) http.Handler {
+func SetupGateMiddleware(state *SetupState, manifest assets.Manifest) func(http.Handler) http.Handler {
 	allowedWhenIncomplete := map[string]struct{}{
 		routeKey(http.MethodGet, "/setup"):               {},
 		routeKey(http.MethodGet, "/setup/"):              {},
@@ -19,6 +20,8 @@ func SetupGateMiddleware(state *SetupState) func(http.Handler) http.Handler {
 		routeKey(http.MethodGet, "/health"):              {},
 	}
 
+	allowedStaticAssets := resolveSetupStaticAssetPaths(manifest)
+
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if state != nil && state.IsComplete() {
@@ -31,9 +34,11 @@ func SetupGateMiddleware(state *SetupState) func(http.Handler) http.Handler {
 				return
 			}
 
-			if r.Method == http.MethodGet && strings.HasPrefix(r.URL.Path, "/static/") {
-				next.ServeHTTP(w, r)
-				return
+			if r.Method == http.MethodGet {
+				if _, ok := allowedStaticAssets[r.URL.Path]; ok {
+					next.ServeHTTP(w, r)
+					return
+				}
 			}
 
 			http.Redirect(w, r, "/setup", http.StatusFound)
@@ -44,3 +49,11 @@ func SetupGateMiddleware(state *SetupState) func(http.Handler) http.Handler {
 func routeKey(method string, path string) string {
 	return method + " " + path
 }
+
+func resolveSetupStaticAssetPaths(manifest assets.Manifest) map[string]struct{} {
+	allowed := make(map[string]struct{}, len(manifest))
+	for _, resolved := range manifest {
+		allowed["/static/"+resolved] = struct{}{}
+	}
+	return allowed
+}