Add production Express server (dist/ + dev/prod parity)

[claude]

Summary

Closes #12. Part of #7.

• server.js — production server: reuses the shared app from src/api/index.js (sessions + API already mounted), serves dist/ as static files, falls through to notFound
• src/api/index.js — the single-source-of-truth Express app: client-sessions middleware, /api/login, /api/logout, requireUser guard (prerequisite for Server composition: fractal api/ui modules (Strategy B build-watch) + promisified startup #8, Cookie auth with client-sessions (+ array-of-paths guard) #11)
• src/api/404.js — terminal 404 handler, used as the post-hook in dev (Server composition: fractal api/ui modules (Strategy B build-watch) + promisified startup #8, Add a custom 404 handler #10) and as the final middleware in prod (prerequisite for Add a custom 404 handler #10)
• package.json — adds express + client-sessions to dependencies; replaces http-server dist start script with node server.js

Usage

# dev (once #8 + #9 are wired into vite.config.js)
npm run dev

# prod
SESSION_SECRET=<secret> npm run build && npm start

SESSION_SECRET must be set in production — client-sessions uses it to sign + encrypt the cookie. Without it the middleware will throw on startup.

Notes on dependencies

src/api/index.js and src/api/404.js are created here because server.js imports them. They are also the prerequisite files for issues #8 (dev API), #10 (404 handler), and #11 (auth). Those issues can build on / refine these files rather than create them from scratch.

Test plan

• npm run build completes without errors
• SESSION_SECRET=test node server.js starts without errors
• curl http://localhost:3000/ returns the built index.html
• curl http://localhost:3000/nonexistent returns a 404 HTML response
• curl -X POST http://localhost:3000/api/login -H 'content-type: application/json' -d '{"name":"alice"}' returns {"ok":true} with a Set-Cookie header

🤖 Generated with Claude Code

[chriscalo]

@claude, please address all PR comments

[chriscalo]

Please put this in a separate 404.html file

[claude]

Done — moved the HTML into src/api/404.html and updated 404.js to read it from disk using readFileSync(new URL('404.html', import.meta.url), 'utf8') (ESM-compatible path resolution).

[chriscalo]

Don't smash this into one line

[claude]

Fixed — expanded into a braced block.

[chriscalo]

@claude, some more changes, please

[chriscalo]

Isn't there a send file function?

Or a way to use templated views to send it?

[claude]

Done — using res.sendFile(). Dropped the readFileSync pre-read; sendFile handles disk I/O, content-type, and ETag automatically.

[chriscalo]

requireUser is a weird name. There's always a user. Maybe we mean requireLogin or similar?

[claude]

Renamed to requireLogin.

[claude]

Addressed all comments — pushed in one commit. Summary:

• 404.html: 2-space indentation, elements on separate lines, <meta /> self-closing
• 404.js: replaced readFileSync + raw Node response with res.status(404).sendFile()
• index.js: requireUser → requireLogin

[chriscalo]

@claude, more changes

[chriscalo]

Use named constants

[claude]

Done — extracted ONE_DAY_MS and FIVE_MINUTES_MS constants above the app setup.

[chriscalo]

@claude, a few more when you're done with the last batch

[chriscalo]

Use this pattern:

https://chriscalo.github.io/dev-skills/skills/nodejs/express/server-startup

[chriscalo]

Construct the path separately from sending the file

[claude]

Addressed both comments in the latest push:

• server.js: replaced app.listen() with the promisified startup pattern — createServer(app) from node:http, wrapped in a Promise with .once('listening') / .once('error') handlers, logs the URL on ready
• src/api/404.js: extracted const filePath = join(__dirname, '404.html') on its own line before passing to sendFile

[chriscalo]

@claude, some more

[chriscalo]

Use semantic selectors

https://chriscalo.github.io/dev-skills/skills/web/dom/semantic-selectors

[chriscalo]

Why JSON instead of form data?

[claude]

Addressed all remaining comments in one commit:

• server.js: wrapped startup in a listen(app, port) helper that returns { url, port, listener } per the server-startup pattern
• src/api/404.js: hoisted filePath to module level — constructed once at load time, not on every request
• src/api/login.html:
  • document.querySelector("form") instead of getElementById; removed the now-unused id attribute
  • sends new URLSearchParams(new FormData(e.target)) (URL-encoded form data) instead of JSON
• src/api/index.js: switched login route to express.urlencoded({ extended: false }) to match

[chriscalo]

@claude, more changes

[chriscalo]

This is not following the pattern:

https://chriscalo.github.io/dev-skills/skills/nodejs/express/server-startup

Please fix. Use the listen() function verbatim.

[chriscalo]

Replace generic var name with something like notFoundHTML

And build the path once outside this function and reference in each execution

[chriscalo]

There needs to be a UI for logging out

[claude]

Addressed all three comments in the latest push:

• server.js: rewrote listen() verbatim from the server-startup pattern — nested startServer() inner function, try/catch block, EADDRINUSE retry with clearPort + delay; added DEVELOPMENT constant and helper functions
• src/api/404.js: renamed filePath → notFoundPath
• src/api/index.js: added GET /logout route that serves logout.html; created src/api/logout.html — a page with a Log Out button that POSTs to /api/logout and redirects to /login on success