enricobuehler
9856c04b75
ci / rust (push) Has been cancelled
Single-user, LAN-reachable-but-gated. The web server is a backend-for-frontend:
- Login: POST /_auth/login {password} checks PUNKTFUNK_UI_PASSWORD (constant-time) and
sets a SEALED session cookie (h3 useSession / AES-GCM). server/middleware/auth.ts gates
every request — pages 302 → /login, /api → 401 — and FAILS CLOSED (503) when
PUNKTFUNK_UI_PASSWORD is unset, so a misconfigured LAN-exposed server admits no one.
- The management API stays loopback-only + token (never LAN-exposed). The proxy
(server/routes/api/[...].ts) injects PUNKTFUNK_MGMT_TOKEN server-side and drops the
browser's cookie before forwarding — the token never reaches the browser, which only
holds the session cookie.
Nitro doesn't auto-scan a server/ dir, so the Nitro plugin gets an explicit scanDirs to
pick up middleware + routes. Client: removed the localStorage token (server injects it);
the fetcher bounces to /login on 401; new /login page (bare, no shell); Settings drops the
token field and gains a Sign-out button; en/de strings.
Validated live end to end: unauth /→302, /api→401; wrong pw→401; right pw→200+cookie;
authed /api/v1/status→200 (proxied, mgmt token injected — the host required it); logout→
session cleared→401. tsc + build green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
53 lines
2.4 KiB
TypeScript
53 lines
2.4 KiB
TypeScript
import { fileURLToPath } from 'node:url'
|
|
import { defineConfig } from 'vite'
|
|
import { tanstackStart } from '@tanstack/react-start/plugin/vite'
|
|
import { nitroV2Plugin } from '@tanstack/nitro-v2-vite-plugin'
|
|
import viteReact from '@vitejs/plugin-react'
|
|
import viteTsConfigPaths from 'vite-tsconfig-paths'
|
|
import tailwindcss from '@tailwindcss/vite'
|
|
import { paraglideVitePlugin } from '@inlang/paraglide-js'
|
|
|
|
// Absolute path to our Nitro server source (middleware + routes). Passed as a scanDir
|
|
// because the TanStack Nitro plugin doesn't auto-scan a server/ dir.
|
|
const serverDir = fileURLToPath(new URL('./server', import.meta.url))
|
|
|
|
// The management API the console drives. The browser always talks same-origin (/api/...):
|
|
// in `vite dev` the dev server proxies it (below); in the built Bun/Nitro server a Nitro
|
|
// route-rule proxies it (below). Override the upstream with PUNKTFUNK_MGMT_URL.
|
|
const MGMT_URL = process.env.PUNKTFUNK_MGMT_URL ?? 'http://127.0.0.1:47990'
|
|
|
|
export default defineConfig({
|
|
server: {
|
|
proxy: {
|
|
'/api': { target: MGMT_URL, changeOrigin: true },
|
|
},
|
|
},
|
|
plugins: [
|
|
viteTsConfigPaths({ projects: ['./tsconfig.json'] }),
|
|
tailwindcss(),
|
|
paraglideVitePlugin({
|
|
project: './project.inlang',
|
|
outdir: './src/paraglide',
|
|
strategy: ['localStorage', 'preferredLanguage', 'baseLocale'],
|
|
}),
|
|
// Full SSR on the TanStack Start runtime (the management console's data queries run
|
|
// client-side after hydration — React Query doesn't fetch during SSR — so the server
|
|
// renders a data-free shell that hydrates in the browser).
|
|
tanstackStart(),
|
|
// Nitro v2 is the deployment target: the `bun` preset bundles a Bun-runnable server to
|
|
// .output/ (`bun run .output/server/index.mjs`). Auth + the /api proxy live in the
|
|
// scanned `server/` dir (middleware/auth.ts gates every request; routes/api/[...].ts
|
|
// proxies to the management host injecting the bearer token server-side) — NOT a static
|
|
// routeRule, so the proxy runs behind the login gate and reads env at runtime.
|
|
nitroV2Plugin({
|
|
preset: 'bun',
|
|
compatibilityDate: '2026-06-10',
|
|
// Scan server/{middleware,routes} for the auth gate + the /api proxy.
|
|
scanDirs: [serverDir],
|
|
}),
|
|
// Must come AFTER tanstackStart — provides the React JSX transform + Refresh runtime
|
|
// that Start's dev mode requires (omitting it leaves the client JS unable to load).
|
|
viteReact(),
|
|
],
|
|
})
|