byterover-cli/src/server/infra/webui/webui-middleware.ts at d4494919c8a4b24b1c460be62c1e413ee6aa18da · campfirein/byterover-cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
import express, {type Express} from 'express'
import {existsSync} from 'node:fs'

interface WebUiConfig {
  daemonPort: number
  port: number
  projectCwd: string
  version: string
}

interface CreateWebUiMiddlewareOptions {
  getConfig: () => WebUiConfig
  webuiDistDir: string
}

/**
 * Creates an Express app that serves the web UI and config endpoint.
 *
 * Mounted on the WebUI server (stable port) so the browser
 * can load the app and discover the daemon's transport port.
 *
 * Routes:
 * - GET /api/ui/config → { daemonPort, port, version, projectCwd }
 * - GET /*             → static files from dist/webui/ (SPA fallback)
 */
export function createWebUiMiddleware({getConfig, webuiDistDir}: CreateWebUiMiddlewareOptions): Express {
  const app = express()

  app.use((_req, res, next) => {
    res.setHeader(
      'Content-Security-Policy',
      [
        "default-src 'self'",
        "base-uri 'self'",
        "connect-src 'self' ws: wss:",
        "font-src 'self' data: https://fonts.gstatic.com",
        "frame-ancestors 'none'",
        // `img-src https:` is deliberately broad: user avatars come from an
        // open-ended set of OAuth provider CDNs (Google, GitHub, Gravatar,
        // self-hosted identity providers, …) that can't be enumerated ahead
        // of time. Images can't execute code, so the attack surface is just
        // pixel exfiltration / tracking, which we accept for this use case.
        "img-src 'self' data: https:",
        "object-src 'none'",
        "script-src 'self'",
        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
      ].join('; '),
    )
    res.setHeader('Referrer-Policy', 'no-referrer')
    res.setHeader('X-Content-Type-Options', 'nosniff')
    next()
  })

  // Config endpoint for browser to bootstrap Socket.IO connection
  app.get('/api/ui/config', (_req, res) => {
    res.json(getConfig())
  })

  // Serve static files from dist/webui/
  if (existsSync(webuiDistDir)) {
    app.use(express.static(webuiDistDir))

    // SPA fallback. `root` scopes send's dotfile check to the relative
    // path; without it, a dotfile anywhere in the absolute install path
    // (e.g. ~/.nvm/...) triggers a 404.
    app.get('*splat', (_req, res) => {
      res.sendFile('index.html', {root: webuiDistDir})
    })
  }

  return app
}