ZDDC
d90975662f
The /incoming/ path regex in browse/js/grid.js was the second-most
visible client-side hardcode of the canonical convention. Migrating
it to the cascade:
Header surface:
X-ZDDC-Default-Tool: <name> The cascade-resolved default tool
for the listing's directory. Empty
header = no default declared.
Client wiring:
loader.fetchServerChildren reads the header into
state.scopeDefaultTool on every listing fetch (initial mount,
rescope on dblclick, popstate). grid.classifierAvailableHere
now returns scopeDefaultTool === 'classifier' instead of
regex-matching the URL.
Effect:
Grid mode auto-activates wherever the cascade picks classifier
as the default — currently archive/<party>/incoming per
defaults.zddc.yaml. An operator who sets default_tool: classifier
on a custom directory gets grid mode there too, no code change.
An operator who removes the default at incoming sees grid mode
stop auto-activating there.
Bootstrap timing fix:
The initial events.init() runs applyResolvedViewMode before the
detection fetch completes, so state.scopeDefaultTool is empty
at that point and grid never auto-activates on first paint.
app.js bootstrap now re-applies the resolved view mode after
autoDetectServerMode returns, so a fresh /incoming URL lands
on grid mode immediately.
The /incoming/ regex is gone. Two client hardcodes remaining
(archive source heuristics, shared/nav stage strip) — Phase 4c/d.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
212 lines
8 KiB
Go
212 lines
8 KiB
Go
package handler
|
|
|
|
import (
|
|
"crypto/sha256"
|
|
"encoding/hex"
|
|
"encoding/json"
|
|
"log/slog"
|
|
"net/http"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/apps"
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/config"
|
|
appfs "codeberg.org/VARASYS/ZDDC/zddc/internal/fs"
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/policy"
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/zddc"
|
|
)
|
|
|
|
// listingETag returns a hex-encoded SHA-256 prefix of the rendered JSON
|
|
// listing body. Truncated to 16 chars (64 bits) — collisions on a
|
|
// listing of any realistic size are vanishingly unlikely, and the short
|
|
// header keeps the wire footprint trim.
|
|
func listingETag(body []byte) string {
|
|
h := sha256.Sum256(body)
|
|
return hex.EncodeToString(h[:8])
|
|
}
|
|
|
|
// safeJoin joins fsRoot and relPath, then verifies the result is under fsRoot.
|
|
// Returns ("", false) if relPath would escape fsRoot.
|
|
func safeJoin(fsRoot, relPath string) (string, bool) {
|
|
abs := filepath.Join(fsRoot, filepath.FromSlash(relPath))
|
|
if !strings.HasPrefix(abs, fsRoot+string(filepath.Separator)) && abs != fsRoot {
|
|
return "", false
|
|
}
|
|
return abs, true
|
|
}
|
|
|
|
// ServeDirectory handles a request for a directory path.
|
|
// If Accept: application/json → return Caddy-compatible JSON listing.
|
|
// Otherwise → return minimal HTML.
|
|
//
|
|
// appsSrv is optional: when non-nil, HTML responses resolve the
|
|
// `browse` tool through the apps subsystem so a `.zddc apps:` cascade
|
|
// entry can override the embedded bytes (handy for live alpha-dev
|
|
// iteration: point apps.browse: at a path source and every ./build is
|
|
// served from disk without recompiling the binary). When nil, the
|
|
// embedded copy is served directly — same behavior as before the
|
|
// cascade hook was added.
|
|
func ServeDirectory(cfg config.Config, appsSrv *apps.Server, w http.ResponseWriter, r *http.Request) {
|
|
urlPath := r.URL.Path
|
|
if !strings.HasSuffix(urlPath, "/") {
|
|
http.Redirect(w, r, urlPath+"/", http.StatusFound)
|
|
return
|
|
}
|
|
|
|
email := EmailFromContext(r)
|
|
decider := DeciderFromContext(r)
|
|
ctx := r.Context()
|
|
|
|
// Compute relative dir path (no leading or trailing slash)
|
|
dirPath := strings.TrimPrefix(urlPath, "/")
|
|
dirPath = strings.TrimSuffix(dirPath, "/")
|
|
|
|
// ACL check on this directory itself.
|
|
// Bypassed at the root path: the landing page is a public project
|
|
// picker. Per-project filtering inside fs.ListDirectory still hides
|
|
// directories the caller can't reach.
|
|
absDir, ok := safeJoin(cfg.Root, dirPath)
|
|
if !ok {
|
|
http.Error(w, "Not Found", http.StatusNotFound)
|
|
return
|
|
}
|
|
chain, err := zddc.EffectivePolicy(cfg.Root, absDir)
|
|
if err != nil {
|
|
slog.Warn("ACL policy error", "path", absDir, "err", err)
|
|
}
|
|
isRoot := dirPath == ""
|
|
if !isRoot {
|
|
if allowed, _ := policy.AllowFromChain(ctx, decider, chain, email, urlPath); !allowed {
|
|
http.Error(w, "Forbidden", http.StatusForbidden)
|
|
return
|
|
}
|
|
}
|
|
|
|
accept := r.Header.Get("Accept")
|
|
|
|
// For HTML requests, serve index.html if present (landing page convention)
|
|
if !strings.Contains(accept, "application/json") {
|
|
indexPath := filepath.Join(absDir, "index.html")
|
|
if info, err := os.Stat(indexPath); err == nil && !info.IsDir() {
|
|
ServeFile(w, r, indexPath)
|
|
return
|
|
}
|
|
|
|
// Tables redirect: when this directory is the rows directory of
|
|
// a registered table — i.e. the parent declares
|
|
// `tables: { <name>: ... }` with a valid spec, OR the default-MDL
|
|
// fallback kicks in at archive/<party>/mdl/ — bounce HTML
|
|
// requests to the canonical <parent>/<name>.table.html URL so
|
|
// users land on the table view instead of a bare folder listing.
|
|
// JSON requests fall through unchanged so the table client can
|
|
// still enumerate row files.
|
|
if redirect := tableRowsRedirect(cfg.Root, urlPath); redirect != "" {
|
|
http.Redirect(w, r, redirect, http.StatusFound)
|
|
return
|
|
}
|
|
}
|
|
|
|
// Build base URL for listing entries
|
|
baseURL := urlPath // relative URLs suffice for JSON listings
|
|
|
|
entries, err := appfs.ListDirectory(ctx, decider, cfg.Root, dirPath, email, baseURL)
|
|
if err != nil {
|
|
if os.IsNotExist(err) {
|
|
http.Error(w, "Not Found", http.StatusNotFound)
|
|
} else {
|
|
slog.Error("listing directory", "path", dirPath, "err", err)
|
|
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
|
|
}
|
|
return
|
|
}
|
|
|
|
// Vary: Accept is critical — the same URL serves either the JSON
|
|
// listing or the embedded browse.html depending on the Accept
|
|
// header. Without Vary, browsers/CDNs cache one response and
|
|
// serve it for the other Accept value, breaking browse.html's
|
|
// auto-detect (which fetches the same URL with Accept: JSON).
|
|
w.Header().Set("Vary", "Accept")
|
|
|
|
// Surface cascade-resolved scope flags via response headers so
|
|
// the browse SPA can render scope-aware UI (drop-zone overlay,
|
|
// grid-mode auto-activation, future affordances) without
|
|
// re-implementing the cascade client-side. Keep the header
|
|
// surface tight — only routing-shape signals go here; ACL
|
|
// details stay server-side.
|
|
if zddc.DropTargetAt(cfg.Root, absDir) {
|
|
w.Header().Set("X-ZDDC-Drop-Target", "true")
|
|
}
|
|
if dt := zddc.DefaultToolAt(cfg.Root, absDir); dt != "" {
|
|
w.Header().Set("X-ZDDC-Default-Tool", dt)
|
|
}
|
|
|
|
if strings.Contains(accept, "application/json") {
|
|
// Content-hash ETag on the listing payload. Re-fetched on every
|
|
// request (the cascade is walked, ACL filter applied, JSON
|
|
// rendered, hashed) — that's the same server work the previous
|
|
// no-cache version did. The win is on the *response*: identical
|
|
// listings (e.g. the same vendor refreshing their archive page)
|
|
// short-circuit to 304 with no body.
|
|
//
|
|
// Crucially, this scheme tolerates unreliable filesystem
|
|
// watching (Azure SMB, network shares with delayed inotify):
|
|
// the ETag is the actual response hash, not a watcher-derived
|
|
// invalidation token, so it can never lie about content.
|
|
body, err := json.Marshal(entries)
|
|
if err != nil {
|
|
slog.Error("encoding directory listing", "err", err)
|
|
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
etag := `"` + listingETag(body) + `"`
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.Header().Set("ETag", etag)
|
|
w.Header().Set("Cache-Control", "private, max-age=0, must-revalidate")
|
|
if match := r.Header.Get("If-None-Match"); match != "" && match == etag {
|
|
w.WriteHeader(http.StatusNotModified)
|
|
return
|
|
}
|
|
_, _ = w.Write(body)
|
|
return
|
|
}
|
|
|
|
// Browser HTML fallback: serve the `browse` tool. By default it's
|
|
// the embedded copy (single-file SPA whose autoDetectServerMode
|
|
// loads the JSON listing for the current directory and renders it
|
|
// as a sortable, filterable tree). A `.zddc apps: browse:` entry
|
|
// up the chain can override with a path or URL source — when
|
|
// appsSrv is wired up, delegate to it so cascade entries are
|
|
// honored at directory URLs too (not just /<dir>/browse.html).
|
|
if appsSrv != nil {
|
|
appsSrv.Serve(w, r, "browse", chain, absDir)
|
|
return
|
|
}
|
|
body := apps.EmbeddedBytes("browse")
|
|
if len(body) == 0 {
|
|
// Bootstrap state: a fresh build hasn't populated browse.html
|
|
// into the embed yet. Fall through to JSON for clients that
|
|
// will still parse it.
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.Header().Set("Cache-Control", "no-cache")
|
|
if err := json.NewEncoder(w).Encode(entries); err != nil {
|
|
slog.Error("encoding directory listing (no-embed fallback)", "err", err)
|
|
}
|
|
return
|
|
}
|
|
// ETag + max-age=0 + must-revalidate: every request re-validates and
|
|
// gets a 304 unless the binary has been redeployed (the ETag is a
|
|
// content hash, computed once at startup and memoized in apps.embed).
|
|
// Saves re-transmitting ~230 KB of browse.html on every page load
|
|
// while still picking up redeploys immediately.
|
|
etag := `"` + apps.EmbeddedETag("browse") + `"`
|
|
w.Header().Set("ETag", etag)
|
|
w.Header().Set("Cache-Control", "public, max-age=0, must-revalidate")
|
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
|
w.Header().Set("X-ZDDC-Source", "embedded:browse")
|
|
if match := r.Header.Get("If-None-Match"); match != "" && match == etag {
|
|
w.WriteHeader(http.StatusNotModified)
|
|
return
|
|
}
|
|
_, _ = w.Write(body)
|
|
}
|