fabi/Mangalord
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: production proxy path + capability-URL guidance

Browse Source 
Two small documentation gaps the second-pass audit flagged:

- CLAUDE.md described only the Vite dev proxy ("Vite dev-proxies to
  the backend"), which left the production path opaque. Now lists
  both: the Vite proxy for `npm run dev` and
  `frontend/src/hooks.server.ts` for adapter-node. Same-origin cookie
  story called out explicitly.

- `/api/v1/files/{key}` is an unauthenticated capability URL by
  design — reads stay public, keys are unguessable v4 UUIDs, leaked
  URL leaks one file. Documented both in `backend/src/api/files.rs`'s
  module doc (with a pointer at the seam a future
  feat/private-libraries branch would use) and in a new "Capability
  URLs" section in README so a casual reader doesn't mistake the lack
  of auth for an oversight.

No code or behaviour change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
2026-05-16 23:57:30 +02:00
parent a8d6da167c
commit 68b7f32568
3 changed files with 19 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CLAUDE.md
View File

@@ -102,7 +102,9 @@ Do not call `tokio::fs` or any filesystem API from handlers. Go through `state.s
## Frontend layout
- [frontend/src/lib/api/](frontend/src/lib/api/) — typed API client. **All backend calls go through here**, not raw `fetch` in components. The base URL is `import.meta.env.VITE_API_BASE`, defaulting to `/api` (which Vite dev-proxies to the backend).
- [frontend/src/lib/api/](frontend/src/lib/api/) — typed API client. **All backend calls go through here**, not raw `fetch` in components. The base URL is `import.meta.env.VITE_API_BASE`, defaulting to `/api`. Two layers route `/api/*` to axum depending on environment:
- **`npm run dev`** uses the Vite proxy in [vite.config.ts](frontend/vite.config.ts) to forward `/api` to `http://localhost:8080`.
- **Production / adapter-node** uses [frontend/src/hooks.server.ts](frontend/src/hooks.server.ts) to reverse-proxy `/api/*` to `BACKEND_URL` (compose wires `http://backend:8080`). The browser only ever talks to the SvelteKit container on `:3000`, so cookies stay same-origin and `CORS_ALLOWED_ORIGINS` can stay empty.
- [frontend/src/routes/](frontend/src/routes/) — SvelteKit routes.
- Use Svelte 5 runes (`$state`, `$derived`, `$effect`, `$props`). Do not use the legacy `let`-reactive syntax or `on:event=` directive form — prefer `onevent={...}`.
- The Node adapter is configured for production; `npm run build && node build` is what the Dockerfile runs.