fix(server): prevent SPA fallback from swallowing API routes

- add ShouldSkipSPAFallback() deny prefixes: /api, /admin/api, /payments, /pay
- apply StaticWithConfig Skipper in both main http server and install server
- add unit tests for fallback skip matching behavior
This commit is contained in:
line-6000
2026-04-22 20:27:34 +08:00
parent 59aa71209c
commit 3a3a830d93
26 changed files with 82 additions and 26 deletions
+19
View File
@@ -6,6 +6,25 @@ import (
"strings"
)
var spaFallbackDenyPrefixes = []string{
"/api",
"/admin/api",
"/payments",
"/pay",
}
// ShouldSkipSPAFallback reports whether a request path should bypass
// server-side SPA fallback to index.html and continue normal backend routing.
func ShouldSkipSPAFallback(requestPath string) bool {
for _, prefix := range spaFallbackDenyPrefixes {
if requestPath == prefix || strings.HasPrefix(requestPath, prefix+"/") {
return true
}
}
return false
}
// ResolveSPAFilePath normalizes a wildcard SPA path and maps it under wwwRoot.
// It strips any leading slash and blocks path traversal outside wwwRoot.
// The second return value indicates whether the caller should try os.Stat