dev-routing: make 4000 API-only and keep SPA on 4001

Author: gildesmarais

app.rb

@@ -13,6 +13,21 @@
 
 module Html2rss
   module Web
+    DEFAULT_HEADERS = {
+      'X-Content-Type-Options' => 'nosniff',
+      'X-XSS-Protection' => '1; mode=block',
+      'X-Frame-Options' => 'SAMEORIGIN',
+      'X-Permitted-Cross-Domain-Policies' => 'none',
+      'Referrer-Policy' => 'strict-origin-when-cross-origin',
+      'Permissions-Policy' => 'geolocation=(), microphone=(), camera=()',
+      'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains; preload',
+      'Cross-Origin-Embedder-Policy' => 'require-corp',
+      'Cross-Origin-Opener-Policy' => 'same-origin',
+      'Cross-Origin-Resource-Policy' => 'same-origin',
+      'X-DNS-Prefetch-Control' => 'off',
+      'X-Download-Options' => 'noopen'
+    }.freeze
+
     ##
     # Roda app serving RSS feeds via html2rss
     class App < Roda
@@ -72,20 +87,7 @@ def development? = self.class.development?
       end
       # rubocop:enable Metrics/BlockLength
 
-      plugin :default_headers, {
-        'X-Content-Type-Options' => 'nosniff',
-        'X-XSS-Protection' => '1; mode=block',
-        'X-Frame-Options' => 'SAMEORIGIN',
-        'X-Permitted-Cross-Domain-Policies' => 'none',
-        'Referrer-Policy' => 'strict-origin-when-cross-origin',
-        'Permissions-Policy' => 'geolocation=(), microphone=(), camera=()',
-        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains; preload',
-        'Cross-Origin-Embedder-Policy' => 'require-corp',
-        'Cross-Origin-Opener-Policy' => 'same-origin',
-        'Cross-Origin-Resource-Policy' => 'same-origin',
-        'X-DNS-Prefetch-Control' => 'off',
-        'X-Download-Options' => 'noopen'
-      }
+      plugin :default_headers, DEFAULT_HEADERS
 
       plugin :json_parser
       plugin :static,
@@ -104,9 +106,20 @@ def development? = self.class.development?
 
       route do |r|
         r.public
+        r.root do
+          if development?
+            render_development_api_landing(r)
+          else
+            render_index_page(r)
+          end
+        end
 
         Routes::ApiV1.call(r) ||
-          Routes::FeedPages.call(r, index_renderer: ->(router_ctx) { render_index_page(router_ctx) })
+          Routes::FeedPages.call(
+            r,
+            index_renderer: ->(router_ctx) { render_index_page(router_ctx) },
+            serve_spa: !development?
+          )
       end
 
       private
@@ -115,6 +128,11 @@ def render_index_page(router)
         router.response['Content-Type'] = 'text/html'
         File.exist?(FRONTEND_INDEX_PATH) ? File.read(FRONTEND_INDEX_PATH) : FALLBACK_HTML
       end
+
+      def render_development_api_landing(router)
+        router.response['Content-Type'] = 'text/html'
+        DevelopmentLandingPage::HTML
+      end
     end
   end
 end

app/web/rendering/development_landing_page.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Html2rss
+  module Web
+    ##
+    # Static HTML shown on the API origin during development.
+    module DevelopmentLandingPage
+      HTML = <<~HTML
+        <!DOCTYPE html>
+        <html>
+          <head>
+            <title>html2rss-web API</title>
+            <meta name="viewport" content="width=device-width,initial-scale=1">
+            <meta name="robots" content="noindex,nofollow">
+          </head>
+          <body>
+            <h1>html2rss-web API (development)</h1>
+            <p>API metadata: <a href="/api/v1"><code>/api/v1</code></a></p>
+            <p>Frontend SPA: <a href="http://127.0.0.1:4001/">http://127.0.0.1:4001/</a></p>
+          </body>
+        </html>
+      HTML
+    end
+  end
+end

app/web/routes/feed_pages.rb

@@ -12,21 +12,19 @@ module FeedPages
         class << self
           # @param router [Roda::RodaRequest]
           # @param index_renderer [#call]
+          # @param serve_spa [Boolean]
           # @return [void]
           # rubocop:disable Metrics/MethodLength
-          def call(router, index_renderer:)
-            router.root do
-              index_renderer.call(router)
-            end
-
+          def call(router, index_renderer:, serve_spa: true)
             router.get do
               feed_name = requested_feed_name(router)
               next if feed_name.empty?
 
-              if spa_app_path?(feed_name)
+              if spa_app_path?(feed_name) && serve_spa
                 index_renderer.call(router)
                 next
               end
+              next if spa_app_path?(feed_name)
               next if feed_name.include?('.') && !feed_name.end_with?('.json', '.xml', '.rss')
 
               RequestTarget.mark!(router, RequestTarget::FEED)

docs/README.md

@@ -18,7 +18,7 @@ Welcome! This is the canonical source of truth for contributing to `html2rss-web
 `html2rss-web` converts arbitrary websites into RSS 2.0 feeds.
 
 - **Backend**: Ruby + Roda under the `Html2rss::Web` namespace.
-- **Frontend**: Preact + Vite, built into `frontend/dist` and served at `/`.
+- **Frontend**: Preact + Vite, built into `frontend/dist` and served at `/` in production.
 - **Feed extraction**: Delegated to the `html2rss` gem.
 - **Distribution**: Docker Compose / Dev Container first.
 
@@ -59,6 +59,12 @@ Running the app directly on the host is not supported.
 | `pnpm run test:run`     | Unit tests (Vitest).                         |
 | `pnpm run test:contract`| Contract tests with MSW.                     |
 
+Development routing defaults:
+
+- `http://127.0.0.1:4000` is API-only in development (`/api/v1` metadata and API endpoints).
+- `http://127.0.0.1:4001` is the canonical frontend SPA entrypoint in development.
+- Vite keeps proxying `/api` and `/rss.xsl` to `:4000` so frontend code can use same-origin-style paths.
+
 ---
 
 ## Contract-Driven Development Loop

spec/html2rss/web/app_integration_spec.rb

@@ -86,6 +86,19 @@
       expect(last_response.status).to eq(404)
       expect(last_response.body).to eq('')
     end
+
+    it 'returns not found for SPA app routes in development mode', :aggregate_failures do
+      ClimateControl.modify('RACK_ENV' => 'development') do
+        get '/create'
+        expect(last_response.status).to eq(404)
+
+        get '/token'
+        expect(last_response.status).to eq(404)
+
+        get '/result/generated-token'
+        expect(last_response.status).to eq(404)
+      end
+    end
   end
 
   describe 'GET /api/v1/feeds/:token' do # rubocop:disable RSpec/MultipleMemoizedHelpers

spec/html2rss/web/app_spec.rb

@@ -87,13 +87,34 @@ def app = described_class
       get '/'
 
       expect(last_response).to be_ok
+      expect(last_response.body).not_to include('html2rss-web API (development)')
       expect(last_response.headers['Content-Security-Policy']).to include("default-src 'none'")
       expect(last_response.headers['Content-Security-Policy']).to include("script-src 'self'")
       expect(last_response.headers['Content-Security-Policy']).to include("style-src 'self'")
       expect(last_response.headers['Content-Security-Policy']).not_to include("'unsafe-inline'")
       expect(last_response.headers['Strict-Transport-Security']).to include('max-age=31536000')
     end
 
+    it 'serves an API-only landing page on root in development', :aggregate_failures do
+      ClimateControl.modify('RACK_ENV' => 'development') do
+        get '/'
+      end
+
+      expect(last_response).to be_ok
+      expect(last_response.body).to include('html2rss-web API (development)')
+      expect(last_response.body).to include('/api/v1')
+      expect(last_response.body).to include('http://127.0.0.1:4001/')
+    end
+
+    it 'does not render SPA app routes in development' do
+      ClimateControl.modify('RACK_ENV' => 'development') do
+        get '/create'
+      end
+
+      expect(last_response.status).to eq(404)
+      expect(last_response.body).to eq('')
+    end
+
     it 'does not serve the removed legacy frontend entrypoint' do
       get '/frontend/index.html'