forked from baron/baron-sso
fix(userfront): prevent public env asset request
This commit is contained in:
@@ -35,6 +35,13 @@ const contentTypes = {
|
||||
const server = createServer((req, res) => {
|
||||
const url = new URL(req.url ?? '/', 'http://localhost');
|
||||
const pathname = decodeURIComponent(url.pathname);
|
||||
if (pathname === '/') {
|
||||
res.statusCode = 302;
|
||||
res.setHeader('Location', '/ko/signin');
|
||||
res.setHeader('Cache-Control', 'no-cache, max-age=0, must-revalidate');
|
||||
res.end();
|
||||
return;
|
||||
}
|
||||
const relative = pathname === '/' ? '/index.html' : pathname;
|
||||
const candidate = normalize(join(root, relative));
|
||||
|
||||
@@ -48,6 +55,13 @@ const server = createServer((req, res) => {
|
||||
let servesAppShellFallback = false;
|
||||
|
||||
if (!existsSync(filePath) || statSync(filePath).isDirectory()) {
|
||||
if (extname(pathname)) {
|
||||
res.statusCode = 404;
|
||||
res.setHeader('Cache-Control', 'no-cache, max-age=0, must-revalidate');
|
||||
res.end('Not Found');
|
||||
return;
|
||||
}
|
||||
|
||||
// Flutter web 라우팅 경로(`/ko`, `/ko/signin`)도 index.html로 fallback 처리
|
||||
filePath = join(root, 'index.html');
|
||||
servesAppShellFallback = true;
|
||||
|
||||
@@ -4,6 +4,7 @@ type LoadMetrics = {
|
||||
durationMs: number;
|
||||
transferredBytes: number;
|
||||
requestedUrls: string[];
|
||||
requestedPathCounts: Map<string, number>;
|
||||
cacheControlByPath: Map<string, string>;
|
||||
contentEncodingByPath: Map<string, string>;
|
||||
};
|
||||
@@ -30,15 +31,24 @@ async function mockPublicApis(page: Page): Promise<void> {
|
||||
|
||||
async function measureSigninLoad(page: Page): Promise<LoadMetrics> {
|
||||
const requestedUrls: string[] = [];
|
||||
const requestedPathCounts = new Map<string, number>();
|
||||
const cacheControlByPath = new Map<string, string>();
|
||||
const contentEncodingByPath = new Map<string, string>();
|
||||
let transferredBytes = 0;
|
||||
|
||||
page.on('request', (request: Request) => {
|
||||
const onRequest = (request: Request) => {
|
||||
const requestUrl = new URL(request.url());
|
||||
requestedUrls.push(request.url());
|
||||
});
|
||||
if (requestUrl.protocol === 'http:' || requestUrl.protocol === 'https:') {
|
||||
const resourceKey = `${requestUrl.origin}${requestUrl.pathname}`;
|
||||
requestedPathCounts.set(
|
||||
resourceKey,
|
||||
(requestedPathCounts.get(resourceKey) ?? 0) + 1,
|
||||
);
|
||||
}
|
||||
};
|
||||
|
||||
page.on('response', async (response) => {
|
||||
const onResponse = async (response) => {
|
||||
const url = new URL(response.url());
|
||||
const cacheControl = response.headers()['cache-control'];
|
||||
if (cacheControl) {
|
||||
@@ -54,20 +64,44 @@ async function measureSigninLoad(page: Page): Promise<LoadMetrics> {
|
||||
const sizes = await response.request().sizes().catch(() => null);
|
||||
transferredBytes += sizes?.responseBodySize ?? 0;
|
||||
}
|
||||
});
|
||||
|
||||
const start = performance.now();
|
||||
await page.goto('/ko/signin', { waitUntil: 'networkidle' });
|
||||
await expect(page).toHaveURL(/\/ko\/signin(?:\?.*)?$/);
|
||||
const durationMs = Math.round(performance.now() - start);
|
||||
|
||||
return {
|
||||
durationMs,
|
||||
transferredBytes,
|
||||
requestedUrls,
|
||||
cacheControlByPath,
|
||||
contentEncodingByPath,
|
||||
};
|
||||
|
||||
page.on('request', onRequest);
|
||||
page.on('response', onResponse);
|
||||
|
||||
try {
|
||||
const start = performance.now();
|
||||
await page.goto('/ko/signin', { waitUntil: 'networkidle' });
|
||||
await expect(page).toHaveURL(/\/ko\/signin(?:\?.*)?$/);
|
||||
const durationMs = Math.round(performance.now() - start);
|
||||
|
||||
return {
|
||||
durationMs,
|
||||
transferredBytes,
|
||||
requestedUrls,
|
||||
requestedPathCounts,
|
||||
cacheControlByPath,
|
||||
contentEncodingByPath,
|
||||
};
|
||||
} finally {
|
||||
page.off('request', onRequest);
|
||||
page.off('response', onResponse);
|
||||
}
|
||||
}
|
||||
|
||||
function expectNoDuplicateStaticRequests(metrics: LoadMetrics): void {
|
||||
const duplicates = [...metrics.requestedPathCounts.entries()].filter(
|
||||
([resourceKey, count]) => {
|
||||
const path = new URL(resourceKey).pathname;
|
||||
return (
|
||||
count > 1 &&
|
||||
!path.startsWith('/api/') &&
|
||||
!path.endsWith('/ko/signin') &&
|
||||
!path.endsWith('/')
|
||||
);
|
||||
},
|
||||
);
|
||||
expect(duplicates).toEqual([]);
|
||||
}
|
||||
|
||||
test.describe('UserFront login performance budget', () => {
|
||||
@@ -82,8 +116,11 @@ test.describe('UserFront login performance budget', () => {
|
||||
`[userfront-perf] cold=${cold.durationMs}ms/${cold.transferredBytes}B warm=${warm.durationMs}ms/${warm.transferredBytes}B`,
|
||||
);
|
||||
|
||||
expect(warm.durationMs).toBeLessThanOrEqual(2000);
|
||||
expect(cold.durationMs).toBeLessThanOrEqual(1500);
|
||||
expect(warm.durationMs).toBeLessThanOrEqual(1100);
|
||||
expect(warm.transferredBytes).toBeLessThanOrEqual(1_000_000);
|
||||
expectNoDuplicateStaticRequests(cold);
|
||||
expectNoDuplicateStaticRequests(warm);
|
||||
expect(warm.requestedUrls.some((url) => url.includes('NotoSansKR'))).toBe(
|
||||
false,
|
||||
);
|
||||
@@ -92,6 +129,19 @@ test.describe('UserFront login performance budget', () => {
|
||||
url.includes('fonts.googleapis.com/icon?family=Material+Icons'),
|
||||
),
|
||||
).toBe(false);
|
||||
expect(
|
||||
[...cold.requestedUrls, ...warm.requestedUrls].some((url) =>
|
||||
url.includes('www.gstatic.com/flutter-canvaskit'),
|
||||
),
|
||||
).toBe(false);
|
||||
expect(warm.requestedUrls.some((url) => url.endsWith('/assets/.env'))).toBe(
|
||||
false,
|
||||
);
|
||||
expect(
|
||||
cold.requestedUrls.some((url) =>
|
||||
url.endsWith('/flutter_service_worker.js'),
|
||||
),
|
||||
).toBe(false);
|
||||
|
||||
const cacheControlByPath = new Map([
|
||||
...cold.cacheControlByPath,
|
||||
@@ -112,5 +162,32 @@ test.describe('UserFront login performance budget', () => {
|
||||
encoding === 'br',
|
||||
);
|
||||
expect(brotliEntrypoint).toBe(true);
|
||||
expect(contentEncodingByPath.get('/canvaskit/skwasm.wasm')).toBe('br');
|
||||
});
|
||||
|
||||
test('root redirects to localized signin before Flutter boots', async ({
|
||||
page,
|
||||
}) => {
|
||||
await mockPublicApis(page);
|
||||
|
||||
const requestedUrls: string[] = [];
|
||||
page.on('request', (request) => {
|
||||
requestedUrls.push(request.url());
|
||||
});
|
||||
|
||||
const start = performance.now();
|
||||
await page.goto('/', { waitUntil: 'domcontentloaded' });
|
||||
await expect(page).toHaveURL(/\/ko\/signin(?:\?.*)?$/);
|
||||
const durationMs = Math.round(performance.now() - start);
|
||||
|
||||
expect(durationMs).toBeLessThanOrEqual(300);
|
||||
const rootIndex = requestedUrls.findIndex(
|
||||
(url) => new URL(url).pathname === '/',
|
||||
);
|
||||
const bootstrapIndex = requestedUrls.findIndex((url) =>
|
||||
new URL(url).pathname.endsWith('/flutter_bootstrap.js'),
|
||||
);
|
||||
expect(rootIndex).toBeGreaterThanOrEqual(0);
|
||||
expect(bootstrapIndex).toBeGreaterThan(rootIndex);
|
||||
});
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user