blumenjs 0.1.7 → 0.2.1

package/dist/templates/go-server/main.go

@@ -11,9 +11,22 @@ import (
 )
 
 const (
-	nodeSSRURL = "http://localhost:4000/render"
+	nodeSSRURL  = "http://localhost:4000/render"
+	nodeDataURL = "http://localhost:4000/data"
+	nodeAPIURL  = "http://localhost:4000/api"
 )
 
+// Global page cache — stores rendered HTML in Go memory for near-instant responses.
+// Max 500 entries with LRU eviction. A single Go server can cache the entire site.
+var pageCache = NewPageCache(500)
+
+// Global WebSocket hub — manages all real-time connections.
+// Each connection runs in its own goroutine for maximum concurrency.
+var wsHub = NewWSHub()
+
+// Global SSG server — serves pre-rendered HTML directly from disk.
+var ssgServer = NewSSGServer("dist/static-pages")
+
 // SSRResponse from Node service
 type SSRResponse struct {
 	HTML  string                 `json:"html"`
@@ -28,6 +41,21 @@ type SSRRequest struct {
 	Data   map[string]interface{} `json:"data,omitempty"`
 }
 
+// DataRequest to Node /data endpoint
+type DataRequest struct {
+	Path    string                 `json:"path"`
+	Query   map[string][]string    `json:"query"`
+	Params  map[string]interface{} `json:"params"`
+	Headers map[string]string      `json:"headers,omitempty"`
+}
+
+// DataResponse from Node /data endpoint
+type DataResponse struct {
+	Props          map[string]interface{} `json:"props"`
+	HasServerProps bool                   `json:"hasServerProps"`
+	Revalidate     int                    `json:"revalidate"` // TTL in seconds
+}
+
 var httpClient = &http.Client{
 	Timeout: 10 * time.Second,
 }
@@ -35,8 +63,51 @@ var httpClient = &http.Client{
 func main() {
 	mux := http.NewServeMux()
 
-	// Static files are served directly — must be registered first
-	mux.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir("static"))))
+	// ── Middleware chain ─────────────────────────────────────
+	chain := NewMiddlewareChain()
+
+	// Redirects & rewrites (processed first, before logging)
+	SetupRedirects(chain, "blumen.routes.json")
+
+	// Global middleware (runs on every request)
+	chain.Use(LoggerMiddleware())
+
+	// CORS middleware for API routes
+	chain.UseOn("/api/*", CORSMiddleware(DefaultCORSConfig()))
+
+	// Security headers (CSP, HSTS, X-Frame-Options, etc.)
+	chain.Use(SecurityHeadersMiddleware(DefaultSecurityConfig()))
+
+	// SSR DoS protection: limit page rendering requests per IP
+	// Prevents abuse of the CPU-intensive SSR endpoint
+	chain.UseOn("/*", RateLimitMiddleware(200, time.Minute))
+
+	// Authentication middleware for protected routes
+	// Uncomment and configure to enable:
+	// chain.UseOn("/dashboard/*", AuthMiddleware(AuthConfig{
+	// 	CookieName:  "session",
+	// 	HeaderName:  "Authorization",
+	// 	RedirectURL: "/login",
+	// 	ValidateFunc: func(token string) bool {
+	// 		// Add your token validation logic here
+	// 		return token != ""
+	// 	},
+	// }))
+
+	// Static files with immutable cache headers
+	staticHandler := http.StripPrefix("/static/", http.FileServer(http.Dir("static")))
+	mux.HandleFunc("/static/", func(w http.ResponseWriter, r *http.Request) {
+		// Set aggressive cache headers for static assets
+		w.Header().Set("Cache-Control", "public, max-age=31536000, immutable")
+		w.Header().Set("X-Blumen-Cache", "STATIC")
+		staticHandler.ServeHTTP(w, r)
+	})
+
+	// Image optimization endpoint - processes and caches images on the fly
+	mux.HandleFunc("/_blumen/image", ImageHandler())
+
+	// Cache management endpoint (for development/debugging)
+	mux.HandleFunc("/_blumen/cache", cacheStatusHandler)
 
 	// Specific routes with Go loaders for data fetching
 	mux.HandleFunc("/dashboard/settings", PageHandler(func(r *http.Request) (map[string]interface{}, error) {
@@ -46,16 +117,52 @@ func main() {
 		}, nil
 	}))
 
-	mux.HandleFunc("/users/{id}", PageHandler(func(r *http.Request) (map[string]interface{}, error) {
-		id := r.PathValue("id")
-		return map[string]interface{}{
-			"userId":      id,
-			"userProfile": "Profile data for user " + id + " fetched from Go db",
-		}, nil
-	}))
+	// API routes: forward all /api/* requests to Node for TypeScript handling
+	mux.HandleFunc("/api/", APIProxyHandler())
+
+	// ── WebSocket endpoint ────────────────────────────────────
+	// Configure WebSocket event handlers
+	wsHub.OnConnect = func(client *WSClient, r *http.Request) bool {
+		// Accept all connections by default.
+		// Add authentication logic here (e.g. check JWT in query params).
+		return true
+	}
+
+	wsHub.OnMessage = func(client *WSClient, msg WSMessage) *WSMessage {
+		// Handle custom message types here.
+		// Return a *WSMessage to reply directly to the sender, or nil.
+		switch msg.Type {
+		case "echo":
+			// Example: echo the payload back
+			return &WSMessage{Type: "echo", Payload: msg.Payload}
+		default:
+			return nil
+		}
+	}
+
+	// Start the WebSocket hub event loop
+	go wsHub.Run()
+
+	// WebSocket upgrade endpoint
+	mux.HandleFunc("/_blumen/ws", WSHandler(wsHub))
+
+	// WebSocket status endpoint (for monitoring)
+	mux.HandleFunc("/_blumen/ws/status", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		status := map[string]interface{}{
+			"connections": wsHub.ClientCount(),
+		}
+		json.NewEncoder(w).Encode(status)
+	})
+
+	// ── Server Actions endpoint ──────────────────────────────
+	// Handles POST /_blumen/action with CSRF validation.
+	// Forwards action execution to Node SSR server.
+	mux.HandleFunc("/_blumen/action", ActionHandler())
 
 	// Catch-all: forward every other request to the Node SSR server.
-	// This decouples Go from knowing about specific React page paths.
+	// If the page exports getServerProps, Node will fetch the data first.
+	// If a Go DataLoader is registered above, it takes priority.
 	mux.HandleFunc("/", PageHandler(nil))
 
 	startPort := 3000
@@ -73,7 +180,9 @@ func main() {
 	}
 
 	log.Printf("Go server starting on http://localhost:%d", startPort)
-	if err := http.Serve(listener, mux); err != nil {
+	log.Printf("Page cache initialized (max %d entries)", 500)
+	log.Printf("Middleware chain: %d middleware registered", len(chain.entries))
+	if err := http.Serve(listener, chain.Then(mux)); err != nil {
 		log.Fatalf("Server error: %v", err)
 	}
 }
@@ -87,33 +196,121 @@ func PageHandler(loader DataLoader) http.HandlerFunc {
 			return
 		}
 
-		var props map[string]interface{}
-		var err error
-		if loader != nil {
-			props, err = loader(r)
-			if err != nil {
-				log.Printf("Loader error: %v", err)
-				http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		// SSG: serve pre-rendered static pages directly from disk (< 0.5ms)
+		// Only for full page requests, not SPA data requests
+		if r.Header.Get("X-Blumen-Data") != "1" && ssgServer.HasPage(r.URL.Path) {
+			ssgServer.ServePage(w, r)
+			return
+		}
+
+		// Generate cache key from the full URL (path + query string)
+		cacheKey := r.URL.RequestURI()
+
+		// Check the page cache first
+		if entry, found, stale := pageCache.Get(cacheKey); found {
+			// Handle ETag conditional request
+			if match := r.Header.Get("If-None-Match"); match == entry.ETag {
+				w.Header().Set("X-Blumen-Cache", "HIT")
+				w.WriteHeader(http.StatusNotModified)
 				return
 			}
-		}
 
-		// If this is a SPA data fetch request, return JSON props
-		if r.Header.Get("X-Blumen-Data") == "1" || r.URL.Query().Get("_data") == "1" {
-			w.Header().Set("Content-Type", "application/json")
-			if props == nil {
-				props = make(map[string]interface{})
+			if !stale {
+				// CACHE HIT: serve directly from Go memory (sub-millisecond)
+				serveCachedPage(w, entry, "HIT")
+				return
 			}
-			json.NewEncoder(w).Encode(props)
+
+			// STALE: serve stale content immediately, revalidate in background
+			serveCachedPage(w, entry, "STALE")
+
+			// Background revalidation (fire and forget)
+			go func() {
+				html, revalidate := renderPage(r, loader)
+				if html != "" {
+					pageCache.Set(cacheKey, html, revalidate)
+				}
+			}()
 			return
 		}
 
-		handleRouteWithProps(w, r, props)
+		// CACHE MISS: render the page and cache the result
+		html, revalidate := renderPage(r, loader)
+		if html == "" {
+			// renderPage already wrote the error response
+			return
+		}
+
+		// Cache the rendered page
+		pageCache.Set(cacheKey, html, revalidate)
+
+		// Serve the fresh response
+		entry, _, _ := pageCache.Get(cacheKey)
+		if entry != nil {
+			serveCachedPage(w, entry, "MISS")
+		} else {
+			// Fallback: serve directly without cache metadata
+			writeHTMLResponse(w, html, "MISS", "")
+		}
+	}
+}
+
+// serveCachedPage writes a cached page response with proper headers.
+func serveCachedPage(w http.ResponseWriter, entry *CacheEntry, cacheStatus string) {
+	writeHTMLResponse(w, entry.HTML, cacheStatus, entry.ETag)
+}
+
+// writeHTMLResponse writes an HTML response with cache and security headers.
+func writeHTMLResponse(w http.ResponseWriter, html string, cacheStatus string, etag string) {
+	// Security headers
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("X-Frame-Options", "DENY")
+	w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
+
+	// Cache headers
+	w.Header().Set("X-Blumen-Cache", cacheStatus)
+	if etag != "" {
+		w.Header().Set("ETag", etag)
 	}
+	// Tell browsers and CDNs they can cache for 10s, serve stale for 60s while revalidating
+	w.Header().Set("Cache-Control", "public, s-maxage=10, stale-while-revalidate=60")
+
+	w.WriteHeader(http.StatusOK)
+	w.Write([]byte(html))
 }
 
-func handleRouteWithProps(w http.ResponseWriter, r *http.Request, props map[string]interface{}) {
-	// Prepare SSR request
+// renderPage performs the full SSR pipeline: fetch data + render HTML.
+// Returns the HTML string and the revalidation TTL in seconds.
+func renderPage(r *http.Request, loader DataLoader) (string, int) {
+	var props map[string]interface{}
+	var err error
+	revalidate := 0
+
+	if loader != nil {
+		// Use Go DataLoader (takes priority over getServerProps)
+		props, err = loader(r)
+		if err != nil {
+			log.Printf("Loader error: %v", err)
+			return "", 0
+		}
+	} else {
+		// No Go DataLoader - check if the page has getServerProps
+		tsProps, tsRevalidate, tsErr := fetchServerProps(r)
+		if tsErr != nil {
+			log.Printf("getServerProps error: %v", tsErr)
+			// Non-fatal: render the page without server props
+		} else if tsProps != nil {
+			props = tsProps
+			revalidate = tsRevalidate
+		}
+	}
+
+	// If this is a SPA data fetch request, return JSON props (don't cache)
+	// This check shouldn't happen in renderPage since it's called from the handler,
+	// but the handler already handles this case before reaching here.
+
+	// Call Node SSR to render the HTML
 	ssrReq := SSRRequest{
 		Path:  r.URL.Path,
 		Query: r.URL.Query(),
@@ -124,24 +321,64 @@ func handleRouteWithProps(w http.ResponseWriter, r *http.Request, props map[stri
 		Data: props,
 	}
 
-	// Call Node SSR service
 	ssrResp, err := callNodeSSR(ssrReq)
 	if err != nil {
 		log.Printf("SSR error: %v", err)
-		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
-		return
+		return "", 0
 	}
 
+	return ssrResp.HTML, revalidate
+}
 
+// fetchServerProps calls the Node SSR /data endpoint to run getServerProps.
+// Returns nil if the page doesn't export getServerProps.
+// Also returns the revalidate TTL (0 = no caching from getServerProps).
+func fetchServerProps(r *http.Request) (map[string]interface{}, int, error) {
+	// Build a subset of headers to forward
+	headers := make(map[string]string)
+	for _, key := range []string{"Authorization", "Cookie", "Accept-Language", "User-Agent"} {
+		if val := r.Header.Get(key); val != "" {
+			headers[key] = val
+		}
+	}
 
-	// Security headers
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	w.Header().Set("X-Content-Type-Options", "nosniff")
-	w.Header().Set("X-Frame-Options", "DENY")
-	w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
+	dataReq := DataRequest{
+		Path:    r.URL.Path,
+		Query:   r.URL.Query(),
+		Params:  map[string]interface{}{},
+		Headers: headers,
+	}
 
-	w.WriteHeader(http.StatusOK)
-	w.Write([]byte(ssrResp.HTML))
+	reqBody, err := json.Marshal(dataReq)
+	if err != nil {
+		return nil, 0, fmt.Errorf("marshal data request: %w", err)
+	}
+
+	resp, err := httpClient.Post(
+		nodeDataURL,
+		"application/json",
+		bytes.NewReader(reqBody),
+	)
+	if err != nil {
+		return nil, 0, fmt.Errorf("http post /data: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, 0, fmt.Errorf("node /data returned %d", resp.StatusCode)
+	}
+
+	var dataResp DataResponse
+	if err := json.NewDecoder(resp.Body).Decode(&dataResp); err != nil {
+		return nil, 0, fmt.Errorf("decode data response: %w", err)
+	}
+
+	if !dataResp.HasServerProps {
+		// Page doesn't export getServerProps, skip
+		return nil, 0, nil
+	}
+
+	return dataResp.Props, dataResp.Revalidate, nil
 }
 
 func callNodeSSR(req SSRRequest) (*SSRResponse, error) {
@@ -172,4 +409,122 @@ func callNodeSSR(req SSRRequest) (*SSRResponse, error) {
 	return &ssrResp, nil
 }
 
+// cacheStatusHandler provides cache introspection for debugging.
+// GET /_blumen/cache — returns current cache size and status
+// DELETE /_blumen/cache — clears the entire cache
+func cacheStatusHandler(w http.ResponseWriter, r *http.Request) {
+	switch r.Method {
+	case http.MethodGet:
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(map[string]interface{}{
+			"size":    pageCache.Size(),
+			"maxSize": 500,
+			"status":  "active",
+		})
+	case http.MethodDelete:
+		pageCache.Clear()
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(map[string]interface{}{
+			"message": "Cache cleared",
+		})
+	default:
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+	}
+}
+
+// APINodeRequest is the envelope sent to Node for API route handling.
+type APINodeRequest struct {
+	Method  string                 `json:"method"`
+	Path    string                 `json:"path"`
+	Query   map[string][]string    `json:"query"`
+	Headers map[string]string      `json:"headers"`
+	Body    interface{}            `json:"body"`
+}
+
+// APINodeResponse is the envelope received from Node after API route handling.
+type APINodeResponse struct {
+	Status  int                    `json:"status"`
+	Headers map[string]string      `json:"headers"`
+	Body    interface{}            `json:"body"`
+}
+
+// APIProxyHandler forwards /api/* requests to the Node SSR server.
+// Accepts all HTTP methods (GET, POST, PUT, DELETE, PATCH).
+// Reads the request body, packages it into a JSON envelope, and sends it
+// to Node's /api endpoint. Node matches the route, runs the handler, and
+// returns { status, headers, body } which Go writes back to the client.
+func APIProxyHandler() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Read request body (for POST, PUT, PATCH)
+		var requestBody interface{}
+		if r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodPatch {
+			var bodyBuf bytes.Buffer
+			bodyBuf.ReadFrom(r.Body)
+			defer r.Body.Close()
+
+			// Try to parse as JSON; if it fails, send as raw string
+			var jsonBody interface{}
+			if err := json.Unmarshal(bodyBuf.Bytes(), &jsonBody); err == nil {
+				requestBody = jsonBody
+			} else if bodyBuf.Len() > 0 {
+				requestBody = bodyBuf.String()
+			}
+		}
+
+		// Forward a subset of headers
+		headers := make(map[string]string)
+		for _, key := range []string{
+			"Authorization", "Cookie", "Content-Type", "Accept",
+			"Accept-Language", "User-Agent", "X-Request-ID",
+		} {
+			if val := r.Header.Get(key); val != "" {
+				headers[key] = val
+			}
+		}
+
+		apiReq := APINodeRequest{
+			Method:  r.Method,
+			Path:    r.URL.Path,
+			Query:   r.URL.Query(),
+			Headers: headers,
+			Body:    requestBody,
+		}
+
+		reqBody, err := json.Marshal(apiReq)
+		if err != nil {
+			log.Printf("API proxy: marshal error: %v", err)
+			http.Error(w, `{"error":"Internal Server Error"}`, http.StatusInternalServerError)
+			return
+		}
+
+		resp, err := httpClient.Post(nodeAPIURL, "application/json", bytes.NewReader(reqBody))
+		if err != nil {
+			log.Printf("API proxy: node request error: %v", err)
+			http.Error(w, `{"error":"API service unavailable"}`, http.StatusBadGateway)
+			return
+		}
+		defer resp.Body.Close()
 
+		var apiResp APINodeResponse
+		if err := json.NewDecoder(resp.Body).Decode(&apiResp); err != nil {
+			log.Printf("API proxy: decode error: %v", err)
+			http.Error(w, `{"error":"Internal Server Error"}`, http.StatusInternalServerError)
+			return
+		}
+
+		// Write response headers from Node handler
+		for key, val := range apiResp.Headers {
+			w.Header().Set(key, val)
+		}
+
+		// Security headers
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("X-Blumen-Route", "api")
+
+		// Write status and body
+		w.WriteHeader(apiResp.Status)
+		if apiResp.Body != nil {
+			json.NewEncoder(w).Encode(apiResp.Body)
+		}
+	}
+}