blumenjs 0.2.0 → 0.2.1

package/dist/templates/go-server/main.go

@@ -13,12 +13,20 @@ import (
 const (
 	nodeSSRURL  = "http://localhost:4000/render"
 	nodeDataURL = "http://localhost:4000/data"
+	nodeAPIURL  = "http://localhost:4000/api"
 )
 
 // Global page cache — stores rendered HTML in Go memory for near-instant responses.
 // Max 500 entries with LRU eviction. A single Go server can cache the entire site.
 var pageCache = NewPageCache(500)
 
+// Global WebSocket hub — manages all real-time connections.
+// Each connection runs in its own goroutine for maximum concurrency.
+var wsHub = NewWSHub()
+
+// Global SSG server — serves pre-rendered HTML directly from disk.
+var ssgServer = NewSSGServer("dist/static-pages")
+
 // SSRResponse from Node service
 type SSRResponse struct {
 	HTML  string                 `json:"html"`
@@ -55,6 +63,37 @@ var httpClient = &http.Client{
 func main() {
 	mux := http.NewServeMux()
 
+	// ── Middleware chain ─────────────────────────────────────
+	chain := NewMiddlewareChain()
+
+	// Redirects & rewrites (processed first, before logging)
+	SetupRedirects(chain, "blumen.routes.json")
+
+	// Global middleware (runs on every request)
+	chain.Use(LoggerMiddleware())
+
+	// CORS middleware for API routes
+	chain.UseOn("/api/*", CORSMiddleware(DefaultCORSConfig()))
+
+	// Security headers (CSP, HSTS, X-Frame-Options, etc.)
+	chain.Use(SecurityHeadersMiddleware(DefaultSecurityConfig()))
+
+	// SSR DoS protection: limit page rendering requests per IP
+	// Prevents abuse of the CPU-intensive SSR endpoint
+	chain.UseOn("/*", RateLimitMiddleware(200, time.Minute))
+
+	// Authentication middleware for protected routes
+	// Uncomment and configure to enable:
+	// chain.UseOn("/dashboard/*", AuthMiddleware(AuthConfig{
+	// 	CookieName:  "session",
+	// 	HeaderName:  "Authorization",
+	// 	RedirectURL: "/login",
+	// 	ValidateFunc: func(token string) bool {
+	// 		// Add your token validation logic here
+	// 		return token != ""
+	// 	},
+	// }))
+
 	// Static files with immutable cache headers
 	staticHandler := http.StripPrefix("/static/", http.FileServer(http.Dir("static")))
 	mux.HandleFunc("/static/", func(w http.ResponseWriter, r *http.Request) {
@@ -78,6 +117,49 @@ func main() {
 		}, nil
 	}))
 
+	// API routes: forward all /api/* requests to Node for TypeScript handling
+	mux.HandleFunc("/api/", APIProxyHandler())
+
+	// ── WebSocket endpoint ────────────────────────────────────
+	// Configure WebSocket event handlers
+	wsHub.OnConnect = func(client *WSClient, r *http.Request) bool {
+		// Accept all connections by default.
+		// Add authentication logic here (e.g. check JWT in query params).
+		return true
+	}
+
+	wsHub.OnMessage = func(client *WSClient, msg WSMessage) *WSMessage {
+		// Handle custom message types here.
+		// Return a *WSMessage to reply directly to the sender, or nil.
+		switch msg.Type {
+		case "echo":
+			// Example: echo the payload back
+			return &WSMessage{Type: "echo", Payload: msg.Payload}
+		default:
+			return nil
+		}
+	}
+
+	// Start the WebSocket hub event loop
+	go wsHub.Run()
+
+	// WebSocket upgrade endpoint
+	mux.HandleFunc("/_blumen/ws", WSHandler(wsHub))
+
+	// WebSocket status endpoint (for monitoring)
+	mux.HandleFunc("/_blumen/ws/status", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		status := map[string]interface{}{
+			"connections": wsHub.ClientCount(),
+		}
+		json.NewEncoder(w).Encode(status)
+	})
+
+	// ── Server Actions endpoint ──────────────────────────────
+	// Handles POST /_blumen/action with CSRF validation.
+	// Forwards action execution to Node SSR server.
+	mux.HandleFunc("/_blumen/action", ActionHandler())
+
 	// Catch-all: forward every other request to the Node SSR server.
 	// If the page exports getServerProps, Node will fetch the data first.
 	// If a Go DataLoader is registered above, it takes priority.
@@ -99,7 +181,8 @@ func main() {
 
 	log.Printf("Go server starting on http://localhost:%d", startPort)
 	log.Printf("Page cache initialized (max %d entries)", 500)
-	if err := http.Serve(listener, mux); err != nil {
+	log.Printf("Middleware chain: %d middleware registered", len(chain.entries))
+	if err := http.Serve(listener, chain.Then(mux)); err != nil {
 		log.Fatalf("Server error: %v", err)
 	}
 }
@@ -113,6 +196,13 @@ func PageHandler(loader DataLoader) http.HandlerFunc {
 			return
 		}
 
+		// SSG: serve pre-rendered static pages directly from disk (< 0.5ms)
+		// Only for full page requests, not SPA data requests
+		if r.Header.Get("X-Blumen-Data") != "1" && ssgServer.HasPage(r.URL.Path) {
+			ssgServer.ServePage(w, r)
+			return
+		}
+
 		// Generate cache key from the full URL (path + query string)
 		cacheKey := r.URL.RequestURI()
 
@@ -341,3 +431,100 @@ func cacheStatusHandler(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
 	}
 }
+
+// APINodeRequest is the envelope sent to Node for API route handling.
+type APINodeRequest struct {
+	Method  string                 `json:"method"`
+	Path    string                 `json:"path"`
+	Query   map[string][]string    `json:"query"`
+	Headers map[string]string      `json:"headers"`
+	Body    interface{}            `json:"body"`
+}
+
+// APINodeResponse is the envelope received from Node after API route handling.
+type APINodeResponse struct {
+	Status  int                    `json:"status"`
+	Headers map[string]string      `json:"headers"`
+	Body    interface{}            `json:"body"`
+}
+
+// APIProxyHandler forwards /api/* requests to the Node SSR server.
+// Accepts all HTTP methods (GET, POST, PUT, DELETE, PATCH).
+// Reads the request body, packages it into a JSON envelope, and sends it
+// to Node's /api endpoint. Node matches the route, runs the handler, and
+// returns { status, headers, body } which Go writes back to the client.
+func APIProxyHandler() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Read request body (for POST, PUT, PATCH)
+		var requestBody interface{}
+		if r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodPatch {
+			var bodyBuf bytes.Buffer
+			bodyBuf.ReadFrom(r.Body)
+			defer r.Body.Close()
+
+			// Try to parse as JSON; if it fails, send as raw string
+			var jsonBody interface{}
+			if err := json.Unmarshal(bodyBuf.Bytes(), &jsonBody); err == nil {
+				requestBody = jsonBody
+			} else if bodyBuf.Len() > 0 {
+				requestBody = bodyBuf.String()
+			}
+		}
+
+		// Forward a subset of headers
+		headers := make(map[string]string)
+		for _, key := range []string{
+			"Authorization", "Cookie", "Content-Type", "Accept",
+			"Accept-Language", "User-Agent", "X-Request-ID",
+		} {
+			if val := r.Header.Get(key); val != "" {
+				headers[key] = val
+			}
+		}
+
+		apiReq := APINodeRequest{
+			Method:  r.Method,
+			Path:    r.URL.Path,
+			Query:   r.URL.Query(),
+			Headers: headers,
+			Body:    requestBody,
+		}
+
+		reqBody, err := json.Marshal(apiReq)
+		if err != nil {
+			log.Printf("API proxy: marshal error: %v", err)
+			http.Error(w, `{"error":"Internal Server Error"}`, http.StatusInternalServerError)
+			return
+		}
+
+		resp, err := httpClient.Post(nodeAPIURL, "application/json", bytes.NewReader(reqBody))
+		if err != nil {
+			log.Printf("API proxy: node request error: %v", err)
+			http.Error(w, `{"error":"API service unavailable"}`, http.StatusBadGateway)
+			return
+		}
+		defer resp.Body.Close()
+
+		var apiResp APINodeResponse
+		if err := json.NewDecoder(resp.Body).Decode(&apiResp); err != nil {
+			log.Printf("API proxy: decode error: %v", err)
+			http.Error(w, `{"error":"Internal Server Error"}`, http.StatusInternalServerError)
+			return
+		}
+
+		// Write response headers from Node handler
+		for key, val := range apiResp.Headers {
+			w.Header().Set(key, val)
+		}
+
+		// Security headers
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("X-Blumen-Route", "api")
+
+		// Write status and body
+		w.WriteHeader(apiResp.Status)
+		if apiResp.Body != nil {
+			json.NewEncoder(w).Encode(apiResp.Body)
+		}
+	}
+}