blumenjs 0.2.0 → 0.2.2

package/dist/templates/go-server/main.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"io"
 	"log"
 	"net"
 	"net/http"
@@ -11,14 +12,23 @@ import (
 )
 
 const (
-	nodeSSRURL  = "http://localhost:4000/render"
-	nodeDataURL = "http://localhost:4000/data"
+	nodeSSRURL       = "http://localhost:4000/render"
+	nodeStreamURL    = "http://localhost:4000/stream-render"
+	nodeDataURL      = "http://localhost:4000/data"
+	nodeAPIURL       = "http://localhost:4000/api"
 )
 
 // Global page cache — stores rendered HTML in Go memory for near-instant responses.
 // Max 500 entries with LRU eviction. A single Go server can cache the entire site.
 var pageCache = NewPageCache(500)
 
+// Global WebSocket hub — manages all real-time connections.
+// Each connection runs in its own goroutine for maximum concurrency.
+var wsHub = NewWSHub()
+
+// Global SSG server — serves pre-rendered HTML directly from disk.
+var ssgServer = NewSSGServer("dist/static-pages")
+
 // SSRResponse from Node service
 type SSRResponse struct {
 	HTML  string                 `json:"html"`
@@ -55,6 +65,37 @@ var httpClient = &http.Client{
 func main() {
 	mux := http.NewServeMux()
 
+	// ── Middleware chain ─────────────────────────────────────
+	chain := NewMiddlewareChain()
+
+	// Redirects & rewrites (processed first, before logging)
+	SetupRedirects(chain, "blumen.routes.json")
+
+	// Global middleware (runs on every request)
+	chain.Use(LoggerMiddleware())
+
+	// CORS middleware for API routes
+	chain.UseOn("/api/*", CORSMiddleware(DefaultCORSConfig()))
+
+	// Security headers (CSP, HSTS, X-Frame-Options, etc.)
+	chain.Use(SecurityHeadersMiddleware(DefaultSecurityConfig()))
+
+	// SSR DoS protection: limit page rendering requests per IP
+	// Prevents abuse of the CPU-intensive SSR endpoint
+	chain.UseOn("/*", RateLimitMiddleware(200, time.Minute))
+
+	// Authentication middleware for protected routes
+	// Uncomment and configure to enable:
+	// chain.UseOn("/dashboard/*", AuthMiddleware(AuthConfig{
+	// 	CookieName:  "session",
+	// 	HeaderName:  "Authorization",
+	// 	RedirectURL: "/login",
+	// 	ValidateFunc: func(token string) bool {
+	// 		// Add your token validation logic here
+	// 		return token != ""
+	// 	},
+	// }))
+
 	// Static files with immutable cache headers
 	staticHandler := http.StripPrefix("/static/", http.FileServer(http.Dir("static")))
 	mux.HandleFunc("/static/", func(w http.ResponseWriter, r *http.Request) {
@@ -78,6 +119,49 @@ func main() {
 		}, nil
 	}))
 
+	// API routes: forward all /api/* requests to Node for TypeScript handling
+	mux.HandleFunc("/api/", APIProxyHandler())
+
+	// ── WebSocket endpoint ────────────────────────────────────
+	// Configure WebSocket event handlers
+	wsHub.OnConnect = func(client *WSClient, r *http.Request) bool {
+		// Accept all connections by default.
+		// Add authentication logic here (e.g. check JWT in query params).
+		return true
+	}
+
+	wsHub.OnMessage = func(client *WSClient, msg WSMessage) *WSMessage {
+		// Handle custom message types here.
+		// Return a *WSMessage to reply directly to the sender, or nil.
+		switch msg.Type {
+		case "echo":
+			// Example: echo the payload back
+			return &WSMessage{Type: "echo", Payload: msg.Payload}
+		default:
+			return nil
+		}
+	}
+
+	// Start the WebSocket hub event loop
+	go wsHub.Run()
+
+	// WebSocket upgrade endpoint
+	mux.HandleFunc("/_blumen/ws", WSHandler(wsHub))
+
+	// WebSocket status endpoint (for monitoring)
+	mux.HandleFunc("/_blumen/ws/status", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		status := map[string]interface{}{
+			"connections": wsHub.ClientCount(),
+		}
+		json.NewEncoder(w).Encode(status)
+	})
+
+	// ── Server Actions endpoint ──────────────────────────────
+	// Handles POST /_blumen/action with CSRF validation.
+	// Forwards action execution to Node SSR server.
+	mux.HandleFunc("/_blumen/action", ActionHandler())
+
 	// Catch-all: forward every other request to the Node SSR server.
 	// If the page exports getServerProps, Node will fetch the data first.
 	// If a Go DataLoader is registered above, it takes priority.
@@ -99,7 +183,8 @@ func main() {
 
 	log.Printf("Go server starting on http://localhost:%d", startPort)
 	log.Printf("Page cache initialized (max %d entries)", 500)
-	if err := http.Serve(listener, mux); err != nil {
+	log.Printf("Middleware chain: %d middleware registered", len(chain.entries))
+	if err := http.Serve(listener, chain.Then(mux)); err != nil {
 		log.Fatalf("Server error: %v", err)
 	}
 }
@@ -113,6 +198,13 @@ func PageHandler(loader DataLoader) http.HandlerFunc {
 			return
 		}
 
+		// SSG: serve pre-rendered static pages directly from disk (< 0.5ms)
+		// Only for full page requests, not SPA data requests
+		if r.Header.Get("X-Blumen-Data") != "1" && ssgServer.HasPage(r.URL.Path) {
+			ssgServer.ServePage(w, r)
+			return
+		}
+
 		// Generate cache key from the full URL (path + query string)
 		cacheKey := r.URL.RequestURI()
 
@@ -144,7 +236,23 @@ func PageHandler(loader DataLoader) http.HandlerFunc {
 			return
 		}
 
-		// CACHE MISS: render the page and cache the result
+		// CACHE MISS: try streaming SSR first for instant TTFB
+		// Streaming bypasses the cache — the HTML is sent directly to the browser.
+		// The next request will use renderPage and populate the cache.
+		if r.Header.Get("X-Blumen-Data") != "1" {
+			if streamRenderPage(w, r, loader) {
+				// Successfully streamed — also trigger a background cache fill
+				go func() {
+					html, revalidate := renderPage(r, loader)
+					if html != "" {
+						pageCache.Set(cacheKey, html, revalidate)
+					}
+				}()
+				return
+			}
+		}
+
+		// Streaming unavailable or SPA data request — fall back to renderPage
 		html, revalidate := renderPage(r, loader)
 		if html == "" {
 			// renderPage already wrote the error response
@@ -240,6 +348,91 @@ func renderPage(r *http.Request, loader DataLoader) (string, int) {
 	return ssrResp.HTML, revalidate
 }
 
+// streamRenderPage streams HTML from Node SSR directly to the client.
+// Uses chunked transfer encoding for instant TTFB.
+// Returns true if streaming succeeded, false if caller should fall back.
+func streamRenderPage(w http.ResponseWriter, r *http.Request, loader DataLoader) bool {
+	// Check if ResponseWriter supports flushing (required for streaming)
+	flusher, ok := w.(http.Flusher)
+	if !ok {
+		return false
+	}
+
+	var props map[string]interface{}
+	var err error
+
+	if loader != nil {
+		props, err = loader(r)
+		if err != nil {
+			log.Printf("Streaming: loader error: %v", err)
+			return false
+		}
+	} else {
+		tsProps, _, tsErr := fetchServerProps(r)
+		if tsErr != nil {
+			log.Printf("Streaming: getServerProps error: %v", tsErr)
+		} else if tsProps != nil {
+			props = tsProps
+		}
+	}
+
+	ssrReq := SSRRequest{
+		Path:  r.URL.Path,
+		Query: r.URL.Query(),
+		Params: map[string]interface{}{
+			"url":     r.URL.String(),
+			"headers": r.Header,
+		},
+		Data: props,
+	}
+
+	reqBody, err := json.Marshal(ssrReq)
+	if err != nil {
+		log.Printf("Streaming: marshal error: %v", err)
+		return false
+	}
+
+	resp, err := httpClient.Post(nodeStreamURL, "application/json", bytes.NewReader(reqBody))
+	if err != nil {
+		log.Printf("Streaming: node request error: %v", err)
+		return false
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		log.Printf("Streaming: node returned %d", resp.StatusCode)
+		return false
+	}
+
+	// Set response headers for streaming
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Header().Set("Transfer-Encoding", "chunked")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("X-Frame-Options", "DENY")
+	w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
+	w.Header().Set("X-Blumen-Cache", "STREAM")
+	w.Header().Set("Cache-Control", "no-cache")
+	w.WriteHeader(http.StatusOK)
+
+	// Stream chunks from Node to the browser
+	buf := make([]byte, 4096)
+	for {
+		n, readErr := resp.Body.Read(buf)
+		if n > 0 {
+			w.Write(buf[:n])
+			flusher.Flush()
+		}
+		if readErr != nil {
+			if readErr != io.EOF {
+				log.Printf("Streaming: read error: %v", readErr)
+			}
+			break
+		}
+	}
+
+	return true
+}
+
 // fetchServerProps calls the Node SSR /data endpoint to run getServerProps.
 // Returns nil if the page doesn't export getServerProps.
 // Also returns the revalidate TTL (0 = no caching from getServerProps).
@@ -341,3 +534,100 @@ func cacheStatusHandler(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
 	}
 }
+
+// APINodeRequest is the envelope sent to Node for API route handling.
+type APINodeRequest struct {
+	Method  string                 `json:"method"`
+	Path    string                 `json:"path"`
+	Query   map[string][]string    `json:"query"`
+	Headers map[string]string      `json:"headers"`
+	Body    interface{}            `json:"body"`
+}
+
+// APINodeResponse is the envelope received from Node after API route handling.
+type APINodeResponse struct {
+	Status  int                    `json:"status"`
+	Headers map[string]string      `json:"headers"`
+	Body    interface{}            `json:"body"`
+}
+
+// APIProxyHandler forwards /api/* requests to the Node SSR server.
+// Accepts all HTTP methods (GET, POST, PUT, DELETE, PATCH).
+// Reads the request body, packages it into a JSON envelope, and sends it
+// to Node's /api endpoint. Node matches the route, runs the handler, and
+// returns { status, headers, body } which Go writes back to the client.
+func APIProxyHandler() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Read request body (for POST, PUT, PATCH)
+		var requestBody interface{}
+		if r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodPatch {
+			var bodyBuf bytes.Buffer
+			bodyBuf.ReadFrom(r.Body)
+			defer r.Body.Close()
+
+			// Try to parse as JSON; if it fails, send as raw string
+			var jsonBody interface{}
+			if err := json.Unmarshal(bodyBuf.Bytes(), &jsonBody); err == nil {
+				requestBody = jsonBody
+			} else if bodyBuf.Len() > 0 {
+				requestBody = bodyBuf.String()
+			}
+		}
+
+		// Forward a subset of headers
+		headers := make(map[string]string)
+		for _, key := range []string{
+			"Authorization", "Cookie", "Content-Type", "Accept",
+			"Accept-Language", "User-Agent", "X-Request-ID",
+		} {
+			if val := r.Header.Get(key); val != "" {
+				headers[key] = val
+			}
+		}
+
+		apiReq := APINodeRequest{
+			Method:  r.Method,
+			Path:    r.URL.Path,
+			Query:   r.URL.Query(),
+			Headers: headers,
+			Body:    requestBody,
+		}
+
+		reqBody, err := json.Marshal(apiReq)
+		if err != nil {
+			log.Printf("API proxy: marshal error: %v", err)
+			http.Error(w, `{"error":"Internal Server Error"}`, http.StatusInternalServerError)
+			return
+		}
+
+		resp, err := httpClient.Post(nodeAPIURL, "application/json", bytes.NewReader(reqBody))
+		if err != nil {
+			log.Printf("API proxy: node request error: %v", err)
+			http.Error(w, `{"error":"API service unavailable"}`, http.StatusBadGateway)
+			return
+		}
+		defer resp.Body.Close()
+
+		var apiResp APINodeResponse
+		if err := json.NewDecoder(resp.Body).Decode(&apiResp); err != nil {
+			log.Printf("API proxy: decode error: %v", err)
+			http.Error(w, `{"error":"Internal Server Error"}`, http.StatusInternalServerError)
+			return
+		}
+
+		// Write response headers from Node handler
+		for key, val := range apiResp.Headers {
+			w.Header().Set(key, val)
+		}
+
+		// Security headers
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("X-Blumen-Route", "api")
+
+		// Write status and body
+		w.WriteHeader(apiResp.Status)
+		if apiResp.Body != nil {
+			json.NewEncoder(w).Encode(apiResp.Body)
+		}
+	}
+}