jeffemmett
/
rspace-online
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix space navigation redirects: server-side auth redirect + subdomain enforcement 

Authenticated users visiting {space}.rspace.online/ now get a server-side
302 to /rspace instead of rendering the full dashboard then JS-redirecting
(eliminates flash of wrong header + 2-3 redirect chain → single redirect).

Bare domain rspace.online/{space} now 301-redirects to {space}.rspace.online/
so /{space}/ never appears in the URL bar.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jeff Emmett 2026-04-01 14:13:24 -07:00
parent 09ac17b332
commit ddf5772025
2 changed files with 35 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
server/index.ts
View File

@ -2825,6 +2825,12 @@ app.get("/:space", (c) => {
const space = c.req.param("space");
// Don't serve dashboard for static file paths
if (space.includes(".")) return c.notFound();
// On production bare domain, this route is unreachable (caught by subdomain redirect above).
// On localhost/dev: redirect authenticated users to canvas, show dashboard for guests.
const token = extractToken(c.req.raw.headers);
if (token) {
return c.redirect(`/${space}/rspace`, 302);
}
return c.html(renderSpaceDashboard(space, getModuleInfoList()));
});
@ -3228,8 +3234,14 @@ const server = Bun.serve<WSData>({
const pathSegments = url.pathname.split("/").filter(Boolean);
// Root: show space dashboard
// Root: redirect authenticated users straight to rSpace canvas
// (avoids rendering space dashboard just to JS-redirect, eliminating
// the flash of different header + 2-3 redirect chain)
if (pathSegments.length === 0) {
const token = extractTokenFromRequest(req);
if (token) {
return Response.redirect(`${proto}//${url.host}/rspace`, 302);
}
return new Response(renderSpaceDashboard(subdomain, getModuleInfoList()), {
headers: { "Content-Type": "text/html" },
});
@ -3385,24 +3397,28 @@ const server = Bun.serve<WSData>({
return app.fetch(rewrittenReq);
}
// rspace.online/{space}/{...} → handle space-prefixed paths
// rspace.online/{space} or rspace.online/{space}/{...} → redirect to subdomain
// (space is not a module ID — it's a space slug)
// Skip for known server paths (api, admin, etc.)
const serverPaths = new Set(["api", "admin", "admin-data", "admin-action", "modules", ".well-known"]);
if (!knownModuleIds.has(firstSegment) && !serverPaths.has(firstSegment) && pathSegments.length >= 2) {
const secondSeg = pathSegments[1]?.toLowerCase();
const isApiCall = secondSeg === "api" || pathSegments.some((s, i) => i >= 1 && s === "api");
if (isApiCall) {
// API calls: rewrite internally (avoid redirect + mixed-content)
const rewrittenUrl = new URL(url.pathname + url.search, `http://localhost:${PORT}`);
return app.fetch(new Request(rewrittenUrl, req));
}
// Page navigation: redirect to canonical subdomain URL
const serverPaths = new Set(["api", "admin", "admin-data", "admin-action", "modules", ".well-known", "about", "create-space", "new", "discover"]);
if (!knownModuleIds.has(firstSegment) && !serverPaths.has(firstSegment)) {
const space = firstSegment;
const rest = "/" + pathSegments.slice(1).join("/");
return Response.redirect(
`${proto}//${space}.rspace.online${rest}${url.search}`, 301
);
if (pathSegments.length >= 2) {
const secondSeg = pathSegments[1]?.toLowerCase();
const isApiCall = secondSeg === "api" || pathSegments.some((s, i) => i >= 1 && s === "api");
if (isApiCall) {
// API calls: rewrite internally (avoid redirect + mixed-content)
const rewrittenUrl = new URL(url.pathname + url.search, `http://localhost:${PORT}`);
return app.fetch(new Request(rewrittenUrl, req));
}
// Page navigation: redirect to canonical subdomain URL
const rest = "/" + pathSegments.slice(1).join("/");
return Response.redirect(
`${proto}//${space}.rspace.online${rest}${url.search}`, 301
);
}
// Single segment: rspace.online/{space} → {space}.rspace.online/
return Response.redirect(`${proto}//${space}.rspace.online/${url.search}`, 301);
}
}
}

31
server/landing.ts
View File

@ -340,34 +340,9 @@ export function renderSpaceDashboard(space: string, modules: ModuleInfo[]): stri
import '/shell.js';
document.querySelector('rstack-app-switcher')?.setModules(${moduleListJSON});
// Check session in localStorage OR cross-subdomain cookie
function _hasSession() {
try {
var raw = localStorage.getItem('encryptid_session');
if (raw && JSON.parse(raw)?.accessToken) return true;
} catch(e) {}
try {
var m = document.cookie.match(/(?:^|; )eid_token=([^;]*)/);
if (!m) return false;
var tok = decodeURIComponent(m[1]);
var parts = tok.split('.');
if (parts.length < 2) return false;
var b64 = parts[1].replace(/-/g,'+').replace(/_/g,'/');
var pad = '='.repeat((4 - b64.length % 4) % 4);
var payload = JSON.parse(atob(b64 + pad));
return payload.exp && Math.floor(Date.now()/1000) < payload.exp;
} catch(e) { return false; }
}
// Logged-in users: redirect to rSpace canvas instead of showing the grid
// Non-demo spaces: redirect logged-out visitors to the main domain landing
var loggedIn = _hasSession();
if (loggedIn) {
var dest = window.__rspaceNavUrl
? window.__rspaceNavUrl('${escapeAttr(space)}', 'rspace')
: '/${escapeAttr(space)}/rspace';
window.location.replace(dest);
} else if ('${escapeAttr(space)}' !== 'demo') {
// Authenticated users are redirected server-side (no JS redirect needed).
// Non-demo spaces: redirect logged-out visitors to the main domain landing.
if ('${escapeAttr(space)}' !== 'demo') {
var host = window.location.host.split(':')[0];
if (host.endsWith('.rspace.online') || host === 'rspace.online') {
window.location.replace('https://rspace.online/');