From b5a8d9733bbf02b3e288d438086e4733cdc3f3be Mon Sep 17 00:00:00 2001
From: TenerifeProp Dev
Date: Sun, 5 Apr 2026 13:07:37 +0100
Subject: [PATCH] fix: serve static files correctly before CSRF middleware

- Moved static file serving before CSRF middleware
- Changed CSRF to only apply to /api/* routes
- Fixed MIME type issues for CSS and JS files
- Added explicit routes for .css and .js files
---
 src/server/index.ts | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/server/index.ts b/src/server/index.ts
index 888aaae..854bd12 100644
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -174,8 +174,16 @@ db.run(`
 // Middleware
 app.use('*', cors())
 app.use('*', logger())
-// CSRF protection for state-changing endpoints
-app.use('*', csrf())
+
+// Serve static files FIRST (before CSRF and other middleware)
+app.use('/css/*', serveStatic({ root: './public' }))
+app.use('/js/*', serveStatic({ root: './public' }))
+app.use('/images/*', serveStatic({ root: './public' }))
+app.use('/*.css', serveStatic({ root: './public' }))
+app.use('/*.js', serveStatic({ root: './public' }))
+
+// CSRF protection - only for API routes, not static files
+app.use('/api/*', csrf())
 
 // Global error handler
 app.use('*', async (c, next) => {
@@ -191,9 +199,6 @@ app.use('*', async (c, next) => {
   }
 })
 
-// Serve static files
-app.use('/public/*', serveStatic({ root: './' }))
-
 // Helper
 const genId = () => crypto.randomUUID()
 
@@ -1176,8 +1181,8 @@ app.get('/api/admin/stats', requireAdmin, (c) => {
 app.get('/property/*', serveStatic({ path: './public/property.html' }))
 app.get('/admin/*', serveStatic({ path: './public/admin.html' }))
 
-// Serve index.html for all other routes
-app.get('*', serveStatic({ path: './public/index.html' }))
+// SPA fallback - serve index.html for non-API, non-static routes
+app.get('/*', serveStatic({ path: './public/index.html' }))
 
 // Start server
 const port = parseInt(process.env.PORT || '8080')
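Review bot: Narrowing CSRF to `app.use('/api/*', csrf())` in the first hunk means any state-changing handler mounted outside `/api/*` now runs with no origin check at all; the diff shows only GET routes outside that prefix, so whether such a handler exists cannot be confirmed from here, but the new layout makes it easy to add one later without noticing. A comment on that line would make the invariant explicit: `// Every non-GET route must live under /api/* — anything mounted elsewhere bypasses csrf()`. The five `serveStatic({ root: './public' })` mounts are now registered ahead of the `// Global error handler` middleware that follows them in the hunk, so if that handler wraps `next()` in a try/catch (its body is outside the hunk), failures inside static serving no longer pass through it — worth confirming against the app's error handling or moving the handler above them. Minor: hoisting the repeated `serveStatic({ root: './public' })` into one `const publicFiles = serveStatic({ root: './public' })` would keep the five mounts in sync.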