From e1e6670603b1ba089bb24e3096025a0d62403806 Mon Sep 17 00:00:00 2001 From: adamp Date: Tue, 10 Feb 2026 00:37:03 -0600 Subject: [PATCH] Update CLAUDE.md with SPA route whitelist details Co-Authored-By: Claude Opus 4.6 --- CLAUDE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CLAUDE.md b/CLAUDE.md index af77cff..46c18a5 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -31,7 +31,7 @@ No test runner or linter is currently configured. Full-stack monorepo: Express.js API + React 18 SPA (Vite + React Router v7). **Server** (`server/`): -- `index.js` — Express entry point. Applies `helmet()` for security headers, a global API rate limiter (100 req/min/IP via `express-rate-limit`), mounts all route groups under `/api`, and applies auth middleware to non-auth routes. In production, serves the built client as static files with SPA fallback. +- `index.js` — Express entry point. Applies `helmet()` for security headers, a global API rate limiter (100 req/min/IP via `express-rate-limit`), mounts all route groups under `/api`, and applies auth middleware to non-auth routes. Unmatched `/api` routes return 404 JSON. In production, serves the built client as static files with a whitelisted SPA fallback — only known client routes (`/`, `/inventory`, `/customers`, `/orders`, `/orders/new`, `/orders/:id`, `/restock`, `/reports`) serve `index.html`; all other paths return 404. **When adding new client routes, update the `spaRoutes` regex in `index.js`.** - `db.js` — SQLite via `better-sqlite3` (synchronous). Auto-creates the `data/` directory and tables on first run. Foreign keys are enabled. - `middleware/auth.js` — Optional HMAC-SHA256 session cookie auth. If `APP_PASSWORD` is not set in `.env`, authentication is disabled entirely (middleware passes through). Login route has a dedicated rate limiter (5 attempts/min/IP). - `utils.js` — Shared helpers (`parseId`, `isValidDate`, `parseLimit`) used across routes.
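Review bot: the new `index.js` bullet lists the whitelisted client routes but does not say how `/orders/:id` is matched or whether the `spaRoutes` regex is anchored, and since the bold instruction tells future contributors to edit that regex by hand, the doc should pin both down (state that the `:id` segment is restricted to the ID format `parseId` accepts and that the pattern is anchored at both ends) so an added route does not silently widen the fallback to arbitrary paths. It would also help to say that the non-`/api` 404 is a plain response rather than `index.html`, and to point at the React Router route definitions as the list that `spaRoutes` must mirror, since the two are now maintained separately and the sentence "all other paths return 404" is only true while they stay in sync.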