adamp/cookie-tracker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update CLAUDE.md with SPA route whitelist details

Browse Source 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
adamp 2026-02-10 00:37:03 -06:00
parent a4d5461a8c
commit e1e6670603
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CLAUDE.md
View File

@ -31,7 +31,7 @@ No test runner or linter is currently configured.
Full-stack monorepo: Express.js API + React 18 SPA (Vite + React Router v7).
**Server** (`server/`):
- `index.js` — Express entry point. Applies `helmet()` for security headers, a global API rate limiter (100 req/min/IP via `express-rate-limit`), mounts all route groups under `/api`, and applies auth middleware to non-auth routes. In production, serves the built client as static files with SPA fallback.
- `index.js` — Express entry point. Applies `helmet()` for security headers, a global API rate limiter (100 req/min/IP via `express-rate-limit`), mounts all route groups under `/api`, and applies auth middleware to non-auth routes. Unmatched `/api` routes return 404 JSON. In production, serves the built client as static files with a whitelisted SPA fallback — only known client routes (`/`, `/inventory`, `/customers`, `/orders`, `/orders/new`, `/orders/:id`, `/restock`, `/reports`) serve `index.html`; all other paths return 404. **When adding new client routes, update the `spaRoutes` regex in `index.js`.**
- `db.js` — SQLite via `better-sqlite3` (synchronous). Auto-creates the `data/` directory and tables on first run. Foreign keys are enabled.
- `middleware/auth.js` — Optional HMAC-SHA256 session cookie auth. If `APP_PASSWORD` is not set in `.env`, authentication is disabled entirely (middleware passes through). Login route has a dedicated rate limiter (5 attempts/min/IP).
- `utils.js` — Shared helpers (`parseId`, `isValidDate`, `parseLimit`) used across routes.