Merge pull request #556 from Chris0Jeky/feat/pkg-01-spa-static-serving

Chris0Jeky · web-flow · commit a35a4527f6c8 · 2026-03-29T19:18:02.000+01:00
feat: serve Vue SPA as static files from .NET API (PKG-01 #533)
diff --git a/backend/src/Taskdeck.Api/Extensions/PipelineConfiguration.cs b/backend/src/Taskdeck.Api/Extensions/PipelineConfiguration.cs
@@ -49,6 +49,39 @@ public static WebApplication ConfigureTaskdeckPipeline(
         app.UseMiddleware<UnhandledExceptionMiddleware>();
         app.UseMiddleware<SecurityHeadersMiddleware>();
 
+        // SPA static file serving: serve Vue build output from wwwroot/.
+        // Placed after security-headers middleware so that the OnStarting callback registered by
+        // SecurityHeadersMiddleware is already in scope when UseStaticFiles short-circuits the pipeline,
+        // ensuring CSP, X-Frame-Options, and other headers are applied to SPA assets including index.html.
+        // UseDefaultFiles must precede UseStaticFiles so that requests to "/" map to index.html.
+        // Directory listing is disabled by default (no DirectoryBrowser registered).
+        //
+        // Cache-control strategy (PKG-01 AC: "SPA assets served with appropriate cache headers"):
+        //   - Versioned/hashed assets (Vite output under /assets/): max-age=1 year + immutable.
+        //     Safe because Vite appends a content hash to each filename — stale content is impossible.
+        //   - All other files (including index.html): no-cache so the browser always revalidates,
+        //     ensuring users pick up new deployments immediately.
+        app.UseDefaultFiles();
+        app.UseStaticFiles(new StaticFileOptions
+        {
+            OnPrepareResponse = ctx =>
+            {
+                var path = ctx.Context.Request.Path.Value ?? string.Empty;
+                var headers = ctx.Context.Response.Headers;
+
+                if (path.StartsWith("/assets/", StringComparison.OrdinalIgnoreCase))
+                {
+                    // Vite hashes these filenames — safe to cache indefinitely.
+                    headers["Cache-Control"] = "public, max-age=31536000, immutable";
+                }
+                else
+                {
+                    // index.html and other non-versioned files: revalidate on every request.
+                    headers["Cache-Control"] = "no-cache";
+                }
+            }
+        });
+
         app.UseAuthentication();
         if (rateLimitingSettings.Enabled)
         {
@@ -59,6 +92,11 @@ public static WebApplication ConfigureTaskdeckPipeline(
         app.MapControllers();
         app.MapHub<BoardsHub>("/hubs/boards");
 
+        // SPA fallback: any route not matched by a controller or hub endpoint returns index.html,
+        // enabling Vue Router's client-side navigation. API (/api/*) and hub (/hubs/*) routes
+        // are matched above and never reach this fallback.
+        app.MapFallbackToFile("index.html");
+
         return app;
     }
 
