refactor(confighttp): HTML page handlers into generic getPage function#4645
Merged
ReenigneArcher merged 14 commits intomasterfrom Mar 8, 2026
Merged
refactor(confighttp): HTML page handlers into generic getPage function#4645ReenigneArcher merged 14 commits intomasterfrom
ReenigneArcher merged 14 commits intomasterfrom
Conversation
Bundle ReportChanges will increase total bundle size by 853 bytes (0.11%) ⬆️. This is within the configured threshold ✅ Detailed changes
Affected Assets, Files, and Routes:view changes for bundle: sunshine-esmAssets Changed:
|
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #4645 +/- ##
==========================================
+ Coverage 16.74% 17.52% +0.78%
==========================================
Files 106 106
Lines 21762 21813 +51
Branches 9737 9770 +33
==========================================
+ Hits 3644 3823 +179
+ Misses 13397 13257 -140
- Partials 4721 4733 +12
Flags with carried forward coverage won't be shown. Click here to find out more.
|
ReenigneArcher
force-pushed
the
refactor/confighttp/common-functions
branch
2 times, most recently
from
edee013 to
1f0d6d4
Compare
ReenigneArcher
force-pushed
the
refactor/confighttp/common-functions
branch
6 times, most recently
from
d19f7c2 to
cb500b9
Compare
ReenigneArcher
force-pushed
the
refactor/confighttp/common-functions
branch
from
38816e8 to
b1252cf
Compare
21 tasks
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
ReenigneArcher
force-pushed
the
refactor/confighttp/common-functions
branch
from
b1252cf to
d4bc50f
Compare
Consolidated multiple individual HTML page handler functions into a single getPage function that serves different HTML files based on parameters. Updated server route bindings to use the new generic handler, reducing code duplication and improving maintainability.
Updated all HTTP handler functions to take const reference parameters for response and request objects, improving const-correctness and clarity. Introduced a helper for page handlers and refactored server route setup to use concise lambda expressions and handler typedefs, reducing code duplication and improving maintainability.
Introduced check_request_body_empty to validate that certain API endpoints receive no request body, replacing previous content-type checks where appropriate. This improves request validation and ensures correct client usage for endpoints that do not expect a body.
Updated function signatures in confighttp.cpp to ensure consistent spacing between type and parameter names, improving code readability and style consistency.
Refactors the generateExamples function to only include Content-Type headers and body parameters in cURL, JavaScript, and PowerShell examples when a request body is present. This prevents unnecessary headers and parameters in generated code samples for endpoints that do not require a body.
Add initial unit tests for confighttp using a real HTTPS client/server (tests/unit/test_confighttp.cpp). Update confighttp public API and types: add necessary includes (nlohmann::json, Simple-Web-Server), introduce HTTPS type aliases (https_server_t, resp_https_t, req_https_t), and declare helper functions (print_req, send_response, send_unauthorized, send_redirect, authenticate, not_found, bad_request, check_* utilities, getPage, etc.). Align implementations in src/confighttp.cpp with the header by removing default parameters from not_found, bad_request, and getPage signatures. These changes improve test coverage and clarify the confighttp interface.
Wrap test header includes with #pragma GCC diagnostic push/pop to ignore -Warray-bounds and -Wstringop-overflow on GCC (excluding clang). This suppresses known false-positive warnings originating from Boost.Asio's basic_resolver_results.hpp on some GCC versions (notably observed on Arch Linux) and restores diagnostics after the includes.
Rename confighttp::getNodeModules to confighttp::getAsset and update the server resource mapping. Add function declarations for getAsset and getLocale to confighttp.h. Expand unit tests (tests/unit/test_confighttp.cpp): include iostream, persist/restore locale in setup/teardown, create a test HTML file in WEB_DIR, register multiple test routes exercising send_response, send_redirect, check_content_type, check_request_body_empty, getPage, and getLocale, and add many corresponding test cases to improve coverage and validate headers, content types, redirects, auth behavior, and JSON responses.
Override SUNSHINE_ASSETS_DIR in tests to ${CMAKE_CURRENT_BINARY_DIR}/test_assets so tests use a writable assets directory. Update test_confighttp setup to create a temporary web directory, use std::filesystem::create_directories for WEB_DIR, and write test_page.html directly (removing the previous try/catch and existence checks). These changes simplify test setup and ensure test files are created in writable temp locations.
Implement CSRF protection across HTTP API endpoints and expose a token endpoint. Changes include: - Add docs: API and configuration docs updated to describe CSRF protection and the new GET /api/csrf-token endpoint. - Config: add csrf_allowed_origins to config struct; parse comma-separated origin lists; include built-in localhost defaults and append web UI port-specific origins once port is known. - confighttp: implement CSRF token generation, storage (with expiration), client identification, and validation logic. Validation allows same-origin requests via Origin/Referer to bypass tokens and requires X-CSRF-Token header or csrf_token query param for cross-origin requests. Register GET /api/csrf-token and integrate validation into state-changing endpoints. - Web UI: add form field and localization strings for csrf_allowed_origins and include it in config HTML. - Tests: add unit tests for CSRF token generation, header/query validation, same-origin exemptions, and restore/cleanup of config state. Also remove usages of the old empty-body checker where CSRF/authentication flow was applied. This commit wires CSRF protection end-to-end (docs, config, server, UI, and tests).
Clean up src/confighttp.cpp: remove unused <set> include, simplify shared_ptr typedefs, and apply const correctness (make 'now' const and use const auto for header/query iterators and token lookup). Use if-with-init for authorization, origin and referer header checks and for parsing Basic auth and CSRF token index. Tighten origin prefix validation to require ":" or "/" after allowed origins. Make numerous small comment/grammar tweaks and minor formatting clarifications to improve readability and robustness.
ReenigneArcher
force-pushed
the
refactor/confighttp/common-functions
branch
from
d4bc50f to
35a5a38
Compare
ReenigneArcher
force-pushed
the
refactor/confighttp/common-functions
branch
from
39c5f00 to
92b2cc1
Compare
ReenigneArcher
force-pushed
the
refactor/confighttp/common-functions
branch
from
92b2cc1 to
783d672
Compare
Treat requests with no Origin or Referer header as safe (typical of non-browser clients) and only require CSRF tokens for browser-like cross-origin requests. In confighttp.cpp the Origin and Referer headers are looked up once and if both are absent the request is allowed; otherwise a mismatched Origin/Referer will trigger the existing token check. The docs/api.md text was updated to clarify that non-browser clients (curl, scripts, custom apps) are exempt from CSRF protection, to explain why (CSRF requires a browser to silently attach credentials), and to rename the example to indicate it is a browser-equivalent cross-origin flow.
Change is_allowed_origin to take a std::string_view to avoid unnecessary string copies when checking allowed CSRF origins. Add a new test helper assert_json_error_response that consolidates Content-Type, security header, and JSON body assertions, and refactor NotFoundResponse and BadRequestResponse tests to use this helper to remove duplicated checks.
ReenigneArcher
force-pushed
the
refactor/confighttp/common-functions
branch
from
bb2704b to
e8d59ee
Compare
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Initial motivation for the PR was to consolidate multiple individual HTML page handler functions into a single
getPagefunction. This works by providing the page as a parameter. Then HTTP handler functions were updated to take response and request by const reference, which was a clang-tidy suggestion. New helper functions for page handlers were added to simplify the server route setup.Introduced check_request_body_empty to validate that certain API endpoints receive no request body, replacing previous content-type checks where appropriate. I am not 100% sure if this is necessary. Docs were updated to only include the
Content-Typeheaders when necessary.Also, added some initial tests for
confighttp.cpp/h.Lastly, I had to add macros to ignore some error/warnings in tests/tests_common.h due to failures in the ArchLinux build. I am not fully understanding what caused these errors to start occurring.
Screenshot
Issues Fixed or Closed
Roadmap Issues
Type of Change
Checklist
AI Usage