From b917b1a92561288f4a346e528aae6f83fbf2bf41 Mon Sep 17 00:00:00 2001 From: Thomas Kpenou Date: Wed, 1 Jul 2026 08:06:33 -0400 Subject: [PATCH] chore: remove dead pre-Vite webpack whitelist in auth utils MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit is_allowed_during_login() still special-cased old webpack-style login asset paths (/js/login.js, /css/login.css, /fonts/..., /img/...) via the remove_webpack_suffixes() helper and a login_resources whitelist. Since the Vite migration, all of the login page's JS/CSS/fonts/images are built under /assets/ (already whitelisted, and verified in production — see the #31 login blank-page fix), so these old paths can never occur in a real request anymore. Remove remove_webpack_suffixes(), webpack_prefixed_extensions, and login_resources; is_allowed_during_login() now just checks favicon, the login page itself, /assets/, and /theme/ (custom theme assets). No behaviour change for any real request. Test file updated to match: drop WebpackSuffixesTest (tested the removed function) and the old-style parameterized cases; add /theme/ coverage that existed in code but wasn't tested. 1734 backend tests pass (14 fewer than before — exactly the removed dead-code tests, no other regressions). Co-Authored-By: Claude Opus 4.8 --- src/tests/web/web_auth_utils_test.py | 43 ++++------------------------ src/web/web_auth_utils.py | 40 +------------------------- 2 files changed, 6 insertions(+), 77 deletions(-) diff --git a/src/tests/web/web_auth_utils_test.py b/src/tests/web/web_auth_utils_test.py index fbee56a8..f1d33fa3 100644 --- a/src/tests/web/web_auth_utils_test.py +++ b/src/tests/web/web_auth_utils_test.py 
@@ -3,54 +3,21 @@ from parameterized import parameterized from tests.test_utils import mock_request_handler -from web.web_auth_utils import remove_webpack_suffixes, is_allowed_during_login - - -class WebpackSuffixesTest(TestCase): - def test_remove_webpack_suffixes_when_css(self): - normalized = remove_webpack_suffixes('js/chunk-login-vendors.59040343.css') - self.assertEqual('js/chunk-login-vendors.css', normalized) - - def test_remove_webpack_suffixes_when_js(self): - normalized = remove_webpack_suffixes('js/login.be16f278.js') - self.assertEqual('js/login.js', normalized) - - def test_remove_webpack_suffixes_when_js_map(self): - normalized = remove_webpack_suffixes('js/login.be16f278.js.map') - self.assertEqual('js/login.js.map', normalized) - - def test_remove_webpack_suffixes_when_favicon(self): - normalized = remove_webpack_suffixes('favicon.123.ico') - self.assertEqual('favicon.123.ico', normalized) - - def test_remove_webpack_suffixes_when_no_suffixes(self): - normalized = remove_webpack_suffixes('css/chunk-login-vendors.css') - self.assertEqual('css/chunk-login-vendors.css', normalized) - - def test_remove_webpack_suffixes_when_no_extension(self): - normalized = remove_webpack_suffixes('data/some_file') - self.assertEqual('data/some_file', normalized) +from web.web_auth_utils import is_allowed_during_login class LoginResourcesTest(TestCase): @parameterized.expand([ ('/favicon.ico'), ('login.html'), - ('/js/login.be16f278.js'), - ('/js/login.be16f278.js.map'), - ('/js/chunk-login-vendors.18e22e7f.js'), - ('/js/chunk-login-vendors.18e22e7f.js.map'), - ('/img/titleBackground_login.a6c36d4c.jpg'), - ('/css/login.8e74be0f.css'), - ('/fonts/roboto-latin-400.60fa3c06.woff'), - ('/fonts/roboto-latin-400.479970ff.woff2'), - ('/fonts/roboto-latin-500.020c97dc.woff2'), - ('/fonts/roboto-latin-500.87284894.woff'), # Vite-built hashed bundles served from /assets/ (used by the login page) ('/assets/login-jEjOHyEw.js'), ('/assets/css-Bn4Yn0er.css'), 
('/assets/theme-C3Leg-oT.css'), - ('/assets/MaterialIcons-Regular-Bnsxcfr1.woff') + ('/assets/MaterialIcons-Regular-Bnsxcfr1.woff'), + # Custom theme assets (conf/theme/...) + ('/theme/theme.css'), + ('/theme/logo.png') ]) def test_is_allowed_during_login_when_allowed(self, resource): request_handler = mock_request_handler(method='GET') diff --git a/src/web/web_auth_utils.py b/src/web/web_auth_utils.py index 62c2becf..94d2578d 100644 --- a/src/web/web_auth_utils.py +++ b/src/web/web_auth_utils.py @@ -14,8 +14,6 @@ LOGGER = logging.getLogger('web_server') -webpack_prefixed_extensions = ['.css', '.js.map', '.js', '.jpg', '.woff', '.woff2', '.png'] - def check_authorization_sync(func): wrapper = check_authorization(func) @@ -101,21 +99,6 @@ def is_allowed_during_login(request_path, login_url, request_handler): if request_path == login_url: return True - request_path = remove_webpack_suffixes(request_path) - - login_resources = ['/js/login.js', - '/js/login.js.map', - '/js/chunk-login-vendors.js', - '/js/chunk-login-vendors.js.map', - '/favicon.ico', - '/css/login.css', - '/css/chunk-login-vendors.css', - '/fonts/roboto-latin-500.woff2', - '/fonts/roboto-latin-500.woff', - '/fonts/roboto-latin-400.woff2', - '/fonts/roboto-latin-400.woff', - '/img/titleBackground_login.jpg', - '/img/gitlab-icon-rgb.png'] # Vite emits the bundled JS/CSS/fonts/images (used by the login page too, # often as hashed and shared chunks) under /assets/. These are static client 
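Review bot: The new `/theme/` entries in `LoginResourcesTest` only pin the allowed side of the prefix check, and nothing visible in this hunk pins what must stay blocked now that the exact-match `login_resources` list is gone. If the denied-path test (outside this hunk, if one exists) does not already cover them, add near-miss cases such as `'/theme'`, `'/themes/theme.css'` and `'/assetsx/login.js'`, so that loosening `startswith('/theme/')` or `startswith('/assets/')` to a shorter prefix fails a test. As a style point, end the list with a trailing comma (`('/theme/logo.png'),`) so the next addition does not have to touch the previous line, as this change had to for the MaterialIcons entry.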
@@ -124,25 +107,4 @@ def is_allowed_during_login(request_path, login_url, request_handler): if request_path.startswith('/assets/'): return True - return (request_path in login_resources) or (request_path.startswith('/theme/')) - - -def remove_webpack_suffixes(request_path): - if request_path.endswith('.js.map'): - extension_start = len(request_path) - 7 - else: - extension_start = request_path.rfind('.') - - extension = request_path[extension_start:] - - if extension not in webpack_prefixed_extensions: - return request_path - - if extension_start < 0: - return request_path - - prefix_start = request_path.rfind('.', 0, extension_start) - if prefix_start < 0: - return request_path - - return request_path[:prefix_start] + extension + return request_path.startswith('/theme/')
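Review bot: With the exact-match list removed, the pre-authentication allowlist in `is_allowed_during_login` is now two raw prefix checks. Both `return request_path.startswith('/theme/')` and the `/assets/` check above it will accept a path that contains dot segments after the prefix, if `request_path` arrives here un-normalised. Whether the caller normalises the path is not visible in this hunk, and the function body starts outside it. Either confirm that upstream, or reject such paths before the prefix checks with `if '..' in request_path.split('/'): return False`. It is also worth adding the comment `# Everything under /theme/ is served without authentication; keep only public assets in the theme directory.` above the final return, since the `/assets/` branch has an explanatory comment and this one has none.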