fix(gateway): prevent /api/* routes from returning SPA HTML when basePath is empty

When controlUiBasePath is unset (empty string), handleControlUiHttpRequest acts as a catch-all and serves index.html for every unmatched path — including /api/* routes. This causes API consumers (browser UI, curl, Discord) to receive an HTML page instead of the expected JSON 404. Add an early return false for /api and /api/* paths in the empty-basePath branch so they fall through to the gateway's normal 404 handler. Closes #30295
2026-03-18 13:30:48 +00:00 · 2026-03-01 13:25:18 +08:00
parent e6049345db
commit db6236b2ff
2 changed files with 18 additions and 0 deletions
--- a/src/gateway/control-ui.http.test.ts
+++ b/src/gateway/control-ui.http.test.ts
@@ -326,6 +326,21 @@ describe("handleControlUiHttpRequest", () => {
    });
  });

+  it("does not handle /api paths when basePath is empty", async () => {
+    await withControlUiRoot({
+      fn: async (tmp) => {
+        for (const apiPath of ["/api", "/api/sessions", "/api/channels/nostr"]) {
+          const { handled } = runControlUiRequest({
+            url: apiPath,
+            method: "GET",
+            rootPath: tmp,
+          });
+          expect(handled, `expected ${apiPath} to not be handled`).toBe(false);
+        }
+      },
+    });
+  });
+
  it("rejects absolute-path escape attempts under basePath routes", async () => {
    await withBasePathRootFixture({
      siblingDir: "ui-secrets",
--- a/src/gateway/control-ui.ts
+++ b/src/gateway/control-ui.ts
@@ -292,6 +292,9 @@ export function handleControlUiHttpRequest(
      respondNotFound(res);
      return true;
    }
+    if (pathname === "/api" || pathname.startsWith("/api/")) {
+      return false;
+    }
  }

  if (basePath) {