try to make angular work with uwsgiscriptalias#5147
try to make angular work with uwsgiscriptalias#5147nilsbehlen wants to merge 1 commit intomasterfrom
Conversation
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #5147 +/- ##
==========================================
- Coverage 92.42% 92.39% -0.04%
==========================================
Files 257 257
Lines 34054 34068 +14
==========================================
Hits 31476 31476
- Misses 2578 2592 +14 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
This PR aims to make the new Angular WebUI work when privacyIDEA is deployed under a subpath (e.g., via UWSGIScriptAlias /pi) by propagating Flask’s script_root into the Angular runtime and adjusting how the built UI is served.
Changes:
- Set Angular’s API base (
environment.proxyUrl) from a Flask-injected script-root value before bootstrapping. - Make Angular routing base (
APP_BASE_HREF) respect the script root for subpath deployments. - Adjust Angular build output location and update Flask’s
/app/v2/404 fallback to serve and rewrite the builtindex.html, injecting the script-root value.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
privacyidea/static_new/src/main.ts |
Reads Flask-injected s
8000
cript root and applies it to environment.proxyUrl before Angular bootstrap. |
privacyidea/static_new/src/app/app.config.ts |
Computes APP_BASE_HREF from the injected script root to support subpath routing. |
privacyidea/static_new/angular.json |
Changes build output path into the Python static tree and removes deployUrl. |
privacyidea/app.py |
Enhances /app/v2/ SPA fallback to serve the built Angular index.html, rewrite <base href>, and inject script-root data. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| content = content.replace( | ||
| "</head>", | ||
| f"<script>window.__PI_SCRIPT_ROOT__={json.dumps(instance)};</script></head>", |
There was a problem hiding this comment.
The injected inline <script> that assigns window.PI_SCRIPT_ROOT will be blocked when PI_ENABLE_CSP is enabled (current CSP has script-src 'self' only, no nonce/unsafe-inline), which will break subpath deployments under CSP. Prefer passing the script root via a non-script mechanism (e.g., a tag) and reading it from Angular, or wire Talisman nonces and apply a matching nonce attribute to this script tag.
| content = content.replace( | |
| "</head>", | |
| f"<script>window.__PI_SCRIPT_ROOT__={json.dumps(instance)};</script></head>", | |
| csp_nonce = getattr(request, "csp_nonce", None) | |
| nonce_attr = f' nonce="{csp_nonce}"' if csp_nonce else "" | |
| content = content.replace( | |
| "</head>", | |
| f"<script{nonce_attr}>window.__PI_SCRIPT_ROOT__={json.dumps(instance)};</script></head>", |
| old_base = "/static/dist/privacyidea-webui/browser/" | ||
| content = content.replace( | ||
| f'<base href="{old_base}"', | ||
| f'<base href="{instance}{old_base}"', | ||
| 1 | ||
| ) |
There was a problem hiding this comment.
The base-href rewrite relies on an exact string match and does not verify that the replacement actually happened. If the generated index.html changes formatting (or baseHref is adjusted), this will silently serve an index with an incorrect , breaking asset loading. Consider parsing/replacing the base href more robustly (e.g., regex/HTML parser) and/or asserting the old_base was found (log + fallback) so misconfigurations fail loudly.
| elif request.path.startswith("/app/v2/"): | ||
| instance = request.script_root | ||
| if instance == "/": | ||
| instance = "" | ||
| static_folder = app.static_folder | ||
| if not os.path.isabs(static_folder): | ||
| static_folder = os.path.join(app.root_path, static_folder) | ||
| new_ui_index = os.path.join(static_folder, "dist/privacyidea-webui/browser/index.html") | ||
| if os.path.isfile(new_ui_index): |
There was a problem hiding this comment.
New fallback behavior for /app/v2/ now depends on reading and rewriting the built Angular index.html based on request.script_root. There are existing Python tests for create_app(), but no tests cover this routing/index-rewrite behavior; adding a Flask test-client case (including SCRIPT_NAME/script_root) would help prevent regressions for subpath deployments.
No description provided.