fix: long caching flutter_bootstrap.js which stop new UI from showing up #562

Merged: swalabtech merged 2 commits into main from fix-refresh on May 25, 2026

@swalabtech swalabtech commented May 25, 2026

Summary by CodeRabbit

  • New Features

    • Added explicit serving of the app bootstrap script with caching disabled so the latest runtime is always fetched and updates apply promptly.
  • Bug Fixes

    • Improved cache-busting so bootstrap-related files are never cached while long-lived assets retain aggressive caching.
    • Hardened static asset handling to prevent path-traversal and ensure only intended build assets are served.
    • Strengthened no-cache headers for fallback responses (index) to avoid stale content.

coderabbitai Bot commented May 25, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6d02e03f-e025-4a4e-9172-8c1427ecd14c

📥 Commits

Reviewing files that changed from the base of the PR and between dc88a45 and 5eb25d2.

📒 Files selected for processing (1)
  • app/main.py

📝 Walkthrough

Walkthrough

FastAPI web-serving logic for Flutter Web updated: stricter non-caching headers, new GET /flutter_bootstrap.js endpoint, and hardened SPA catch-all that validates asset paths and disables long caching for bootstrapper-related files.

Changes

Flutter Web Cache-Busting Strategy

| Layer / File(s) | Summary |
|---|---|
| Cache-Control header improvements (app/main.py) | SPA mount comment updated; disabled-cache Cache-Control tightened to no-cache, no-store, must-revalidate, max-age=0. |
| Bootstrap script endpoint and route hardening (app/main.py) | New GET /flutter_bootstrap.js serves bootstrap with caching disabled. SPA catch-all resolves absolute paths, enforces containment within WEB_BUILD_PATH, and forces cache-disabling for bootstrapper-related assets while keeping long-term caching for other static files. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nibble bytes by moonlight bright,
Serving bootstrap fresh each night.
Headers strict, no stale cache here,
Paths resolved and held so dear.
Hop on—your SPA will load just right.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title is partially related to the changeset but uses awkward phrasing and grammar (missing article: 'stop' should be 'stops'). It addresses a specific aspect of the changes (disabling long caching for flutter_bootstrap.js) but the raw summary indicates the PR implements broader changes including path traversal protection, cache-busting behavior, and selective caching logic—making the title narrowly focused on only one aspect. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app/main.py`:
- Around line 454-465: The code in serve_spa constructs file_path =
WEB_BUILD_PATH / full_path from user input and returns
serve_static_file(FileResponse) without verifying the resolved path stays inside
WEB_BUILD_PATH, allowing directory traversal via “..”. Fix by resolving both
WEB_BUILD_PATH and the joined file path (use Path.resolve()) then verify the
resolved file_path is a child of WEB_BUILD_PATH (e.g.,
resolved_file_path.is_relative_to(resolved_web_build_path) or compare prefixes);
if the check fails or the resolved path is not a file, return a 404/abort rather
than calling serve_static_file. Also ensure you perform the containment check
before any is_file()/serve_static_file calls and reference serve_spa,
WEB_BUILD_PATH, file_path, full_path, and serve_static_file in the change.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 28d4daf3-6c33-4e86-b6be-f900629a2d5f

📥 Commits

Reviewing files that changed from the base of the PR and between dc88a45 and f398768.

📒 Files selected for processing (1)
  • app/main.py
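
The containment check and cache split described in the review comment above, as an added example; it is not the project's app/main.py, which this page does not show. `resolve_asset`, `cache_control_for`, the `NEVER_CACHE` set and the long-lived header value are assumptions, and the directory tree and request paths are constructed.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Header value quoted in the PR walkthrough for cache-disabled responses.
NO_CACHE = "no-cache, no-store, must-revalidate, max-age=0"
# Assumed long-lived policy; the page does not show the project's value.
LONG_CACHE = "public, max-age=31536000, immutable"
# Assumed bootstrapper-related set; the page names only the first two files.
NEVER_CACHE = {"flutter_bootstrap.js", "index.html", "flutter_service_worker.js"}


def resolve_asset(web_build_path: Path, full_path: str) -> Optional[Path]:
    """Return the resolved file under web_build_path, or None (caller sends 404)."""
    root = web_build_path.resolve()
    # An absolute full_path replaces root when joined, and ".." segments climb
    # out of it, so containment is checked on the resolved result, before is_file().
    candidate = (root / full_path).resolve()
    if not candidate.is_relative_to(root):  # component-wise check, Python 3.9+
        return None
    return candidate if candidate.is_file() else None


def cache_control_for(path: Path) -> str:
    return NO_CACHE if path.name in NEVER_CACHE else LONG_CACHE


def demo() -> Dict[str, Optional[str]]:
    """Evaluate constructed request paths against a constructed build tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build = base / "build" / "web"  # stands in for WEB_BUILD_PATH
        (build / "assets").mkdir(parents=True)
        (build / "flutter_bootstrap.js").write_text("// bootstrap")
        (build / "assets" / "logo.png").write_bytes(b"png")
        (base / "secret.env").write_text("KEY=constructed")  # outside the root
        # Sibling sharing the root's string prefix; str.startswith() would accept it.
        (base / "build" / "web-private").mkdir()
        (base / "build" / "web-private" / "notes.txt").write_text("x")
        samples = {p: p for p in ("flutter_bootstrap.js", "assets/logo.png",
                   "assets/../flutter_bootstrap.js", "../../secret.env",
                   "../web-private/notes.txt", "missing.js")}
        samples["<absolute>"] = str(base / "secret.env")
        hits = {label: resolve_asset(build, p) for label, p in samples.items()}
        return {k: cache_control_for(v) if v else None for k, v in hits.items()}


if __name__ == "__main__":
    print(*demo().items(), sep="\n")
```

A `None` result maps to the 404 the review comment asks for; the `web-private` case is the reason to prefer `Path.is_relative_to` over comparing path strings.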

Comment thread app/main.py
@swalabtech

@coderabbitai full review

coderabbitai Bot commented May 25, 2026

✅ Actions performed

Full review triggered.

@swalabtech swalabtech merged commit 802c2d6 into main May 25, 2026
10 of 11 checks passed
@swalabtech swalabtech deleted the fix-refresh branch May 25, 2026 09:01