Merge pull request #13 from ollobrains/patch-2

Update webpackDevServer.config.js
CameronHudson8 · Jan 1, 2025 · a578544 · a578544
2 parents ac61d6d + 3e57dfd
commit a578544
Showing 1 changed file with 43 additions and 84 deletions.
diff --git a/config/webpackDevServer.config.js b/config/webpackDevServer.config.js
@@ -7,72 +7,55 @@ const ignoredFiles = require('react-dev-utils/ignoredFiles');
 const redirectServedPath = require('react-dev-utils/redirectServedPathMiddleware');
 const paths = require('./paths');
 
+// Host and socket configuration derived from environment variables
 const host = process.env.HOST || '0.0.0.0';
 const sockHost = process.env.WDS_SOCKET_HOST;
 const sockPath = process.env.WDS_SOCKET_PATH; // default: '/ws'
 const sockPort = process.env.WDS_SOCKET_PORT;
 
+/**
+ * Creates the devServer configuration.
+ * @param {Object} proxy - The proxy configuration, if any.
+ * @param {string} allowedHost - Whitelisted hostname or domain for development.
+ * @returns {Object} A webpack-dev-server config object.
+ */
 module.exports = function (proxy, allowedHost) {
+  // If there is no proxy or if the user chooses to disable the host check, 
+  // we allow all hosts (disable firewall). Otherwise, we enable the firewall
+  // for security.
   const disableFirewall =
     !proxy || process.env.DANGEROUSLY_DISABLE_HOST_CHECK === 'true';
+
   return {
-    // WebpackDevServer 2.4.3 introduced a security fix that prevents remote
-    // websites from potentially accessing local content through DNS rebinding:
-    // https://github.com/webpack/webpack-dev-server/issues/887
-    // https://medium.com/webpack/webpack-dev-server-middleware-security-issues-1489d950874a
-    // However, it made several existing use cases such as development in cloud
-    // environment or subdomains in development significantly more complicated:
-    // https://github.com/facebook/create-react-app/issues/2271
-    // https://github.com/facebook/create-react-app/issues/2233
-    // While we're investigating better solutions, for now we will take a
-    // compromise. Since our WDS configuration only serves files in the `public`
-    // folder we won't consider accessing them a vulnerability. However, if you
-    // use the `proxy` feature, it gets more dangerous because it can expose
-    // remote code execution vulnerabilities in backends like Django and Rails.
-    // So we will disable the host check normally, but enable it if you have
-    // specified the `proxy` setting. Finally, we let you override it if you
-    // really know what you're doing with a special environment variable.
-    // Note: ["localhost", ".localhost"] will support subdomains - but we might
-    // want to allow setting the allowedHosts manually for more complex setups
+    // Allowed hosts:
+    // - "all" means any host is permitted if disableFirewall is true
+    // - If not disabled, we explicitly set the single allowedHost
     allowedHosts: disableFirewall ? 'all' : [allowedHost],
+
+    // Common security headers
     headers: {
       'Access-Control-Allow-Origin': '*',
       'Access-Control-Allow-Methods': '*',
       'Access-Control-Allow-Headers': '*',
     },
-    // Enable gzip compression of generated files.
+
+    // Enable gzip compression for served files
     compress: true,
+
+    // Provide static file hosting from the public folder
     static: {
-      // By default WebpackDevServer serves physical files from current directory
-      // in addition to all the virtual build products that it serves from memory.
-      // This is confusing because those files won’t automatically be available in
-      // production build folder unless we copy them. However, copying the whole
-      // project directory is dangerous because we may expose sensitive files.
-      // Instead, we establish a convention that only files in `public` directory
-      // get served. Our build script will copy `public` into the `build` folder.
-      // In `index.html`, you can get URL of `public` folder with %PUBLIC_URL%:
-      // <link rel="icon" href="%PUBLIC_URL%/favicon.ico">
-      // In JavaScript code, you can access it with `process.env.PUBLIC_URL`.
-      // Note that we only recommend to use `public` folder as an escape hatch
-      // for files like `favicon.ico`, `manifest.json`, and libraries that are
-      // for some reason broken when imported through webpack. If you just want to
-      // use an image, put it in `src` and `import` it from JavaScript instead.
       directory: paths.appPublic,
+      // Public path: ensures the correct base path for served files
       publicPath: [paths.publicUrlOrPath],
-      // By default files from `contentBase` will not trigger a page reload.
+      // Watch settings for auto-reloading
       watch: {
-        // Reportedly, this avoids CPU overload on some systems.
-        // https://github.com/facebook/create-react-app/issues/293
-        // src/node_modules is not ignored to support absolute imports
-        // https://github.com/facebook/create-react-app/issues/1065
         ignored: ignoredFiles(paths.appSrc),
       },
     },
+
+    // Webpack Dev Client configuration
     client: {
       webSocketURL: {
-        // Enable custom sockjs pathname for websocket connection to hot reloading server.
-        // Enable custom sockjs hostname, pathname and port for websocket connection
-        // to hot reloading server.
         hostname: sockHost,
         pathname: sockPath,
         port: sockPort,
@@ -82,70 +65,46 @@ module.exports = function (proxy, allowedHost) {
         warnings: false,
       },
     },
+
+    // Middleware controlling the webpack output path
     devMiddleware: {
-      // It is important to tell WebpackDevServer to use the same "publicPath" path as
-      // we specified in the webpack config. When homepage is '.', default to serving
-      // from the root.
-      // remove last slash so user can land on `/test` instead of `/test/`
+      // The publicPath must match the same "publicPath" set in the Webpack config
       publicPath: paths.publicUrlOrPath.slice(0, -1),
     },
 
-    // Deprecated
-    // https: getHttpsConfig(),
+    // The server host used for dev
     host,
+
+    // Support for HTML5 History API based routing
     historyApiFallback: {
-      // Paths with dots should still use the history fallback.
-      // See https://github.com/facebook/create-react-app/issues/387.
       disableDotRule: true,
       index: paths.publicUrlOrPath,
     },
-    // `proxy` is run between `before` and `after` `webpack-dev-server` hooks
+
+    // Provide an optional HTTP proxy for your backend
     proxy,
-    setupMiddlewares: (middlewares, devServer) => { 
 
-      // Keep `evalSourceMapMiddleware`
-      // middlewares before `redirectServedPath` otherwise will not have any effect
-      // This lets us fetch source contents from webpack for the error overlay
+    // Fine-tune how the devServer sets up middlewares
+    setupMiddlewares: (middlewares, devServer) => {
+      // 1) Source Map Middleware: helps fetch source contents for error overlay
       devServer.app.use(evalSourceMapMiddleware(devServer));
 
+      // 2) Register additional user-provided middleware if `proxySetup.js` exists
       if (fs.existsSync(paths.proxySetup)) {
-        // This registers user provided middleware for proxy reasons
         require(paths.proxySetup)(devServer.app);
       }
 
-      // // Use the `unshift` method if you want to run a middleware before all other middlewares
-      // // or when you are migrating from the `onBeforeSetupMiddleware` option
-      // middlewares.unshift({
-      //   name: "first-in-array",
-      //   // `path` is optional
-      //   path: "/some/before-path",
-      //   middleware: (req, res) => {
-      //     res.send("Foo!");
-      //   },
-      // });
-
-      // // Use the `push` method if you want to run a middleware after all other middlewares
-      // // or when you are migrating from the `onAfterSetupMiddleware` option
-      // middlewares.push({
-      //   name: "hello-world-test-one",
-      //   // `path` is optional
-      //   path: "/some/after-bar",
-      //   middleware: (req, res) => {
-      //     res.send("Foo Bar!");
-      //   },
-      // });
-
-      // Redirect to `PUBLIC_URL` or `homepage` from `package.json` if url not match
+      // Example of how to prepend or append custom middleware:
+      // middlewares.unshift({ name: "my-first-middleware", path: "/before", middleware: (req, res) => { /* ... */ } });
+      // middlewares.push({ name: "my-last-middleware", path: "/after", middleware: (req, res) => { /* ... */ } });
+
+      // 3) Redirect requests if they don’t match (for correct base path usage)
       devServer.app.use(redirectServedPath(paths.publicUrlOrPath));
 
-      // This service worker file is effectively a 'no-op' that will reset any
-      // previous service worker registered for the same host:port combination.
-      // We do this in development to avoid hitting the production cache if
-      // it used the same host and port.
-      // https://github.com/facebook/create-react-app/issues/2272#issuecomment-302832432
+      // 4) Service worker reset - ensures old service workers don't cause conflicts
       devServer.app.use(noopServiceWorkerMiddleware(paths.publicUrlOrPath));
 
       return middlewares;
-    }
+    },
   };
 };