fix: support weak and list if-none-match etag validation

Author: cheluen

backend/main.go

@@ -11,6 +11,7 @@ import (
 	"log"
 	"mime"
 	"net/http"
+	"net/textproto"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -421,7 +422,7 @@ func registerFrontendRoutes(r *gin.Engine, frontendDistDir string, appVersion st
 		c.Header("X-App-Version", appVersion)
 		c.Header("X-Frontend-Fingerprint", indexFingerprint)
 
-		if c.GetHeader("If-None-Match") == indexETag {
+		if ifNoneMatchMatchesCurrentETag(c.GetHeader("If-None-Match"), indexETag) {
 			c.Status(http.StatusNotModified)
 			c.Abort()
 			return
@@ -511,6 +512,76 @@ func calcContentFingerprint(content []byte) string {
 	return hex.EncodeToString(sum[:8])
 }
 
+func ifNoneMatchMatchesCurrentETag(ifNoneMatch string, currentETag string) bool {
+	if ifNoneMatch == "" || currentETag == "" {
+		return false
+	}
+
+	buf := ifNoneMatch
+	for {
+		buf = textproto.TrimString(buf)
+		if len(buf) == 0 {
+			break
+		}
+		if buf[0] == ',' {
+			buf = buf[1:]
+			continue
+		}
+		if buf[0] == '*' {
+			rest := textproto.TrimString(buf[1:])
+			if rest == "" || rest[0] == ',' {
+				return true
+			}
+		}
+
+		etag, remain := scanETagToken(buf)
+		if etag == "" {
+			buf = skipToNextETagToken(buf)
+			continue
+		}
+		if etagWeakMatch(etag, currentETag) {
+			return true
+		}
+		buf = remain
+	}
+
+	return false
+}
+
+func scanETagToken(s string) (etag string, remain string) {
+	s = textproto.TrimString(s)
+	start := 0
+	if strings.HasPrefix(s, "W/") {
+		start = 2
+	}
+	if len(s[start:]) < 2 || s[start] != '"' {
+		return "", ""
+	}
+
+	for i := start + 1; i < len(s); i++ {
+		c := s[i]
+		switch {
+		case c == 0x21 || c >= 0x23 && c <= 0x7E || c >= 0x80:
+		case c == '"':
+			return s[:i+1], s[i+1:]
+		default:
+			return "", ""
+		}
+	}
+	return "", ""
+}
+
+func etagWeakMatch(a string, b string) bool {
+	return strings.TrimPrefix(a, "W/") == strings.TrimPrefix(b, "W/")
+}
+
+func skipToNextETagToken(s string) string {
+	if idx := strings.IndexByte(s, ','); idx >= 0 {
+		return s[idx+1:]
+	}
+	return ""
+}
+
 func apiCorsMiddlewareFromEnv() gin.HandlerFunc {
 	allowed := parseCommaListEnv("CORS_ALLOWED_ORIGINS")
 	if len(allowed) == 0 {

backend/main_test.go

@@ -78,6 +78,30 @@ func TestRegisterFrontendRoutesServesIndexWithRevalidateHeaders(t *testing.T) {
 	if conditionalRec.Code != http.StatusNotModified {
 		t.Fatalf("expected 304 for matching etag, got %d", conditionalRec.Code)
 	}
+
+	weakReq := httptest.NewRequest(http.MethodGet, "/", nil)
+	weakReq.Header.Set("If-None-Match", "W/"+etag)
+	weakRec := httptest.NewRecorder()
+	r.ServeHTTP(weakRec, weakReq)
+	if weakRec.Code != http.StatusNotModified {
+		t.Fatalf("expected 304 for weak etag match, got %d", weakRec.Code)
+	}
+
+	multiReq := httptest.NewRequest(http.MethodGet, "/", nil)
+	multiReq.Header.Set("If-None-Match", `"other-tag", W/`+etag)
+	multiRec := httptest.NewRecorder()
+	r.ServeHTTP(multiRec, multiReq)
+	if multiRec.Code != http.StatusNotModified {
+		t.Fatalf("expected 304 for multi-etag match, got %d", multiRec.Code)
+	}
+
+	starReq := httptest.NewRequest(http.MethodGet, "/", nil)
+	starReq.Header.Set("If-None-Match", "*")
+	starRec := httptest.NewRecorder()
+	r.ServeHTTP(starRec, starReq)
+	if starRec.Code != http.StatusNotModified {
+		t.Fatalf("expected 304 for wildcard if-none-match, got %d", starRec.Code)
+	}
 }
 
 func TestRegisterFrontendRoutesServesAssetsWithImmutableCache(t *testing.T) {
@@ -289,3 +313,68 @@ func TestRegisterFrontendRoutesFallsBackToEmbeddedAssets(t *testing.T) {
 		t.Fatalf("embedded index.html seems invalid")
 	}
 }
+
+func TestIfNoneMatchMatchesCurrentETag(t *testing.T) {
+	currentETag := `"sbpm-1234"`
+	cases := []struct {
+		name        string
+		ifNoneMatch string
+		want        bool
+	}{
+		{
+			name:        "exact",
+			ifNoneMatch: `"sbpm-1234"`,
+			want:        true,
+		},
+		{
+			name:        "weak",
+			ifNoneMatch: `W/"sbpm-1234"`,
+			want:        true,
+		},
+		{
+			name:        "list",
+			ifNoneMatch: `"other", W/"sbpm-1234"`,
+			want:        true,
+		},
+		{
+			name:        "wildcard",
+			ifNoneMatch: `*`,
+			want:        true,
+		},
+		{
+			name:        "wildcard with spaces and list",
+			ifNoneMatch: `* , "other"`,
+			want:        true,
+		},
+		{
+			name:        "invalid wildcard token",
+			ifNoneMatch: `*foo`,
+			want:        false,
+		},
+		{
+			name:        "invalid",
+			ifNoneMatch: `not-an-etag`,
+			want:        false,
+		},
+		{
+			name:        "invalid then valid",
+			ifNoneMatch: `not-an-etag, W/"sbpm-1234"`,
+			want:        true,
+		},
+		{
+			name:        "no-match",
+			ifNoneMatch: `"other"`,
+			want:        false,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			got := ifNoneMatchMatchesCurrentETag(tc.ifNoneMatch, currentETag)
+			if got != tc.want {
+				t.Fatalf("unexpected result for %q: got %v want %v", tc.ifNoneMatch, got, tc.want)
+			}
+		})
+	}
+}