Fix Obsidian sync race condition and block credentials.json from being served

Run ob login and sync-setup in foreground before backgrounding sync to prevent "Another sync instance is already running" error. Restrict the catch-all route to only serve whitelisted static file extensions to prevent sensitive files like credentials.json from being exposed. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-30 23:59:29 -04:00
parent 5e0e2994c2
commit 47238f8567
2 changed files with 40 additions and 15 deletions
@@ -68,12 +68,39 @@ async def static_files(filename):
    return await send_from_directory(app.static_folder, filename)


+# Allowed file extensions for static frontend assets
+ALLOWED_STATIC_EXTENSIONS = {
+    ".html",
+    ".css",
+    ".js",
+    ".svg",
+    ".png",
+    ".ico",
+    ".jpg",
+    ".jpeg",
+    ".webp",
+    ".woff",
+    ".woff2",
+    ".ttf",
+    ".txt",
+}
+
+# JSON files explicitly allowed to be served (e.g. PWA manifest)
+ALLOWED_JSON_FILES = {"manifest.json"}
+
+
 # Serve the React app for all routes (catch-all)
@app.route("/", defaults={"path": ""})
@app.route("/<path:path>")
 async def serve_react_app(path):
-    if path and os.path.exists(os.path.join(app.template_folder, path)):
-        return await send_from_directory(app.template_folder, path)
+    if path:
+        ext = os.path.splitext(path)[1].lower()
+        basename = os.path.basename(path)
+        allowed = ext in ALLOWED_STATIC_EXTENSIONS or (
+            ext == ".json" and basename in ALLOWED_JSON_FILES
+        )
+        if allowed and os.path.exists(os.path.join(app.template_folder, path)):
+            return await send_from_directory(app.template_folder, path)
    return await render_template("index.html")