Fix Obsidian sync race condition and block credentials.json from being served

Run ob login and sync-setup in foreground before backgrounding sync to prevent "Another sync instance is already running" error. Restrict the catch-all route to only serve whitelisted static file extensions to prevent sensitive files like credentials.json from being exposed. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-30 23:59:29 -04:00
parent 5e0e2994c2
commit 47238f8567
2 changed files with 40 additions and 15 deletions
@@ -68,12 +68,39 @@ async def static_files(filename):
    return await send_from_directory(app.static_folder, filename)


+# Allowed file extensions for static frontend assets
+ALLOWED_STATIC_EXTENSIONS = {
+    ".html",
+    ".css",
+    ".js",
+    ".svg",
+    ".png",
+    ".ico",
+    ".jpg",
+    ".jpeg",
+    ".webp",
+    ".woff",
+    ".woff2",
+    ".ttf",
+    ".txt",
+}
+
+# JSON files explicitly allowed to be served (e.g. PWA manifest)
+ALLOWED_JSON_FILES = {"manifest.json"}
+
+
 # Serve the React app for all routes (catch-all)
@app.route("/", defaults={"path": ""})
@app.route("/<path:path>")
 async def serve_react_app(path):
-    if path and os.path.exists(os.path.join(app.template_folder, path)):
-        return await send_from_directory(app.template_folder, path)
+    if path:
+        ext = os.path.splitext(path)[1].lower()
+        basename = os.path.basename(path)
+        allowed = ext in ALLOWED_STATIC_EXTENSIONS or (
+            ext == ".json" and basename in ALLOWED_JSON_FILES
+        )
+        if allowed and os.path.exists(os.path.join(app.template_folder, path)):
+            return await send_from_directory(app.template_folder, path)
    return await render_template("index.html")


@@ -12,19 +12,17 @@ if [ "${OBSIDIAN_CONTINUOUS_SYNC}" = "true" ]; then

    VAULT_PATH="${OBSIDIAN_VAULT_PATH:-/app/data/obsidian}"

-    # Login
-    ob login --email "${OBSIDIAN_EMAIL}" --password "${OBSIDIAN_PASSWORD}" && \
-    # Setup sync for vault
-    ob sync-setup \
-        --vault "${OBSIDIAN_VAULT_ID}" \
-        --path "${VAULT_PATH}" \
-        --password "${OBSIDIAN_E2E_PASSWORD}" \
-        --device-name "${OBSIDIAN_DEVICE_NAME:-simbarag}" && \
-    # Start continuous sync in background
-    echo "Starting Obsidian continuous sync..." && \
-    ob sync --continuous --path "${VAULT_PATH}" &
-
-    if [ $? -ne 0 ]; then
+    # Login and setup sync (foreground, must complete before sync starts)
+    if ob login --email "${OBSIDIAN_EMAIL}" --password "${OBSIDIAN_PASSWORD}" && \
+       ob sync-setup \
+           --vault "${OBSIDIAN_VAULT_ID}" \
+           --path "${VAULT_PATH}" \
+           --password "${OBSIDIAN_E2E_PASSWORD}" \
+           --device-name "${OBSIDIAN_DEVICE_NAME:-simbarag}"; then
+        # Start continuous sync in background
+        echo "Starting Obsidian continuous sync..."
+        ob sync --continuous --path "${VAULT_PATH}" &
+    else
        echo "WARNING: Obsidian sync setup failed. Continuing without sync."
    fi
 fi