etherpad-lite/docs/superpowers/specs
John McLear 86edd67f58
feat: support X-Forwarded-Prefix and X-Ingress-Path (#7802) (#7806)
* docs: design for URL base-path support (#7802)

Spec covers the architecture, header handling rules, components touched,
backwards-compatibility story, risks, and test plan for honoring
X-Forwarded-Prefix / X-Ingress-Path under trustProxy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs: amend #7802 spec with discovery of pre-existing proxy-path helpers

After exploring the codebase, much of the proposed architecture is
already in place (sanitizeProxyPath, padBootstrap.js basePath derivation,
admin SPA rewrite). Spec now reflects the actual delta: header source
expansion, /manifest.json prefix-awareness, socialMeta proxyPath honoring,
and template URL touch-ups for index/timeslider/pad/export.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(plan): implementation plan for URL base-path support (#7802)

Adds the bite-sized TDD task list to ship X-Forwarded-Prefix /
X-Ingress-Path support: extends sanitizeProxyPath, makes /manifest.json
and socialMeta prefix-aware, touches up the remaining leading-slash
URLs in index/pad/timeslider/export templates, fixes a pre-existing
manifest .. count bug. Drops the originally-proposed <base href>
belt-and-braces after discovering it'd break the existing relative
URLs in pad.html/timeslider.html and wouldn't help plugin DOM
injection anyway (path-absolute URLs ignore <base>'s path component).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(proxy): accept X-Forwarded-Prefix and X-Ingress-Path under trustProxy (#7802)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(pwa): make /manifest.json honor sanitised proxy-path (#7802)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(social-meta): honor proxyPath in from-request og:url and og:image (#7802)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(templates): index.html manifest + jslicense links honor proxyPath (#7802)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(templates): pad.html reconnect/jslicense honor proxyPath; fix manifest .. count (#7802)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(templates): timeslider.html reconnect/jslicense honor proxyPath; fix manifest .. count (#7802)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(templates): export_html.html manifest honors proxyPath when available (#7802)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test: end-to-end coverage for X-Forwarded-Prefix / X-Ingress-Path (#7802)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(settings): trustProxy also enables X-Forwarded-Prefix / X-Ingress-Path (#7802)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 13:27:59 +01:00
..
2026-04-18-gdpr-pr1-deletion-controls-design.md feat(gdpr): pad deletion controls (PR1 of #6701) (#7546) 2026-05-01 13:50:04 +01:00
2026-04-18-gdpr-pr2-ip-privacy-audit-design.md feat(gdpr): IP/privacy audit (PR2 of #6701) (#7547) 2026-05-01 13:47:40 +01:00
2026-04-19-gdpr-pr3-anon-identity-design.md feat(gdpr): HttpOnly author-token cookie (PR3 of #6701) (#7548) 2026-05-03 05:56:56 +01:00
2026-04-19-gdpr-pr4-privacy-banner-design.md feat(gdpr): configurable privacy banner (PR4 of #6701) (#7549) 2026-05-03 13:59:38 +08:00
2026-04-19-gdpr-pr5-author-erasure-design.md feat(gdpr): author erasure (PR5 of #6701) (#7550) 2026-05-03 12:30:49 +01:00
2026-04-20-issue-7570-ueberdb2-drivers-design.md fix(#7570): bundle DB drivers, add regression CI (#7572) 2026-04-20 18:10:01 +01:00
2026-04-25-auto-update-design.md feat(updater): tier 1 — notify admin and pad users of available updates (#7601) 2026-05-01 20:02:12 +08:00
2026-04-25-auto-update-runbook.md feat(updater): tier 4 — autonomous update in maintenance window (#7607) (#7753) 2026-05-17 13:50:34 +01:00
2026-04-30-issue-7599-open-graph-metadata-design.md feat(socialMeta): settings.socialMeta.description override (#7599 follow-up) (#7691) 2026-05-07 18:12:23 +08:00
2026-05-01-issue-7638-admin-typesafe-api-design.md feat(admin): document admin endpoints in OpenAPI (#7693) (#7705) 2026-05-10 15:55:33 +08:00
2026-05-03-gdpr-admin-author-erasure-ui-design.md feat(gdpr): admin UI for author erasure (follow-up to #7550) (#7667) 2026-05-14 08:11:48 +01:00
2026-05-08-issue-7693-admin-openapi-design.md feat(admin): document admin endpoints in OpenAPI (#7693) (#7705) 2026-05-10 15:55:33 +08:00
2026-05-08-native-docx-pdf-export-import-design.md feat(export): native DOCX export via html-to-docx (opt-in) (#7568) 2026-05-08 18:33:50 +01:00
2026-05-09-admin-settings-parsed-view-design.md admin: parsed JSONC settings editor (takes over #7666, closes #7603) (#7709) 2026-05-15 10:41:37 +01:00
2026-05-10-openapi-cleanup-design.md feat(api): clean up published OpenAPI spec for downstream codegens (#7714) 2026-05-10 13:02:05 +01:00
2026-05-15-issue-7524-swagger-ui-telemetry-design.md Drop swagger-ui, document telemetry, add opt-outs (#7524) (#7757) 2026-05-16 18:34:22 +01:00
2026-05-18-admin-settings-resolved-runtime-design.md fix(admin): show resolved runtime values on /admin/settings (#7803) (#7807) 2026-05-18 13:27:53 +01:00
2026-05-18-issue-7802-url-base-path-support-design.md feat: support X-Forwarded-Prefix and X-Ingress-Path (#7802) (#7806) 2026-05-18 13:27:59 +01:00
2026-05-18-outdated-notice-redesign-design.md fix(pad): redesign outdated-version notice (#7799) (#7804) 2026-05-18 12:23:40 +01:00