Fix JS files served as JSON envelope (checkout/Stripe/auth all broken) #53

Merged
will.anderson merged 1 commit from fix/checkout-auth-reveal into dev 2026-05-10 22:34:36 +00:00
Owner

Root Cause

All compiled JS files (/js/*.js) were being served as the raw {"el_http_response":1,...} JSON wrapper instead of actual JavaScript. Every script on the page silently failed — auth, Stripe, and the free-tier flow were completely dead.

Why: http_parse_envelope() called json_parse() on the full ~47KB response envelope (JS body JSON-encoded inside). The parser fails on large/complex content, so is_envelope=0 and the raw JSON envelope was forwarded to the browser as the response body.

Secondary: http_detect_content_type() mis-identifies obfuscated JS as application/json (content starts with \n[javascript-obfuscator-cli]... — the [ triggers the JSON array heuristic). With X-Content-Type-Options: nosniff, this blocks script execution regardless.

Fix

runtime/el_runtime.c

Replace json_parse-of-full-envelope with a direct field scanner:

  • "status" — strtol scan
  • "headers" — brace-depth scan extracts the object literal, then json_parse only that small substring (headers are always simple k/v pairs < 1KB)
  • "body" — jp_parse_string_raw directly on the JSON string field, no intermediate allocation, no size limit

src/main.el

  • /js/* route now calls http_response(200, js_headers_json(), content) with explicit Content-Type: application/javascript
  • handle_request already passes through pre-wrapped envelopes, so security headers are included

Result

JS files served correctly. The fixes from PR #51 (free-success + Stripe auto-init) take effect automatically.

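A string-aware brace-depth scan of the kind the description names for the "headers" field, as an added example in C (not the code from runtime/el_runtime.c). `find_object_field`, `skip_string` and the field order of the constructed sample envelope are assumptions. The key is matched only at depth 1 and string contents are skipped, so key-like text or braces inside the JSON-encoded body cannot redirect the scan.

```c
#include <ctype.h>
#include <string.h>
/* Constructed sample, not captured traffic: the body string contains text that
 * looks like a "headers" key, and one header value contains a '}'. */
static const char SAMPLE[] =
    "{\"el_http_response\":1,\"status\":200,"
    "\"body\":\"var h={\\\"headers\\\":{}};}\","
    "\"headers\":{\"Content-Type\":\"application/javascript\",\"X-Note\":\"a}b\"}}";

/* Index just past the JSON string opening at s[i], or n if it never closes. */
static size_t skip_string(const char *s, size_t n, size_t i) {
    for (i++; i < n; i++) {
        if (s[i] == '\\') i++;              /* skip the escaped character */
        else if (s[i] == '"') return i + 1;
    }
    return n;
}

/* Hypothetical helper: find "key":{...} at depth 1 of s[0..n) and return the
 * object's span. -1 if the key is absent, not an object, or unterminated. */
int find_object_field(const char *s, size_t n, const char *key,
                      const char **out, size_t *out_len) {
    size_t klen = strlen(key), depth = 0, start = n, i = 0;
    while (i < n) {
        if (s[i] == '"') {
            size_t end = skip_string(s, n, i);
            int hit = start == n && depth == 1 && end - i == klen + 2 &&
                      memcmp(s + i + 1, key, klen) == 0;
            i = end;
            if (!hit) continue;
            while (i < n && isspace((unsigned char)s[i])) i++;
            if (i >= n || s[i] != ':') continue;      /* a value, not a key */
            do i++; while (i < n && isspace((unsigned char)s[i]));
            if (i >= n || s[i] != '{') return -1;     /* not an object */
            start = i;                                /* '{' is counted below */
        }
        if (s[i] == '{' || s[i] == '[') depth++;
        else if (s[i] == '}' || s[i] == ']') {
            if (depth == 0) return -1;                /* unbalanced close */
            if (--depth == 1 && start != n) {         /* field's object closed */
                *out = s + start; *out_len = i - start + 1;
                return 0;
            }
        }
        i++;
    }
    return -1;
}
```

The returned span is the small substring that would be handed to the JSON parser; validating its contents is left to that parser.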
will.anderson added 1 commit 2026-05-10 22:34:26 +00:00
Fix JS files served as raw JSON envelope instead of JavaScript
Dev — Build & local smoke test / build-smoke (pull_request) Failing after 1m36s
c99ca82302
http_parse_envelope() called json_parse() on the entire response envelope
(~47KB when body is obfuscated JS). The parser failed on large/complex content,
so is_envelope=0 and the raw JSON was sent — browsers got {"el_http_response":1,...}
instead of executable JavaScript, silently breaking all client-side code.

Fix: replace json_parse-of-full-envelope with a direct field scanner:
- "status" extracted via strtol
- "headers" object extracted via brace-depth scan, then json_parse only that
  small substring (always safe — headers are simple k/v string pairs < 1KB)
- "body" string extracted via jp_parse_string_raw — no intermediate allocation

Also: /js/* route now returns http_response(200, js_headers_json(), content)
with explicit Content-Type: application/javascript so the browser doesn't
apply the json-heuristic (obfuscated JS starting with '[' was detected as JSON,
which with X-Content-Type-Options: nosniff blocks script execution).
will.anderson merged commit 9da4d50883 into dev 2026-05-10 22:34:36 +00:00

Reference: neuron-technologies/neuron-web#53