Fix writing signature relay 403

[gocanto]

Summary

• route POST /relay/generate-signature* at the public API edge before the SPA/web fallback
• keep /api/generate-signature* blocked publicly and preserve the existing internal mTLS listener
• add production Caddyfile contract coverage for the public block, browser relay, method guard, and mTLS signature route

Production repro

• Agent Browser on https://oullin.io/writing shows No articles found. and console errors for API requests failing with status 403
• Live POST https://oullin.io/relay/generate-signature currently returns HTTP/2 403 with two Caddy via hops
• Live preflight already returns HTTP/2 204, so the broken path is the POST relay hop

Verification

• go test ./infra/caddy
• go test ./...
• docker run --rm -v /Users/gocanto/Sites/oullin/api/infra/caddy/Caddyfile.prod:/etc/caddy/Caddyfile:ro -v /Users/gocanto/Sites/oullin/api/infra/caddy/mtls:/etc/caddy/mtls:ro caddy:2.10.2 caddy validate --config /etc/caddy/Caddyfile

Summary by CodeRabbit

Release Notes

• New Features

  • Added a browser-accessible signature relay endpoint featuring built-in security controls, including preflight request handling and origin verification for enhanced protection.

• Tests

  • Added comprehensive test coverage to validate the signature relay endpoint correctly processes requests and enforces security protocols across all supported scenarios.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9016da96-1fdf-4cdd-88b9-c59a5b90c6bb

📥 Commits

Reviewing files that changed from the base of the PR and between be7a269 and 0f38942.

📒 Files selected for processing (2)

• infra/caddy/Caddyfile.prod
• infra/caddy/caddyfile_prod_test.go

---

Walkthrough

A browser-facing signature relay endpoint is added to the production Caddy configuration. Requests to /relay/generate-signature* are handled with CORS headers, OPTIONS preflight responses, POST proxying to the backend API with header forwarding, and 405 fallback handling. Corresponding test coverage validates the configuration.

Changes

Signature Relay Endpoint

Layer / File(s)	Summary
Relay Endpoint Configuration infra/caddy/Caddyfile.prod	Adds /relay/generate-signature* route with CORS headers (Access-Control-Allow-Origin: https://oullin.io), OPTIONS preflight returning 204 with 86400-second max age, POST handler that strips /relay prefix and reverse-proxies to api:8080 with selective header forwarding (including X-API-Intended-Origin), and 405 fallback for unsupported methods.
Test Coverage infra/caddy/caddyfile_prod_test.go	Introduces TestProdCaddyfileHandlesBrowserSignatureRelayAtEdge which validates the Caddyfile configuration via regex matching, verifying CORS matcher setup, OPTIONS preflight response (204 with age header), POST proxying to api:8080 with X-API-Intended-Origin propagation, and 405 error responses for disallowed methods.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• hotfic: Use Caddy router instead web#48 — Modifies the same /relay/generate-signature* route in Caddy configuration with relay handling and proxying behaviour.
• hotfix: Block generate signature endpoint #102 — Updates Caddy configuration access control for the generate-signature endpoint by blocking public /api/generate-signature and exposing via internal mTLS listener instead.
• fix: Issues from signatures mismatch  #170 — Implements server-side origin normalisation and signature validation that consume the X-API-Intended-Origin header forwarded by this relay configuration.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title is vague and doesn't clearly describe the main change; 'Fix writing signature relay 403' lacks specificity about what the fix involves or why it matters.	Consider revising to something like 'Add public-edge route for signature relay requests' or 'Route POST /relay/generate-signature at edge to fix 403 errors' for better clarity.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Review rate limit: 4/5 reviews remaining, refill in 12 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces a browser-facing signature relay endpoint in the production Caddyfile and adds a suite of tests to verify routing, CORS, and mTLS configurations. The review feedback identifies a logic error in a test helper function that causes it to return prematurely and recommends expanding the allowed CORS headers for the new relay endpoint to ensure consistency with existing API blocks and prevent potential preflight failures.