@@ 136,8 136,16 @@ func (h *spaHandler) serveIndex(w http.ResponseWriter, _ *http.Request) {
return
}
+ original := buf.Bytes()
script := []byte("<script>window.__LETHE_CONFIG__=" + string(cfgJSON) + ";</script></head>")
- injected := bytes.Replace(buf.Bytes(), []byte("</head>"), script, 1)
+ injected := bytes.Replace(original, []byte("</head>"), script, 1)
+ if bytes.Equal(injected, original) {
+ // </head> is required for config injection. Failing loud beats serving
+ // uninjected HTML and letting the SPA render its "auth-config missing"
+ // card with no server-side diagnostic.
+ http.Error(w, "internal server error: index.html missing </head> for config injection", http.StatusInternalServerError)
+ return
+ }
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.WriteHeader(http.StatusOK)