feat: implement client proxy for Astro-rendered websites

- Added 'http' and 'jwt' gems for proxy functionality
- Implemented ClientRenderingConstraint to route requests based on website rendering mode
- Added Pwb::ClientProxyController to handle proxying requests to the Astro client service
- Configured routes for client-admin and public proxying
- Added specs for the constraint and controller

Author: etewiah

Gemfile

@@ -164,6 +164,12 @@ gem "graphiql-rails", group: :development
 
 gem "faraday", "~> 2.3"
 
+# HTTP client for reverse proxy (client-rendered websites)
+gem "http", "~> 5.0"
+
+# JWT for proxy authentication tokens
+gem "jwt", "~> 2.7"
+
 # RETS gem removed - MLS/RETS integration deprecated (Dec 2024)
 # See docs/claude_thoughts/DEPRECATED_FEATURES.md for details
 

Gemfile.lock

@@ -177,6 +177,7 @@ GEM
       warden (~> 1.2.3)
     diff-lcs (1.6.2)
     docile (1.4.1)
+    domain_name (0.6.20240107)
     dotenv (3.2.0)
     dotenv-rails (3.2.0)
       dotenv (= 3.2.0)
@@ -212,6 +213,9 @@ GEM
     ffi (1.17.3-x86_64-darwin)
     ffi (1.17.3-x86_64-linux-gnu)
     ffi (1.17.3-x86_64-linux-musl)
+    ffi-compiler (1.3.2)
+      ffi (>= 1.15.5)
+      rake
     fiber-storage (1.0.1)
     firebase (0.2.8)
       googleauth
@@ -275,6 +279,14 @@ GEM
     hashdiff (1.2.1)
     hashie (5.1.0)
       logger
+    http (5.3.1)
+      addressable (~> 2.8)
+      http-cookie (~> 1.0)
+      http-form_data (~> 2.2)
+      llhttp-ffi (~> 0.5.0)
+    http-cookie (1.1.0)
+      domain_name (~> 0.5)
+    http-form_data (2.3.0)
     httpclient (2.9.0)
       mutex_m
     i18n (1.14.8)
@@ -301,7 +313,7 @@ GEM
     json_spec (1.1.5)
       multi_json (~> 1.0)
       rspec (>= 2.0, < 4.0)
-    jwt (3.1.2)
+    jwt (2.10.2)
       base64
     language_server-protocol (3.17.0.5)
     launchy (3.1.1)
@@ -314,6 +326,9 @@ GEM
     liquid (5.11.0)
       bigdecimal
       strscan (>= 3.1.1)
+    llhttp-ffi (0.5.1)
+      ffi-compiler (~> 1.0)
+      rake (~> 13.0)
     logger (1.7.0)
     lograge (0.14.0)
       actionpack (>= 4)
@@ -768,11 +783,13 @@ DEPENDENCIES
   graphiql-rails
   graphql (~> 2.0)
   groupdate (~> 6.0)
+  http (~> 5.0)
   i18n (~> 1.10)
   i18n-active_record (~> 1.1)
   image_processing (~> 1.2)
   importmap-rails (~> 2.0)
   json_spec
+  jwt (~> 2.7)
   launchy
   letter_opener
   liquid (~> 5.3)

app/constraints/client_rendering_constraint.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+# Routing constraint to identify requests for client-rendered websites
+# Used to route requests to the Astro proxy for websites using A themes
+class ClientRenderingConstraint
+  # Paths that should always go to Rails, even for client-rendered sites
+  EXCLUDED_PATHS = %w[
+    /site_admin
+    /tenant_admin
+    /api
+    /api_public
+    /users
+    /rails
+    /assets
+    /packs
+    /cable
+    /active_storage
+    /health
+    /setup
+    /signup
+    /pwb_login
+    /pwb_sign_up
+    /pwb_forgot_password
+    /pwb_change_password
+    /auth
+    /graphql
+    /graphiql
+    /api-docs
+    /.well-known
+  ].freeze
+
+  # Check if request should be handled by Astro proxy
+  def matches?(request)
+    return false if excluded_path?(request.path)
+
+    website = website_from_request(request)
+    website&.client_rendering? || false
+  end
+
+  private
+
+  # Find website from request (by custom domain or subdomain)
+  def website_from_request(request)
+    # Try custom domain first
+    website = Pwb::Website.find_by(custom_domain: request.host)
+    return website if website
+
+    # Try subdomain
+    subdomain = extract_subdomain(request.host)
+    Pwb::Website.find_by(subdomain: subdomain) if subdomain
+  end
+
+  # Extract subdomain from host
+  def extract_subdomain(host)
+    # Skip if it's an IP address
+    return nil if host.match?(/\A\d+\.\d+\.\d+\.\d+\z/)
+
+    parts = host.split('.')
+    return nil if parts.length < 3
+
+    # Handle cases like tenant.propertywebbuilder.com
+    parts.first
+  end
+
+  # Check if path should be excluded from proxy
+  def excluded_path?(path)
+    EXCLUDED_PATHS.any? { |prefix| path.start_with?(prefix) }
+  end
+end

app/controllers/pwb/client_proxy_controller.rb

@@ -0,0 +1,164 @@
+# frozen_string_literal: true
+
+require_dependency 'pwb/application_controller'
+
+module Pwb
+  # Proxy controller for client-rendered websites (A themes)
+  # Routes requests through Rails to the Astro client server while maintaining
+  # authentication and tenant context
+  class ClientProxyController < ApplicationController
+    include SubdomainTenant
+
+    # Skip standard Rails processing for proxied requests
+    skip_before_action :verify_authenticity_token, only: [:public_proxy, :admin_proxy]
+
+    before_action :ensure_client_rendering_mode
+    before_action :authenticate_for_admin_routes!, only: [:admin_proxy]
+
+    # Proxy public pages to Astro client
+    def public_proxy
+      proxy_to_astro_client(request.fullpath)
+    end
+
+    # Proxy admin/management pages to Astro client (requires auth)
+    def admin_proxy
+      proxy_to_astro_client(request.fullpath, with_auth: true)
+    end
+
+    private
+
+    # Ensure this controller only handles client-rendered websites
+    def ensure_client_rendering_mode
+      unless @current_website&.client_rendering?
+        # Fall through to normal Rails rendering
+        raise ActionController::RoutingError, 'Not Found'
+      end
+    end
+
+    # Require authentication for client admin routes
+    def authenticate_for_admin_routes!
+      return if user_signed_in?
+
+      store_location_for(:user, request.fullpath)
+      redirect_to new_user_session_path, alert: 'Please sign in to access this page.'
+    end
+
+    # Main proxy method - forwards requests to Astro client
+    def proxy_to_astro_client(path, with_auth: false)
+      astro_url = build_astro_url(path)
+
+      # Build request headers
+      headers = proxy_headers
+      headers.merge!(auth_headers) if with_auth
+
+      begin
+        response = HTTP
+          .timeout(connect: 5, read: 30)
+          .headers(headers)
+          .request(request.method.downcase.to_sym, astro_url, body: request.body.read)
+
+        render_proxy_response(response)
+      rescue HTTP::Error, HTTP::TimeoutError => e
+        Rails.logger.error "Astro proxy error: #{e.message}"
+        render_proxy_error
+      end
+    end
+
+    # Build the full URL to the Astro client
+    def build_astro_url(path)
+      "#{astro_client_url}#{path}"
+    end
+
+    # Get Astro client URL from environment
+    def astro_client_url
+      ENV.fetch('ASTRO_CLIENT_URL', 'http://localhost:4321')
+    end
+
+    # Headers to forward to Astro client
+    def proxy_headers
+      {
+        'X-Forwarded-Host' => request.host,
+        'X-Forwarded-Proto' => request.protocol.chomp('://'),
+        'X-Forwarded-For' => request.remote_ip,
+        'X-Website-Slug' => @current_website&.subdomain,
+        'X-Website-Id' => @current_website&.id.to_s,
+        'X-Rendering-Mode' => 'client',
+        'X-Client-Theme' => @current_website&.client_theme_name,
+        'Accept' => request.headers['Accept'] || '*/*',
+        'Accept-Language' => request.headers['Accept-Language'],
+        'Content-Type' => request.content_type
+      }.compact
+    end
+
+    # Authentication headers for Astro to verify
+    def auth_headers
+      {
+        'X-User-Id' => current_user&.id.to_s,
+        'X-User-Email' => current_user&.email,
+        'X-User-Role' => current_user_role,
+        'X-Auth-Token' => generate_proxy_auth_token
+      }.compact
+    end
+
+    # Get current user's role for this website
+    def current_user_role
+      return 'guest' unless current_user
+
+      membership = current_user.user_memberships.find_by(website: @current_website)
+      membership&.role || 'member'
+    end
+
+    # Generate short-lived JWT for Astro to verify request authenticity
+    def generate_proxy_auth_token
+      payload = {
+        user_id: current_user&.id,
+        website_id: @current_website&.id,
+        exp: 5.minutes.from_now.to_i,
+        iat: Time.current.to_i
+      }
+      JWT.encode(payload, Rails.application.secret_key_base, 'HS256')
+    end
+
+    # Render the response from Astro client
+    def render_proxy_response(response)
+      # Copy relevant response headers
+      response.headers.each do |key, value|
+        # Skip hop-by-hop headers
+        next if hop_by_hop_header?(key)
+
+        headers[key] = value
+      end
+
+      # Handle content type
+      content_type = response.content_type&.mime_type || 'text/html'
+
+      render body: response.body.to_s,
+             status: response.status,
+             content_type: content_type
+    end
+
+    # Check if header is a hop-by-hop header (should not be forwarded)
+    def hop_by_hop_header?(header_name)
+      %w[
+        connection
+        keep-alive
+        transfer-encoding
+        te
+        trailer
+        upgrade
+        proxy-authorization
+        proxy-authenticate
+      ].include?(header_name.downcase)
+    end
+
+    # Render error page when Astro client is unavailable
+    def render_proxy_error
+      if request.format.html?
+        render 'pwb/errors/proxy_unavailable', status: :service_unavailable, layout: false
+      else
+        render json: { error: 'Client application unavailable' },
+               status: :service_unavailable
+      end
+    end
+  end
+end