From eca635a1758e56c979b78e450c1fe0d7f78435eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mateusz=20Gruszczy=C5=84ski?=
Date: Thu, 25 Sep 2025 10:18:39 +0200
Subject: [PATCH] varnish reconfig
---
 app.py | 29 ++++++++++++-----------------
 deploy/varnish/default.vcl.template | 29 +++++++++++++++++++++++++++++
 static/js/expense_chart.js | 1 -
 3 files changed, 41 insertions(+), 18 deletions(-)
diff --git a/app.py b/app.py
index b0ae4f8..d0ac194 100644
--- a/app.py
+++ b/app.py
@@ -1377,7 +1377,18 @@ def inject_is_blocked():
 @app.before_request
 def require_system_password():
 endpoint = request.endpoint
- if endpoint in ("static_bp.serve_js_lib", "static_bp.serve_css_lib"):
+
+ if endpoint in (
+ "static_bp.serve_js",
+ "static_bp.serve_css",
+ "static_bp.serve_js_lib",
+ "static_bp.serve_css_lib",
+ "favicon",
+ "favicon_ico",
+ ):
+ return
+
+ if endpoint in ("system_auth", "healthcheck", "robots_txt"):
 return
 ip = request.access_route[0]
@@ -1387,26 +1398,10 @@ def require_system_password():
 if endpoint is None:
 return
- if endpoint in ("system_auth", "healthcheck", "robots_txt"):
- return
-
 if (
 "authorized" not in request.cookies
 and not endpoint.startswith("login")
- and endpoint != "favicon"
 ):
-
- if endpoint == "static_bp.serve_js":
- requested_file = request.view_args.get("filename", "")
- if requested_file == "toasts.js":
- return
- if requested_file.endswith(".js"):
- return redirect(url_for("system_auth", next=request.url))
- return
-
- if endpoint.startswith("static_bp."):
- return
-
 if request.path == "/":
 return redirect(url_for("system_auth"))
diff --git a/deploy/varnish/default.vcl.template b/deploy/varnish/default.vcl.template
index 1e382c1..345251f 100644
--- a/deploy/varnish/default.vcl.template
+++ b/deploy/varnish/default.vcl.template
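Review bot: In the first app.py hunk the early return for `system_auth`, `healthcheck` and `robots_txt` now sits above `ip = request.access_route[0]`, so whatever the following lines do with the client IP (they fall between the two hunks and are not visible here) no longer runs for the password form. If that code enforces the IP block or failed-attempt lockout, which the neighbouring `inject_is_blocked()` suggests, `system_auth` is now exempt from it in this hook. Keep the static allowlist at the top, but move `if endpoint in ("system_auth", "healthcheck", "robots_txt"): return` back below the IP check, or confirm that the `system_auth` view enforces the block itself. `require_system_password` continues outside the hunk.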
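Review bot: The gate that remains in the second app.py hunk, `"authorized" not in request.cookies`, tests only that a cookie with that name is present; nothing visible here verifies its value. Unless the value is checked elsewhere, the gate trusts data the client fully controls, so the condition should read a signed or server-side flag instead, e.g. `not session.get("authorized")` if the flag is moved into Flask's signed session. Separately, `not endpoint.startswith("login")` exempts every endpoint whose name begins with `login`; an explicit tuple like the ones added in the first hunk would be harder to widen by accident. The body of this `if` continues past the end of the hunk.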
@@ -116,6 +116,35 @@ sub vcl_backend_response {
 return (deliver);
 }
+ # Nie cache'uj statyków, jeśli status ≠ 200
+ if (bereq.url ~ "^/static/" ||
+ bereq.url ~ "\.(css|js|png|jpe?g|webp|svg|ico|woff2?)($|\?)") {
+ if (beresp.status != 200) {
+ set beresp.uncacheable = true;
+ set beresp.ttl = 0s;
+ return (deliver);
+ }
+ }
+
+ # Jeśli pod .js przychodzi text/html — też nie cache'uj (to zwykle redirect/login)
+ if (bereq.url ~ "\.js(\?.*)?$" && beresp.http.Content-Type ~ "(?i)text/html") {
+ set beresp.uncacheable = true;
+ set beresp.ttl = 0s;
+ return (deliver);
+ }
+
+ # Wymuś poprawny Content-Type dla .js/.css, gdy backend zwróci HTML
+ if (bereq.url ~ "\.js(\?.*)?$") {
+ if (!beresp.http.Content-Type || beresp.http.Content-Type ~ "(?i)text/html") {
+ set beresp.http.Content-Type = "application/javascript; charset=utf-8";
+ }
+ }
+ if (bereq.url ~ "\.css(\?.*)?$") {
+ if (!beresp.http.Content-Type || beresp.http.Content-Type ~ "(?i)text/html") {
+ set beresp.http.Content-Type = "text/css; charset=utf-8";
+ }
+ }
+
 }
 # ---- STATYCZNE: zdejmij Set-Cookie i Vary: Cookie, zapewnij TTL ----
diff --git a/static/js/expense_chart.js b/static/js/expense_chart.js
index 19076a2..2b8c918 100644
--- a/static/js/expense_chart.js
+++ b/static/js/expense_chart.js
@@ -74,7 +74,6 @@ document.addEventListener("DOMContentLoaded", function () {
 }
 // Publiczne API – kontroler zawsze woła nas z odpowiednim 'range' i (dla daily) z datami.
- // Dla odporności: jeśli przyjdzie 'daily' BEZ dat, wymusimy ostatnie 30 dni (to była usterka źródłowa) :contentReference[oaicite:5]{index=5}
 function loadExpenses(range = "monthly", startDate = null, endDate = null) {
 // Naprawa: daily bez dat => ostatnie 30 dni
 if (range === "daily" && !(startDate && endDate)) {
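Review bot: The new `text/html` guard in the default.vcl.template hunk covers only `.js` URLs, so an HTML body returned with status 200 under a `.css` URL skips both uncacheable branches, is relabelled `text/css` by the last block, and may then be cached by the static rules that follow (outside this hunk; `vcl_backend_response` also starts above it). Extending the guard to both types, `if (bereq.url ~ "\.(js|css)(\?.*)?$" && beresp.http.Content-Type ~ "(?i)text/html") {`, closes that gap. The `~ "(?i)text/html"` half of the Content-Type rewrite is already unreachable for `.js` because the guard returns first, and with the wider guard both rewrites can be reduced to `if (!beresp.http.Content-Type) {`, which also avoids serving HTML labelled as script or stylesheet. Both uncacheable branches set `beresp.ttl = 0s`; a short non-zero TTL there would likely keep a hit-for-miss marker so repeated requests for the same URL are not queued behind one another.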