Support every ASGI framework's mount convention via root_path

audreyfeldroy · audreyfeldroy · commit 2c3ef7bff857 · 2026-03-12T21:00:03.000+08:00
HashedStatic.__call__ reads scope["root_path"] to determine how the
framework scoped the request. Starlette and FastAPI set root_path
but leave the full path intact; Litestar strips the mount prefix
from the path entirely. Both styles now resolve to the same relative
file path. Standalone raw ASGI usage without a framework falls back
to self.prefix matching.

Key design decisions:
- prefix remains a URL-generation concern (used by url() only).
  Request routing in __call__ uses root_path, not prefix.
- Path traversal protections (resolve + is_relative_to) sit
  downstream of the dispatch, guarding all three branches equally.
diff --git a/src/staticware/middleware.py b/src/staticware/middleware.py
@@ -118,11 +118,22 @@ async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
             return
 
         request_path: str = scope["path"]
-        if not request_path.startswith(self.prefix + "/"):
-            await _send_text(send, 404, b"Not Found")
-            return
+        root_path: str = scope.get("root_path", "")
 
-        relative_path = request_path[len(self.prefix) + 1 :]
+        if root_path:
+            # Framework mount: use root_path to derive the local path.
+            if request_path.startswith(root_path + "/"):
+                # Starlette-style: path still includes the mount prefix.
+                relative_path = request_path[len(root_path) + 1 :]
+            else:
+                # Litestar-style: framework already stripped the prefix.
+                relative_path = request_path.lstrip("/")
+        else:
+            # Standalone raw ASGI: use self.prefix to find the local path.
+            if not request_path.startswith(self.prefix + "/"):
+                await _send_text(send, 404, b"Not Found")
+                return
+            relative_path = request_path[len(self.prefix) + 1 :]
 
         # Hashed filename — serve with immutable caching
         original_path = self._reverse.get(relative_path)
diff --git a/tests/test_staticware.py b/tests/test_staticware.py
@@ -387,3 +387,77 @@ async def bad_encoding_app(scope: dict, receive: Any, send: Any) -> None:
     resp = ResponseCollector()
     await app(make_scope("/"), receive, resp)
     assert resp.body == raw_body
+
+
+# ── HashedStatic: framework mount compatibility ───────────────────────
+
+
+def make_mount_scope(path: str, *, root_path: str = "") -> dict[str, Any]:
+    """Like make_scope but accepts root_path for framework-mount simulation."""
+    return {"type": "http", "path": path, "root_path": root_path, "method": "GET"}
+
+
+async def test_serve_with_root_path_scope(
+    static: HashedStatic, static_dir: Path
+) -> None:
+    """Starlette-style mount: root_path set, path still includes the prefix.
+
+    Starlette sets scope["root_path"] = "/static" and leaves
+    scope["path"] = "/static/styles.css".  The current code happens to
+    pass because the prefix check still matches, but we need this test
+    to lock in the expected behavior when root_path is present.
+    """
+    resp = ResponseCollector()
+    scope = make_mount_scope("/static/styles.css", root_path="/static")
+    await static(scope, receive, resp)
+    assert resp.status == 200
+    assert resp.text == "body { color: red; }"
+
+
+async def test_serve_with_stripped_path(
+    static: HashedStatic, static_dir: Path
+) -> None:
+    """Litestar-style mount: framework strips the prefix from scope["path"].
+
+    The sub-app sees scope["root_path"] = "/static" and
+    scope["path"] = "/styles.css".  The current code 404s because
+    "/styles.css" does not start with "/static/".
+    """
+    resp = ResponseCollector()
+    scope = make_mount_scope("/styles.css", root_path="/static")
+    await static(scope, receive, resp)
+    assert resp.status == 200
+    assert resp.text == "body { color: red; }"
+    assert b"cache-control" not in resp.headers
+
+
+async def test_serve_hashed_with_stripped_path(static: HashedStatic) -> None:
+    """Litestar-style mount with a hashed filename request.
+
+    scope["root_path"] = "/static", scope["path"] = "/styles.<hash>.css".
+    Should serve the file with immutable cache headers but will 404
+    against current code.
+    """
+    hashed_name = static.file_map["styles.css"]
+    resp = ResponseCollector()
+    scope = make_mount_scope(f"/{hashed_name}", root_path="/static")
+    await static(scope, receive, resp)
+    assert resp.status == 200
+    assert resp.text == "body { color: red; }"
+    assert resp.headers[b"cache-control"] == b"public, max-age=31536000, immutable"
+
+
+async def test_serve_with_mismatched_mount_and_prefix(static_dir: Path) -> None:
+    """Mount prefix differs from HashedStatic prefix.
+
+    HashedStatic is constructed with prefix="/assets" but the framework
+    mounts it at /static, so root_path="/static" and
+    path="/static/styles.css".  The current code 404s because the prefix
+    check looks for "/assets/" which does not match "/static/...".
+    """
+    static = HashedStatic(static_dir, prefix="/assets")
+    resp = ResponseCollector()
+    scope = make_mount_scope("/static/styles.css", root_path="/static")
+    await static(scope, receive, resp)
+    assert resp.status == 200
+    assert resp.text == "body { color: red; }"
