Add dev-only YARP proxy from back-office Kestrel listener to rsbuild dev server

Author: tjementum

application/AppHost/Program.cs

@@ -90,6 +90,9 @@
     // Second Kestrel port for back-office.dev.localhost so localhost mirrors the Azure post-split
     // topology where back-office has its own external ingress and AppGateway is not in the path.
     .WithEnvironment("BACK_OFFICE_KESTREL_PORT", ports.BackOfficeApi.ToString())
+    // BackOfficeDevStaticProxy forwards /static/* and HMR traffic on the back-office Kestrel listener
+    // to the rsbuild dev server. Dev-only; production builds serve a baked bundle from disk.
+    .WithEnvironment("BACK_OFFICE_STATIC_PORT", ports.BackOfficeStatic.ToString())
     // Back-office bundle URLs target the dedicated Kestrel port directly (no AppGateway).
     .WithEnvironment("BACK_OFFICE_PUBLIC_URL", backOfficeBaseUrl)
     .WithEnvironment("BACK_OFFICE_CDN_URL", backOfficeBaseUrl)

application/account/Api/Account.Api.csproj

@@ -38,6 +38,7 @@
             <IncludeAssets>runtime; build; native; contentFiles; analyzers; buildTransitive</IncludeAssets>
             <PrivateAssets>all</PrivateAssets>
         </PackageReference>
+        <PackageReference Include="Yarp.ReverseProxy"/>
     </ItemGroup>
 
     <!--

application/account/Api/BackOfficeDevStaticProxy.cs

@@ -0,0 +1,82 @@
+using System.Net;
+using System.Net.Security;
+using Microsoft.AspNetCore.Http.Extensions;
+using Yarp.ReverseProxy.Forwarder;
+
+namespace Account.Api;
+
+// Dev-only proxy that forwards back-office static-asset and HMR traffic from the back-office Kestrel
+// listener (BACK_OFFICE_KESTREL_PORT) to the rsbuild dev server (BACK_OFFICE_STATIC_PORT). Production
+// builds bake the bundle into BackOfficeWebApp/dist and serve it via UseStaticFiles, so this proxy
+// is registered only in development. The proxy must run before authentication so anonymous browsers
+// can fetch /static/*, /rsbuild-hmr, and HMR /{filename}.hot-update.{ext} during the SPA bootstrap.
+public static class BackOfficeDevStaticProxy
+{
+    public static IServiceCollection AddBackOfficeDevStaticProxy(this IServiceCollection services)
+    {
+        services.AddHttpForwarder();
+        return services;
+    }
+
+    public static IApplicationBuilder UseBackOfficeDevStaticProxy(this WebApplication app, string backOfficeHostname)
+    {
+        if (!app.Environment.IsDevelopment()) return app;
+
+        var rawPort = Environment.GetEnvironmentVariable("BACK_OFFICE_STATIC_PORT");
+        if (!int.TryParse(rawPort, out var staticPort) || staticPort <= 0) return app;
+
+        var destinationPrefix = $"https://localhost:{staticPort}";
+        var forwarder = app.Services.GetRequiredService<IHttpForwarder>();
+        var invoker = new HttpMessageInvoker(new SocketsHttpHandler
+            {
+                UseProxy = false,
+                AllowAutoRedirect = false,
+                AutomaticDecompression = DecompressionMethods.None,
+                UseCookies = false,
+                // The rsbuild dev server uses a self-signed certificate from Aspire; trust it locally.
+                SslOptions = new SslClientAuthenticationOptions
+                {
+                    RemoteCertificateValidationCallback = (_, _, _, _) => true
+                }
+            }
+        );
+
+        app.UseWhen(
+            context => IsBackOfficeStaticRequest(context, backOfficeHostname),
+            branch => branch.Run(async context =>
+                {
+                    var error = await forwarder.SendAsync(context, destinationPrefix, invoker, ForwarderRequestConfig.Empty);
+                    if (error != ForwarderError.None && !context.Response.HasStarted)
+                    {
+                        var feature = context.Features.Get<IForwarderErrorFeature>();
+                        app.Logger.LogWarning(
+                            feature?.Exception,
+                            "Back-office dev static proxy failed for {Url}: {Error}",
+                            context.Request.GetDisplayUrl(),
+                            error
+                        );
+                        context.Response.StatusCode = StatusCodes.Status502BadGateway;
+                    }
+                }
+            )
+        );
+        return app;
+    }
+
+    private static bool IsBackOfficeStaticRequest(HttpContext context, string backOfficeHostname)
+    {
+        if (!context.Request.Host.Host.Equals(backOfficeHostname, StringComparison.OrdinalIgnoreCase)) return false;
+
+        var path = context.Request.Path.Value;
+        if (string.IsNullOrEmpty(path)) return false;
+
+        // /static/* covers all bundled JS/CSS chunks. /rsbuild-hmr is rsbuild's HMR WebSocket endpoint
+        // (HTTP upgrade is handled by IHttpForwarder). The .hot-update.{ext} pattern catches HMR-delta
+        // chunks rsbuild emits at the SPA root rather than under /static.
+        if (path.StartsWith("/static/", StringComparison.OrdinalIgnoreCase)) return true;
+        if (path.StartsWith("/rsbuild-hmr", StringComparison.OrdinalIgnoreCase)) return true;
+        if (path.Contains(".hot-update.", StringComparison.OrdinalIgnoreCase)) return true;
+
+        return false;
+    }
+}

application/account/Api/Program.cs

@@ -1,5 +1,6 @@
 using System.Security.Claims;
 using Account;
+using Account.Api;
 using Microsoft.Extensions.Options;
 using SharedKernel.Authentication;
 using SharedKernel.Authentication.BackOfficeIdentity;
@@ -19,7 +20,8 @@
 // Configure dependency injection services like Repositories, MediatR, Pipelines, FluentValidation validators, etc.
 builder.Services
     .AddApiServices([Assembly.GetExecutingAssembly(), Configuration.Assembly], ApiDocumentLayout.AccountAndBackOffice)
-    .AddAccountServices();
+    .AddAccountServices()
+    .AddBackOfficeDevStaticProxy();
 
 var app = builder.Build();
 
@@ -52,6 +54,11 @@
     app.MapGet("/login", Results.Unauthorized).RequireHost(backOfficeHostname);
 }
 
+// Dev-only: forward back-office static-asset and HMR traffic on the back-office Kestrel listener to
+// the rsbuild dev server. Registered before UseApiServices so the conditional branch short-circuits
+// matching requests before the auth-gated SPA fallback.
+app.UseBackOfficeDevStaticProxy(backOfficeHostname);
+
 app
     .UseApiServices() // Add common configuration for all APIs like Swagger, HSTS, and DeveloperExceptionPage.
     .UseHostScopedSinglePageAppFallback(