Improve bundle path resolution with secure server bundle locations

Major improvements to bundle_js_file_path logic:

**Security & Architecture:**
- Server bundles (SSR/RSC) now try secure non-public locations first:
  - ssr-generated/ (primary)
  - generated/server-bundles/ (secondary)
- Client bundles continue using manifest lookup as primary approach
- Prevents exposure of server-side logic in public directories

**Priority Order:**
- SERVER BUNDLES: secure locations → manifest → legacy public locations
- CLIENT BUNDLES: manifest → fallback locations (original behavior)
- Fixed priority order (normal case first, edge cases second)

**Code Quality:**
- Extracted complex method into smaller, focused private methods
- Reduced cyclomatic complexity and improved maintainability
- Added comprehensive test coverage for all scenarios
- Added ssr-generated/ to .gitignore

**Backwards Compatibility:**
- Legacy public locations still work as fallbacks
- Existing client bundle behavior unchanged
- Gradual migration path for server bundles

This addresses the core architectural issue where server bundles were
unnecessarily exposed in public directories while maintaining full
compatibility with existing setups.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: justin808

.gitignore

@@ -61,5 +61,8 @@ yalc.lock
 # Generated by ROR FS-based Registry
 generated
 
+# Server-side rendering generated bundles
+ssr-generated
+
 # Claude Code local settings
 .claude/settings.local.json

lib/react_on_rails/utils.rb

@@ -69,38 +69,11 @@ def self.server_bundle_path_is_http?
     end
 
     def self.bundle_js_file_path(bundle_name)
-      # Either:
-      # 1. Using same bundle for both server and client, so server bundle will be hashed in manifest
-      # 2. Using a different bundle (different Webpack config), so file is not hashed, and
-      #    bundle_js_path will throw so the default path is used without a hash.
-      # 3. The third option of having the server bundle hashed and a different configuration than
-      #    the client bundle is not supported for 2 reasons:
-      #    a. The webpack manifest plugin would have a race condition where the same manifest.json
-      #       is edited by both the webpack-dev-server
-      #    b. There is no good reason to hash the server bundle name.
+      # Priority order depends on bundle type:
+      # SERVER BUNDLES (normal case): Try secure non-public locations first, then manifest, then legacy
+      # CLIENT BUNDLES (normal case): Try manifest first, then fallback locations
       if ReactOnRails::PackerUtils.using_packer? && bundle_name != "manifest.json"
-        begin
-          ReactOnRails::PackerUtils.bundle_js_uri_from_packer(bundle_name)
-        rescue Shakapacker::Manifest::MissingEntryError
-          # When manifest lookup fails, try multiple fallback locations:
-          # 1. Environment-specific path (e.g., public/webpack/test)
-          # 2. Standard Shakapacker location (public/packs)
-          # 3. Generated assets path (for legacy setups)
-          fallback_locations = [
-            File.join(ReactOnRails::PackerUtils.packer_public_output_path, bundle_name),
-            File.join("public", "packs", bundle_name),
-            File.join(generated_assets_full_path, bundle_name)
-          ].uniq
-
-          # Return the first location where the bundle file actually exists
-          fallback_locations.each do |path|
-            expanded_path = File.expand_path(path)
-            return expanded_path if File.exist?(expanded_path)
-          end
-
-          # If none exist, return the environment-specific path (original behavior)
-          File.expand_path(fallback_locations.first)
-        end
+        bundle_js_file_path_with_packer(bundle_name)
       else
         # Default to the non-hashed name in the specified output directory, which, for legacy
         # React on Rails, this is the output directory picked up by the asset pipeline.
@@ -109,6 +82,71 @@ def self.bundle_js_file_path(bundle_name)
       end
     end
 
+    def self.bundle_js_file_path_with_packer(bundle_name)
+      is_server_bundle = server_bundle?(bundle_name)
+
+      if is_server_bundle
+        # NORMAL CASE for server bundles: Try secure non-public locations first
+        secure_path = try_secure_server_locations(bundle_name)
+        return secure_path if secure_path
+      end
+
+      # For client bundles OR server bundle fallback: Try manifest lookup
+      begin
+        ReactOnRails::PackerUtils.bundle_js_uri_from_packer(bundle_name)
+      rescue Shakapacker::Manifest::MissingEntryError
+        handle_missing_manifest_entry(bundle_name, is_server_bundle)
+      end
+    end
+
+    def self.server_bundle?(bundle_name)
+      bundle_name == ReactOnRails.configuration.server_bundle_js_file ||
+        bundle_name == ReactOnRails.configuration.rsc_bundle_js_file
+    end
+
+    def self.try_secure_server_locations(bundle_name)
+      secure_server_locations = [
+        File.join("ssr-generated", bundle_name),
+        File.join("generated", "server-bundles", bundle_name)
+      ]
+
+      secure_server_locations.each do |path|
+        expanded_path = File.expand_path(path)
+        return expanded_path if File.exist?(expanded_path)
+      end
+
+      nil
+    end
+
+    def self.handle_missing_manifest_entry(bundle_name, is_server_bundle)
+      # When manifest lookup fails, try multiple fallback locations:
+      # 1. Environment-specific path (e.g., public/webpack/test)
+      # 2. Standard Shakapacker location (public/packs)
+      # 3. Generated assets path (for legacy setups)
+      fallback_locations = [
+        File.join(ReactOnRails::PackerUtils.packer_public_output_path, bundle_name),
+        File.join("public", "packs", bundle_name),
+        File.join(generated_assets_full_path, bundle_name)
+      ].uniq
+
+      # Return the first location where the bundle file actually exists
+      fallback_locations.each do |path|
+        expanded_path = File.expand_path(path)
+        return expanded_path if File.exist?(expanded_path)
+      end
+
+      # If none exist, return appropriate default based on bundle type
+      if is_server_bundle
+        # For server bundles, prefer secure location as final fallback
+        File.expand_path(File.join("ssr-generated", bundle_name))
+      else
+        # For client bundles, use environment-specific path (original behavior)
+        File.expand_path(fallback_locations.first)
+      end
+    end
+    private_class_method :bundle_js_file_path_with_packer, :server_bundle?, :try_secure_server_locations,
+                         :handle_missing_manifest_entry
+
     def self.server_bundle_js_file_path
       return @server_bundle_path if @server_bundle_path && !Rails.env.development?
 

spec/react_on_rails/utils_spec.rb

@@ -103,6 +103,14 @@ def mock_dev_server_running
       end
 
       describe ".bundle_js_file_path" do
+        before do
+          # Mock configuration calls to avoid server bundle detection for regular client bundles
+          allow(ReactOnRails).to receive_message_chain("configuration.server_bundle_js_file")
+            .and_return("server-bundle.js")
+          allow(ReactOnRails).to receive_message_chain("configuration.rsc_bundle_js_file")
+            .and_return("rsc-bundle.js")
+        end
+
         subject do
           described_class.bundle_js_file_path("webpack-bundle.js")
         end
@@ -158,6 +166,64 @@ def mock_dev_server_running
                 expect(result).to eq(File.expand_path(env_specific_path))
               end
             end
+
+            context "with server bundle (SSR/RSC) file not in manifest" do
+              let(:server_bundle_name) { "server-bundle.js" }
+              let(:ssr_generated_path) { File.expand_path(File.join("ssr-generated", server_bundle_name)) }
+              let(:generated_server_path) do
+                File.expand_path(File.join("generated", "server-bundles", server_bundle_name))
+              end
+
+              before do
+                mock_missing_manifest_entry(server_bundle_name)
+                allow(ReactOnRails).to receive_message_chain("configuration.server_bundle_js_file")
+                  .and_return(server_bundle_name)
+              end
+
+              it "tries secure locations first for server bundles" do
+                allow(File).to receive(:exist?).and_call_original
+                allow(File).to receive(:exist?).with(ssr_generated_path).and_return(true)
+
+                result = described_class.bundle_js_file_path(server_bundle_name)
+                expect(result).to eq(ssr_generated_path)
+              end
+
+              it "tries generated/server-bundles as second secure location" do
+                allow(File).to receive(:exist?).and_call_original
+                allow(File).to receive(:exist?).with(ssr_generated_path).and_return(false)
+                allow(File).to receive(:exist?).with(generated_server_path).and_return(true)
+
+                result = described_class.bundle_js_file_path(server_bundle_name)
+                expect(result).to eq(generated_server_path)
+              end
+
+              it "falls back to ssr-generated location when no bundle exists anywhere" do
+                allow(File).to receive(:exist?).and_call_original
+                allow(File).to receive(:exist?).and_return(false)
+
+                result = described_class.bundle_js_file_path(server_bundle_name)
+                expect(result).to eq(ssr_generated_path)
+              end
+            end
+
+            context "with RSC bundle file not in manifest" do
+              let(:rsc_bundle_name) { "rsc-bundle.js" }
+              let(:ssr_generated_path) { File.expand_path(File.join("ssr-generated", rsc_bundle_name)) }
+
+              before do
+                mock_missing_manifest_entry(rsc_bundle_name)
+                allow(ReactOnRails).to receive_message_chain("configuration.rsc_bundle_js_file")
+                  .and_return(rsc_bundle_name)
+              end
+
+              it "treats RSC bundles as server bundles and tries secure locations first" do
+                allow(File).to receive(:exist?).and_call_original
+                allow(File).to receive(:exist?).with(ssr_generated_path).and_return(true)
+
+                result = described_class.bundle_js_file_path(rsc_bundle_name)
+                expect(result).to eq(ssr_generated_path)
+              end
+            end
           end
         end
 
@@ -204,14 +270,14 @@ def mock_dev_server_running
           include_context "with #{packer_type} enabled"
 
           context "with server file not in manifest", packer_type.to_sym do
-            it "returns the unhashed server path" do
+            it "returns the secure ssr-generated path for server bundles" do
               server_bundle_name = "server-bundle.js"
               mock_bundle_configs(server_bundle_name: server_bundle_name)
               mock_missing_manifest_entry(server_bundle_name)
 
               path = described_class.server_bundle_js_file_path
 
-              expect(path).to end_with("public/webpack/development/#{server_bundle_name}")
+              expect(path).to end_with("ssr-generated/#{server_bundle_name}")
             end
 
             context "with bundle file existing in standard location but not environment-specific location" do
@@ -235,7 +301,7 @@ def mock_dev_server_running
             end
 
             context "with bundle file not existing in any fallback location" do
-              it "returns the environment-specific path as final fallback" do
+              it "returns the secure ssr-generated path as final fallback for server bundles" do
                 server_bundle_name = "server-bundle.js"
                 mock_bundle_configs(server_bundle_name: server_bundle_name)
                 mock_missing_manifest_entry(server_bundle_name)
@@ -246,7 +312,7 @@ def mock_dev_server_running
 
                 path = described_class.server_bundle_js_file_path
 
-                expect(path).to end_with("public/webpack/development/#{server_bundle_name}")
+                expect(path).to end_with("ssr-generated/#{server_bundle_name}")
               end
             end
           end
@@ -303,14 +369,14 @@ def mock_dev_server_running
           include_context "with #{packer_type} enabled"
 
           context "with server file not in manifest", packer_type.to_sym do
-            it "returns the unhashed server path" do
+            it "returns the secure ssr-generated path for RSC bundles" do
               server_bundle_name = "rsc-bundle.js"
               mock_bundle_configs(rsc_bundle_name: server_bundle_name)
               mock_missing_manifest_entry(server_bundle_name)
 
               path = described_class.rsc_bundle_js_file_path
 
-              expect(path).to end_with("public/webpack/development/#{server_bundle_name}")
+              expect(path).to end_with("ssr-generated/#{server_bundle_name}")
             end
           end