protect serving SSR assets in production

lib/core/renderer.js

@@ -24,6 +24,27 @@ const parseTemplate = templateStr => _.template(templateStr, {
   interpolate: /{{([\s\S]+?)}}/g
 })
 
+const resourceMap = [
+  {
+    key: 'clientManifest',
+    fileName: 'vue-ssr-client-manifest.json',
+    transform: JSON.parse
+  },
+  {
+    key: 'serverBundle',
+    fileName: 'server-bundle.json',
+    transform: JSON.parse
+  },
+  {
+    key: 'appTemplate',
+    fileName: 'index.html',
+    transform: parseTemplate
+  }
+]
+
+// Protector utility against request to SSR bundle files
+const ssrResourceRegex = new RegExp(resourceMap.map(resource => resource.fileName).join('|'), 'i')
+
 export default class Renderer extends Tapable {
   constructor (nuxt) {
     super()
@@ -91,29 +112,15 @@ export default class Renderer extends Tapable {
     return this
   }
 
-  async loadResources (_fs = fs, isServer) {
+  async loadResources (_fs) {
     let distPath = resolve(this.options.buildDir, 'dist')
 
-    const resourceMap = {
-      clientManifest: {
-        path: join(distPath, 'vue-ssr-client-manifest.json'),
-        transform: JSON.parse
-      },
-      serverBundle: {
-        path: join(distPath, 'server-bundle.json'),
-        transform: JSON.parse
-      },
-      appTemplate: {
-        path: join(distPath, 'index.html'),
-        transform: parseTemplate
-      }
-    }
-
     let updated = []
 
-    Object.keys(resourceMap).forEach(resourceKey => {
-      let { path, transform } = resourceMap[resourceKey]
-      let rawKey = '$$' + resourceKey
+    resourceMap.forEach(({ key, fileName, transform }) => {
+      let rawKey = '$$' + key
+      const path = join(distPath, fileName)
+
       let rawData, data
       if (!_fs.existsSync(path)) {
         return // Resource not exists
@@ -128,8 +135,8 @@ export default class Renderer extends Tapable {
       if (!data) {
         return // Invalid data ?
       }
-      this.resources[resourceKey] = data
-      updated.push(resourceKey)
+      this.resources[key] = data
+      updated.push(key)
     })
 
     if (updated.length > 0) {
@@ -189,8 +196,7 @@ export default class Renderer extends Tapable {
       await this.serveStatic(req, res)
 
       // Serve .nuxt/dist/ files (only for production)
-      const isValidExtension = (req.url.slice(-3) === '.js') || (req.url.slice(-4) === '.css') || (req.url.slice(-4) === '.map')
-      if (!this.options.dev && isValidExtension) {
+      if (!this.options.dev && !ssrResourceRegex.test(req.url)) {
         const url = req.url
         if (req.url.indexOf(this.options.build.publicPath) === 0) {
           req.url = req.url.replace(this.options.build.publicPath, '/')