@autumnsgrove/groveengine 0.4.0 → 0.4.2

package/dist/auth/session.d.ts

@@ -40,3 +40,21 @@ export function parseSessionCookie(cookieHeader: string): string | null;
  * @returns {boolean} - Whether the user is allowed
  */
 export function isAllowedAdmin(email: string, allowedList: string): boolean;
+/**
+ * Verify that a user owns/has access to a tenant
+ * @param {Object} db - D1 database instance
+ * @param {string} tenantId - Tenant ID to check
+ * @param {string} userEmail - User's email address
+ * @returns {Promise<boolean>} - Whether the user owns the tenant
+ */
+export function verifyTenantOwnership(db: Object, tenantId: string, userEmail: string): Promise<boolean>;
+/**
+ * Get tenant ID with ownership verification
+ * Throws 403 if user doesn't own the tenant
+ * @param {Object} db - D1 database instance
+ * @param {string} tenantId - Tenant ID from request
+ * @param {Object} user - User object with email
+ * @returns {Promise<string>} - Verified tenant ID
+ * @throws {Error} - If unauthorized
+ */
+export function getVerifiedTenantId(db: Object, tenantId: string, user: Object): Promise<string>;

package/dist/auth/session.js

@@ -54,7 +54,7 @@ export function createSessionCookie(token, isProduction = true) {
     "Path=/",
     `Max-Age=${SESSION_DURATION_SECONDS}`,
     "HttpOnly",
-    "SameSite=Lax",
+    "SameSite=Strict",
   ];
 
   if (isProduction) {
@@ -69,7 +69,7 @@ export function createSessionCookie(token, isProduction = true) {
  * @returns {string} - Cookie header value
  */
 export function clearSessionCookie() {
-  return `${SESSION_COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax`;
+  return `${SESSION_COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; SameSite=Strict`;
 }
 
 /**
@@ -103,3 +103,65 @@ export function isAllowedAdmin(email, allowedList) {
   const allowed = allowedList.split(",").map((e) => e.trim().toLowerCase());
   return allowed.includes(email.toLowerCase());
 }
+
+/**
+ * Verify that a user owns/has access to a tenant
+ * @param {Object} db - D1 database instance
+ * @param {string} tenantId - Tenant ID to check
+ * @param {string} userEmail - User's email address
+ * @returns {Promise<boolean>} - Whether the user owns the tenant
+ */
+export async function verifyTenantOwnership(db, tenantId, userEmail) {
+  if (!tenantId || !userEmail) {
+    return false;
+  }
+
+  try {
+    const tenant = await db
+      .prepare("SELECT email FROM tenants WHERE id = ?")
+      .bind(tenantId)
+      .first();
+
+    if (!tenant) {
+      return false;
+    }
+
+    // Check if user email matches tenant owner email
+    return tenant.email.toLowerCase() === userEmail.toLowerCase();
+  } catch (error) {
+    console.error("Error verifying tenant ownership:", error);
+    return false;
+  }
+}
+
+/**
+ * Get tenant ID with ownership verification
+ * Throws 403 if user doesn't own the tenant
+ * @param {Object} db - D1 database instance
+ * @param {string} tenantId - Tenant ID from request
+ * @param {Object} user - User object with email
+ * @returns {Promise<string>} - Verified tenant ID
+ * @throws {Error} - If unauthorized
+ */
+export async function getVerifiedTenantId(db, tenantId, user) {
+  if (!tenantId) {
+    const err = new Error("Tenant ID required");
+    err.status = 400;
+    throw err;
+  }
+
+  if (!user?.email) {
+    const err = new Error("Unauthorized");
+    err.status = 401;
+    throw err;
+  }
+
+  const isOwner = await verifyTenantOwnership(db, tenantId, user.email);
+  if (!isOwner) {
+    const err = new Error("Access denied - you do not own this tenant");
+    err.status = 403;
+    throw err;
+  }
+
+  return tenantId;
+}

package/dist/components/custom/ContentWithGutter.svelte

@@ -76,13 +76,16 @@
 
 	/**
 	 * Calculate positions based on anchor locations, with collision detection
+	 * Uses getBoundingClientRect() for accurate positioning regardless of offset parent chains
 	 */
 	async function updatePositions() {
 		if (!gutterElement || !contentBodyElement) return;
 
 		await tick(); // Wait for DOM to update
 
-		const gutterTop = gutterElement.offsetTop;
+		// Use getBoundingClientRect for accurate relative positioning
+		// This works regardless of offset parent chains and CSS transforms
+		const gutterRect = gutterElement.getBoundingClientRect();
 
 		let lastBottom = 0; // Track the bottom edge of the last positioned item
 		const newOverflowingAnchors = [];
@@ -94,20 +97,24 @@
 			if (!el && import.meta.env.DEV) {
 				console.warn(`Anchor element not found for: ${anchor}`);
 			}
+			// Use getBoundingClientRect for consistent positioning
+			const elRect = el ? el.getBoundingClientRect() : null;
 			return {
 				anchor,
 				key: getKey(anchor),
 				element: el,
-				top: el ? el.offsetTop : Infinity
+				elementRect: elRect,
+				top: elRect ? elRect.top : Infinity
 			};
 		}).sort((a, b) => a.top - b.top);
 
-		anchorPositions.forEach(({ anchor, key, element }) => {
+		anchorPositions.forEach(({ anchor, key, element, elementRect }) => {
 			const groupEl = anchorGroupElements[key];
 
-			if (element && groupEl) {
-				// Desired position (aligned with anchor element)
-				let desiredTop = element.offsetTop - gutterTop;
+			if (element && elementRect && groupEl) {
+				// Calculate position relative to the gutter element's top
+				// This accounts for any content above the content-body (headers, etc.)
+				let desiredTop = elementRect.top - gutterRect.top;
 
 				// Get the height of this gutter group
 				const groupHeight = groupEl.offsetHeight;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@autumnsgrove/groveengine",
-  "version": "0.4.0",
+  "version": "0.4.2",
   "description": "Multi-tenant blog engine for Grove Platform. Features gutter annotations, markdown editing, magic code auth, and Cloudflare Workers deployment.",
   "author": "AutumnsGrove",
   "license": "MIT",
@@ -129,25 +129,6 @@
     "dist",
     "!dist/**/*.test.*"
   ],
-  "scripts": {
-    "dev": "vite dev",
-    "dev:wrangler": "wrangler pages dev -- vite dev",
-    "build": "vite build",
-    "build:package": "svelte-kit sync && svelte-package -o dist",
-    "package": "svelte-kit sync && svelte-package -o dist",
-    "prepublishOnly": "npm run package",
-    "preview": "vite preview",
-    "audit": "npm audit --audit-level=moderate",
-    "audit:fix": "npm audit fix",
-    "check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
-    "check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
-    "test": "vitest",
-    "test:ui": "vitest --ui",
-    "test:run": "vitest run",
-    "test:security": "vitest run tests/security",
-    "test:coverage": "vitest run --coverage",
-    "test:watch": "vitest watch"
-  },
   "peerDependencies": {
     "@sveltejs/kit": "^2.0.0",
     "svelte": "^5.0.0",
@@ -187,5 +168,23 @@
     "sonner": "^2.0.7",
     "svelte-sonner": "^1.0.7",
     "tailwind-merge": "^3.4.0"
+  },
+  "scripts": {
+    "dev": "vite dev",
+    "dev:wrangler": "wrangler pages dev -- vite dev",
+    "build": "vite build",
+    "build:package": "svelte-kit sync && svelte-package -o dist",
+    "package": "svelte-kit sync && svelte-package -o dist",
+    "preview": "vite preview",
+    "audit": "pnpm audit --audit-level=moderate",
+    "audit:fix": "pnpm audit --fix",
+    "check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
+    "check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
+    "test": "vitest",
+    "test:ui": "vitest --ui",
+    "test:run": "vitest run",
+    "test:security": "vitest run tests/security",
+    "test:coverage": "vitest run --coverage",
+    "test:watch": "vitest watch"
   }
-}
+}