@commonpub/layer 0.1.0

package/server/api/users/[username]/feed.xml.get.ts

@@ -0,0 +1,65 @@
+import { listContent, getUserByUsername } from '@commonpub/server';
+
+function escapeXml(str: string): string {
+  return str
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&apos;');
+}
+
+export default defineEventHandler(async (event) => {
+  const db = useDB();
+  const config = useRuntimeConfig();
+  const siteUrl = config.public.siteUrl as string;
+  const { username } = parseParams(event, { username: 'string' });
+
+
+  const user = await getUserByUsername(db, username);
+  if (!user) {
+    throw createError({ statusCode: 404, statusMessage: 'User not found' });
+  }
+
+  const { items } = await listContent(db, {
+    status: 'published',
+    authorId: user.id,
+    sort: 'recent',
+    limit: 50,
+  });
+
+  const displayName = user.displayName ?? user.username;
+  const lastBuildDate = items.length > 0
+    ? new Date(items[0].publishedAt ?? items[0].createdAt).toUTCString()
+    : new Date().toUTCString();
+
+  const rssItems = items.map((item) => {
+    const link = `${siteUrl}/${item.type}/${item.slug}`;
+    const pubDate = new Date(item.publishedAt ?? item.createdAt).toUTCString();
+    return `    <item>
+      <title>${escapeXml(item.title)}</title>
+      <link>${escapeXml(link)}</link>
+      <guid isPermaLink="true">${escapeXml(link)}</guid>
+      <pubDate>${pubDate}</pubDate>
+      <description>${escapeXml(item.description ?? '')}</description>
+      <category>${escapeXml(item.type)}</category>
+    </item>`;
+  });
+
+  const xml = `<?xml version="1.0" encoding="UTF-8"?>
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+  <channel>
+    <title>${escapeXml(displayName)} — CommonPub</title>
+    <link>${escapeXml(siteUrl)}/profile/${escapeXml(username)}</link>
+    <description>Content by ${escapeXml(displayName)}</description>
+    <language>en</language>
+    <lastBuildDate>${lastBuildDate}</lastBuildDate>
+    <atom:link href="${escapeXml(siteUrl)}/api/users/${escapeXml(username)}/feed.xml" rel="self" type="application/rss+xml"/>
+${rssItems.join('\n')}
+  </channel>
+</rss>`;
+
+  setResponseHeader(event, 'Content-Type', 'application/rss+xml; charset=utf-8');
+  setResponseHeader(event, 'Cache-Control', 'public, max-age=600, stale-while-revalidate=300');
+  return xml;
+});

package/server/api/users/[username]/follow.delete.ts

@@ -0,0 +1,15 @@
+import { getUserByUsername, unfollowUser } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<{ unfollowed: boolean }> => {
+  const db = useDB();
+  const user = requireAuth(event);
+  const { username } = parseParams(event, { username: 'string' });
+
+
+  const target = await getUserByUsername(db, username);
+  if (!target) {
+    throw createError({ statusCode: 404, statusMessage: 'User not found' });
+  }
+
+  return unfollowUser(db, user.id, target.id);
+});

package/server/api/users/[username]/follow.post.ts

@@ -0,0 +1,15 @@
+import { getUserByUsername, followUser } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<{ followed: boolean }> => {
+  const db = useDB();
+  const user = requireAuth(event);
+  const { username } = parseParams(event, { username: 'string' });
+
+
+  const target = await getUserByUsername(db, username);
+  if (!target) {
+    throw createError({ statusCode: 404, statusMessage: 'User not found' });
+  }
+
+  return followUser(db, user.id, target.id);
+});

package/server/api/users/[username]/followers.get.ts

@@ -0,0 +1,22 @@
+import { getUserByUsername, listFollowers } from '@commonpub/server';
+import type { PaginatedResponse, FollowUserItem } from '@commonpub/server';
+import { z } from 'zod';
+
+const paginationSchema = z.object({
+  limit: z.coerce.number().int().positive().max(100).optional(),
+  offset: z.coerce.number().int().min(0).optional(),
+});
+
+export default defineEventHandler(async (event): Promise<PaginatedResponse<FollowUserItem>> => {
+  const db = useDB();
+  const { username } = parseParams(event, { username: 'string' });
+  const query = parseQueryParams(event, paginationSchema);
+
+
+  const target = await getUserByUsername(db, username);
+  if (!target) {
+    throw createError({ statusCode: 404, statusMessage: 'User not found' });
+  }
+
+  return listFollowers(db, target.id, query);
+});

package/server/api/users/[username]/following.get.ts

@@ -0,0 +1,22 @@
+import { getUserByUsername, listFollowing } from '@commonpub/server';
+import type { PaginatedResponse, FollowUserItem } from '@commonpub/server';
+import { z } from 'zod';
+
+const paginationSchema = z.object({
+  limit: z.coerce.number().int().positive().max(100).optional(),
+  offset: z.coerce.number().int().min(0).optional(),
+});
+
+export default defineEventHandler(async (event): Promise<PaginatedResponse<FollowUserItem>> => {
+  const db = useDB();
+  const { username } = parseParams(event, { username: 'string' });
+  const query = parseQueryParams(event, paginationSchema);
+
+
+  const target = await getUserByUsername(db, username);
+  if (!target) {
+    throw createError({ statusCode: 404, statusMessage: 'User not found' });
+  }
+
+  return listFollowing(db, target.id, query);
+});

package/server/api/users/[username]/learning.get.ts

@@ -0,0 +1,18 @@
+import { getUserByUsername, getUserEnrollments, getUserCertificates } from '@commonpub/server';
+
+export default defineEventHandler(async (event) => {
+  const db = useDB();
+  const { username } = parseParams(event, { username: 'string' });
+
+  const profile = await getUserByUsername(db, username);
+  if (!profile) {
+    throw createError({ statusCode: 404, statusMessage: 'User not found' });
+  }
+
+  const [enrollments, certificates] = await Promise.all([
+    getUserEnrollments(db, profile.id),
+    getUserCertificates(db, profile.id),
+  ]);
+
+  return { enrollments, certificates };
+});

package/server/api/users/[username].get.ts

@@ -0,0 +1,25 @@
+import { getUserByUsername, isFollowing } from '@commonpub/server';
+import type { UserProfile } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<UserProfile & { isFollowing: boolean }> => {
+  const db = useDB();
+  const { username } = parseParams(event, { username: 'string' });
+
+  const profile = await getUserByUsername(db, username);
+  if (!profile) {
+    throw createError({ statusCode: 404, statusMessage: 'User not found' });
+  }
+
+  // Check if current user follows this profile
+  let followStatus = false;
+  try {
+    const auth = event.context.auth;
+    if (auth?.user?.id && auth.user.id !== profile.id) {
+      followStatus = await isFollowing(db, auth.user.id, profile.id);
+    }
+  } catch {
+    // Not authenticated — default to false
+  }
+
+  return { ...profile, isFollowing: followStatus };
+});

package/server/api/users/index.get.ts

@@ -0,0 +1,78 @@
+import { users, follows } from '@commonpub/schema';
+import { sql, desc, ilike, or, and, isNull } from 'drizzle-orm';
+import { z } from 'zod';
+import { escapeLike } from '@commonpub/server';
+
+const usersQuerySchema = z.object({
+  q: z.string().max(200).optional(),
+  search: z.string().max(200).optional(),
+  limit: z.coerce.number().int().positive().max(50).optional(),
+  offset: z.coerce.number().int().min(0).optional(),
+});
+
+export default defineEventHandler(async (event) => {
+  const db = useDB();
+  const query = parseQueryParams(event, usersQuerySchema);
+
+  const limit = query.limit ?? 20;
+  const offset = query.offset ?? 0;
+  const search = query.q || query.search;
+
+  const conditions = [isNull(users.deletedAt)];
+  if (search) {
+    const term = `%${escapeLike(search)}%`;
+    conditions.push(or(ilike(users.username, term), ilike(users.displayName, term))!);
+  }
+
+  const where = and(...conditions);
+
+  const rows = await db
+    .select({
+      id: users.id,
+      username: users.username,
+      displayName: users.displayName,
+      headline: users.headline,
+      avatarUrl: users.avatarUrl,
+      createdAt: users.createdAt,
+    })
+    .from(users)
+    .where(where)
+    .orderBy(desc(users.createdAt))
+    .limit(limit)
+    .offset(offset);
+
+  // Get follower counts in bulk
+  const userIds = rows.map((r) => r.id);
+  const followerCounts: Record<string, number> = {};
+
+  if (userIds.length > 0) {
+    const counts = await db
+      .select({
+        followingId: follows.followingId,
+        count: sql<number>`count(*)::int`,
+      })
+      .from(follows)
+      .where(sql`${follows.followingId} = ANY(ARRAY[${sql.join(userIds.map((id) => sql`${id}::uuid`), sql`, `)}])`)
+      .groupBy(follows.followingId);
+
+    for (const c of counts) {
+      followerCounts[c.followingId] = c.count;
+    }
+  }
+
+  const items = rows.map((r) => ({
+    id: r.id,
+    username: r.username,
+    displayName: r.displayName,
+    headline: r.headline,
+    avatarUrl: r.avatarUrl,
+    followerCount: followerCounts[r.id] ?? 0,
+  }));
+
+  const [countResult] = await db
+    .select({ count: sql<number>`count(*)::int` })
+    .from(users)
+    .where(where);
+
+  return { items, total: countResult?.count ?? items.length };
+});

package/server/api/videos/[id].get.ts

@@ -0,0 +1,18 @@
+import { getVideoById, incrementVideoViewCount } from '@commonpub/server';
+import type { VideoDetail } from '@commonpub/server';
+
+export default defineEventHandler(async (event) => {
+  const db = useDB();
+  const { id } = parseParams(event, { id: 'uuid' });
+  const video = await getVideoById(db, id);
+  if (!video) throw createError({ statusCode: 404, statusMessage: 'Video not found' });
+  await incrementVideoViewCount(db, id);
+  return {
+    ...video,
+    author: {
+      username: video.authorUsername,
+      displayName: video.authorName,
+      avatarUrl: video.authorAvatarUrl,
+    },
+  };
+});

package/server/api/videos/categories/[id].delete.ts

@@ -0,0 +1,15 @@
+import { deleteVideoCategory } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<{ success: boolean }> => {
+  requireAdmin(event);
+
+  const { id } = parseParams(event, { id: 'uuid' });
+
+  const db = useDB();
+  const deleted = await deleteVideoCategory(db, id);
+  if (!deleted) {
+    throw createError({ statusCode: 404, statusMessage: 'Category not found' });
+  }
+
+  return { success: true };
+});

package/server/api/videos/categories/[id].put.ts

@@ -0,0 +1,17 @@
+import { updateVideoCategory } from '@commonpub/server';
+import type { VideoCategoryItem } from '@commonpub/server';
+import { createVideoCategorySchema } from '@commonpub/schema';
+
+export default defineEventHandler(async (event): Promise<VideoCategoryItem> => {
+  requireAdmin(event);
+  const { id } = parseParams(event, { id: 'uuid' });
+  const input = await parseBody(event, createVideoCategorySchema.partial());
+
+  const db = useDB();
+  const result = await updateVideoCategory(db, id, input);
+  if (!result) {
+    throw createError({ statusCode: 404, statusMessage: 'Category not found' });
+  }
+
+  return result;
+});

package/server/api/videos/categories.get.ts

@@ -0,0 +1,7 @@
+import { listVideoCategories } from '@commonpub/server';
+import type { VideoCategoryItem } from '@commonpub/server';
+
+export default defineEventHandler(async (_event): Promise<VideoCategoryItem[]> => {
+  const db = useDB();
+  return listVideoCategories(db);
+});

package/server/api/videos/categories.post.ts

@@ -0,0 +1,11 @@
+import { createVideoCategory } from '@commonpub/server';
+import type { VideoCategoryItem } from '@commonpub/server';
+import { createVideoCategorySchema } from '@commonpub/schema';
+
+export default defineEventHandler(async (event): Promise<VideoCategoryItem> => {
+  requireAdmin(event);
+  const db = useDB();
+  const input = await parseBody(event, createVideoCategorySchema);
+
+  return createVideoCategory(db, input);
+});

package/server/api/videos/index.get.ts

@@ -0,0 +1,20 @@
+import { listVideos } from '@commonpub/server';
+import type { PaginatedResponse, VideoListItem } from '@commonpub/server';
+import { videoFiltersSchema } from '@commonpub/schema';
+
+export default defineEventHandler(async (event) => {
+  const db = useDB();
+  const filters = parseQueryParams(event, videoFiltersSchema);
+  const result = await listVideos(db, filters);
+  return {
+    ...result,
+    items: result.items.map((v) => ({
+      ...v,
+      author: {
+        username: v.authorUsername,
+        displayName: v.authorName,
+        avatarUrl: v.authorAvatarUrl,
+      },
+    })),
+  };
+});

package/server/api/videos/index.post.ts

@@ -0,0 +1,11 @@
+import { createVideo } from '@commonpub/server';
+import type { VideoDetail } from '@commonpub/server';
+import { createVideoSchema } from '@commonpub/schema';
+
+export default defineEventHandler(async (event): Promise<VideoDetail> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const input = await parseBody(event, createVideoSchema);
+
+  return createVideo(db, { ...input, authorId: user.id });
+});

package/server/middleware/auth.ts

@@ -0,0 +1,180 @@
+// Nitro middleware for authentication using @commonpub/auth
+import { createAuthMiddleware, type AuthLocals } from '@commonpub/auth';
+import { createAuth } from '@commonpub/auth';
+import { ConsoleEmailAdapter, SmtpEmailAdapter, ResendEmailAdapter, emailTemplates } from '@commonpub/server';
+import type { EmailAdapter } from '@commonpub/server';
+
+let authMiddleware: ReturnType<typeof createAuthMiddleware> | null = null;
+
+function createEmailAdapter(): EmailAdapter {
+  const runtimeConfig = useRuntimeConfig();
+  const adapter = (runtimeConfig.emailAdapter as string) || 'console';
+
+  if (adapter === 'smtp') {
+    const host = runtimeConfig.smtpHost as string;
+    const port = parseInt(runtimeConfig.smtpPort as string, 10) || 587;
+    const user = runtimeConfig.smtpUser as string;
+    const pass = runtimeConfig.smtpPass as string;
+    const from = runtimeConfig.smtpFrom as string;
+
+    if (!host || !user || !pass || !from) {
+      console.warn('[email] SMTP configured but missing credentials — falling back to console');
+      return new ConsoleEmailAdapter();
+    }
+
+    return new SmtpEmailAdapter({ host, port, user, pass, from });
+  }
+
+  if (adapter === 'resend') {
+    const apiKey = runtimeConfig.resendApiKey as string;
+    const from = runtimeConfig.resendFrom as string;
+
+    if (!apiKey || !from) {
+      console.warn('[email] Resend configured but missing API key or from address — falling back to console');
+      return new ConsoleEmailAdapter();
+    }
+
+    return new ResendEmailAdapter({ apiKey, from });
+  }
+
+  return new ConsoleEmailAdapter();
+}
+
+function getAuthMiddleware(): ReturnType<typeof createAuthMiddleware> {
+  if (authMiddleware) return authMiddleware;
+
+  const config = useConfig();
+  const db = useDB();
+  const runtimeConfig = useRuntimeConfig();
+  const siteUrl = (runtimeConfig.public?.siteUrl as string) || `https://${config.instance.domain}`;
+  const siteName = config.instance.name || 'CommonPub';
+
+  const emailAdapter = createEmailAdapter();
+
+  // In dev, trust any localhost origin so port changes don't break auth
+  const trustedOrigins = process.env.NODE_ENV !== 'production'
+    ? [siteUrl, 'http://localhost:3000', 'http://localhost:3001', 'http://localhost:3002', 'http://localhost:3003', 'http://localhost:3004', 'http://localhost:3005']
+    : [siteUrl];
+
+  const auth = createAuth({
+    config,
+    db: db as unknown as Parameters<typeof createAuth>[0]['db'],
+    secret: (() => {
+      const s = runtimeConfig.authSecret as string;
+      if (!s && process.env.NODE_ENV === 'production') {
+        throw new Error('AUTH_SECRET must be set in production');
+      }
+      return s || 'dev-secret-change-me';
+    })(),
+    baseURL: siteUrl,
+    trustedOrigins,
+    emailSender: {
+      async sendResetPasswordEmail(email: string, url: string, _token: string): Promise<void> {
+        const template = emailTemplates.passwordReset(siteName, url);
+        await emailAdapter.send({ ...template, to: email });
+      },
+      async sendVerificationEmail(email: string, url: string, _token: string): Promise<void> {
+        const template = emailTemplates.verification(siteName, url);
+        await emailAdapter.send({ ...template, to: email });
+      },
+    },
+  });
+
+  authMiddleware = createAuthMiddleware({ auth });
+  return authMiddleware;
+}
+
+declare module 'h3' {
+  interface H3EventContext {
+    auth: AuthLocals;
+  }
+}
+
+/**
+ * Enrich the session user with custom DB columns (role, username, status)
+ * that Better Auth doesn't include by default.
+ */
+async function enrichUser(auth: AuthLocals): Promise<void> {
+  if (!auth.user?.id) return;
+  try {
+    const db = useDB();
+    const { users } = await import('@commonpub/schema');
+    const { eq } = await import('drizzle-orm');
+    const [row] = await db.select({ role: users.role, username: users.username, status: users.status })
+      .from(users).where(eq(users.id, auth.user.id)).limit(1);
+    if (row) {
+      (auth.user as unknown as Record<string, unknown>).role = row.role;
+      (auth.user as unknown as Record<string, unknown>).username = row.username;
+      (auth.user as unknown as Record<string, unknown>).status = row.status;
+    }
+  } catch {
+    // Non-fatal — user just won't have role/username
+  }
+}
+
+export default defineEventHandler(async (event) => {
+  const pathname = getRequestURL(event).pathname;
+
+  // Skip auth for non-API routes and static assets
+  if (!pathname.startsWith('/api') && !pathname.startsWith('/_nuxt')) {
+    // Still resolve session for SSR pages
+    try {
+      const middleware = getAuthMiddleware();
+      const headers = getRequestHeaders(event);
+      const webHeaders = new Headers(headers as Record<string, string>);
+      event.context.auth = await middleware.resolveSession(webHeaders);
+      await enrichUser(event.context.auth);
+    } catch {
+      event.context.auth = { user: null, session: null };
+    }
+    return;
+  }
+
+  let middleware: ReturnType<typeof getAuthMiddleware>;
+  try {
+    middleware = getAuthMiddleware();
+  } catch {
+    // DB not connected — fail with a clear message
+    if (pathname.startsWith('/api/auth') || pathname.startsWith('/api/')) {
+      throw createError({
+        statusCode: 503,
+        statusMessage: 'Database unavailable. Check that PostgreSQL is running.',
+      });
+    }
+    event.context.auth = { user: null, session: null };
+    return;
+  }
+
+  // Handle auth API routes
+  if (pathname.startsWith('/api/auth')) {
+    try {
+      const response = await middleware.handleAuthRoute(
+        toWebRequest(event),
+        pathname,
+      );
+      if (response) {
+        return sendWebResponse(event, response);
+      }
+    } catch (err: unknown) {
+      console.error('[auth] Route handler error:', err instanceof Error ? err.message : err);
+      throw createError({
+        statusCode: 500,
+        statusMessage: 'Authentication service error',
+      });
+    }
+  }
+
+  // Resolve session for API requests
+  try {
+    const headers = getRequestHeaders(event);
+    const webHeaders = new Headers(headers as Record<string, string>);
+    event.context.auth = await middleware.resolveSession(webHeaders);
+    await enrichUser(event.context.auth);
+  } catch (err: unknown) {
+    // DB error during session resolution — don't silently eat it for API routes
+    if (pathname.startsWith('/api/')) {
+      console.error('[auth] Session resolution failed:', err instanceof Error ? err.message : err);
+    }
+    event.context.auth = { user: null, session: null };
+  }
+});

package/server/middleware/features.ts

@@ -0,0 +1,31 @@
+// Feature flag route gating — returns 404 for pages of disabled features.
+// API routes handle their own gating via requireFeature() in each handler.
+
+const ROUTE_FEATURE_MAP: Record<string, string> = {
+  '/learn': 'learning',
+  '/docs': 'docs',
+  '/videos': 'video',
+  '/admin': 'admin',
+  '/contests': 'contests',
+  '/explainer': 'explainers',
+};
+
+export default defineEventHandler((event) => {
+  const pathname = getRequestURL(event).pathname;
+
+  // Only gate page routes, not API/assets
+  if (pathname.startsWith('/api') || pathname.startsWith('/_nuxt') || pathname.startsWith('/__nuxt') || pathname.endsWith('_payload.json')) {
+    return;
+  }
+
+  for (const [prefix, feature] of Object.entries(ROUTE_FEATURE_MAP)) {
+    if (pathname === prefix || pathname.startsWith(prefix + '/')) {
+      const config = useConfig();
+      const flags = config.features as unknown as Record<string, boolean>;
+      if (!flags[feature]) {
+        throw createError({ statusCode: 404, statusMessage: 'Not Found' });
+      }
+      return;
+    }
+  }
+});

package/server/middleware/security.ts

@@ -0,0 +1,54 @@
+// Security middleware — rate limiting + security headers + CSP
+import { RateLimitStore, checkRateLimit, shouldSkipRateLimit, getSecurityHeaders, buildCspHeader, buildCspDirectives } from '@commonpub/server';
+
+const store = new RateLimitStore();
+const isDev = process.env.NODE_ENV !== 'production';
+
+export default defineEventHandler((event) => {
+  const url = getRequestURL(event);
+  const pathname = url.pathname;
+
+  // Skip rate limiting for static assets
+  if (shouldSkipRateLimit(pathname)) return;
+
+  // Skip rate limiting in development — SSR + HMR + prefetch burns through limits instantly
+  if (!isDev) {
+    const ip = getRequestHeader(event, 'x-forwarded-for')?.split(',')[0]?.trim()
+      || getRequestHeader(event, 'x-real-ip')
+      || 'unknown';
+
+    const userId = event.context.auth?.user?.id as string | undefined;
+    const { result, headers: rlHeaders } = checkRateLimit(store, ip, pathname, userId);
+
+    for (const [key, value] of Object.entries(rlHeaders)) {
+      setResponseHeader(event, key, value);
+    }
+
+    if (!result.allowed) {
+      throw createError({
+        statusCode: 429,
+        statusMessage: 'Too Many Requests',
+      });
+    }
+  }
+
+  // Security headers
+  const headers = getSecurityHeaders(isDev);
+  for (const [key, value] of Object.entries(headers)) {
+    setResponseHeader(event, key, value);
+  }
+
+  // Content Security Policy — skip for API responses (JSON doesn't need CSP)
+  if (!pathname.startsWith('/api/')) {
+    const cspDirectives = buildCspDirectives();
+    // Nuxt SSR emits inline scripts for payload hydration — unsafe-inline is required
+    cspDirectives['script-src'] = "'self' 'unsafe-inline'" + (isDev ? " 'unsafe-eval' blob:" : '');
+    cspDirectives['style-src'] = "'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://fonts.googleapis.com";
+    cspDirectives['font-src'] = "'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com";
+    if (isDev) {
+      cspDirectives['connect-src'] = "'self' ws: wss:";
+      cspDirectives['worker-src'] = "'self' blob:";
+    }
+    setResponseHeader(event, 'Content-Security-Policy', buildCspHeader(cspDirectives));
+  }
+});