@commonpub/layer 0.15.6 → 0.15.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@commonpub/layer",
-  "version": "0.15.6",
+  "version": "0.15.8",
   "type": "module",
   "main": "./nuxt.config.ts",
   "files": [
@@ -28,7 +28,7 @@
   },
   "dependencies": {
     "@aws-sdk/client-s3": "^3.1010.0",
-    "@commonpub/explainer": "^0.7.11",
+    "@commonpub/explainer": "^0.7.12",
     "@commonpub/schema": "^0.13.0",
     "@commonpub/server": "^2.43.0",
     "@tiptap/core": "^2.11.0",
@@ -53,12 +53,12 @@
     "vue": "^3.4.0",
     "vue-router": "^4.3.0",
     "zod": "^4.3.6",
+    "@commonpub/config": "0.10.0",
     "@commonpub/auth": "0.5.1",
     "@commonpub/editor": "0.7.9",
-    "@commonpub/config": "0.10.0",
-    "@commonpub/docs": "0.6.2",
     "@commonpub/learning": "0.5.0",
     "@commonpub/protocol": "0.9.9",
+    "@commonpub/docs": "0.6.2",
     "@commonpub/ui": "0.8.5"
   },
   "devDependencies": {

package/pages/[type]/index.vue

@@ -1,10 +1,19 @@
 <script setup lang="ts">
 import type { Serialized, ContentListItem, PaginatedResponse } from '@commonpub/server';
+import type { ContentType } from '../../composables/useContentTypes';
 
 const route = useRoute();
 const contentType = computed(() => route.params.type as string);
 const siteName = useSiteName();
 const { user } = useAuth();
+const { isTypeEnabled } = useContentTypes();
+
+// Hard 404 for any path that isn't an enabled content type — this catch-all
+// route would otherwise match /foo, /@username, /wp-admin, /.env, etc. and
+// render a broken empty listing with the URL segment as the "type".
+if (!isTypeEnabled(contentType.value as ContentType)) {
+  throw createError({ statusCode: 404, statusMessage: 'Not Found' });
+}
 
 useSeoMeta({
   title: () => `${contentType.value} — ${siteName}`,

package/server/api/content/index.get.ts

@@ -2,6 +2,11 @@ import { listContent } from '@commonpub/server';
 import type { PaginatedResponse, ContentListItem } from '@commonpub/server';
 import { contentFiltersSchema } from '@commonpub/schema';
 
+// Statuses a non-owner may request. Any other value (draft, scheduled, deleted,
+// etc.) is coerced to 'published' — the old behavior passed the filter through
+// verbatim, so /api/content?status=draft leaked every user's drafts.
+const PUBLIC_STATUSES = new Set(['published', 'archived']);
+
 export default defineEventHandler(async (event): Promise<PaginatedResponse<ContentListItem>> => {
   const db = useDB();
   const user = getOptionalUser(event);
@@ -11,9 +16,13 @@ export default defineEventHandler(async (event): Promise<PaginatedResponse<Conte
 
   const config = useConfig();
 
+  const resolvedStatus = isOwnContent
+    ? filters.status
+    : (filters.status && PUBLIC_STATUSES.has(filters.status) ? filters.status : 'published');
+
   return listContent(db, {
     ...filters,
-    status: isOwnContent ? filters.status : (filters.status ?? 'published'),
+    status: resolvedStatus,
     // Only show public content unless viewing own content
     visibility: isOwnContent ? filters.visibility : 'public',
   }, {

package/server/api/learn/index.get.ts

@@ -2,6 +2,10 @@ import { listPaths } from '@commonpub/server';
 import type { PaginatedResponse, LearningPathListItem } from '@commonpub/server';
 import { learningPathFiltersSchema } from '@commonpub/schema';
 
+// Statuses a non-owner may request. The old behavior passed filters.status
+// through verbatim, so /api/learn?status=draft leaked every author's drafts.
+const PUBLIC_STATUSES = new Set(['published', 'archived']);
+
 export default defineEventHandler(async (event): Promise<PaginatedResponse<LearningPathListItem>> => {
   const db = useDB();
   const user = getOptionalUser(event);
@@ -10,8 +14,12 @@ export default defineEventHandler(async (event): Promise<PaginatedResponse<Learn
   // Allow author to see their own drafts (same pattern as content API)
   const isOwnContent = filters.authorId && user?.id === filters.authorId;
 
+  const resolvedStatus = isOwnContent
+    ? filters.status
+    : (filters.status && PUBLIC_STATUSES.has(filters.status) ? filters.status : 'published');
+
   return listPaths(db, {
     ...filters,
-    status: isOwnContent ? filters.status : (filters.status ?? 'published'),
+    status: resolvedStatus,
   });
 });

package/server/middleware/mastodon-alias-redirect.ts

@@ -0,0 +1,45 @@
+import { users, hubs } from '@commonpub/schema';
+import { eq, and, isNull } from 'drizzle-orm';
+
+/**
+ * Redirect /@handle → canonical profile URL.
+ *
+ * WebFinger advertises `/@username` as the `profile-page` (Mastodon/Fediverse
+ * convention) — without this middleware, that URL falls through to the
+ * `[type]/index.vue` catchall and renders a broken content listing for
+ * "@usernames". Federated users clicking a CommonPub member's profile from
+ * Mastodon end up on a broken page.
+ *
+ * Matches /@{handle} exactly (no sub-paths). Looks up users first, then hubs
+ * (both are advertised via WebFinger). Misses 404.
+ */
+export default defineEventHandler(async (event) => {
+  const path = getRequestURL(event).pathname;
+  const match = path.match(/^\/@([a-zA-Z0-9._-]+)$/);
+  if (!match) return;
+
+  const handle = match[1]!;
+  const db = useDB();
+
+  const [user] = await db
+    .select({ username: users.username })
+    .from(users)
+    .where(and(eq(users.username, handle), isNull(users.deletedAt)))
+    .limit(1);
+
+  if (user) {
+    return sendRedirect(event, `/u/${user.username}`, 301);
+  }
+
+  const [hub] = await db
+    .select({ slug: hubs.slug })
+    .from(hubs)
+    .where(and(eq(hubs.slug, handle), isNull(hubs.deletedAt)))
+    .limit(1);
+
+  if (hub) {
+    return sendRedirect(event, `/hubs/${hub.slug}`, 301);
+  }
+
+  throw createError({ statusCode: 404, statusMessage: 'Not Found' });
+});