@commonpub/layer 0.21.2 → 0.21.3

package/components/blocks/BlockBuildStepView.vue

@@ -44,7 +44,13 @@ const hasChildren = computed(() => children.value.length > 0);
       <span v-if="time" class="cpub-step-time"><i class="fa-regular fa-clock"></i> {{ time }}</span>
     </div>
     <div v-if="hasChildren" class="cpub-step-body">
-      <BlockContentRenderer :blocks="children" />
+      <!-- Nuxt pathPrefix auto-imports components/blocks/BlockContentRenderer.vue
+           under the name BlocksBlockContentRenderer (the Blocks dir prefix only
+           de-dups when the filename starts with it). The bare tag would not
+           resolve and would silently blank nested step content. A static import
+           is not an option here: BlockContentRenderer and BlockBuildStepView are
+           mutually recursive (ESM cycle). Use the auto-import name. -->
+      <BlocksBlockContentRenderer :blocks="children" />
     </div>
   </div>
 </template>

package/components/views/ProjectView.vue

@@ -509,7 +509,10 @@ async function handleBuild(): Promise<void> {
                     <span v-if="step.time" class="cpub-build-step-time"><i class="fa-regular fa-clock"></i> {{ step.time }}</span>
                   </div>
                   <div v-if="step.children.length > 0" class="cpub-build-step-body">
-                    <BlockContentRenderer :blocks="step.children" />
+                    <!-- Auto-import name (same as the body renderer above); the
+                         bare BlockContentRenderer tag does not resolve under
+                         Nuxt pathPrefix and silently blanks nested content. -->
+                    <BlocksBlockContentRenderer :blocks="step.children" />
                   </div>
                 </div>
               </div>

package/layouts/default.vue

@@ -1,5 +1,11 @@
 <script setup lang="ts">
 import type { NavItem } from '@commonpub/server';
+// Explicit import: Nuxt's pathPrefix auto-import names this component
+// `<NavMobileNavRenderer>` (the `nav/` dir prefix only de-duplicates when
+// the filename starts with `Nav`, which `MobileNavRenderer` does not).
+// Referencing `<MobileNavRenderer>` below would otherwise silently fail to
+// resolve, leaving the mobile hamburger menu empty.
+import MobileNavRenderer from '../components/nav/MobileNavRenderer.vue';
 
 const { user, isAuthenticated, isAdmin, signOut, refreshSession } = useAuth();
 const { count: unreadCount, connect: connectNotifications, disconnect: disconnectNotifications } = useNotifications();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@commonpub/layer",
-  "version": "0.21.2",
+  "version": "0.21.3",
   "type": "module",
   "main": "./nuxt.config.ts",
   "files": [
@@ -50,16 +50,16 @@
     "vue": "^3.4.0",
     "vue-router": "^4.3.0",
     "zod": "^4.3.6",
-    "@commonpub/config": "0.12.0",
+    "@commonpub/auth": "0.6.0",
+    "@commonpub/docs": "0.6.3",
+    "@commonpub/learning": "0.5.2",
     "@commonpub/editor": "0.7.9",
     "@commonpub/explainer": "0.7.12",
-    "@commonpub/learning": "0.5.2",
-    "@commonpub/server": "2.51.0",
-    "@commonpub/auth": "0.6.0",
-    "@commonpub/ui": "0.8.5",
-    "@commonpub/protocol": "0.9.9",
     "@commonpub/schema": "0.16.0",
-    "@commonpub/docs": "0.6.2"
+    "@commonpub/ui": "0.8.5",
+    "@commonpub/protocol": "0.9.10",
+    "@commonpub/server": "2.53.0",
+    "@commonpub/config": "0.12.0"
   },
   "devDependencies": {
     "@testing-library/jest-dom": "^6.9.1",

package/server/api/files/upload-from-url.post.ts

@@ -1,5 +1,5 @@
 import { z } from 'zod';
-import { createStorageFromEnv, generateStorageKey, validateUpload, ALLOWED_IMAGE_TYPES } from '@commonpub/server';
+import { createStorageFromEnv, generateStorageKey, ALLOWED_IMAGE_TYPES, safeFetchBinary } from '@commonpub/server';
 
 const schema = z.object({
   url: z.string().url(),
@@ -7,62 +7,36 @@ const schema = z.object({
 });
 
 export default defineEventHandler(async (event) => {
-  const user = requireAuth(event);
+  requireAuth(event);
   const { url, purpose } = await parseBody(event, schema);
 
-  // SSRF protection — block private/internal IPs
-  const parsed = new URL(url);
-  const hostname = parsed.hostname.toLowerCase();
-  const h = hostname.replace(/^\[|\]$/g, '');
-  if (
-    h === 'localhost' ||
-    h === 'localhost.localdomain' ||
-    h === 'metadata.google.internal' ||
-    h.endsWith('.local') ||
-    /^127\./.test(h) ||
-    /^10\./.test(h) ||
-    /^172\.(1[6-9]|2\d|3[01])\./.test(h) ||
-    /^192\.168\./.test(h) ||
-    /^169\.254\./.test(h) ||
-    /^0\./.test(h) ||
-    h === '::1' ||
-    /^f[cd]/i.test(h) ||
-    /^fe80/i.test(h)
-  ) {
-    throw createError({ statusCode: 400, statusMessage: 'Cannot fetch from private/local addresses' });
-  }
-
-  // Download the remote image
-  const controller = new AbortController();
-  const timeout = setTimeout(() => controller.abort(), 10_000); // 10s timeout
-
-  let response: Response;
+  // SSRF-safe fetch: blocks private/reserved/numeric hosts and non-HTTP(S)
+  // schemes, re-validates every redirect hop, and enforces a 10 MB streaming
+  // cap + deadline. Replaces a hand-rolled denylist that missed redirect
+  // re-validation, IPv4-mapped IPv6, and numeric-IP encodings.
+  let buffer: Buffer;
+  let contentType: string;
   try {
-    response = await fetch(url, {
-      signal: controller.signal,
-      headers: { 'User-Agent': 'devEco.io Image Fetcher' },
-    });
+    ({ buffer, contentType } = await safeFetchBinary(url, {
+      accept: 'image/*',
+      userAgent: 'CommonPub/1.0 (image-upload)',
+      timeoutMs: 10_000,
+    }));
   } catch (err) {
+    const msg = err instanceof Error ? err.message : '';
+    if (msg.includes('private or reserved')) {
+      throw createError({ statusCode: 400, statusMessage: 'Cannot fetch from private/local addresses' });
+    }
+    if (msg === 'Response too large') {
+      throw createError({ statusCode: 400, statusMessage: 'Image too large (max 10MB)' });
+    }
     throw createError({ statusCode: 400, statusMessage: 'Failed to fetch remote image' });
-  } finally {
-    clearTimeout(timeout);
   }
 
-  if (!response.ok) {
-    throw createError({ statusCode: 400, statusMessage: `Remote server returned ${response.status}` });
-  }
-
-  const contentType = response.headers.get('content-type') || '';
   if (![...ALLOWED_IMAGE_TYPES].some((t: string) => contentType.startsWith(t))) {
     throw createError({ statusCode: 400, statusMessage: `Unsupported image type: ${contentType}` });
   }
 
-  const buffer = Buffer.from(await response.arrayBuffer());
-  const maxSize = 10 * 1024 * 1024; // 10MB
-  if (buffer.length > maxSize) {
-    throw createError({ statusCode: 400, statusMessage: 'Image too large (max 10MB)' });
-  }
-
   // Upload to storage
   const storage = createStorageFromEnv();
   const ext = contentType.split('/')[1] || 'jpg';

package/server/middleware/auth.ts

@@ -113,6 +113,7 @@ export default defineEventHandler(async (event) => {
   // Handle auth API routes — skip custom routes that Nitro handles directly
   const isCustomAuthRoute = pathname.startsWith('/api/auth/federated/')
     || pathname.startsWith('/api/auth/oauth2/')
+    || pathname.startsWith('/api/auth/mastodon/')
     || pathname === '/api/auth/sign-in-username'
     || pathname === '/api/auth/delete-user'
     || pathname === '/api/auth/export-data';