@commonpub/layer 0.73.3 → 0.74.0

package/composables/useAuth.ts

@@ -80,11 +80,16 @@ export function useAuth() {
     if (import.meta.server) return;
     try {
       const data = await authGet('/api/me');
+      // A *successful* response is authoritative: it reflects the real session
+      // (a logged-out user gets `{ user: null }`), so mirror it exactly.
       user.value = data?.user ?? null;
       session.value = data?.session ?? null;
     } catch {
-      user.value = null;
-      session.value = null;
+      // A *thrown* error means we couldn't reach /api/me (network blip, 5xx, a
+      // slow/overloaded server timing out). That is NOT evidence the session is
+      // gone — clearing auth here spuriously logs the user out on any transient
+      // hiccup. Keep the SSR-hydrated state; the next successful refresh
+      // reconciles it.
     }
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@commonpub/layer",
-  "version": "0.73.3",
+  "version": "0.74.0",
   "type": "module",
   "main": "./nuxt.config.ts",
   "files": [
@@ -53,17 +53,17 @@
     "vue": "^3.4.0",
     "vue-router": "^4.3.0",
     "zod": "^4.3.6",
-    "@commonpub/auth": "0.8.0",
-    "@commonpub/docs": "0.6.3",
     "@commonpub/config": "0.22.1",
-    "@commonpub/editor": "0.7.11",
+    "@commonpub/protocol": "0.13.0",
     "@commonpub/explainer": "0.7.15",
+    "@commonpub/schema": "0.41.0",
     "@commonpub/learning": "0.5.2",
-    "@commonpub/protocol": "0.13.0",
-    "@commonpub/schema": "0.40.1",
+    "@commonpub/ui": "0.13.1",
     "@commonpub/server": "2.84.1",
+    "@commonpub/auth": "0.8.0",
+    "@commonpub/docs": "0.6.3",
     "@commonpub/theme-studio": "0.6.1",
-    "@commonpub/ui": "0.13.1"
+    "@commonpub/editor": "0.7.12"
   },
   "devDependencies": {
     "@testing-library/jest-dom": "^6.9.1",

package/pages/contests/[slug]/edit.vue

@@ -10,7 +10,12 @@ const toast = useToast();
 const { extract: extractError } = useApiError();
 const { user, isAdmin } = useAuth();
 
-const { data: contest, refresh } = useLazyFetch(`/api/contests/${slug}`);
+const { data: contest, refresh, status: contestStatus } = useLazyFetch(`/api/contests/${slug}`);
+// `useLazyFetch` doesn't block navigation, so on a client-side nav (clicking
+// "Edit Contest") `contest` is null until the fetch resolves. Without this we'd
+// render the "Contest not found" branch during that window — which reads as a
+// broken link. Treat idle/pending as "loading", not "not found".
+const contestLoading = computed(() => contestStatus.value === 'idle' || contestStatus.value === 'pending');
 const isOwner = computed(() => isAdmin.value || !!(user.value?.id && contest.value?.createdById === user.value.id));
 useSeoMeta({ title: () => `Edit: ${contest.value?.title ?? 'Contest'}, ${useSiteName()}` });
 
@@ -344,12 +349,12 @@ async function transitionStatus(newStatus: string): Promise<void> {
         </div>
         <div class="cpub-form-field">
           <label class="cpub-form-label">Description</label>
-          <textarea v-model="description" class="cpub-form-textarea" rows="4" />
+          <textarea v-model="description" class="cpub-form-textarea" rows="4" maxlength="50000" />
           <p class="cpub-form-hint">Supports Markdown (headings, lists, bold, links) and inline HTML. Shown formatted on the contest page.</p>
         </div>
         <div class="cpub-form-field">
           <label class="cpub-form-label">Rules</label>
-          <textarea v-model="rules" class="cpub-form-textarea" rows="6" placeholder="One rule per line, or full Markdown" />
+          <textarea v-model="rules" class="cpub-form-textarea" rows="6" maxlength="50000" placeholder="One rule per line, or full Markdown" />
           <p class="cpub-form-hint">Supports Markdown. Plain one-rule-per-line text is rendered as a numbered list.</p>
         </div>
         <div class="cpub-form-field">
@@ -438,7 +443,7 @@ async function transitionStatus(newStatus: string): Promise<void> {
         <p class="cpub-form-hint">Every field is optional. Use <strong>place</strong> for ranked prizes, a <strong>category</strong> for themed awards, or just a <strong>description</strong>, whatever fits. Cash value is optional.</p>
         <div class="cpub-form-field">
           <label class="cpub-form-label">Prizes overview (optional)</label>
-          <textarea v-model="prizesDescription" class="cpub-form-textarea" rows="3" placeholder="Intro shown above the prize cards. Supports Markdown." />
+          <textarea v-model="prizesDescription" class="cpub-form-textarea" rows="3" maxlength="50000" placeholder="Intro shown above the prize cards. Supports Markdown." />
           <p class="cpub-form-hint">Markdown intro displayed on the Prizes tab, above the individual prizes.</p>
         </div>
         <div v-for="(prize, i) in prizes" :key="i" class="cpub-prize-row">
@@ -626,6 +631,7 @@ async function transitionStatus(newStatus: string): Promise<void> {
       </div>
     </form>
   </div>
+  <div v-else-if="contestLoading" class="cpub-not-found"><p>Loading contest…</p></div>
   <div v-else class="cpub-not-found"><p>Contest not found</p></div>
 </template>
 

package/pages/contests/create.vue

@@ -187,12 +187,12 @@ function prizeLabel(prize: Prize): string {
         </div>
         <div class="cpub-form-field">
           <label for="contest-desc" class="cpub-form-label">Description</label>
-          <textarea id="contest-desc" v-model="description" class="cpub-form-textarea" rows="4" placeholder="Describe your contest. Supports Markdown, # headings, - lists, **bold**, [links](url)…" />
+          <textarea id="contest-desc" v-model="description" class="cpub-form-textarea" rows="4" maxlength="50000" placeholder="Describe your contest. Supports Markdown, # headings, - lists, **bold**, [links](url)…" />
           <p class="cpub-form-hint">Supports Markdown (headings, lists, bold, links) and inline HTML. Shown formatted on the contest page.</p>
         </div>
         <div class="cpub-form-field">
           <label for="contest-rules" class="cpub-form-label">Rules</label>
-          <textarea id="contest-rules" v-model="rules" class="cpub-form-textarea" rows="6" placeholder="Contest rules and requirements. Supports Markdown, one rule per line, or full Markdown." />
+          <textarea id="contest-rules" v-model="rules" class="cpub-form-textarea" rows="6" maxlength="50000" placeholder="Contest rules and requirements. Supports Markdown, one rule per line, or full Markdown." />
           <p class="cpub-form-hint">Supports Markdown. Plain one-rule-per-line text is rendered as a numbered list.</p>
         </div>
         <div class="cpub-form-field">
@@ -336,7 +336,7 @@ function prizeLabel(prize: Prize): string {
         <p class="cpub-form-hint">Contests don't need prizes, leave this empty to skip them entirely. If you do add prizes, every field is optional: use <strong>place</strong> for ranked prizes (1st/2nd/3rd), a <strong>category</strong> for themed awards (e.g. "Best in Show"), or just a <strong>description</strong>. Cash value is optional.</p>
         <div class="cpub-form-field">
           <label for="prizes-desc" class="cpub-form-label">Prizes overview (optional)</label>
-          <textarea id="prizes-desc" v-model="prizesDescription" class="cpub-form-textarea" rows="3" placeholder="Intro shown above the prize cards. Supports Markdown." />
+          <textarea id="prizes-desc" v-model="prizesDescription" class="cpub-form-textarea" rows="3" maxlength="50000" placeholder="Intro shown above the prize cards. Supports Markdown." />
           <p class="cpub-form-hint">Markdown intro displayed on the Prizes tab, above the individual prizes.</p>
         </div>
         <div v-for="(prize, idx) in prizes" :key="idx" class="cpub-prize-card">

package/server/utils/validate.ts

@@ -9,10 +9,34 @@ import type { ZodType } from 'zod';
 const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 const SLUG_REGEX = /^[a-z0-9][a-z0-9-]*$/;
 
+/**
+ * Hard ceiling on JSON request bodies (10 MB). Every JSON write route funnels
+ * through `parseBody`, so this one guard caps them all. It rejects on the
+ * `Content-Length` header *before* `readBody` buffers + `JSON.parse`s the
+ * payload — both synchronous, event-loop-blocking, memory-spiking operations.
+ * A pathological body (e.g. a giant blob pasted/scripted into a write) is what
+ * can stall or OOM-restart the server; this stops it at the door.
+ *
+ * The ceiling is deliberately generous, NOT tight: some content bodies are
+ * legitimately large and *unbounded* at the schema layer (`content` is
+ * `z.unknown()` for articles/projects/docs), so a low cap would reject real
+ * saves. 10MB is impossible for a single legitimate document (~6000 pages of
+ * text) yet still kills the truly catastrophic payload. The per-field Zod
+ * `.max()` caps (e.g. contest text at `CONTEST_RICH_TEXT_MAX`) are the real
+ * semantic bound *within* this envelope. Multipart uploads use
+ * `readMultipartFormData` (not `parseBody`) and are bounded separately by
+ * `validateUpload`, so they are unaffected.
+ */
+const MAX_JSON_BODY_BYTES = 10_000_000;
+
 type ParamType = 'uuid' | 'slug' | 'string';
 
-/** Parse and validate request body against a Zod schema. Throws 400 on failure. */
+/** Parse and validate request body against a Zod schema. Throws 400 on failure, 413 if oversized. */
 export async function parseBody<T>(event: H3Event, schema: ZodType<T>): Promise<T> {
+  const declaredLength = Number(getRequestHeader(event, 'content-length') ?? 0);
+  if (Number.isFinite(declaredLength) && declaredLength > MAX_JSON_BODY_BYTES) {
+    throw createError({ statusCode: 413, statusMessage: 'Payload too large' });
+  }
   const body = await readBody(event);
   const parsed = schema.safeParse(body);
   if (!parsed.success) {