@hasna/shortlinks 0.1.14 → 0.1.16

package/dist/server.js

@@ -49,11 +49,16 @@ function saveConfig(config) {
 `);
 }
 function updateConfig(patch) {
+  const current = loadConfig();
   const next = {
-    ...loadConfig(),
+    ...current,
     ...patch,
+    api: {
+      ...current.api,
+      ...patch.api
+    },
     cloudflare: {
-      ...loadConfig().cloudflare,
+      ...current.cloudflare,
       ...patch.cloudflare
     }
   };
@@ -156,6 +161,10 @@ var SQLITE_MIGRATIONS = [
   CREATE INDEX IF NOT EXISTS idx_clicks_domain ON clicks(domain_id);
   CREATE INDEX IF NOT EXISTS idx_clicks_clicked_at ON clicks(clicked_at);
   CREATE INDEX IF NOT EXISTS idx_clicks_updated ON clicks(updated_at);
+  `,
+  `
+  ALTER TABLE links ADD COLUMN max_uses INTEGER;
+  ALTER TABLE links ADD COLUMN used_count INTEGER NOT NULL DEFAULT 0;
   `
 ];
 
@@ -262,6 +271,8 @@ function linkFromRow(row) {
   return {
     ...row,
     active: Boolean(row.active),
+    max_uses: row.max_uses ?? null,
+    used_count: row.used_count ?? 0,
     metadata: parseJsonObject(row.metadata),
     short_url: formatShortUrl(row.hostname, row.slug, publicBaseUrl)
   };
@@ -292,6 +303,13 @@ function isoOrNull(input) {
     throw new Error(`Invalid date: ${input}`);
   return date.toISOString();
 }
+function normalizeMaxUses(value) {
+  if (value === null || value === undefined)
+    return null;
+  if (!Number.isInteger(value) || value <= 0)
+    throw new Error("maxUses must be a positive integer.");
+  return value;
+}
 
 class ShortlinksStore {
   database;
@@ -367,15 +385,16 @@ class ShortlinksStore {
     const timestamp = now();
     const machineId = getMachineId();
     const expiresAt = isoOrNull(input.expiresAt);
+    const maxUses = normalizeMaxUses(input.maxUses);
     const slug = input.slug ? normalizeSlug(input.slug) : this.generateAvailableSlug(domain.id, input.slugLength || DEFAULT_SLUG_LENGTH);
     try {
       this.database.db.query(`
         INSERT INTO links (
-          id, domain_id, slug, destination_url, title, active, expires_at, metadata,
+          id, domain_id, slug, destination_url, title, active, expires_at, max_uses, used_count, metadata,
           machine_id, synced_at, created_at, updated_at
         )
-        VALUES (?, ?, ?, ?, ?, 1, ?, ?, ?, NULL, ?, ?)
-      `).run(makeId("lnk"), domain.id, slug, destinationUrl, input.title || null, expiresAt, JSON.stringify(input.metadata || {}), machineId, timestamp, timestamp);
+        VALUES (?, ?, ?, ?, ?, 1, ?, ?, 0, ?, ?, NULL, ?, ?)
+      `).run(makeId("lnk"), domain.id, slug, destinationUrl, input.title || null, expiresAt, maxUses, JSON.stringify(input.metadata || {}), machineId, timestamp, timestamp);
     } catch (error) {
       const message = error instanceof Error ? error.message : String(error);
       if (message.includes("UNIQUE")) {
@@ -385,6 +404,19 @@ class ShortlinksStore {
     }
     return this.getLink(domain.hostname, slug);
   }
+  consumeLinkUse(link) {
+    const timestamp = now();
+    const result = this.database.db.query(`
+      UPDATE links
+      SET used_count = used_count + 1, updated_at = ?, synced_at = NULL
+      WHERE id = ?
+        AND active = 1
+        AND (max_uses IS NULL OR used_count < max_uses)
+    `).run(timestamp, link.id);
+    if (result.changes === 0)
+      return null;
+    return this.getLink(link.hostname, link.slug);
+  }
   listLinks(options = {}) {
     const params = [];
     let where = "WHERE 1 = 1";
@@ -538,6 +570,121 @@ function json(data, status = 200) {
     headers: { "content-type": "application/json; charset=utf-8" }
   });
 }
+function apiToken(options) {
+  return options.apiToken || process.env.SHORTLINKS_API_TOKEN || process.env.HASNA_SHORTLINKS_API_TOKEN || null;
+}
+function requestToken(request) {
+  const auth = request.headers.get("authorization") || "";
+  const bearer = auth.toLowerCase().startsWith("bearer ") ? auth.slice(7).trim() : "";
+  return bearer || request.headers.get("x-shortlinks-token") || request.headers.get("x-api-key");
+}
+function isAuthorized(request, options) {
+  const token = apiToken(options);
+  if (!token)
+    return true;
+  return requestToken(request) === token;
+}
+async function readJsonBody(request) {
+  try {
+    const parsed = await request.json();
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : {};
+  } catch {
+    return {};
+  }
+}
+function requireMethod(store, method) {
+  const fn = store[method];
+  if (typeof fn !== "function")
+    throw new Error(`Store does not support ${String(method)}.`);
+  return fn.bind(store);
+}
+async function handleApi(request, apiPath, store, options) {
+  if (apiPath === "/health") {
+    return json({ ok: true, service: "shortlinks", api_auth_required: Boolean(apiToken(options)), stats: await store.totalStats() });
+  }
+  if (!isAuthorized(request, options))
+    return json({ error: "Unauthorized" }, 401);
+  const url = new URL(request.url);
+  const segments = apiPath.replace(/^\/+|\/+$/g, "").split("/").filter(Boolean);
+  try {
+    if (apiPath === "/links" && request.method === "GET") {
+      const listLinks = requireMethod(store, "listLinks");
+      return json(await listLinks({
+        domain: url.searchParams.get("domain") || undefined,
+        activeOnly: url.searchParams.get("active") === "true",
+        limit: Number(url.searchParams.get("limit") || "100")
+      }));
+    }
+    if (apiPath === "/links" && request.method === "POST") {
+      const body = await readJsonBody(request);
+      const destinationUrl = String(body.destination_url || body.url || "");
+      if (!destinationUrl)
+        return json({ error: "destination_url is required" }, 400);
+      const createLink = requireMethod(store, "createLink");
+      return json(await createLink({
+        destinationUrl,
+        domain: typeof body.domain === "string" ? body.domain : undefined,
+        slug: typeof body.slug === "string" ? body.slug : undefined,
+        title: typeof body.title === "string" ? body.title : undefined,
+        expiresAt: typeof body.expires_at === "string" ? body.expires_at : typeof body.expires === "string" ? body.expires : undefined,
+        maxUses: typeof body.max_uses === "number" ? body.max_uses : typeof body.maxUses === "number" ? body.maxUses : undefined,
+        slugLength: typeof body.length === "number" ? body.length : undefined
+      }), 201);
+    }
+    if (segments[0] === "links" && segments[1] && request.method === "GET") {
+      const getLink = requireMethod(store, "getLink");
+      const domain = url.searchParams.get("domain") || undefined;
+      const link = domain ? await getLink(domain, segments[1]) : await getLink(segments[1]);
+      return link ? json(link) : json({ error: "Link not found." }, 404);
+    }
+    if (segments[0] === "links" && segments[1] && request.method === "DELETE") {
+      const deleteLink = requireMethod(store, "deleteLink");
+      const domain = url.searchParams.get("domain") || undefined;
+      return json(domain ? await deleteLink(domain, segments[1]) : await deleteLink(segments[1]));
+    }
+    if (segments[0] === "links" && segments[1] && segments[2] === "active" && request.method === "POST") {
+      const body = await readJsonBody(request);
+      const setLinkActive = requireMethod(store, "setLinkActive");
+      const domain = url.searchParams.get("domain") || undefined;
+      const active = Boolean(body.active);
+      return json(domain ? await setLinkActive(domain, segments[1], active) : await setLinkActive(segments[1], active));
+    }
+    if (apiPath === "/stats" && request.method === "GET") {
+      return json(await store.totalStats());
+    }
+    if (segments[0] === "stats" && segments[1] && request.method === "GET") {
+      const getStats = requireMethod(store, "getStats");
+      const domain = url.searchParams.get("domain") || undefined;
+      return json(domain ? await getStats(domain, segments[1]) : await getStats(segments[1]));
+    }
+    if (apiPath === "/domains" && request.method === "GET") {
+      const listDomains = requireMethod(store, "listDomains");
+      return json(await listDomains());
+    }
+    if (apiPath === "/domains" && request.method === "POST") {
+      const body = await readJsonBody(request);
+      const hostname2 = String(body.hostname || "");
+      if (!hostname2)
+        return json({ error: "hostname is required" }, 400);
+      const addDomain = requireMethod(store, "addDomain");
+      return json(await addDomain({
+        hostname: hostname2,
+        provider: typeof body.provider === "string" ? body.provider : "manual",
+        defaultDomain: Boolean(body.default_domain || body.default),
+        originUrl: typeof body.origin_url === "string" ? body.origin_url : undefined,
+        notes: typeof body.notes === "string" ? body.notes : undefined
+      }), 201);
+    }
+    if (segments[0] === "domains" && segments[1] && request.method === "GET") {
+      const getDomain = requireMethod(store, "getDomain");
+      const domain = await getDomain(segments[1]);
+      return domain ? json(domain) : json({ error: "Domain not found." }, 404);
+    }
+  } catch (error) {
+    return json({ error: error instanceof Error ? error.message : String(error) }, 400);
+  }
+  return json({ error: "Not found." }, 404);
+}
 function getHost(request, fallback) {
   const forwarded = request.headers.get("x-forwarded-host");
   const host = forwarded || request.headers.get("host") || fallback || "";
@@ -556,8 +703,13 @@ function createShortlinksHandler(options = {}) {
   const store = options.store || new ShortlinksStore(options.dbPath);
   const redirectStatus = options.redirectStatus || 302;
   const reservedPathPrefixes = new Set((options.reservedPathPrefixes ?? ["a"]).map((prefix) => prefix.toLowerCase()));
+  const apiPathPrefix = (options.apiPathPrefix || process.env.SHORTLINKS_API_PATH_PREFIX || "/api").replace(/\/+$/, "") || "/api";
   return async (request) => {
     const url = new URL(request.url);
+    if (url.pathname === apiPathPrefix || url.pathname.startsWith(`${apiPathPrefix}/`)) {
+      const apiPath = url.pathname.slice(apiPathPrefix.length) || "/";
+      return handleApi(request, apiPath, store, options);
+    }
     if (url.pathname === "/healthz") {
       return json({ ok: true, service: "shortlinks", stats: await store.totalStats() });
     }
@@ -590,7 +742,14 @@ function createShortlinksHandler(options = {}) {
       return json({ error: "Shortlink is disabled.", slug, host }, 410);
     if (isExpired(link))
       return json({ error: "Shortlink is expired.", slug, host }, 410);
-    await store.recordClick(link, {
+    if (link.max_uses !== null && link.used_count >= link.max_uses) {
+      return json({ error: "Shortlink max uses reached.", slug, host }, 410);
+    }
+    const consumed = store.consumeLinkUse ? await store.consumeLinkUse(link) : link;
+    if (!consumed) {
+      return json({ error: "Shortlink max uses reached.", slug, host }, 410);
+    }
+    await store.recordClick(consumed, {
       ip: getClientIp(request),
       userAgent: request.headers.get("user-agent"),
       referer: request.headers.get("referer"),

package/dist/storage.js

@@ -5139,17 +5139,31 @@ function saveConfig(config) {
 `);
 }
 function updateConfig(patch) {
+  const current = loadConfig();
   const next = {
-    ...loadConfig(),
+    ...current,
     ...patch,
+    api: {
+      ...current.api,
+      ...patch.api
+    },
     cloudflare: {
-      ...loadConfig().cloudflare,
+      ...current.cloudflare,
       ...patch.cloudflare
     }
   };
   saveConfig(next);
   return next;
 }
+function getApiBaseUrl(config = loadConfig()) {
+  const baseUrl = process.env.SHORTLINKS_API_URL || process.env.HASNA_SHORTLINKS_API_URL || config.api?.baseUrl || "";
+  return baseUrl ? baseUrl.replace(/\/+$/, "") : null;
+}
+function getApiToken(config = loadConfig()) {
+  const envName = config.api?.tokenEnv || "SHORTLINKS_API_TOKEN";
+  const token = process.env[envName] || process.env.SHORTLINKS_API_TOKEN || process.env.HASNA_SHORTLINKS_API_TOKEN || config.api?.token || "";
+  return token || null;
+}
 function normalizeHostname(input) {
   const raw = input.trim().toLowerCase();
   if (!raw)
@@ -5246,6 +5260,10 @@ var SQLITE_MIGRATIONS = [
   CREATE INDEX IF NOT EXISTS idx_clicks_domain ON clicks(domain_id);
   CREATE INDEX IF NOT EXISTS idx_clicks_clicked_at ON clicks(clicked_at);
   CREATE INDEX IF NOT EXISTS idx_clicks_updated ON clicks(updated_at);
+  `,
+  `
+  ALTER TABLE links ADD COLUMN max_uses INTEGER;
+  ALTER TABLE links ADD COLUMN used_count INTEGER NOT NULL DEFAULT 0;
   `
 ];
 
@@ -5351,6 +5369,10 @@ var PG_MIGRATIONS = [
   CREATE INDEX IF NOT EXISTS idx_clicks_domain ON clicks(domain_id);
   CREATE INDEX IF NOT EXISTS idx_clicks_clicked_at ON clicks(clicked_at);
   CREATE INDEX IF NOT EXISTS idx_clicks_updated ON clicks(updated_at);
+  `,
+  `
+  ALTER TABLE links ADD COLUMN IF NOT EXISTS max_uses INTEGER;
+  ALTER TABLE links ADD COLUMN IF NOT EXISTS used_count INTEGER NOT NULL DEFAULT 0;
   `
 ];
 

package/dist/store.d.ts

@@ -9,6 +9,7 @@ export declare class ShortlinksStore {
     getDomain(hostnameOrId: string): Domain | null;
     getDefaultDomain(): Domain | null;
     createLink(input: CreateLinkInput): Link;
+    consumeLinkUse(link: Link): Link | null;
     listLinks(options?: {
         domain?: string;
         activeOnly?: boolean;

package/dist/types.d.ts

@@ -23,6 +23,8 @@ export interface Link {
     title: string | null;
     active: boolean;
     expires_at: string | null;
+    max_uses: number | null;
+    used_count: number;
     metadata: Record<string, unknown>;
     machine_id: string | null;
     synced_at: string | null;
@@ -66,6 +68,7 @@ export interface CreateLinkInput {
     slug?: string;
     title?: string;
     expiresAt?: string;
+    maxUses?: number | null;
     metadata?: Record<string, unknown>;
     slugLength?: number;
 }

package/infra/aws-ec2-user-data.sh

@@ -9,6 +9,7 @@ export RDS_HOST="${RDS_HOST:-}"
 export RDS_USERNAME="${RDS_USERNAME:-}"
 export SHORTLINKS_DOMAIN="${SHORTLINKS_DOMAIN:-}"
 export ATTACHMENTS_ORIGIN="${ATTACHMENTS_ORIGIN:-}"
+export SHORTLINKS_API_PATH_PREFIX="${SHORTLINKS_API_PATH_PREFIX:-/_shortlinks/api}"
 
 : "${RDS_SECRET_ID:?Set RDS_SECRET_ID to the AWS Secrets Manager secret for the PostgreSQL database_url}"
 : "${SHORTLINKS_DOMAIN:?Set SHORTLINKS_DOMAIN to the public host served by Caddy}"
@@ -85,6 +86,7 @@ AWS_REGION=${AWS_REGION}
 RDS_SECRET_ID=${RDS_SECRET_ID}
 SHORTLINKS_DOMAIN=${SHORTLINKS_DOMAIN}
 SHORTLINKS_STORE=remote
+SHORTLINKS_API_PATH_PREFIX=${SHORTLINKS_API_PATH_PREFIX}
 SHORTLINKS_ENV
 chmod 640 /etc/default/shortlinks
 chown root:shortlinks /etc/default/shortlinks
@@ -114,7 +116,7 @@ WorkingDirectory=/var/lib/shortlinks
 Environment=HOME=/var/lib/shortlinks
 Environment=PATH=/var/lib/shortlinks/.bun/bin:/usr/local/bin:/usr/bin:/bin
 EnvironmentFile=/etc/default/shortlinks
-ExecStart=/usr/local/bin/shortlinks-env-exec shortlinks serve --remote --host 127.0.0.1 --port 8787 --default-host ${SHORTLINKS_DOMAIN}
+ExecStart=/usr/local/bin/shortlinks-env-exec shortlinks serve --remote --host 127.0.0.1 --port 8787 --default-host ${SHORTLINKS_DOMAIN} --api-path-prefix ${SHORTLINKS_API_PATH_PREFIX}
 Restart=always
 RestartSec=5
 
@@ -159,6 +161,10 @@ ${SHORTLINKS_DOMAIN} {
     reverse_proxy ${ATTACHMENTS_ORIGIN}
   }
 
+  handle /_shortlinks/* {
+    reverse_proxy 127.0.0.1:8787
+  }
+
   handle {
     reverse_proxy 127.0.0.1:8787
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/shortlinks",
-  "version": "0.1.14",
+  "version": "0.1.16",
   "description": "CLI-only shortlink manager for custom domains, click tracking, Cloudflare setup, and repo-native storage sync",
   "type": "module",
   "main": "dist/index.js",