@jant/core 0.3.18 → 0.3.20

package/dist/middleware/onboarding.js

@@ -1,7 +1,9 @@
 /**
  * Onboarding Middleware
  *
- * Redirects all requests to /setup if onboarding hasn't been completed.
+ * Redirects key page routes to /setup if onboarding hasn't been completed.
+ * Uses an allowlist approach: only explicitly listed page routes are redirected,
+ * so static assets, API endpoints, feeds, and other resources always pass through.
  * Caches the result in memory so the DB is only queried once per isolate lifetime.
  */ /** In-memory cache — persists across requests within a Worker isolate */ let onboardingComplete = false;
 /**
@@ -14,7 +16,7 @@
             return next();
         }
         const path = new URL(c.req.url).pathname;
-        if (shouldBypass(path)) {
+        if (!shouldRedirect(path)) {
             return next();
         }
         const isComplete = await c.var.services.settings.isOnboardingComplete();
@@ -25,8 +27,11 @@
         return c.redirect("/setup");
     };
 }
-function shouldBypass(path) {
-    return path === "/setup" || path === "/health" || path === "/signin" || path === "/signout" || path === "/reset" || path.startsWith("/api/auth/");
+/**
+ * Only these page routes are redirected to /setup during onboarding.
+ * Everything else (assets, API, feeds, media, etc.) passes through.
+ */ function shouldRedirect(path) {
+    return path === "/" || path === "/signin" || path === "/reset" || path.startsWith("/dash");
 }
 /**
  * Reset the onboarding cache. Only for testing.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jant/core",
-  "version": "0.3.18",
+  "version": "0.3.20",
   "description": "A modern, open-source microblogging platform built on Cloudflare Workers",
   "type": "module",
   "bin": {

package/src/middleware/__tests__/onboarding.test.ts

@@ -32,6 +32,7 @@ function createApp(complete: boolean) {
   // Register routes for testing
   app.get("/", (c) => c.text("Home"));
   app.get("/dash", (c) => c.text("Dashboard"));
+  app.get("/dash/posts", (c) => c.text("Posts"));
   app.get("/archive", (c) => c.text("Archive"));
   app.get("/p/abc", (c) => c.text("Post"));
   app.get("/setup", (c) => c.text("Setup"));
@@ -40,6 +41,11 @@ function createApp(complete: boolean) {
   app.get("/signout", (c) => c.text("Signout"));
   app.get("/reset", (c) => c.text("Reset"));
   app.get("/api/auth/session", (c) => c.json({ ok: true }));
+  app.get("/assets/client-B2b-1X3C.js", (c) => c.text("js"));
+  app.get("/feed", (c) => c.text("rss"));
+  app.get("/robots.txt", (c) => c.text("robots"));
+  app.get("/sitemap.xml", (c) => c.text("sitemap"));
+  app.get("/media/abc.jpg", (c) => c.text("image"));
 
   return { app, getCallCount: mock.getCallCount };
 }
@@ -49,25 +55,41 @@ describe("requireOnboarding", () => {
     resetOnboardingCache();
   });
 
-  it("redirects to /setup when onboarding not complete", async () => {
-    const { app } = createApp(false);
-    const res = await app.request("/", { redirect: "manual" });
-    expect(res.status).toBe(302);
-    expect(res.headers.get("Location")).toBe("/setup");
-  });
+  describe("redirected paths", () => {
+    it("redirects / to /setup when onboarding not complete", async () => {
+      const { app } = createApp(false);
+      const res = await app.request("/", { redirect: "manual" });
+      expect(res.status).toBe(302);
+      expect(res.headers.get("Location")).toBe("/setup");
+    });
 
-  it("redirects /dash to /setup when onboarding not complete", async () => {
-    const { app } = createApp(false);
-    const res = await app.request("/dash", { redirect: "manual" });
-    expect(res.status).toBe(302);
-    expect(res.headers.get("Location")).toBe("/setup");
-  });
+    it("redirects /dash to /setup when onboarding not complete", async () => {
+      const { app } = createApp(false);
+      const res = await app.request("/dash", { redirect: "manual" });
+      expect(res.status).toBe(302);
+      expect(res.headers.get("Location")).toBe("/setup");
+    });
+
+    it("redirects /dash/* to /setup when onboarding not complete", async () => {
+      const { app } = createApp(false);
+      const res = await app.request("/dash/posts", { redirect: "manual" });
+      expect(res.status).toBe(302);
+      expect(res.headers.get("Location")).toBe("/setup");
+    });
+
+    it("redirects /signin to /setup when onboarding not complete", async () => {
+      const { app } = createApp(false);
+      const res = await app.request("/signin", { redirect: "manual" });
+      expect(res.status).toBe(302);
+      expect(res.headers.get("Location")).toBe("/setup");
+    });
 
-  it("redirects /archive to /setup when onboarding not complete", async () => {
-    const { app } = createApp(false);
-    const res = await app.request("/archive", { redirect: "manual" });
-    expect(res.status).toBe(302);
-    expect(res.headers.get("Location")).toBe("/setup");
+    it("redirects /reset to /setup when onboarding not complete", async () => {
+      const { app } = createApp(false);
+      const res = await app.request("/reset", { redirect: "manual" });
+      expect(res.status).toBe(302);
+      expect(res.headers.get("Location")).toBe("/setup");
+    });
   });
 
   it("allows through when onboarding is complete", async () => {
@@ -97,45 +119,80 @@ describe("requireOnboarding", () => {
     expect(getCallCount()).toBe(2); // queried again
   });
 
-  describe("bypass paths", () => {
-    it("allows /setup without checking DB", async () => {
+  describe("non-redirected paths (pass through without DB check)", () => {
+    it("allows /setup", async () => {
       const { app, getCallCount } = createApp(false);
       const res = await app.request("/setup");
       expect(res.status).toBe(200);
       expect(getCallCount()).toBe(0);
     });
 
-    it("allows /health without checking DB", async () => {
+    it("allows /health", async () => {
       const { app, getCallCount } = createApp(false);
       const res = await app.request("/health");
       expect(res.status).toBe(200);
       expect(getCallCount()).toBe(0);
     });
 
-    it("allows /signin without checking DB", async () => {
+    it("allows /signout", async () => {
       const { app, getCallCount } = createApp(false);
-      const res = await app.request("/signin");
+      const res = await app.request("/signout");
       expect(res.status).toBe(200);
       expect(getCallCount()).toBe(0);
     });
 
-    it("allows /signout without checking DB", async () => {
+    it("allows /api/auth/*", async () => {
       const { app, getCallCount } = createApp(false);
-      const res = await app.request("/signout");
+      const res = await app.request("/api/auth/session");
       expect(res.status).toBe(200);
       expect(getCallCount()).toBe(0);
     });
 
-    it("allows /reset without checking DB", async () => {
+    it("allows /assets/*", async () => {
       const { app, getCallCount } = createApp(false);
-      const res = await app.request("/reset");
+      const res = await app.request("/assets/client-B2b-1X3C.js");
       expect(res.status).toBe(200);
       expect(getCallCount()).toBe(0);
     });
 
-    it("allows /api/auth/* without checking DB", async () => {
+    it("allows /feed", async () => {
       const { app, getCallCount } = createApp(false);
-      const res = await app.request("/api/auth/session");
+      const res = await app.request("/feed");
+      expect(res.status).toBe(200);
+      expect(getCallCount()).toBe(0);
+    });
+
+    it("allows /robots.txt", async () => {
+      const { app, getCallCount } = createApp(false);
+      const res = await app.request("/robots.txt");
+      expect(res.status).toBe(200);
+      expect(getCallCount()).toBe(0);
+    });
+
+    it("allows /sitemap.xml", async () => {
+      const { app, getCallCount } = createApp(false);
+      const res = await app.request("/sitemap.xml");
+      expect(res.status).toBe(200);
+      expect(getCallCount()).toBe(0);
+    });
+
+    it("allows /media/*", async () => {
+      const { app, getCallCount } = createApp(false);
+      const res = await app.request("/media/abc.jpg");
+      expect(res.status).toBe(200);
+      expect(getCallCount()).toBe(0);
+    });
+
+    it("allows /archive", async () => {
+      const { app, getCallCount } = createApp(false);
+      const res = await app.request("/archive");
+      expect(res.status).toBe(200);
+      expect(getCallCount()).toBe(0);
+    });
+
+    it("allows /p/*", async () => {
+      const { app, getCallCount } = createApp(false);
+      const res = await app.request("/p/abc");
       expect(res.status).toBe(200);
       expect(getCallCount()).toBe(0);
     });

package/src/middleware/onboarding.ts

@@ -1,7 +1,9 @@
 /**
  * Onboarding Middleware
  *
- * Redirects all requests to /setup if onboarding hasn't been completed.
+ * Redirects key page routes to /setup if onboarding hasn't been completed.
+ * Uses an allowlist approach: only explicitly listed page routes are redirected,
+ * so static assets, API endpoints, feeds, and other resources always pass through.
  * Caches the result in memory so the DB is only queried once per isolate lifetime.
  */
 
@@ -26,7 +28,7 @@ export function requireOnboarding(): MiddlewareHandler<Env> {
     }
 
     const path = new URL(c.req.url).pathname;
-    if (shouldBypass(path)) {
+    if (!shouldRedirect(path)) {
       return next();
     }
 
@@ -40,14 +42,16 @@ export function requireOnboarding(): MiddlewareHandler<Env> {
   };
 }
 
-function shouldBypass(path: string): boolean {
+/**
+ * Only these page routes are redirected to /setup during onboarding.
+ * Everything else (assets, API, feeds, media, etc.) passes through.
+ */
+function shouldRedirect(path: string): boolean {
   return (
-    path === "/setup" ||
-    path === "/health" ||
+    path === "/" ||
     path === "/signin" ||
-    path === "/signout" ||
     path === "/reset" ||
-    path.startsWith("/api/auth/")
+    path.startsWith("/dash")
   );
 }