@jant/core 0.3.36 → 0.3.37

package/src/lib/view.ts

@@ -8,22 +8,21 @@
 import type {
   Post,
   PostWithMedia,
-  Page,
   Media,
   MediaView,
   PostView,
-  PageView,
+  CollectionTagView,
   NavItemView,
   NavItem,
   SearchResult,
   SearchResultView,
   ArchiveGroup,
+  Collection,
   Format,
   Status,
   NavItemType,
   AppConfig,
 } from "../types.js";
-import { encode } from "./sqid.js";
 import {
   toISOString,
   formatDate,
@@ -32,6 +31,9 @@ import {
 } from "./time.js";
 import { getMediaUrl, getImageUrl, getPublicUrlForProvider } from "./image.js";
 import { getHtmlExcerpt } from "./excerpt.js";
+import { highlightText } from "./search-snippet.js";
+import { renderCollectionIcon } from "./icons.js";
+import { escapeHtml } from "./html.js";
 
 // =============================================================================
 // Media Context
@@ -90,6 +92,18 @@ export function toMediaView(media: Media, ctx: MediaContext): MediaView {
       })
     : url;
 
+  const posterRawUrl = media.posterKey
+    ? getMediaUrl(media.posterKey, publicUrl)
+    : undefined;
+  const posterUrl = posterRawUrl
+    ? getImageUrl(posterRawUrl, ctx.imageTransformUrl, {
+        width: 640,
+        quality: 80,
+        format: "auto",
+        fit: "scale-down",
+      })
+    : undefined;
+
   return {
     id: media.id,
     url,
@@ -99,6 +113,10 @@ export function toMediaView(media: Media, ctx: MediaContext): MediaView {
     width: media.width ?? undefined,
     height: media.height ?? undefined,
     size: media.size,
+    blurhash: media.blurhash ?? undefined,
+    waveform: media.waveform ?? undefined,
+    posterUrl,
+    chars: media.chars ?? undefined,
   };
 }
 
@@ -111,10 +129,19 @@ export function toMediaView(media: Media, ctx: MediaContext): MediaView {
  *
  * @param post - Post with media attachments from database
  * @param _ctx - Media context with URL configuration
+ * @param postCollections - Optional collections this post belongs to
  * @returns Render-ready PostView with pre-computed fields
  */
-export function toPostView(post: PostWithMedia, _ctx: MediaContext): PostView {
-  const permalink = post.path ? `/${post.path}` : `/p/${encode(post.id)}`;
+export function toPostView(
+  post: PostWithMedia,
+  _ctx: MediaContext,
+  postCollections?: Collection[],
+  threadRootPermalink?: string,
+  isLastInThread?: boolean,
+): PostView {
+  const id = post.id;
+  const permalink = `/${post.slug}`;
+  const publishedAt = post.publishedAt ?? post.updatedAt;
 
   // Pre-compute excerpt from raw body
   let excerpt: string | undefined;
@@ -132,7 +159,7 @@ export function toPostView(post: PostWithMedia, _ctx: MediaContext): PostView {
       // Use stored summary (generated from Tiptap JSON)
       summaryHtml = post.summary
         .split("\n\n")
-        .map((p) => `<p>${p}</p>`)
+        .map((p) => `<p>${escapeHtml(p)}</p>`)
         .join("");
       summaryHasMore = true;
     } else {
@@ -152,6 +179,12 @@ export function toPostView(post: PostWithMedia, _ctx: MediaContext): PostView {
     }
   }
 
+  // Convert collection tags
+  const collections: CollectionTagView[] = (postCollections ?? []).map((c) => {
+    const iconHtml = renderCollectionIcon(c.icon, { size: 12 }) || undefined;
+    return { slug: c.slug, title: c.title, iconHtml };
+  });
+
   // Convert media attachments
   const media: MediaView[] = post.mediaAttachments.map((m) => ({
     id: m.id,
@@ -161,12 +194,19 @@ export function toPostView(post: PostWithMedia, _ctx: MediaContext): PostView {
     altText: m.alt ?? undefined,
     width: m.width ?? undefined,
     height: m.height ?? undefined,
+    size: m.size ?? undefined,
+    blurhash: m.blurhash ?? undefined,
+    waveform: m.waveform ?? undefined,
+    posterUrl: m.posterUrl ?? undefined,
+    originalName: m.originalName ?? undefined,
+    summary: m.summary ?? undefined,
+    chars: m.chars ?? undefined,
   }));
 
   return {
-    id: post.id,
+    id,
     permalink,
-    path: post.path ?? undefined,
+    slug: post.slug,
     title: post.title ?? undefined,
     bodyHtml: bodyHtmlWithAnchor ?? undefined,
     excerpt,
@@ -177,35 +217,68 @@ export function toPostView(post: PostWithMedia, _ctx: MediaContext): PostView {
     format: post.format as Format,
     status: post.status as Status,
     visibility: post.visibility,
-    pinned: post.pinned === 1,
+    pinned: post.pinnedAt !== null,
+    featured: post.featuredAt !== null,
     rating: post.rating ?? undefined,
-    publishedAt: toISOString(post.publishedAt),
-    publishedAtFormatted: formatDate(post.publishedAt),
-    publishedAtTime: formatTime(post.publishedAt),
-    publishedAtRelative: formatRelativeTime(post.publishedAt),
+    publishedAt: toISOString(publishedAt),
+    publishedAtFormatted: formatDate(publishedAt),
+    publishedAtTime: formatTime(publishedAt),
+    publishedAtRelative: formatRelativeTime(publishedAt),
     updatedAt: toISOString(post.updatedAt),
     media,
+    collections,
     replyToId: post.replyToId ?? undefined,
-    threadRootId: post.threadId ?? undefined,
+    threadRootId: post.replyToId ? post.threadId : undefined,
+    threadRootPermalink,
+    isLastInThread: isLastInThread ?? true,
     body: post.body ?? undefined,
   };
 }
 
 /**
  * Batch converts PostWithMedia[] to PostView[].
+ *
+ * @param posts - Posts with media attachments
+ * @param ctx - Media context with URL configuration
+ * @param threadRootPermalinkMap - Optional map of thread root ID → permalink
+ * @returns Render-ready PostView[]
  */
 export function toPostViews(
   posts: PostWithMedia[],
   ctx: MediaContext,
+  threadRootPermalinkMap?: Map<string, string>,
+  isLastInThreadMap?: Map<string, boolean>,
 ): PostView[] {
-  return posts.map((p) => toPostView(p, ctx));
+  return posts.map((p) => {
+    const rootPermalink = p.replyToId
+      ? threadRootPermalinkMap?.get(p.threadId)
+      : undefined;
+    return toPostView(
+      p,
+      ctx,
+      undefined,
+      rootPermalink,
+      isLastInThreadMap?.get(p.id),
+    );
+  });
 }
 
 /**
  * Converts a bare Post (no media) to a PostView with empty media array.
  */
-export function toPostViewFromPost(post: Post, ctx: MediaContext): PostView {
-  return toPostView({ ...post, mediaAttachments: [] }, ctx);
+export function toPostViewFromPost(
+  post: Post,
+  ctx: MediaContext,
+  threadRootPermalink?: string,
+  isLastInThread?: boolean,
+): PostView {
+  return toPostView(
+    { ...post, mediaAttachments: [] },
+    ctx,
+    undefined,
+    threadRootPermalink,
+    isLastInThread,
+  );
 }
 
 /**
@@ -214,27 +287,54 @@ export function toPostViewFromPost(post: Post, ctx: MediaContext): PostView {
 export function toPostViewsFromPosts(
   posts: Post[],
   ctx: MediaContext,
+  threadRootPermalinkMap?: Map<string, string>,
+  isLastInThreadMap?: Map<string, boolean>,
 ): PostView[] {
-  return posts.map((p) => toPostViewFromPost(p, ctx));
+  return posts.map((p) => {
+    const rootPermalink = p.replyToId
+      ? threadRootPermalinkMap?.get(p.threadId)
+      : undefined;
+    return toPostViewFromPost(
+      p,
+      ctx,
+      rootPermalink,
+      isLastInThreadMap?.get(p.id),
+    );
+  });
 }
 
 // =============================================================================
-// Page Conversions
+// Thread Helpers
 // =============================================================================
 
 /**
- * Converts a Page to a render-ready PageView.
+ * Builds a map of thread root ID → permalink for posts that are thread replies.
+ *
+ * @param posts - Posts to inspect for thread membership
+ * @param getById - Lookup function to fetch a post by ID
+ * @returns Map of thread root ID → permalink string (e.g. `/{slug}`)
+ *
+ * @example
+ * ```ts
+ * const map = await loadThreadRootPermalinks(posts, services.posts.getById);
+ * const views = toPostViews(postsWithMedia, mediaCtx, map);
+ * ```
  */
-export function toPageView(page: Page): PageView {
-  return {
-    id: page.id,
-    slug: page.slug,
-    title: page.title ?? undefined,
-    bodyHtml: page.bodyHtml ?? undefined,
-    status: page.status as Status,
-    createdAt: toISOString(page.createdAt),
-    updatedAt: toISOString(page.updatedAt),
-  };
+export async function loadThreadRootPermalinks(
+  posts: Post[],
+  getById: (id: string) => Promise<Post | null>,
+): Promise<Map<string, string>> {
+  const threadRootIds = [
+    ...new Set(posts.filter((p) => p.replyToId).map((p) => p.threadId)),
+  ];
+  const map = new Map<string, string>();
+  if (threadRootIds.length > 0) {
+    const roots = await Promise.all(threadRootIds.map(getById));
+    for (const root of roots) {
+      if (root) map.set(root.id, `/${root.slug}`);
+    }
+  }
+  return map;
 }
 
 // =============================================================================
@@ -246,7 +346,7 @@ export function toPageView(page: Page): PageView {
  *
  * @param item - Raw nav item from database
  * @param currentPath - Current URL path for active state
- * @param isAuthenticated - Whether the user is logged in (affects system dashboard item)
+ * @param isAuthenticated - Whether the user is logged in (affects system settings item)
  */
 export function toNavItemView(
   item: NavItem,
@@ -256,9 +356,13 @@ export function toNavItemView(
   let url = item.url;
   let label = item.label;
 
-  // System dashboard item: resolve URL and label based on auth
-  if (item.type === "system" && item.url === "/dash") {
-    url = isAuthenticated ? "/dash" : "/signin";
+  // System settings item: resolve URL and label based on auth
+  // Also handles legacy "/dash" URLs from existing DB data
+  if (
+    item.type === "system" &&
+    (item.url === "/settings" || item.url === "/dash")
+  ) {
+    url = isAuthenticated ? "/settings" : "/signin";
     if (!isAuthenticated) {
       label = "Sign in";
     }
@@ -280,7 +384,6 @@ export function toNavItemView(
     type: item.type as NavItemType,
     label,
     url,
-    pageId: item.pageId ?? undefined,
     isActive,
     isExternal,
   };
@@ -307,26 +410,57 @@ export function toNavItemViews(
 
 /**
  * Converts a SearchResult to a SearchResultView with PostView.
+ *
+ * @param result - Raw search result with post and FTS metadata
+ * @param ctx - Media context for URL computation
+ * @param query - Original search query for client-side title/quote highlighting
  */
 export function toSearchResultView(
   result: SearchResult,
   ctx: MediaContext,
+  query?: string,
 ): SearchResultView {
+  const post = toPostViewFromPost(result.post, ctx);
+
+  let titleHighlighted: string | undefined;
+  let quoteHighlighted: string | undefined;
+
+  if (query) {
+    if (post.title) {
+      titleHighlighted = highlightText(post.title, query);
+    }
+    if (post.quoteText) {
+      // Truncate before highlighting to avoid splitting inside <mark> tags
+      const truncated =
+        post.quoteText.length > 120
+          ? post.quoteText.slice(0, 120) + "..."
+          : post.quoteText;
+      quoteHighlighted = highlightText(truncated, query);
+    }
+  }
+
   return {
-    post: toPostViewFromPost(result.post, ctx),
+    post,
     rank: result.rank,
     snippet: result.snippet,
+    titleHighlighted,
+    quoteHighlighted,
   };
 }
 
 /**
  * Batch converts SearchResult[] to SearchResultView[].
+ *
+ * @param results - Raw search results
+ * @param ctx - Media context for URL computation
+ * @param query - Original search query for title/quote highlighting
  */
 export function toSearchResultViews(
   results: SearchResult[],
   ctx: MediaContext,
+  query?: string,
 ): SearchResultView[] {
-  return results.map((r) => toSearchResultView(r, ctx));
+  return results.map((r) => toSearchResultView(r, ctx, query));
 }
 
 // =============================================================================
@@ -360,3 +494,36 @@ export function toArchiveGroups(
   }
   return groups;
 }
+
+/**
+ * Converts a grouped PostWithMedia map to typed ArchiveGroup[].
+ * Unlike toArchiveGroups, this preserves media attachments on each post.
+ *
+ * @param grouped - Map of "YYYY-MM" keys to PostWithMedia arrays
+ * @param ctx - Media context for URL computation
+ * @returns ArchiveGroup[] with full media data on each PostView
+ */
+export function toArchiveGroupsWithMedia(
+  grouped: Map<string, PostWithMedia[]>,
+  ctx: MediaContext,
+): ArchiveGroup[] {
+  const groups: ArchiveGroup[] = [];
+  for (const [yearMonth, posts] of grouped) {
+    const [year, month] = yearMonth.split("-");
+    if (!year || !month) continue;
+
+    const date = new Date(parseInt(year, 10), parseInt(month, 10) - 1);
+    const label = date.toLocaleDateString("en-US", {
+      year: "numeric",
+      month: "long",
+    });
+
+    groups.push({
+      year,
+      month,
+      label,
+      posts: toPostViews(posts, ctx),
+    });
+  }
+  return groups;
+}

package/src/middleware/__tests__/auth.test.ts

@@ -1,6 +1,6 @@
-import { describe, it, expect } from "vitest";
+import { describe, it, expect, vi } from "vitest";
 import { Hono } from "hono";
-import { requireAuth, requireAuthApi } from "../auth.js";
+import { requireAuth, requireAuthApi, isLocalHostname } from "../auth.js";
 import { errorHandler } from "../error-handler.js";
 import type { Bindings } from "../../types.js";
 import type { AppVariables } from "../../types/app-context.js";
@@ -21,6 +21,32 @@ function createMockAuth(authenticated: boolean) {
   } as AppVariables["auth"];
 }
 
+function createMockApiTokenService(validToken?: string) {
+  const tokenId = "token-id-1";
+  return {
+    verify: vi.fn(async (raw: string) => (raw === validToken ? tokenId : null)),
+    updateLastUsed: vi.fn(async () => {}),
+    create: vi.fn(),
+    list: vi.fn(),
+    delete: vi.fn(),
+  };
+}
+
+describe("isLocalHostname", () => {
+  it.each([
+    ["localhost", true],
+    ["127.0.0.1", true],
+    ["::1", true],
+    ["jant.localtest.me", true],
+    ["sub.localtest.me", true],
+    ["myblog.com", false],
+    ["demo.jant.me", false],
+    ["localtest.me.evil.com", false],
+  ])("isLocalHostname(%s) → %s", (hostname, expected) => {
+    expect(isLocalHostname(hostname)).toBe(expected);
+  });
+});
+
 describe("requireAuth", () => {
   it("allows authenticated requests", async () => {
     const app = new Hono<Env>();
@@ -28,11 +54,11 @@ describe("requireAuth", () => {
       c.set("auth", createMockAuth(true));
       await next();
     });
-    app.get("/dash", requireAuth(), (c) => c.text("Dashboard"));
+    app.get("/settings", requireAuth(), (c) => c.text("Settings"));
 
-    const res = await app.request("/dash");
+    const res = await app.request("/settings");
     expect(res.status).toBe(200);
-    expect(await res.text()).toBe("Dashboard");
+    expect(await res.text()).toBe("Settings");
   });
 
   it("redirects unauthenticated requests to /signin", async () => {
@@ -41,9 +67,9 @@ describe("requireAuth", () => {
       c.set("auth", createMockAuth(false));
       await next();
     });
-    app.get("/dash", requireAuth(), (c) => c.text("Dashboard"));
+    app.get("/settings", requireAuth(), (c) => c.text("Settings"));
 
-    const res = await app.request("/dash", { redirect: "manual" });
+    const res = await app.request("/settings", { redirect: "manual" });
     expect(res.status).toBe(302);
     expect(res.headers.get("Location")).toBe("/signin");
   });
@@ -54,20 +80,23 @@ describe("requireAuth", () => {
       c.set("auth", createMockAuth(false));
       await next();
     });
-    app.get("/dash", requireAuth("/login"), (c) => c.text("Dashboard"));
+    app.get("/settings", requireAuth("/login"), (c) => c.text("Settings"));
 
-    const res = await app.request("/dash", { redirect: "manual" });
+    const res = await app.request("/settings", { redirect: "manual" });
     expect(res.status).toBe(302);
     expect(res.headers.get("Location")).toBe("/login");
   });
 });
 
 describe("requireAuthApi", () => {
-  it("allows authenticated requests", async () => {
+  it("allows authenticated requests via session", async () => {
     const app = new Hono<Env>();
     app.onError(errorHandler);
     app.use("*", async (c, next) => {
       c.set("auth", createMockAuth(true));
+      c.set("services", {
+        apiTokens: createMockApiTokenService(),
+      } as AppVariables["services"]);
       await next();
     });
     app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
@@ -79,11 +108,14 @@ describe("requireAuthApi", () => {
     expect(body.data).toBe("secret");
   });
 
-  it("returns 401 for unauthenticated requests", async () => {
+  it("returns 401 for unauthenticated requests without Bearer token", async () => {
     const app = new Hono<Env>();
     app.onError(errorHandler);
     app.use("*", async (c, next) => {
       c.set("auth", createMockAuth(false));
+      c.set("services", {
+        apiTokens: createMockApiTokenService(),
+      } as AppVariables["services"]);
       await next();
     });
     app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
@@ -107,6 +139,9 @@ describe("requireAuthApi", () => {
           },
         },
       } as AppVariables["auth"]);
+      c.set("services", {
+        apiTokens: createMockApiTokenService(),
+      } as AppVariables["services"]);
       await next();
     });
     app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
@@ -114,4 +149,149 @@ describe("requireAuthApi", () => {
     const res = await app.request("/api/data");
     expect(res.status).toBe(401);
   });
+
+  it("allows requests with valid Bearer token when session auth fails", async () => {
+    const validToken = "jnt_abc123";
+    const mockApiTokens = createMockApiTokenService(validToken);
+
+    const app = new Hono<Env>();
+    app.onError(errorHandler);
+    app.use("*", async (c, next) => {
+      c.set("auth", createMockAuth(false));
+      c.set("services", {
+        apiTokens: mockApiTokens,
+      } as AppVariables["services"]);
+      await next();
+    });
+    app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
+
+    const res = await app.request("/api/data", {
+      headers: { Authorization: `Bearer ${validToken}` },
+    });
+    expect(res.status).toBe(200);
+
+    const body = await res.json();
+    expect(body.data).toBe("secret");
+
+    expect(mockApiTokens.verify).toHaveBeenCalledWith(validToken);
+    expect(mockApiTokens.updateLastUsed).toHaveBeenCalledWith("token-id-1");
+  });
+
+  it("returns 401 for invalid Bearer token", async () => {
+    const mockApiTokens = createMockApiTokenService("jnt_valid");
+
+    const app = new Hono<Env>();
+    app.onError(errorHandler);
+    app.use("*", async (c, next) => {
+      c.set("auth", createMockAuth(false));
+      c.set("services", {
+        apiTokens: mockApiTokens,
+      } as AppVariables["services"]);
+      await next();
+    });
+    app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
+
+    const res = await app.request("/api/data", {
+      headers: { Authorization: "Bearer jnt_invalid" },
+    });
+    expect(res.status).toBe(401);
+
+    expect(mockApiTokens.verify).toHaveBeenCalledWith("jnt_invalid");
+  });
+
+  it("prefers session auth over Bearer token", async () => {
+    const mockApiTokens = createMockApiTokenService("jnt_valid");
+
+    const app = new Hono<Env>();
+    app.onError(errorHandler);
+    app.use("*", async (c, next) => {
+      c.set("auth", createMockAuth(true));
+      c.set("services", {
+        apiTokens: mockApiTokens,
+      } as AppVariables["services"]);
+      await next();
+    });
+    app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
+
+    const res = await app.request("/api/data", {
+      headers: { Authorization: "Bearer jnt_valid" },
+    });
+    expect(res.status).toBe(200);
+
+    // Should not check the token since session auth succeeded
+    expect(mockApiTokens.verify).not.toHaveBeenCalled();
+  });
+
+  it("allows DEV_API_TOKEN on localhost", async () => {
+    const devToken = "jnt_dev_test123";
+    const mockApiTokens = createMockApiTokenService();
+
+    const app = new Hono<Env>();
+    app.onError(errorHandler);
+    app.use("*", async (c, next) => {
+      c.env = { ...c.env, DEV_API_TOKEN: devToken } as Bindings;
+      c.set("auth", createMockAuth(false));
+      c.set("services", {
+        apiTokens: mockApiTokens,
+      } as AppVariables["services"]);
+      await next();
+    });
+    app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
+
+    const res = await app.request("http://localhost:9020/api/data", {
+      headers: { Authorization: `Bearer ${devToken}` },
+    });
+    expect(res.status).toBe(200);
+
+    // Should NOT hit DB verification
+    expect(mockApiTokens.verify).not.toHaveBeenCalled();
+  });
+
+  it("rejects DEV_API_TOKEN on non-local hostname", async () => {
+    const devToken = "jnt_dev_test123";
+    const mockApiTokens = createMockApiTokenService();
+
+    const app = new Hono<Env>();
+    app.onError(errorHandler);
+    app.use("*", async (c, next) => {
+      c.env = { ...c.env, DEV_API_TOKEN: devToken } as Bindings;
+      c.set("auth", createMockAuth(false));
+      c.set("services", {
+        apiTokens: mockApiTokens,
+      } as AppVariables["services"]);
+      await next();
+    });
+    app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
+
+    const res = await app.request("https://myblog.com/api/data", {
+      headers: { Authorization: `Bearer ${devToken}` },
+    });
+    expect(res.status).toBe(401);
+
+    // Falls through to normal DB verification (which also fails)
+    expect(mockApiTokens.verify).toHaveBeenCalledWith(devToken);
+  });
+
+  it("allows DEV_API_TOKEN on *.localtest.me", async () => {
+    const devToken = "jnt_dev_test123";
+    const mockApiTokens = createMockApiTokenService();
+
+    const app = new Hono<Env>();
+    app.onError(errorHandler);
+    app.use("*", async (c, next) => {
+      c.env = { ...c.env, DEV_API_TOKEN: devToken } as Bindings;
+      c.set("auth", createMockAuth(false));
+      c.set("services", {
+        apiTokens: mockApiTokens,
+      } as AppVariables["services"]);
+      await next();
+    });
+    app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
+
+    const res = await app.request("https://jant.localtest.me/api/data", {
+      headers: { Authorization: `Bearer ${devToken}` },
+    });
+    expect(res.status).toBe(200);
+    expect(mockApiTokens.verify).not.toHaveBeenCalled();
+  });
 });