@jant/core 0.3.36 → 0.3.37

package/src/middleware/__tests__/onboarding.test.ts

@@ -31,14 +31,14 @@ function createApp(complete: boolean) {
 
   // Register routes for testing
   app.get("/", (c) => c.text("Home"));
-  app.get("/dash", (c) => c.text("Dashboard"));
-  app.get("/dash/posts", (c) => c.text("Posts"));
+  app.get("/settings", (c) => c.text("Settings"));
+  app.get("/settings/general", (c) => c.text("General"));
   app.get("/archive", (c) => c.text("Archive"));
   app.get("/p/abc", (c) => c.text("Post"));
   app.get("/setup", (c) => c.text("Setup"));
   app.get("/health", (c) => c.text("OK"));
   app.get("/signin", (c) => c.text("Signin"));
-  app.get("/signout", (c) => c.text("Signout"));
+  app.post("/signout", (c) => c.text("Signout"));
   app.get("/reset", (c) => c.text("Reset"));
   app.get("/api/auth/session", (c) => c.json({ ok: true }));
   app.get("/assets/client-B2b-1X3C.js", (c) => c.text("js"));
@@ -63,16 +63,18 @@ describe("requireOnboarding", () => {
       expect(res.headers.get("Location")).toBe("/setup");
     });
 
-    it("redirects /dash to /setup when onboarding not complete", async () => {
+    it("redirects /settings to /setup when onboarding not complete", async () => {
       const { app } = createApp(false);
-      const res = await app.request("/dash", { redirect: "manual" });
+      const res = await app.request("/settings", { redirect: "manual" });
       expect(res.status).toBe(302);
       expect(res.headers.get("Location")).toBe("/setup");
     });
 
-    it("redirects /dash/* to /setup when onboarding not complete", async () => {
+    it("redirects /settings/* to /setup when onboarding not complete", async () => {
       const { app } = createApp(false);
-      const res = await app.request("/dash/posts", { redirect: "manual" });
+      const res = await app.request("/settings/general", {
+        redirect: "manual",
+      });
       expect(res.status).toBe(302);
       expect(res.headers.get("Location")).toBe("/setup");
     });
@@ -105,7 +107,7 @@ describe("requireOnboarding", () => {
     await app.request("/");
     expect(getCallCount()).toBe(1);
 
-    await app.request("/dash");
+    await app.request("/settings");
     expect(getCallCount()).toBe(1); // still 1 — cached
   });
 
@@ -115,7 +117,7 @@ describe("requireOnboarding", () => {
     await app.request("/", { redirect: "manual" });
     expect(getCallCount()).toBe(1);
 
-    await app.request("/dash", { redirect: "manual" });
+    await app.request("/settings", { redirect: "manual" });
     expect(getCallCount()).toBe(2); // queried again
   });
 
@@ -136,7 +138,7 @@ describe("requireOnboarding", () => {
 
     it("allows /signout", async () => {
       const { app, getCallCount } = createApp(false);
-      const res = await app.request("/signout");
+      const res = await app.request("/signout", { method: "POST" });
       expect(res.status).toBe(200);
       expect(getCallCount()).toBe(0);
     });

package/src/middleware/auth.ts

@@ -1,19 +1,42 @@
 /**
  * Authentication Middleware
  *
- * Protects routes by requiring authentication
+ * Protects routes by requiring authentication via session cookies
+ * or Bearer API tokens.
  */
 
 import type { MiddlewareHandler } from "hono";
 import type { Bindings } from "../types.js";
 import type { AppVariables } from "../types/app-context.js";
-import { DomainError, UnauthorizedError } from "../lib/errors.js";
+import { UnauthorizedError } from "../lib/errors.js";
 
 type Env = { Bindings: Bindings; Variables: AppVariables };
 
+/**
+ * Checks whether a hostname is local (dev environment).
+ *
+ * @param hostname - The hostname to check
+ * @returns `true` for localhost, 127.0.0.1, ::1, and *.localtest.me
+ *
+ * @example
+ * ```ts
+ * isLocalHostname("localhost") // true
+ * isLocalHostname("myblog.com") // false
+ * ```
+ */
+export function isLocalHostname(hostname: string): boolean {
+  return (
+    hostname === "localhost" ||
+    hostname === "127.0.0.1" ||
+    hostname === "::1" ||
+    hostname.endsWith(".localtest.me")
+  );
+}
+
 /**
  * Middleware that requires authentication.
  * Redirects to signin page if not authenticated.
+ * Session-only — Bearer tokens are not accepted for dashboard pages.
  */
 export function requireAuth(redirectTo = "/signin"): MiddlewareHandler<Env> {
   return async (c, next) => {
@@ -35,23 +58,54 @@ export function requireAuth(redirectTo = "/signin"): MiddlewareHandler<Env> {
 
 /**
  * Middleware for API routes that requires authentication.
- * Returns 401 if not authenticated.
+ * Tries session auth first, then falls back to Bearer API token.
+ * Returns 401 if neither method succeeds.
  */
 export function requireAuthApi(): MiddlewareHandler<Env> {
   return async (c, next) => {
+    // 1. Try session auth (existing behavior)
     try {
       const session = await c.var.auth.api.getSession({
         headers: c.req.raw.headers,
       });
 
-      if (!session?.user) {
-        throw new UnauthorizedError();
+      if (session?.user) {
+        await next();
+        return;
       }
+    } catch {
+      // Session check failed — fall through to Bearer token
+    }
 
-      await next();
-    } catch (err) {
-      if (err instanceof DomainError) throw err;
-      throw new UnauthorizedError();
+    // 2. Try Bearer token auth
+    const authHeader = c.req.header("Authorization");
+    if (authHeader?.startsWith("Bearer ")) {
+      const rawToken = authHeader.slice(7);
+
+      // Dev shortcut: bypass DB lookup when DEV_API_TOKEN matches on a local hostname
+      const devToken = c.env?.DEV_API_TOKEN;
+      if (devToken && rawToken === devToken) {
+        const hostname = new URL(c.req.url).hostname;
+        if (isLocalHostname(hostname)) {
+          await next();
+          return;
+        }
+      }
+
+      const tokenId = await c.var.services.apiTokens.verify(rawToken);
+      if (tokenId) {
+        // Fire-and-forget last-used update (non-blocking)
+        const updatePromise = c.var.services.apiTokens.updateLastUsed(tokenId);
+        try {
+          c.executionCtx.waitUntil(updatePromise);
+        } catch {
+          // executionCtx not available (e.g. in tests) — ignore
+        }
+        await next();
+        return;
+      }
     }
+
+    throw new UnauthorizedError();
   };
 }

package/src/middleware/onboarding.ts

@@ -51,7 +51,7 @@ function shouldRedirect(path: string): boolean {
     path === "/" ||
     path === "/signin" ||
     path === "/reset" ||
-    path.startsWith("/dash")
+    path.startsWith("/settings")
   );
 }
 

package/src/middleware/secure-headers.ts

@@ -0,0 +1,40 @@
+/**
+ * Security Headers Middleware
+ *
+ * Adds Content-Security-Policy and other security headers via Hono's
+ * built-in secureHeaders middleware. Uses a baseline CSP that works with
+ * the current tech stack (Datastar, Lit, inline theme styles).
+ */
+
+import { secureHeaders } from "hono/secure-headers";
+import type { MiddlewareHandler } from "hono";
+import type { Bindings } from "../types.js";
+import type { AppVariables } from "../types/app-context.js";
+import { IS_VITE_DEV } from "../lib/version.js";
+
+type Env = { Bindings: Bindings; Variables: AppVariables };
+
+export function secureHeadersMiddleware(): MiddlewareHandler<Env> {
+  return secureHeaders({
+    contentSecurityPolicy: {
+      defaultSrc: ["'self'"],
+      scriptSrc: [
+        "'self'",
+        // Datastar evaluates expressions in data-on-* / data-signals attributes
+        "'unsafe-eval'",
+      ],
+      styleSrc: [
+        "'self'",
+        // Theme styles and custom CSS are injected as inline <style> tags
+        "'unsafe-inline'",
+      ],
+      imgSrc: ["'self'", "data:", "blob:", "https:"],
+      fontSrc: ["'self'"],
+      connectSrc: IS_VITE_DEV ? ["'self'", "ws:"] : ["'self'"],
+      frameSrc: ["'none'"],
+      objectSrc: ["'none'"],
+      baseUri: ["'self'"],
+      formAction: ["'self'"],
+    },
+  });
+}

package/src/preset.css

@@ -13,6 +13,12 @@
 @import "./styles/tokens.css";
 @import "./styles/ui.css";
 
+/*
+ * Override BaseCoat's class-based dark mode with media-query-based.
+ * Jant follows system preference automatically — no manual toggle.
+ */
+@custom-variant dark (@media (prefers-color-scheme: dark));
+
 @theme {
   --radius-default: 0.5rem;
   --color-success: var(--success);
@@ -24,8 +30,45 @@
   --success: oklch(0.518 0.16 145.071);
 }
 
-.dark {
-  --success: oklch(0.627 0.194 149.214);
+/*
+ * BaseCoat dark mode fallback — mirrors BaseCoat's `.dark { }` variables
+ * via media query so dark mode works without JS class toggling.
+ * These are overridden by the active color theme (higher specificity).
+ *
+ * Source: basecoat-css@0.3.11 .dark { } block
+ */
+@media (prefers-color-scheme: dark) {
+  :root {
+    color-scheme: dark;
+    --background: oklch(0.145 0 0);
+    --foreground: oklch(0.985 0 0);
+    --card: oklch(0.205 0 0);
+    --card-foreground: oklch(0.985 0 0);
+    --popover: oklch(0.269 0 0);
+    --popover-foreground: oklch(0.985 0 0);
+    --primary: oklch(0.922 0 0);
+    --primary-foreground: oklch(0.205 0 0);
+    --secondary: oklch(0.269 0 0);
+    --secondary-foreground: oklch(0.985 0 0);
+    --muted: oklch(0.269 0 0);
+    --muted-foreground: oklch(0.708 0 0);
+    --accent: oklch(0.371 0 0);
+    --accent-foreground: oklch(0.985 0 0);
+    --destructive: oklch(0.704 0.191 22.216);
+    --border: oklch(1 0 0 / 10%);
+    --input: oklch(1 0 0 / 15%);
+    --ring: oklch(0.556 0 0);
+    --sidebar: oklch(0.205 0 0);
+    --sidebar-foreground: oklch(0.985 0 0);
+    --sidebar-primary: oklch(0.488 0.243 264.376);
+    --sidebar-primary-foreground: oklch(0.985 0 0);
+    --sidebar-accent: oklch(0.269 0 0);
+    --sidebar-accent-foreground: oklch(0.985 0 0);
+    --sidebar-border: oklch(1 0 0 / 10%);
+    --sidebar-ring: oklch(0.439 0 0);
+    --scrollbar-thumb: rgba(255, 255, 255, 0.3);
+    --success: oklch(0.627 0.194 149.214);
+  }
 }
 
 /**

package/src/routes/__tests__/compose.test.ts

@@ -11,7 +11,7 @@ describe("Compose Routes", () => {
       const res = await app.request("/compose", {
         method: "POST",
         headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ format: "note", body: "Hello" }),
+        body: JSON.stringify({ format: "note", bodyMarkdown: "Hello" }),
       });
 
       expect(res.status).toBe(302);
@@ -25,23 +25,22 @@ describe("Compose Routes", () => {
       const res = await app.request("/compose", {
         method: "POST",
         headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ format: "note", body: "Hello world" }),
+        body: JSON.stringify({ format: "note", bodyMarkdown: "Hello world" }),
       });
 
       expect(res.status).toBe(200);
       expect(res.headers.get("Content-Type")).toBe("text/event-stream");
 
       const text = await res.text();
-      // SSE prepends the card to the timeline
+      // SSE closes the compose dialog and resets signals
       expect(text).toContain("datastar-patch-elements");
-      expect(text).toContain('data-format="note"');
-      expect(text).toContain("selector #timeline-items");
+      expect(text).toContain("compose-dialog");
 
       // Verify post was created
       const posts = await services.posts.list();
       expect(posts).toHaveLength(1);
       expect(posts[0].format).toBe("note");
-      expect(posts[0].body).toBe("Hello world");
+      expect(posts[0].bodyText).toBe("Hello world");
       expect(posts[0].status).toBe("published");
     });
 
@@ -54,7 +53,7 @@ describe("Compose Routes", () => {
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({
           format: "link",
-          body: "Check this out",
+          bodyMarkdown: "Check this out",
           url: "https://example.com",
         }),
       });
@@ -62,9 +61,6 @@ describe("Compose Routes", () => {
       expect(res.status).toBe(200);
       expect(res.headers.get("Content-Type")).toBe("text/event-stream");
 
-      const text = await res.text();
-      expect(text).toContain('data-format="link"');
-
       const posts = await services.posts.list();
       expect(posts).toHaveLength(1);
       expect(posts[0].format).toBe("link");
@@ -80,7 +76,7 @@ describe("Compose Routes", () => {
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({
           format: "quote",
-          body: "Great insight",
+          bodyMarkdown: "Great insight",
           quoteText: "The original quote",
           url: "https://example.com/source",
         }),
@@ -89,9 +85,6 @@ describe("Compose Routes", () => {
       expect(res.status).toBe(200);
       expect(res.headers.get("Content-Type")).toBe("text/event-stream");
 
-      const text = await res.text();
-      expect(text).toContain('data-format="quote"');
-
       const posts = await services.posts.list();
       expect(posts).toHaveLength(1);
       expect(posts[0].format).toBe("quote");
@@ -107,7 +100,7 @@ describe("Compose Routes", () => {
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({
           format: "note",
-          body: "Draft content",
+          bodyMarkdown: "Draft content",
           status: "draft",
         }),
       });
@@ -133,7 +126,7 @@ describe("Compose Routes", () => {
       const res = await app.request("/compose", {
         method: "POST",
         headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ format: "invalid", body: "Hello" }),
+        body: JSON.stringify({ format: "invalid", bodyMarkdown: "Hello" }),
       });
 
       expect(res.status).toBe(200);
@@ -163,7 +156,7 @@ describe("Compose Routes", () => {
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({
           format: "note",
-          body: "Post with media",
+          bodyMarkdown: "Post with media",
           mediaIds: [media.id],
         }),
       });
@@ -186,7 +179,7 @@ describe("Compose Routes", () => {
       const res = await app.request("/compose", {
         method: "POST",
         headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ format: "note", body: "Hello" }),
+        body: JSON.stringify({ format: "note", bodyMarkdown: "Hello" }),
       });
 
       const text = await res.text();
@@ -202,7 +195,7 @@ describe("Compose Routes", () => {
       const res = await app.request("/compose", {
         method: "POST",
         headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ body: "No format" }),
+        body: JSON.stringify({ bodyMarkdown: "No format" }),
       });
 
       expect(res.status).toBe(200);
@@ -222,7 +215,7 @@ describe("Compose Routes", () => {
           "Content-Type": "application/json",
           Accept: "application/json",
         },
-        body: JSON.stringify({ format: "note", body: "Hello JSON" }),
+        body: JSON.stringify({ format: "note", bodyMarkdown: "Hello JSON" }),
       });
 
       expect(res.status).toBe(200);
@@ -230,11 +223,11 @@ describe("Compose Routes", () => {
 
       const data = await res.json();
       expect(data.status).toBe("published");
-      expect(data.cardHtml).toContain('data-format="note"');
+      expect(data.permalink).toBeDefined();
 
       const posts = await services.posts.list();
       expect(posts).toHaveLength(1);
-      expect(posts[0].body).toBe("Hello JSON");
+      expect(posts[0].bodyText).toBe("Hello JSON");
     });
 
     it("returns JSON for draft", async () => {
@@ -249,7 +242,7 @@ describe("Compose Routes", () => {
         },
         body: JSON.stringify({
           format: "note",
-          body: "Draft JSON",
+          bodyMarkdown: "Draft JSON",
           status: "draft",
         }),
       });
@@ -274,7 +267,7 @@ describe("Compose Routes", () => {
           "Content-Type": "application/json",
           Accept: "application/json",
         },
-        body: JSON.stringify({ format: "invalid", body: "Hello" }),
+        body: JSON.stringify({ format: "invalid", bodyMarkdown: "Hello" }),
       });
 
       expect(res.status).toBe(422);