@jant/core 0.3.36 → 0.3.37

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jant/core",
-  "version": "0.3.36",
+  "version": "0.3.37",
   "description": "A modern, open-source microblogging platform built on Cloudflare Workers",
   "type": "module",
   "exports": {
@@ -36,15 +36,23 @@
     "@tiptap/suggestion": "^3.20.0",
     "basecoat-css": "^0.3.10",
     "better-auth": "^1.4.18",
+    "blurhash": "^2.0.5",
     "drizzle-orm": "^0.45.1",
     "emoji-mart": "^5.6.0",
+    "fflate": "^0.8.2",
+    "fractional-indexing": "^3.2.0",
+    "heic-to": "^1.4.2",
     "limax": "^4.2.2",
     "lit": "^3.3.2",
     "lucide-static": "^0.574.0",
     "marked": "^17.0.1",
+    "mediabunny": "^1.35.1",
+    "nanoid": "^5.1.6",
+    "smol-toml": "^1.6.0",
     "sortablejs": "^1.15.6",
-    "sqids": "^0.3.0",
+    "tiptap-markdown": "^0.9.0",
     "uuidv7": "^1.1.0",
+    "yaml": "^2.8.2",
     "zod": "^4.3.6"
   },
   "peerDependencies": {
@@ -103,7 +111,7 @@
     "build:lib": "vite build --config vite.config.worker.ts",
     "typecheck": "tsc -b --noEmit",
     "db:generate": "drizzle-kit generate",
-    "i18n:extract": "lingui extract",
+    "i18n:extract": "lingui extract --clean",
     "i18n:compile": "lingui compile --typescript",
     "i18n:build": "pnpm i18n:extract && pnpm i18n:compile",
     "dev": "pnpm db:migrate:local && vite dev",

package/src/__tests__/helpers/app.ts

@@ -9,15 +9,15 @@ import type { Bindings } from "../../types.js";
 import type { AppVariables } from "../../types/app-context.js";
 import { createTestDatabase } from "./db.js";
 import { createPostService } from "../../services/post.js";
-import { createPageService } from "../../services/page.js";
+import { createPathService } from "../../services/path.js";
 import { createSettingsService } from "../../services/settings.js";
-import { createRedirectService } from "../../services/redirect.js";
+import { createCustomUrlService } from "../../services/custom-url.js";
 import { createMediaService } from "../../services/media.js";
 import { createCollectionService } from "../../services/collection.js";
 import { createSearchService } from "../../services/search.js";
 import { createNavItemService } from "../../services/navigation.js";
 import { createAuthService } from "../../services/auth.js";
-import { createPathRegistryService } from "../../services/path-registry.js";
+import { createApiTokenService } from "../../services/api-token.js";
 import type { Database } from "../../db/index.js";
 import type BetterSqlite3 from "better-sqlite3";
 import { errorHandler } from "../../middleware/error-handler.js";
@@ -46,18 +46,18 @@ export function createTestApp(options: TestAppOptions = {}) {
   const mockD1 = createMockD1(sqlite);
 
   const settingsService = createSettingsService(db);
-  const pathRegistryService = createPathRegistryService(db);
+  const pathService = createPathService(db);
   const services = {
-    posts: createPostService(db, pathRegistryService),
-    pages: createPageService(db, pathRegistryService),
+    paths: pathService,
+    posts: createPostService(db, { slugIdLength: 5 }, pathService),
     settings: settingsService,
-    pathRegistry: pathRegistryService,
-    redirects: createRedirectService(db, pathRegistryService),
+    customUrls: createCustomUrlService(db, pathService),
     media: createMediaService(db),
-    collections: createCollectionService(db),
+    collections: createCollectionService(db, pathService),
     search: createSearchService(mockD1),
     navItems: createNavItemService(db),
     auth: createAuthService(db, settingsService),
+    apiTokens: createApiTokenService(db),
   };
 
   const app = new Hono<Env>();

package/src/__tests__/helpers/db.ts

@@ -1,146 +1,144 @@
 /**
  * Test Database Helper
  *
- * Creates an in-memory SQLite database with all migrations applied (up to v2).
+ * Creates an in-memory SQLite database with all migrations applied.
  * Used for service integration tests.
  */
 
 import Database from "better-sqlite3";
 import { drizzle } from "drizzle-orm/better-sqlite3";
 import * as schema from "../../db/schema.js";
-import { readFileSync } from "fs";
+import { readFileSync, readdirSync } from "fs";
 import { resolve } from "path";
 
 const MIGRATIONS_DIR = resolve(import.meta.dirname, "../../db/migrations");
 
 /**
  * Applies a migration file, splitting on Drizzle statement breakpoints.
+ * When `skipFts` is true, silently skips statements that reference the
+ * FTS virtual table (triggers, rebuild) since it may not exist.
  */
-function applyMigration(sqlite: Database.Database, filename: string) {
+function applyMigration(
+  sqlite: Database.Database,
+  filename: string,
+  options?: { skipFts?: boolean },
+) {
   const migration = readFileSync(resolve(MIGRATIONS_DIR, filename), "utf-8");
   for (const sql of migration.split("--> statement-breakpoint")) {
     const trimmed = sql.trim();
-    if (trimmed) sqlite.exec(trimmed);
+    if (!trimmed) continue;
+    if (options?.skipFts && trimmed.includes("post_fts")) continue;
+    sqlite.exec(trimmed);
   }
 }
 
 /**
- * Creates a fresh in-memory SQLite database with all migrations applied.
- * Each call returns an isolated database instance for test isolation.
- *
- * @param options.fts - Whether to enable FTS5 for search tests (default: false).
- *   The trigram tokenizer used in production may not be available in all
- *   better-sqlite3 builds, so FTS is opt-in for tests that need it.
+ * Applies the FTS migration with fallback for environments lacking
+ * the trigram tokenizer.
  */
-export function createTestDatabase(options?: { fts?: boolean }) {
-  const sqlite = new Database(":memory:");
-
-  // Enable WAL mode for better performance
-  sqlite.pragma("journal_mode = WAL");
-  sqlite.pragma("foreign_keys = ON");
-
-  // Apply v1 base migrations (0000-0004)
-  applyMigration(sqlite, "0000_square_wallflower.sql");
-  // Skip 0001 (FTS) — v2 migration will create updated FTS if needed
-  applyMigration(sqlite, "0002_add_media_attachments.sql");
-  applyMigration(sqlite, "0003_add_navigation_links.sql");
-  applyMigration(sqlite, "0004_add_storage_provider.sql");
-
-  // Apply v2 schema migration (0005)
-  // Split FTS-related statements so we can handle them separately
-  const v2Migration = readFileSync(
-    resolve(MIGRATIONS_DIR, "0005_v2_schema_migration.sql"),
-    "utf-8",
-  );
-
-  for (const stmt of v2Migration.split("--> statement-breakpoint")) {
+function applyFtsMigration(sqlite: Database.Database, filename: string) {
+  const ftsSql = readFileSync(resolve(MIGRATIONS_DIR, filename), "utf-8");
+  for (const stmt of ftsSql.split("--> statement-breakpoint")) {
     const trimmed = stmt.trim();
     if (!trimmed) continue;
-
-    // Skip FTS-related statements if FTS not requested
-    const isFts = trimmed.includes("posts_fts");
-    if (!options?.fts && isFts) continue;
-
     try {
       sqlite.exec(trimmed);
     } catch {
-      // Handle trigram tokenizer failure for FTS virtual table
-      if (options?.fts && trimmed.includes("CREATE VIRTUAL TABLE")) {
+      // Trigram tokenizer may not be available — fall back to default tokenizer
+      if (trimmed.includes("CREATE VIRTUAL TABLE")) {
         sqlite.exec(`
-          CREATE VIRTUAL TABLE IF NOT EXISTS posts_fts USING fts5(
+          CREATE VIRTUAL TABLE IF NOT EXISTS post_fts USING fts5(
             title,
-            body,
+            body_text,
             quote_text,
-            content='posts',
-            content_rowid='id'
+            url,
+            content='post',
+            content_rowid='rowid'
           );
         `);
       }
-      // Ignore DROP TRIGGER/TABLE IF EXISTS failures silently
-      else if (
-        !trimmed.startsWith("DROP TRIGGER") &&
-        !trimmed.startsWith("DROP TABLE")
-      ) {
-        throw new Error(`Migration statement failed: ${trimmed.slice(0, 100)}`);
-      }
-    }
-  }
-
-  // Apply 0006: rename slug to path on posts
-  applyMigration(sqlite, "0006_rename_slug_to_path.sql");
-
-  // Apply 0007: post_collections M:N junction table
-  const m7 = readFileSync(
-    resolve(MIGRATIONS_DIR, "0007_post_collections_m2m.sql"),
-    "utf-8",
-  );
-  for (const stmt of m7.split("--> statement-breakpoint")) {
-    const trimmed = stmt.trim();
-    if (!trimmed) continue;
-    // Skip FTS trigger statements if FTS not requested
-    const isFts = trimmed.includes("posts_fts");
-    if (!options?.fts && isFts) continue;
-    try {
-      sqlite.exec(trimmed);
-    } catch {
-      // Ignore DROP TRIGGER failures silently
-      if (!trimmed.startsWith("DROP TRIGGER")) {
-        throw new Error(`Migration 0007 failed: ${trimmed.slice(0, 100)}`);
+      // Ignore trigger failures if virtual table creation failed
+      else if (!trimmed.startsWith("CREATE TRIGGER")) {
+        throw new Error(
+          `FTS migration statement failed: ${trimmed.slice(0, 100)}`,
+        );
       }
     }
   }
 
-  // Apply 0008: collection_dividers table
-  applyMigration(sqlite, "0008_add_collection_dividers.sql");
-
-  // Apply 0009: drop show_divider column from collections
-  applyMigration(sqlite, "0009_drop_collection_show_divider.sql");
-
-  // Apply 0010: performance indexes
-  applyMigration(sqlite, "0010_add_performance_indexes.sql");
+  // If trigram fallback was used, triggers need to be created without trigram
+  // Re-create triggers unconditionally (IF NOT EXISTS handles idempotency)
+  sqlite.exec(`
+    CREATE TRIGGER IF NOT EXISTS post_ai AFTER INSERT ON post BEGIN
+      INSERT INTO post_fts(rowid, title, body_text, quote_text, url)
+      VALUES (new.rowid, new.title, new.body_text, new.quote_text, new.url);
+    END;
+    CREATE TRIGGER IF NOT EXISTS post_ad AFTER DELETE ON post BEGIN
+      INSERT INTO post_fts(post_fts, rowid, title, body_text, quote_text, url)
+      VALUES ('delete', old.rowid, old.title, old.body_text, old.quote_text, old.url);
+    END;
+    CREATE TRIGGER IF NOT EXISTS post_au AFTER UPDATE ON post BEGIN
+      INSERT INTO post_fts(post_fts, rowid, title, body_text, quote_text, url)
+      VALUES ('delete', old.rowid, old.title, old.body_text, old.quote_text, old.url);
+      INSERT INTO post_fts(rowid, title, body_text, quote_text, url)
+      VALUES (new.rowid, new.title, new.body_text, new.quote_text, new.url);
+    END;
+  `);
+}
 
-  // Apply 0011: path registry
-  applyMigration(sqlite, "0011_add_path_registry.sql");
+/**
+ * Creates a fresh in-memory SQLite database with all migrations applied.
+ * Each call returns an isolated database instance for test isolation.
+ *
+ * @param options.fts - Whether to enable FTS5 for search tests (default: false).
+ *   The trigram tokenizer used in production may not be available in all
+ *   better-sqlite3 builds, so FTS is opt-in for tests that need it.
+ */
+export function createTestDatabase(options?: { fts?: boolean }) {
+  const sqlite = new Database(":memory:");
 
-  // Apply 0012: Tiptap columns (summary)
-  applyMigration(sqlite, "0012_add_tiptap_columns.sql");
+  // Enable WAL mode for better performance
+  sqlite.pragma("journal_mode = WAL");
+  sqlite.pragma("foreign_keys = ON");
 
-  // Apply 0013: Replace featured with visibility
-  applyMigration(sqlite, "0013_replace_featured_with_visibility.sql");
+  // Apply all migrations in order (sorted by filename prefix: 0000_, 0001_, …)
+  // FTS migration (0001_*) is only applied when requested because the trigram
+  // tokenizer may not be available in all better-sqlite3 builds.
+  const allFiles = readdirSync(MIGRATIONS_DIR)
+    .filter((f) => f.endsWith(".sql"))
+    .sort();
+
+  for (const file of allFiles) {
+    const isFts = file.startsWith("0001_");
+    if (isFts && !options?.fts) continue;
+
+    if (isFts) {
+      applyFtsMigration(sqlite, file);
+    } else {
+      applyMigration(sqlite, file, { skipFts: !options?.fts });
+    }
+  }
 
   const db = drizzle(sqlite, { schema });
 
   // Polyfill D1 batch() for test compatibility.
   // In production, D1 batch executes statements atomically in a single transaction.
-  // In tests, better-sqlite3 is synchronous and single-threaded so sequential
-  // execution is effectively atomic.
+  // In tests, wrap sequential execution in an explicit transaction so rollback
+  // behavior matches D1's all-or-nothing semantics.
   Object.defineProperty(db, "batch", {
     value: async (queries: PromiseLike<unknown>[]) => {
-      const results = [];
-      for (const q of queries) {
-        results.push(await q);
+      sqlite.exec("BEGIN");
+      try {
+        const results = [];
+        for (const q of queries) {
+          results.push(await q);
+        }
+        sqlite.exec("COMMIT");
+        return results;
+      } catch (err) {
+        sqlite.exec("ROLLBACK");
+        throw err;
       }
-      return results;
     },
   });
 

package/src/app.tsx

@@ -16,7 +16,6 @@ import { resetRoutes } from "./routes/auth/reset.js";
 
 // Routes - Pages
 import { homeRoutes } from "./routes/pages/home.js";
-import { postRoutes } from "./routes/pages/post.js";
 import { pageRoutes } from "./routes/pages/page.js";
 import { collectionRoutes } from "./routes/pages/collection.js";
 import { archiveRoutes } from "./routes/pages/archive.js";
@@ -24,23 +23,22 @@ import { searchRoutes } from "./routes/pages/search.js";
 import { featuredRoutes } from "./routes/pages/featured.js";
 import { latestRoutes } from "./routes/pages/latest.js";
 import { collectionsPageRoutes } from "./routes/pages/collections.js";
+import { newPostRoutes } from "./routes/pages/new.js";
 
-// Routes - Dashboard
-import { dashIndexRoutes } from "./routes/dash/index.js";
-import { postsRoutes as dashPostsRoutes } from "./routes/dash/posts.js";
-import { pagesRoutes as dashPagesRoutes } from "./routes/dash/pages.js";
-import { mediaRoutes as dashMediaRoutes } from "./routes/dash/media.js";
-import { settingsRoutes as dashSettingsRoutes } from "./routes/dash/settings.js";
-import { redirectsRoutes as dashRedirectsRoutes } from "./routes/dash/redirects.js";
+// Routes - Settings (admin)
+import { settingsRoutes } from "./routes/dash/settings.js";
+import { customUrlsRoutes } from "./routes/dash/custom-urls.js";
 
 // Routes - API
 import { postsApiRoutes } from "./routes/api/posts.js";
-import { pagesApiRoutes } from "./routes/api/pages.js";
 import { navItemsApiRoutes } from "./routes/api/nav-items.js";
 import { collectionsApiRoutes } from "./routes/api/collections.js";
 import { settingsApiRoutes } from "./routes/api/settings.js";
 import { uploadApiRoutes } from "./routes/api/upload.js";
+import { multipartUploadApiRoutes } from "./routes/api/upload-multipart.js";
 import { searchApiRoutes } from "./routes/api/search.js";
+import { customUrlsApiRoutes } from "./routes/api/custom-urls.js";
+import { exportApiRoutes } from "./routes/api/export.js";
 // Routes - Compose
 import { composeRoutes } from "./routes/compose.js";
 
@@ -49,10 +47,11 @@ import { rssRoutes } from "./routes/feed/rss.js";
 import { sitemapRoutes } from "./routes/feed/sitemap.js";
 
 // Middleware
-import { requireAuth } from "./middleware/auth.js";
+import { requireAuth, isLocalHostname } from "./middleware/auth.js";
 import { requireOnboarding } from "./middleware/onboarding.js";
 import { errorHandler } from "./middleware/error-handler.js";
 import { withConfig } from "./middleware/config.js";
+import { secureHeadersMiddleware } from "./middleware/secure-headers.js";
 
 import { createStorageDriver } from "./lib/storage.js";
 import { base64ToUint8Array } from "./lib/favicon.js";
@@ -80,6 +79,31 @@ export function createApp(): App {
 
   // Lightweight init — no DB queries
   app.use("*", async (c, next) => {
+    // Fail fast: DEV_API_TOKEN must never be reachable from a non-local hostname
+    if (c.env.DEV_API_TOKEN) {
+      const hostname = new URL(c.req.url).hostname;
+      if (!isLocalHostname(hostname)) {
+        return c.html(
+          `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Configuration Error</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;justify-content:center;align-items:center;min-height:100vh;margin:0;background:#fafafa;color:#111}div{max-width:480px;text-align:center}h1{font-size:1.25rem;font-weight:600}p{color:#666;line-height:1.6}code{background:#eee;padding:2px 6px;border-radius:4px;font-size:.9em}</style>
+</head>
+<body>
+<div>
+<h1>DEV_API_TOKEN must not be set in production</h1>
+<p>Remove <code>DEV_API_TOKEN</code> from your environment variables. This token is only for local development.</p>
+</div>
+</body>
+</html>`,
+          500,
+        );
+      }
+    }
+
     if (!c.env.AUTH_SECRET) {
       return c.html(
         `<!DOCTYPE html>
@@ -107,7 +131,11 @@ export function createApp(): App {
     // Note: Drizzle ORM doesn't officially support D1DatabaseSession yet (issue #2226)
     // but it works at runtime. We use type assertion as a temporary workaround.
     const db = createDatabase(session as unknown as D1Database);
-    c.set("services", createServices(db, session as unknown as D1Database));
+    const slugIdLength = parseInt(c.env.SLUG_ID_LENGTH ?? "5", 10) || 5;
+    c.set(
+      "services",
+      createServices(db, session as unknown as D1Database, { slugIdLength }),
+    );
     c.set("storage", createStorageDriver(c.env));
 
     const baseURL = c.env.SITE_URL || new URL(c.req.url).origin;
@@ -124,20 +152,118 @@ export function createApp(): App {
     await next();
   });
 
+  // Security headers (CSP, X-Frame-Options, etc.)
+  app.use("*", secureHeadersMiddleware());
+
   // --- Routes that don't need config/theme ---
 
   // Health check
   app.get("/health", (c) => c.json({ status: "ok" }));
 
+  // Fetch text media content by ID (same-origin proxy to avoid CORS with CDN URLs)
+  app.get("/api/media/:id/content", async (c) => {
+    const media = await c.var.services.media.getById(c.req.param("id"));
+    if (!media) return c.notFound();
+
+    const storage = c.var.storage;
+    if (!storage) return c.notFound();
+
+    const object = await storage.get(media.storageKey);
+    if (!object) return c.notFound();
+
+    const headers = new Headers();
+    headers.set(
+      "Content-Type",
+      object.contentType || "application/octet-stream",
+    );
+    // Use updatedAt as ETag so browsers can cache but revalidate on change
+    const etag = `"${media.updatedAt}"`;
+    headers.set("Cache-Control", "public, no-cache");
+    headers.set("ETag", etag);
+
+    if (c.req.header("If-None-Match") === etag) {
+      return new Response(null, { status: 304, headers });
+    }
+
+    return new Response(object.body, { headers });
+  });
+
   // Media files from storage (path matches storage key: media/YYYY/MM/uuid.ext)
+  // Supports HTTP Range requests for seekable audio/video playback.
   app.get("/media/*", async (c) => {
     const storage = c.var.storage;
     if (!storage) {
       return c.notFound();
     }
 
-    // The storage key is the full path without the leading "/"
     const storageKey = c.req.path.slice(1);
+    if (storageKey.includes("..") || !storageKey.startsWith("media/")) {
+      return c.notFound();
+    }
+
+    const rangeHeader = c.req.header("Range");
+
+    // First fetch without range to get the total size
+    if (rangeHeader) {
+      // Get total size via a full request first
+      const full = await storage.get(storageKey);
+      if (!full) return c.notFound();
+
+      const totalSize = full.size;
+      if (!totalSize) {
+        // Driver doesn't report size — fall back to full response
+        const headers = new Headers();
+        headers.set(
+          "Content-Type",
+          full.contentType || "application/octet-stream",
+        );
+        headers.set("Cache-Control", "public, max-age=31536000, immutable");
+        return new Response(full.body, { headers });
+      }
+
+      // Cancel the full stream — we'll re-fetch with the range
+      await full.body.cancel();
+
+      // Parse "bytes=START-END" (END is optional)
+      const match = /^bytes=(\d+)-(\d*)$/.exec(rangeHeader);
+      if (!match) {
+        return new Response("Invalid Range", {
+          status: 416,
+          headers: { "Content-Range": `bytes */${totalSize}` },
+        });
+      }
+
+      const start = parseInt(match[1] ?? "0", 10);
+      const end = match[2]
+        ? Math.min(parseInt(match[2], 10), totalSize - 1)
+        : totalSize - 1;
+
+      if (start > end || start >= totalSize) {
+        return new Response("Range Not Satisfiable", {
+          status: 416,
+          headers: { "Content-Range": `bytes */${totalSize}` },
+        });
+      }
+
+      const rangeObj = await storage.get(storageKey, {
+        range: { offset: start, length: end - start + 1 },
+      });
+      if (!rangeObj) return c.notFound();
+
+      const headers = new Headers();
+      headers.set(
+        "Content-Type",
+        rangeObj.contentType || "application/octet-stream",
+      );
+      headers.set("Cache-Control", "public, max-age=31536000, immutable");
+      headers.set("Accept-Ranges", "bytes");
+      headers.set("Content-Range", `bytes ${start}-${end}/${totalSize}`);
+      headers.set("Content-Length", String(end - start + 1));
+
+      return new Response(rangeObj.body, { status: 206, headers });
+    }
+
+    // No Range header — serve full file
     const object = await storage.get(storageKey);
     if (!object) {
       return c.notFound();
@@ -149,6 +275,10 @@ export function createApp(): App {
       object.contentType || "application/octet-stream",
     );
     headers.set("Cache-Control", "public, max-age=31536000, immutable");
+    headers.set("Accept-Ranges", "bytes");
+    if (object.size) {
+      headers.set("Content-Length", String(object.size));
+    }
 
     return new Response(object.body, { headers });
   });
@@ -204,7 +334,7 @@ export function createApp(): App {
     await next();
   });
 
-  // Redirect middleware
+  // Redirect middleware — only handles redirect-type custom URLs
   app.use("*", async (c, next) => {
     const path = new URL(c.req.url).pathname;
     // Skip redirect check for API routes and static assets
@@ -212,9 +342,9 @@ export function createApp(): App {
       return next();
     }
 
-    const redirect = await c.var.services.redirects.getByPath(path);
-    if (redirect) {
-      return c.redirect(redirect.toPath, redirect.type);
+    const customUrl = await c.var.services.customUrls.getByPath(path.slice(1));
+    if (customUrl?.targetType === "redirect" && customUrl.toPath) {
+      return c.redirect(customUrl.toPath, customUrl.redirectType ?? 301);
     }
 
     await next();
@@ -228,25 +358,25 @@ export function createApp(): App {
 
   // API Routes
   app.route("/api/posts", postsApiRoutes);
-  app.route("/api/pages", pagesApiRoutes);
   app.route("/api/nav-items", navItemsApiRoutes);
   app.route("/api/collections", collectionsApiRoutes);
   app.route("/api/settings", settingsApiRoutes);
+  app.route("/api/custom-urls", customUrlsApiRoutes);
+  app.route("/api/export", exportApiRoutes);
 
   // Auth routes
   app.route("/", setupRoutes);
   app.route("/", signinRoutes);
   app.route("/", resetRoutes);
 
-  // Dashboard routes (protected)
-  app.use("/dash/*", requireAuth());
-  app.route("/dash", dashIndexRoutes);
-  app.route("/dash/posts", dashPostsRoutes);
-  app.route("/dash/pages", dashPagesRoutes);
-  app.route("/dash/media", dashMediaRoutes);
-  app.route("/dash/settings", dashSettingsRoutes);
-  app.route("/dash/settings/redirects", dashRedirectsRoutes);
-  // Protected API routes
+  // Settings routes (protected)
+  app.use("/settings/*", requireAuth());
+  app.use("/settings", requireAuth());
+  app.route("/settings/custom-urls", customUrlsRoutes);
+  app.route("/settings", settingsRoutes);
+
+  // Protected API routes (multipart must be registered before base upload)
+  app.route("/api/upload/multipart", multipartUploadApiRoutes);
   app.route("/api/upload", uploadApiRoutes);
   app.route("/api/search", searchApiRoutes);
 
@@ -259,12 +389,12 @@ export function createApp(): App {
 
   // Frontend routes
   app.route("/search", searchRoutes);
+  app.route("/", newPostRoutes);
   app.route("/archive", archiveRoutes);
   app.route("/featured", featuredRoutes);
   app.route("/latest", latestRoutes);
   app.route("/c", collectionsPageRoutes);
   app.route("/c", collectionRoutes);
-  app.route("/p", postRoutes);
   app.route("/", homeRoutes);
 
   // Custom page catch-all (must be last)

package/src/auth.ts

@@ -2,7 +2,7 @@
  * Authentication with better-auth
  */
 
-import { betterAuth } from "better-auth";
+import { betterAuth, APIError } from "better-auth";
 import { drizzleAdapter } from "better-auth/adapters/drizzle";
 import { drizzle } from "drizzle-orm/d1";
 import * as schema from "./db/schema.js";
@@ -34,12 +34,30 @@ export function createAuth(
       minPasswordLength: 8,
     },
     session: {
-      expiresIn: 3600 * 24 * 366, // 366 days
+      expiresIn: 3600 * 24 * 30, // 30 days
       cookieCache: {
         enabled: true,
         maxAge: 60 * 5, // 5 minutes
       },
     },
+    databaseHooks: {
+      user: {
+        create: {
+          before: async (userData) => {
+            const existing = await db
+              .select({ id: schema.user.id })
+              .from(schema.user)
+              .limit(1);
+            if (existing.length > 0) {
+              throw new APIError("FORBIDDEN", {
+                message: "Registration is closed.",
+              });
+            }
+            return { data: { ...userData, role: "admin" } };
+          },
+        },
+      },
+    },
   });
 }