npm - @jant/core - Versions diffs - 0.3.36 → 0.3.38 - Mend

@jant/core 0.3.36 → 0.3.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (271) hide show

package/bin/commands/export.js +1 -1
package/bin/commands/import-site.js +529 -0
package/bin/commands/reset-password.js +3 -2
package/dist/client/assets/heic-to-DIRPI3VF.js +1 -0
package/dist/client/assets/url-FWFqPJPb.js +1 -0
package/dist/client/client.css +1 -1
package/dist/client/client.js +4012 -3276
package/dist/index.js +10285 -5809
package/package.json +11 -3
package/src/__tests__/helpers/app.ts +9 -9
package/src/__tests__/helpers/db.ts +91 -93
package/src/app.tsx +157 -27
package/src/auth.ts +20 -2
package/src/client/archive-nav.js +187 -0
package/src/client/audio-player.ts +478 -0
package/src/client/audio-processor.ts +84 -0
package/src/client/avatar-upload.ts +3 -2
package/src/client/components/__tests__/jant-compose-dialog.test.ts +645 -49
package/src/client/components/__tests__/jant-compose-editor.test.ts +208 -16
package/src/client/components/__tests__/jant-post-form.test.ts +19 -9
package/src/client/components/__tests__/jant-settings-avatar.test.ts +2 -2
package/src/client/components/__tests__/jant-settings-general.test.ts +3 -3
package/src/client/components/collection-sidebar-types.ts +7 -9
package/src/client/components/compose-types.ts +101 -4
package/src/client/components/jant-collection-form.ts +43 -7
package/src/client/components/jant-collection-sidebar.ts +88 -84
package/src/client/components/jant-compose-dialog.ts +1655 -219
package/src/client/components/jant-compose-editor.ts +732 -168
package/src/client/components/jant-compose-fullscreen.ts +23 -78
package/src/client/components/jant-media-lightbox.ts +2 -0
package/src/client/components/jant-nav-manager.ts +24 -284
package/src/client/components/jant-post-form.ts +89 -9
package/src/client/components/jant-post-menu.ts +1019 -0
package/src/client/components/jant-settings-avatar.ts +3 -3
package/src/client/components/jant-settings-general.ts +38 -4
package/src/client/components/jant-text-preview.ts +232 -0
package/src/client/components/nav-manager-types.ts +4 -19
package/src/client/components/post-form-template.ts +107 -12
package/src/client/components/post-form-types.ts +11 -4
package/src/client/compose-bridge.ts +410 -109
package/src/client/image-processor.ts +26 -8
package/src/client/media-metadata.ts +247 -0
package/src/client/multipart-upload.ts +160 -0
package/src/client/post-form-bridge.ts +52 -1
package/src/client/settings-bridge.ts +0 -12
package/src/client/thread-context.ts +140 -0
package/src/client/tiptap/create-editor.ts +46 -0
package/src/client/tiptap/extensions.ts +5 -0
package/src/client/tiptap/image-node.ts +2 -8
package/src/client/tiptap/paste-image.ts +2 -13
package/src/client/tiptap/slash-commands.ts +173 -63
package/src/client/toast.ts +101 -3
package/src/client/types/sortablejs.d.ts +15 -0
package/src/client/upload-with-metadata.ts +54 -0
package/src/client/video-processor.ts +207 -0
package/src/client.ts +5 -2
package/src/db/__tests__/migrations.test.ts +118 -0
package/src/db/index.ts +52 -0
package/src/db/migrations/0000_baseline.sql +269 -0
package/src/db/migrations/0001_fts_setup.sql +31 -0
package/src/db/migrations/meta/0000_snapshot.json +703 -119
package/src/db/migrations/meta/0001_snapshot.json +1337 -0
package/src/db/migrations/meta/_journal.json +4 -39
package/src/db/schema.ts +409 -145
package/src/i18n/__tests__/detect.test.ts +115 -0
package/src/i18n/context.tsx +2 -2
package/src/i18n/detect.ts +85 -1
package/src/i18n/i18n.ts +1 -1
package/src/i18n/index.ts +2 -1
package/src/i18n/locales/en.po +487 -1217
package/src/i18n/locales/en.ts +1 -1
package/src/i18n/locales/zh-Hans.po +613 -996
package/src/i18n/locales/zh-Hans.ts +1 -1
package/src/i18n/locales/zh-Hant.po +624 -1007
package/src/i18n/locales/zh-Hant.ts +1 -1
package/src/i18n/middleware.ts +6 -0
package/src/index.ts +5 -7
package/src/lib/__tests__/blurhash-placeholder.test.ts +75 -0
package/src/lib/__tests__/constants.test.ts +0 -1
package/src/lib/__tests__/markdown-to-tiptap.test.ts +358 -0
package/src/lib/__tests__/nanoid.test.ts +26 -0
package/src/lib/__tests__/schemas.test.ts +181 -63
package/src/lib/__tests__/slug.test.ts +126 -0
package/src/lib/__tests__/sse.test.ts +6 -6
package/src/lib/__tests__/summary.test.ts +264 -0
package/src/lib/__tests__/theme.test.ts +1 -1
package/src/lib/__tests__/timeline.test.ts +33 -30
package/src/lib/__tests__/tiptap-to-markdown.test.ts +346 -0
package/src/lib/__tests__/view.test.ts +141 -66
package/src/lib/blurhash-placeholder.ts +102 -0
package/src/lib/constants.ts +3 -1
package/src/lib/emoji-catalog.ts +885 -68
package/src/lib/errors.ts +11 -8
package/src/lib/feed.ts +78 -32
package/src/lib/html.ts +2 -1
package/src/lib/icon-catalog.ts +5033 -1
package/src/lib/icons.ts +3 -2
package/src/lib/index.ts +0 -1
package/src/lib/markdown-to-tiptap.ts +286 -0
package/src/lib/media-helpers.ts +12 -3
package/src/lib/nanoid.ts +29 -0
package/src/lib/navigation.ts +1 -1
package/src/lib/render.tsx +20 -2
package/src/lib/resolve-config.ts +6 -2
package/src/lib/schemas.ts +224 -55
package/src/lib/search-snippet.ts +34 -0
package/src/lib/slug.ts +96 -0
package/src/lib/sse.ts +6 -6
package/src/lib/storage.ts +115 -7
package/src/lib/summary.ts +66 -0
package/src/lib/theme.ts +11 -8
package/src/lib/timeline.ts +74 -34
package/src/lib/tiptap-render.ts +5 -10
package/src/lib/tiptap-to-markdown.ts +305 -0
package/src/lib/upload.ts +190 -29
package/src/lib/url.ts +31 -0
package/src/lib/view.ts +204 -37
package/src/middleware/__tests__/auth.test.ts +191 -11
package/src/middleware/__tests__/onboarding.test.ts +12 -10
package/src/middleware/auth.ts +63 -9
package/src/middleware/onboarding.ts +1 -1
package/src/middleware/secure-headers.ts +40 -0
package/src/preset.css +45 -2
package/src/routes/__tests__/compose.test.ts +17 -24
package/src/routes/api/__tests__/collections.test.ts +109 -61
package/src/routes/api/__tests__/nav-items.test.ts +46 -29
package/src/routes/api/__tests__/posts.test.ts +132 -68
package/src/routes/api/__tests__/search.test.ts +15 -2
package/src/routes/api/__tests__/upload-multipart.test.ts +534 -0
package/src/routes/api/collections.ts +51 -42
package/src/routes/api/custom-urls.ts +80 -0
package/src/routes/api/export.ts +31 -0
package/src/routes/api/nav-items.ts +23 -19
package/src/routes/api/posts.ts +43 -39
package/src/routes/api/search.ts +3 -4
package/src/routes/api/upload-multipart.ts +245 -0
package/src/routes/api/upload.ts +85 -19
package/src/routes/auth/__tests__/setup.test.ts +20 -60
package/src/routes/auth/setup.tsx +26 -33
package/src/routes/auth/signin.tsx +3 -7
package/src/routes/compose.tsx +10 -55
package/src/routes/dash/__tests__/settings-avatar.test.ts +1 -1
package/src/routes/dash/custom-urls.tsx +414 -0
package/src/routes/dash/settings.tsx +304 -232
package/src/routes/feed/__tests__/rss.test.ts +27 -28
package/src/routes/feed/rss.ts +6 -4
package/src/routes/feed/sitemap.ts +2 -12
package/src/routes/pages/__tests__/collections.test.ts +5 -6
package/src/routes/pages/__tests__/featured.test.ts +41 -22
package/src/routes/pages/archive.tsx +175 -39
package/src/routes/pages/collection.tsx +22 -10
package/src/routes/pages/collections.tsx +3 -3
package/src/routes/pages/featured.tsx +28 -4
package/src/routes/pages/home.tsx +16 -15
package/src/routes/pages/latest.tsx +1 -11
package/src/routes/pages/new.tsx +39 -0
package/src/routes/pages/page.tsx +95 -49
package/src/routes/pages/search.tsx +1 -1
package/src/services/__tests__/api-token.test.ts +135 -0
package/src/services/__tests__/collection.test.ts +275 -227
package/src/services/__tests__/custom-url.test.ts +213 -0
package/src/services/__tests__/media.test.ts +162 -22
package/src/services/__tests__/navigation.test.ts +109 -68
package/src/services/__tests__/post-timeline.test.ts +205 -32
package/src/services/__tests__/post.test.ts +713 -234
package/src/services/__tests__/search.test.ts +67 -10
package/src/services/api-token.ts +166 -0
package/src/services/auth.ts +17 -2
package/src/services/collection.ts +397 -131
package/src/services/custom-url.ts +188 -0
package/src/services/export.ts +802 -0
package/src/services/index.ts +26 -19
package/src/services/media.ts +100 -22
package/src/services/navigation.ts +158 -47
package/src/services/path.ts +339 -0
package/src/services/post.ts +687 -154
package/src/services/search.ts +160 -75
package/src/styles/components.css +58 -7
package/src/styles/tokens.css +84 -6
package/src/styles/ui.css +2964 -457
package/src/types/bindings.ts +4 -1
package/src/types/config.ts +12 -4
package/src/types/constants.ts +15 -3
package/src/types/entities.ts +74 -35
package/src/types/operations.ts +11 -24
package/src/types/props.ts +51 -16
package/src/types/views.ts +45 -22
package/src/ui/color-themes.ts +133 -23
package/src/ui/compose/ComposeDialog.tsx +239 -17
package/src/ui/compose/ComposePrompt.tsx +1 -1
package/src/ui/dash/CrudPageHeader.tsx +1 -1
package/src/ui/dash/ListItemRow.tsx +1 -1
package/src/ui/dash/StatusBadge.tsx +3 -1
package/src/ui/dash/appearance/AdvancedContent.tsx +22 -1
package/src/ui/dash/appearance/ColorThemeContent.tsx +22 -2
package/src/ui/dash/appearance/FontThemeContent.tsx +1 -1
package/src/ui/dash/appearance/NavigationContent.tsx +5 -45
package/src/ui/dash/index.ts +0 -3
package/src/ui/dash/settings/AccountContent.tsx +3 -57
package/src/ui/dash/settings/AccountMenuContent.tsx +147 -0
package/src/ui/dash/settings/ApiTokensContent.tsx +232 -0
package/src/ui/dash/settings/AvatarContent.tsx +8 -0
package/src/ui/dash/settings/SessionsContent.tsx +159 -0
package/src/ui/dash/settings/SettingsRootContent.tsx +45 -15
package/src/ui/feed/LinkCard.tsx +89 -40
package/src/ui/feed/NoteCard.tsx +39 -25
package/src/ui/feed/PostStatusBadges.tsx +67 -0
package/src/ui/feed/QuoteCard.tsx +38 -23
package/src/ui/feed/ThreadPreview.tsx +90 -26
package/src/ui/feed/TimelineFeed.tsx +3 -2
package/src/ui/feed/TimelineItem.tsx +15 -6
package/src/ui/feed/__tests__/thread-preview.test.ts +107 -0
package/src/ui/feed/thread-preview-state.ts +61 -0
package/src/ui/font-themes.ts +2 -2
package/src/ui/layouts/BaseLayout.tsx +2 -2
package/src/ui/layouts/SiteLayout.tsx +105 -92
package/src/ui/pages/ArchivePage.tsx +923 -98
package/src/ui/pages/ComposePage.tsx +54 -0
package/src/ui/pages/PostPage.tsx +30 -45
package/src/ui/pages/SearchPage.tsx +181 -37
package/src/ui/shared/AdminBreadcrumb.tsx +29 -0
package/src/ui/shared/CollectionsSidebar.tsx +47 -37
package/src/ui/shared/MediaGallery.tsx +445 -149
package/src/ui/shared/PostFooter.tsx +204 -0
package/src/ui/shared/StarRating.tsx +27 -0
package/src/ui/shared/__tests__/format-chars.test.ts +35 -0
package/src/ui/shared/index.ts +0 -1
package/dist/client/assets/url-8Dj-5CLW.js +0 -1
package/src/client/media-upload.ts +0 -161
package/src/client/page-slug-bridge.ts +0 -42
package/src/db/migrations/0000_square_wallflower.sql +0 -118
package/src/db/migrations/0001_add_search_fts.sql +0 -34
package/src/db/migrations/0002_add_media_attachments.sql +0 -3
package/src/db/migrations/0003_add_navigation_links.sql +0 -8
package/src/db/migrations/0004_add_storage_provider.sql +0 -3
package/src/db/migrations/0005_v2_schema_migration.sql +0 -268
package/src/db/migrations/0006_rename_slug_to_path.sql +0 -5
package/src/db/migrations/0007_post_collections_m2m.sql +0 -94
package/src/db/migrations/0008_add_collection_dividers.sql +0 -8
package/src/db/migrations/0009_drop_collection_show_divider.sql +0 -2
package/src/db/migrations/0010_add_performance_indexes.sql +0 -16
package/src/db/migrations/0011_add_path_registry.sql +0 -23
package/src/db/migrations/0012_add_tiptap_columns.sql +0 -2
package/src/db/migrations/0013_replace_featured_with_visibility.sql +0 -8
package/src/db/migrations/meta/0003_snapshot.json +0 -821
package/src/lib/__tests__/sqid.test.ts +0 -65
package/src/lib/sqid.ts +0 -79
package/src/routes/api/__tests__/pages.test.ts +0 -218
package/src/routes/api/pages.ts +0 -73
package/src/routes/dash/__tests__/pages.test.ts +0 -226
package/src/routes/dash/index.tsx +0 -109
package/src/routes/dash/media.tsx +0 -135
package/src/routes/dash/pages.tsx +0 -245
package/src/routes/dash/posts.tsx +0 -338
package/src/routes/dash/redirects.tsx +0 -263
package/src/routes/pages/post.tsx +0 -59
package/src/services/__tests__/page.test.ts +0 -298
package/src/services/__tests__/path-registry.test.ts +0 -165
package/src/services/__tests__/redirect.test.ts +0 -159
package/src/services/page.ts +0 -216
package/src/services/path-registry.ts +0 -160
package/src/services/redirect.ts +0 -97
package/src/ui/dash/PageForm.tsx +0 -187
package/src/ui/dash/PostList.tsx +0 -95
package/src/ui/dash/media/MediaListContent.tsx +0 -206
package/src/ui/dash/media/ViewMediaContent.tsx +0 -208
package/src/ui/dash/pages/PagesContent.tsx +0 -75
package/src/ui/dash/posts/PostForm.tsx +0 -260
package/src/ui/layouts/DashLayout.tsx +0 -247
package/src/ui/pages/SinglePage.tsx +0 -23
package/src/ui/shared/ThreadView.tsx +0 -136

package/src/services/__tests__/search.test.ts CHANGED Viewed

@@ -2,10 +2,22 @@ import { describe, it, expect, beforeEach } from "vitest";
 import { createTestDatabase } from "../../__tests__/helpers/db.js";
 import { createSearchService } from "../search.js";
 import { createPostService } from "../post.js";
-import { createPathRegistryService } from "../path-registry.js";
 import type { Database } from "../../db/index.js";
 import type BetterSqlite3 from "better-sqlite3";
+/** Wraps plain text in a minimal valid TipTap JSON document. */
+function tiptapDoc(text: string): string {
+  return JSON.stringify({
+    type: "doc",
+    content: [
+      {
+        type: "paragraph",
+        content: [{ type: "text", text }],
+      },
+    ],
+  });
+}
 describe("SearchService", () => {
   let db: Database;
   let sqlite: BetterSqlite3.Database;
@@ -34,7 +46,7 @@ describe("SearchService", () => {
     const testDb = createTestDatabase({ fts: true });
     db = testDb.db as unknown as Database;
     sqlite = testDb.sqlite;
-    postService = createPostService(db, createPathRegistryService(db));
+    postService = createPostService(db, { slugIdLength: 5 });
   });
   it("returns empty results for empty query", async () => {
@@ -56,11 +68,11 @@ describe("SearchService", () => {
   it("finds posts by content", async () => {
     await postService.create({
       format: "note",
-      body: "Hello world from jant",
+      body: tiptapDoc("Hello world from jant"),
     });
     await postService.create({
       format: "note",
-      body: "Another post entirely",
+      body: tiptapDoc("Another post entirely"),
     });
     const d1 = createMockD1(sqlite);
@@ -68,14 +80,14 @@ describe("SearchService", () => {
     const results = await searchService.search("jant");
     expect(results.length).toBeGreaterThanOrEqual(1);
-    expect(results[0]?.post.body).toContain("jant");
+    expect(results[0]?.post.bodyText).toContain("jant");
   });
   it("finds posts by title", async () => {
     await postService.create({
       format: "note",
       title: "Introduction to TypeScript",
-      body: "Some article body",
+      body: tiptapDoc("Some article body"),
     });
     const d1 = createMockD1(sqlite);
@@ -89,11 +101,11 @@ describe("SearchService", () => {
   it("respects status filter", async () => {
     await postService.create({
       format: "note",
-      body: "published post about testing",
+      body: tiptapDoc("published post about testing"),
     });
     await postService.create({
       format: "note",
-      body: "draft post about testing",
+      body: tiptapDoc("draft post about testing"),
       status: "draft",
     });
@@ -110,7 +122,7 @@ describe("SearchService", () => {
   it("excludes deleted posts", async () => {
     const post = await postService.create({
       format: "note",
-      body: "deleted post with unique search term xyzzy",
+      body: tiptapDoc("deleted post with unique search term xyzzy"),
     });
     await postService.delete(post.id);
@@ -125,7 +137,7 @@ describe("SearchService", () => {
     for (let i = 0; i < 5; i++) {
       await postService.create({
         format: "note",
-        body: `searchable post number ${i}`,
+        body: tiptapDoc(`searchable post number ${i}`),
       });
     }
@@ -135,4 +147,49 @@ describe("SearchService", () => {
     const limited = await searchService.search("searchable", { limit: 2 });
     expect(limited.length).toBeLessThanOrEqual(2);
   });
+  it("finds link posts by URL", async () => {
+    await postService.create({
+      format: "link",
+      title: "Example Site",
+      url: "https://example.com/article",
+    });
+    const d1 = createMockD1(sqlite);
+    const searchService = createSearchService(d1);
+    const results = await searchService.search("example.com");
+    expect(results.length).toBeGreaterThanOrEqual(1);
+    expect(results[0]?.post.url).toContain("example.com");
+  });
+  it("finds posts with short queries (< 3 chars) via LIKE fallback", async () => {
+    await postService.create({
+      format: "note",
+      body: tiptapDoc("自由软件"),
+    });
+    const d1 = createMockD1(sqlite);
+    const searchService = createSearchService(d1);
+    // "自由" is 2 Chinese characters — below trigram minimum, uses LIKE
+    const results = await searchService.search("自由");
+    expect(results.length).toBeGreaterThanOrEqual(1);
+    // LIKE fallback returns no snippet
+    expect(results[0]?.snippet).toBeUndefined();
+  });
+  it("does not match TipTap JSON structural tokens", async () => {
+    await postService.create({
+      format: "note",
+      body: tiptapDoc("Hello world"),
+    });
+    const d1 = createMockD1(sqlite);
+    const searchService = createSearchService(d1);
+    // "paragraph" is a JSON key in TipTap but not user content
+    const results = await searchService.search("paragraph");
+    expect(results).toHaveLength(0);
+  });
 });

package/src/services/api-token.ts ADDED Viewed

@@ -0,0 +1,166 @@
+/**
+ * API Token Service
+ *
+ * Manages long-lived Bearer tokens for programmatic API access.
+ * Tokens are stored as SHA-256 hashes — the plaintext is shown only once at creation.
+ */
+import { eq } from "drizzle-orm";
+import { uuidv7 } from "uuidv7";
+import type { Database } from "../db/index.js";
+import { apiTokens } from "../db/schema.js";
+import { now } from "../lib/time.js";
+import type { ApiToken } from "../types/entities.js";
+const TOKEN_PREFIX = "jnt_";
+export interface ApiTokenService {
+  /**
+   * Creates a new API token.
+   *
+   * @param name - User-assigned label for the token
+   * @returns The created token metadata and the plaintext (shown only once)
+   *
+   * @example
+   * ```ts
+   * const { token, plaintext } = await apiTokens.create("iOS Shortcuts");
+   * // plaintext: "jnt_a1b2c3d4..." — display once, never stored
+   * ```
+   */
+  create(name: string): Promise<{ token: ApiToken; plaintext: string }>;
+  /**
+   * Lists all active API tokens (without hashes).
+   *
+   * @returns Array of tokens sorted by creation date (newest first)
+   */
+  list(): Promise<ApiToken[]>;
+  /**
+   * Deletes an API token by ID.
+   *
+   * @param id - Token ID (UUIDv7)
+   * @returns `true` if a token was deleted, `false` if not found
+   */
+  delete(id: string): Promise<boolean>;
+  /**
+   * Verifies a raw Bearer token against stored hashes.
+   *
+   * @param rawToken - The full token string (e.g. "jnt_a1b2c3d4...")
+   * @returns The token ID if valid, `null` if invalid or not found
+   */
+  verify(rawToken: string): Promise<string | null>;
+  /**
+   * Updates the last-used timestamp for a token.
+   * Intended to be called fire-and-forget after successful verification.
+   *
+   * @param id - Token ID (UUIDv7)
+   */
+  updateLastUsed(id: string): Promise<void>;
+}
+/**
+ * Hashes a raw token string using SHA-256.
+ *
+ * @param raw - The raw token bytes as a hex string (without prefix)
+ * @returns Hex-encoded SHA-256 hash
+ */
+async function hashToken(raw: string): Promise<string> {
+  const encoded = new TextEncoder().encode(raw);
+  const digest = await crypto.subtle.digest("SHA-256", encoded);
+  return Array.from(new Uint8Array(digest))
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("");
+}
+/**
+ * Generates cryptographically random hex bytes.
+ *
+ * @param byteCount - Number of random bytes
+ * @returns Hex string of the random bytes
+ */
+function randomHex(byteCount: number): string {
+  const bytes = new Uint8Array(byteCount);
+  crypto.getRandomValues(bytes);
+  return Array.from(bytes)
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("");
+}
+function toApiToken(row: typeof apiTokens.$inferSelect): ApiToken {
+  return {
+    id: row.id,
+    name: row.name,
+    prefix: row.prefix,
+    lastUsedAt: row.lastUsedAt,
+    createdAt: row.createdAt,
+    updatedAt: row.updatedAt,
+  };
+}
+export function createApiTokenService(db: Database): ApiTokenService {
+  return {
+    async create(name: string) {
+      const id = uuidv7();
+      const timestamp = now();
+      const hex = randomHex(32); // 64 hex chars
+      const plaintext = `${TOKEN_PREFIX}${hex}`;
+      const tokenHash = await hashToken(plaintext);
+      const prefix = hex.slice(0, 8);
+      const result = await db
+        .insert(apiTokens)
+        .values({
+          id,
+          name,
+          tokenHash,
+          prefix,
+          lastUsedAt: null,
+          createdAt: timestamp,
+          updatedAt: timestamp,
+        })
+        .returning();
+      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion -- DB insert with .returning() always returns
+      return { token: toApiToken(result[0]!), plaintext };
+    },
+    async list() {
+      const rows = await db
+        .select()
+        .from(apiTokens)
+        .orderBy(apiTokens.createdAt);
+      return rows.map(toApiToken);
+    },
+    async delete(id: string) {
+      const result = await db
+        .delete(apiTokens)
+        .where(eq(apiTokens.id, id))
+        .returning();
+      return result.length > 0;
+    },
+    async verify(rawToken: string) {
+      if (!rawToken.startsWith(TOKEN_PREFIX)) return null;
+      const tokenHash = await hashToken(rawToken);
+      const rows = await db
+        .select({ id: apiTokens.id })
+        .from(apiTokens)
+        .where(eq(apiTokens.tokenHash, tokenHash))
+        .limit(1);
+      return rows[0]?.id ?? null;
+    },
+    async updateLastUsed(id: string) {
+      await db
+        .update(apiTokens)
+        .set({ lastUsedAt: now(), updatedAt: now() })
+        .where(eq(apiTokens.id, id));
+    },
+  };
+}

package/src/services/auth.ts CHANGED Viewed

@@ -45,11 +45,26 @@ export function createAuthService(
     if (!stored) return false;
     const separatorIndex = stored.lastIndexOf(":");
-    const storedToken = stored.substring(0, separatorIndex);
+    const storedHash = stored.substring(0, separatorIndex);
     const expiry = parseInt(stored.substring(separatorIndex + 1), 10);
     const now = Math.floor(Date.now() / 1000);
-    return token === storedToken && now <= expiry;
+    if (now > expiry) return false;
+    const hashBuffer = await crypto.subtle.digest(
+      "SHA-256",
+      new TextEncoder().encode(token),
+    );
+    const tokenHash = Array.from(new Uint8Array(hashBuffer))
+      .map((b) => b.toString(16).padStart(2, "0"))
+      .join("");
+    const encoder = new TextEncoder();
+    const a = encoder.encode(tokenHash);
+    const b = encoder.encode(storedHash);
+    if (a.byteLength !== b.byteLength) return false;
+    return crypto.subtle.timingSafeEqual(a, b);
   }
   return {