@jant/core 0.3.42 → 0.3.43

package/src/middleware/__tests__/auth.test.ts

@@ -7,6 +7,7 @@ import {
   isLocalHostname,
   hasValidLocalDevToken,
 } from "../auth.js";
+import { attachSession } from "../session.js";
 import { errorHandler } from "../error-handler.js";
 import { DEFAULT_APP_PORT } from "../../lib/env.js";
 import type { Bindings } from "../../types.js";
@@ -135,6 +136,7 @@ describe("requireAuth", () => {
       } as AppVariables["services"]);
       await next();
     });
+    app.use("*", attachSession());
     app.get("/settings", requireAuth(), (c) => c.text("Settings"));
 
     const res = await app.request("/settings");
@@ -142,7 +144,7 @@ describe("requireAuth", () => {
     expect(await res.text()).toBe("Settings");
   });
 
-  it("redirects unauthenticated requests to /signin", async () => {
+  it("redirects unauthenticated requests to /signin with the original path", async () => {
     const app = createTestHonoApp();
     app.use("*", async (c, next) => {
       c.set("auth", createMockAuth(false));
@@ -151,14 +153,38 @@ describe("requireAuth", () => {
       } as AppVariables["services"]);
       await next();
     });
+    app.use("*", attachSession());
+    app.get("/settings/general", requireAuth(), (c) => c.text("Settings"));
+
+    const res = await app.request("/settings/general", { redirect: "manual" });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("Location")).toBe(
+      "/signin?redirect=%2Fsettings%2Fgeneral",
+    );
+  });
+
+  it("preserves query string when redirecting to /signin", async () => {
+    const app = createTestHonoApp();
+    app.use("*", async (c, next) => {
+      c.set("auth", createMockAuth(false));
+      c.set("services", {
+        siteMembers: createMockSiteMembers(),
+      } as AppVariables["services"]);
+      await next();
+    });
+    app.use("*", attachSession());
     app.get("/settings", requireAuth(), (c) => c.text("Settings"));
 
-    const res = await app.request("/settings", { redirect: "manual" });
+    const res = await app.request("/settings?tab=profile", {
+      redirect: "manual",
+    });
     expect(res.status).toBe(302);
-    expect(res.headers.get("Location")).toBe("/signin");
+    expect(res.headers.get("Location")).toBe(
+      "/signin?redirect=%2Fsettings%3Ftab%3Dprofile",
+    );
   });
 
-  it("redirects to custom path", async () => {
+  it("does not add a redirect query when requireAuth targets a custom path", async () => {
     const app = createTestHonoApp();
     app.use("*", async (c, next) => {
       c.set("auth", createMockAuth(false));
@@ -167,6 +193,7 @@ describe("requireAuth", () => {
       } as AppVariables["services"]);
       await next();
     });
+    app.use("*", attachSession());
     app.get("/settings", requireAuth("/login"), (c) => c.text("Settings"));
 
     const res = await app.request("/settings", { redirect: "manual" });
@@ -187,6 +214,7 @@ describe("requireAuthApi", () => {
       } as AppVariables["services"]);
       await next();
     });
+    app.use("*", attachSession());
     app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
 
     const res = await app.request("/api/data");
@@ -207,6 +235,7 @@ describe("requireAuthApi", () => {
       } as AppVariables["services"]);
       await next();
     });
+    app.use("*", attachSession());
     app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
 
     const res = await app.request("/api/data");
@@ -234,6 +263,7 @@ describe("requireAuthApi", () => {
       } as AppVariables["services"]);
       await next();
     });
+    app.use("*", attachSession());
     app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
 
     const res = await app.request("/api/data");
@@ -254,6 +284,7 @@ describe("requireAuthApi", () => {
       } as AppVariables["services"]);
       await next();
     });
+    app.use("*", attachSession());
     app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
 
     const res = await app.request("/api/data", {
@@ -281,6 +312,7 @@ describe("requireAuthApi", () => {
       } as AppVariables["services"]);
       await next();
     });
+    app.use("*", attachSession());
     app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
 
     const res = await app.request("/api/data", {
@@ -304,6 +336,7 @@ describe("requireAuthApi", () => {
       } as AppVariables["services"]);
       await next();
     });
+    app.use("*", attachSession());
     app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
 
     const res = await app.request("/api/data", {
@@ -330,6 +363,7 @@ describe("requireAuthApi", () => {
       } as AppVariables["services"]);
       await next();
     });
+    app.use("*", attachSession());
     app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
 
     const res = await app.request(LOCAL_API_URL, {
@@ -356,6 +390,7 @@ describe("requireAuthApi", () => {
       } as AppVariables["services"]);
       await next();
     });
+    app.use("*", attachSession());
     app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
 
     const res = await app.request("https://myblog.com/api/data", {
@@ -382,6 +417,7 @@ describe("requireAuthApi", () => {
       } as AppVariables["services"]);
       await next();
     });
+    app.use("*", attachSession());
     app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
 
     const res = await app.request("https://jant.localtest.me/api/data", {
@@ -410,6 +446,7 @@ describe("requireAuthApi", () => {
       } as AppVariables["services"]);
       await next();
     });
+    app.use("*", attachSession());
     app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
 
     const res = await app.request("https://jant.me/api/data", {
@@ -436,6 +473,7 @@ describe("requireInternalAdminApi", () => {
       } as AppVariables["services"]);
       await next();
     });
+    app.use("*", attachSession());
     app.post("/api/internal/demo", requireInternalAdminApi(), (c) =>
       c.json({ ok: true }),
     );
@@ -459,6 +497,7 @@ describe("requireInternalAdminApi", () => {
       } as AppVariables["services"]);
       await next();
     });
+    app.use("*", attachSession());
     app.post("/api/internal/demo", requireInternalAdminApi(), (c) =>
       c.json({ ok: true }),
     );
@@ -485,6 +524,7 @@ describe("requireInternalAdminApi", () => {
       } as AppVariables["services"]);
       await next();
     });
+    app.use("*", attachSession());
     app.post("/api/internal/demo", requireInternalAdminApi(), (c) =>
       c.json({ ok: true }),
     );

package/src/middleware/__tests__/rate-limit.test.ts

@@ -0,0 +1,113 @@
+import { describe, it, expect } from "vitest";
+import { Hono } from "hono";
+import { rateLimit } from "../rate-limit.js";
+import type { RateLimiter } from "../../lib/rate-limit.js";
+import type { Bindings } from "../../types.js";
+import type { AppVariables } from "../../types/app-context.js";
+
+type Env = { Bindings: Bindings; Variables: AppVariables };
+
+/**
+ * Build a tiny Hono app that seeds just the slice of `c.var` the
+ * rate-limit middleware reads — keeps the blast radius of each test
+ * minimal and independent of the full `createTestApp` fixture.
+ */
+function buildApp(options: {
+  limiter: RateLimiter;
+  disabled?: boolean;
+}): Hono<Env> {
+  const app = new Hono<Env>();
+  app.use("*", async (c, next) => {
+    c.set("rateLimiter", options.limiter);
+    c.set("appConfig", {
+      rateLimit: {
+        disabled: options.disabled ?? false,
+        searchPerMinute: 30,
+      },
+    } as AppVariables["appConfig"]);
+    await next();
+  });
+  app.use("*", rateLimit({ name: "test", limit: 2, windowSec: 60 }));
+  app.get("/", (c) => c.text("ok"));
+  return app;
+}
+
+/** Fake limiter that lets us script results without real timing. */
+function scriptedLimiter(
+  outcomes: Array<{ ok: boolean; retryAfterSec?: number }>,
+) {
+  const keys: string[] = [];
+  let i = 0;
+  const limiter: RateLimiter = {
+    async check(key) {
+      keys.push(key);
+      const out = outcomes[i++] ?? { ok: true };
+      return out;
+    },
+  };
+  return { limiter, keys: () => keys };
+}
+
+describe("rateLimit middleware", () => {
+  it("passes the request through when under limit", async () => {
+    const { limiter } = scriptedLimiter([{ ok: true }]);
+    const app = buildApp({ limiter });
+
+    const res = await app.request("/");
+    expect(res.status).toBe(200);
+    expect(await res.text()).toBe("ok");
+  });
+
+  it("responds 429 with Retry-After when the limiter rejects", async () => {
+    const { limiter } = scriptedLimiter([{ ok: false, retryAfterSec: 42 }]);
+    const app = buildApp({ limiter });
+
+    const res = await app.request("/");
+    expect(res.status).toBe(429);
+    expect(res.headers.get("retry-after")).toBe("42");
+    expect(await res.json()).toEqual({
+      error: "Too many requests. Please slow down.",
+    });
+  });
+
+  it("falls back to the window size when retryAfterSec is missing", async () => {
+    const { limiter } = scriptedLimiter([{ ok: false }]);
+    const app = buildApp({ limiter });
+
+    const res = await app.request("/");
+    expect(res.headers.get("retry-after")).toBe("60");
+  });
+
+  it("short-circuits when rateLimit.disabled is true", async () => {
+    const { limiter, keys } = scriptedLimiter([{ ok: false }]);
+    const app = buildApp({ limiter, disabled: true });
+
+    const res = await app.request("/");
+    expect(res.status).toBe(200);
+    // Limiter should not have been consulted at all when disabled.
+    expect(keys()).toEqual([]);
+  });
+
+  it("prefers cf-connecting-ip over x-forwarded-for for the bucket key", async () => {
+    const { limiter, keys } = scriptedLimiter([{ ok: true }]);
+    const app = buildApp({ limiter });
+
+    await app.request("/", {
+      headers: {
+        "cf-connecting-ip": "1.2.3.4",
+        "x-forwarded-for": "5.6.7.8",
+      },
+    });
+    expect(keys()).toEqual(["test:1.2.3.4"]);
+  });
+
+  it("falls back to x-forwarded-for (first entry) when cf header is absent", async () => {
+    const { limiter, keys } = scriptedLimiter([{ ok: true }]);
+    const app = buildApp({ limiter });
+
+    await app.request("/", {
+      headers: { "x-forwarded-for": "10.0.0.1, 10.0.0.2" },
+    });
+    expect(keys()).toEqual(["test:10.0.0.1"]);
+  });
+});

package/src/middleware/__tests__/session.test.ts

@@ -0,0 +1,85 @@
+import { describe, it, expect } from "vitest";
+import { Hono } from "hono";
+import { attachSession } from "../session.js";
+import type { Bindings } from "../../types.js";
+import type { AppVariables } from "../../types/app-context.js";
+
+type Env = { Bindings: Bindings; Variables: AppVariables };
+
+function createAppWithAuth(mockAuth: AppVariables["auth"]): Hono<Env> & {
+  // ensures tests see session/isAuthenticated via c.var
+  _lastSession?: AppVariables["session"];
+  _lastIsAuthenticated?: boolean;
+} {
+  const app = new Hono<Env>();
+  app.use("*", async (c, next) => {
+    c.set("auth", mockAuth);
+    await next();
+  });
+  app.use("*", attachSession());
+  return app;
+}
+
+function buildSessionMock(
+  impl: () => Promise<AppVariables["session"]>,
+): AppVariables["auth"] {
+  return {
+    api: {
+      getSession: impl,
+    },
+  } as unknown as AppVariables["auth"];
+}
+
+describe("attachSession", () => {
+  it("populates c.var.session and isAuthenticated on a valid session", async () => {
+    const mockAuth = buildSessionMock(
+      async () =>
+        ({
+          user: { id: "user-1", email: "x@y.z", name: "X" },
+          session: { id: "sess-1" },
+        }) as unknown as AppVariables["session"],
+    );
+    const app = createAppWithAuth(mockAuth);
+    app.get("/", (c) =>
+      c.json({
+        authed: c.var.isAuthenticated,
+        userId: (c.var.session?.user as { id?: string } | undefined)?.id,
+      }),
+    );
+
+    const res = await app.request("/");
+    expect(res.status).toBe(200);
+    expect(await res.json()).toEqual({ authed: true, userId: "user-1" });
+  });
+
+  it("sets isAuthenticated=false and session=null when no session is present", async () => {
+    const mockAuth = buildSessionMock(async () => null);
+    const app = createAppWithAuth(mockAuth);
+    app.get("/", (c) =>
+      c.json({
+        authed: c.var.isAuthenticated,
+        session: c.var.session,
+      }),
+    );
+
+    const res = await app.request("/");
+    expect(await res.json()).toEqual({ authed: false, session: null });
+  });
+
+  it("swallows errors from getSession and treats the request as unauthenticated", async () => {
+    const mockAuth = buildSessionMock(async () => {
+      throw new Error("session lookup failed");
+    });
+    const app = createAppWithAuth(mockAuth);
+    app.get("/", (c) =>
+      c.json({
+        authed: c.var.isAuthenticated,
+        session: c.var.session,
+      }),
+    );
+
+    const res = await app.request("/");
+    expect(res.status).toBe(200);
+    expect(await res.json()).toEqual({ authed: false, session: null });
+  });
+});

package/src/middleware/auth.ts

@@ -11,7 +11,7 @@ import type { AppVariables } from "../types/app-context.js";
 import { getDevApiToken, getInternalAdminToken } from "../lib/env.js";
 import { NotFoundError, UnauthorizedError } from "../lib/errors.js";
 import { getRuntimeSitePathPrefix } from "../lib/site-resolution.js";
-import { toPublicHref } from "../lib/url.js";
+import { isSafeInternalRedirect, toPublicHref } from "../lib/url.js";
 
 type Env = { Bindings: Bindings; Variables: AppVariables };
 
@@ -78,6 +78,38 @@ export function hasValidLocalDevToken(
   return hostname ? isLocalHostname(hostname) : false;
 }
 
+/**
+ * Paths that should never be used as post-signin redirect targets (would
+ * either loop back to signin or hit an unauthenticated endpoint).
+ */
+const POST_SIGNIN_REDIRECT_BLOCKLIST = new Set([
+  "/signin",
+  "/signout",
+  "/setup",
+  "/reset",
+  "/__sso",
+]);
+
+function getPostSigninRedirect(requestUrl: string): string | null {
+  // `c.req.url` is already the app-internal URL — `prepareRequestForRouting`
+  // strips any configured site path prefix before Hono sees it, so we just
+  // need to preserve pathname + query and validate it as a safe same-origin
+  // redirect target.
+  let url: URL;
+  try {
+    url = new URL(requestUrl);
+  } catch {
+    return null;
+  }
+
+  const pathname = url.pathname || "/";
+  if (POST_SIGNIN_REDIRECT_BLOCKLIST.has(pathname)) return null;
+  if (pathname.startsWith("/api/")) return null;
+
+  const candidate = `${pathname}${url.search}`;
+  return isSafeInternalRedirect(candidate) ? candidate : null;
+}
+
 /**
  * Middleware that requires authentication.
  * Redirects to signin page if not authenticated.
@@ -90,28 +122,38 @@ export function requireAuth(redirectTo = "/signin"): MiddlewareHandler<Env> {
       appConfig: c.var.appConfig,
       currentSiteDomain: c.var.currentSiteDomain,
     });
-    const redirectTarget = toPublicHref(redirectTo, sitePathPrefix);
 
-    try {
-      const session = await c.var.auth.api.getSession({
-        headers: c.req.raw.headers,
-      });
+    const buildRedirectTarget = () => {
+      const publicHref = toPublicHref(redirectTo, sitePathPrefix);
+      // Only append `?redirect=...` when redirecting to the default signin flow.
+      // Callers passing a custom path get it untouched.
+      if (redirectTo !== "/signin") return publicHref;
 
-      if (!session?.user) {
-        return c.redirect(redirectTarget);
-      }
+      const postSignin = getPostSigninRedirect(c.req.url);
+      if (!postSignin) return publicHref;
+
+      const separator = publicHref.includes("?") ? "&" : "?";
+      return `${publicHref}${separator}redirect=${encodeURIComponent(postSignin)}`;
+    };
+
+    // Session was already fetched by `attachSession` middleware.
+    const session = c.var.session;
+    if (!session?.user) {
+      return c.redirect(buildRedirectTarget());
+    }
 
+    try {
       const membership = await c.var.services.siteMembers.get(
         c.var.currentSite.id,
         session.user.id,
       );
       if (!membership) {
-        return c.redirect(redirectTarget);
+        return c.redirect(buildRedirectTarget());
       }
 
       await next();
     } catch {
-      return c.redirect(redirectTarget);
+      return c.redirect(buildRedirectTarget());
     }
   };
 }
@@ -123,26 +165,21 @@ export function requireAuth(redirectTo = "/signin"): MiddlewareHandler<Env> {
  */
 export function requireAuthApi(): MiddlewareHandler<Env> {
   return async (c, next) => {
-    // 1. Try session auth (existing behavior)
-    try {
-      const session = await c.var.auth.api.getSession({
-        headers: c.req.raw.headers,
-      });
-
-      if (session?.user) {
+    // 1. Try session auth (session is pre-fetched by `attachSession` middleware).
+    const session = c.var.session;
+    if (session?.user) {
+      try {
         const membership = await c.var.services.siteMembers.get(
           c.var.currentSite.id,
           session.user.id,
         );
-        if (!membership) {
-          throw new UnauthorizedError();
+        if (membership) {
+          await next();
+          return;
         }
-
-        await next();
-        return;
+      } catch {
+        // Membership check failed — fall through to Bearer token
       }
-    } catch {
-      // Session check failed — fall through to Bearer token
     }
 
     // 2. Try Bearer token auth

package/src/middleware/rate-limit.ts

@@ -0,0 +1,54 @@
+/**
+ * Rate-Limit Middleware
+ *
+ * Applies a per-IP rate limit to the routes it wraps. Which storage
+ * backs the limiter (D1 or in-memory) is decided upstream by the
+ * runtime; this middleware only reads `c.var.rateLimiter` and doesn't
+ * care.
+ *
+ * When the limit is exceeded, responds with HTTP 429 and a
+ * `Retry-After` header. When `appConfig.rateLimit.disabled` is true the
+ * middleware short-circuits to `next()` so test and dev environments
+ * don't have to reason about bucket state.
+ */
+
+import type { MiddlewareHandler } from "hono";
+import { getClientIp } from "../lib/rate-limit.js";
+import type { Bindings } from "../types.js";
+import type { AppVariables } from "../types/app-context.js";
+
+type Env = { Bindings: Bindings; Variables: AppVariables };
+
+export interface RateLimitMiddlewareOptions {
+  /**
+   * Storage-key prefix scoping this limit (e.g. "search"). Keeps
+   * counters for different endpoints independent when they share a
+   * storage backend.
+   */
+  name: string;
+  /** Max requests per IP within `windowSec`. */
+  limit: number;
+  /** Sliding window size in seconds. */
+  windowSec: number;
+}
+
+export function rateLimit(
+  opts: RateLimitMiddlewareOptions,
+): MiddlewareHandler<Env> {
+  return async (c, next) => {
+    if (c.var.appConfig.rateLimit.disabled) return next();
+
+    const ip = getClientIp(c);
+    const result = await c.var.rateLimiter.check(`${opts.name}:${ip}`, {
+      limit: opts.limit,
+      windowSec: opts.windowSec,
+    });
+
+    if (!result.ok) {
+      c.header("Retry-After", String(result.retryAfterSec ?? opts.windowSec));
+      return c.json({ error: "Too many requests. Please slow down." }, 429);
+    }
+
+    return next();
+  };
+}

package/src/middleware/session.ts

@@ -0,0 +1,36 @@
+/**
+ * Session Middleware
+ *
+ * Runs once per request (after runtime init) to look up the better-auth
+ * session and stash it on `c.var.session` / `c.var.isAuthenticated`.
+ *
+ * This replaces ad-hoc `auth.api.getSession()` calls scattered across
+ * view helpers (e.g. `lib/navigation.ts`) so each request only parses
+ * the session cookie once. better-auth's own cookieCache (5 min) still
+ * keeps this cheap, but centralizing the call also unlocks `Promise.all`
+ * patterns in routes that previously serialized on a hidden session fetch.
+ *
+ * Never throws — any lookup error is treated as "not authenticated".
+ */
+
+import type { MiddlewareHandler } from "hono";
+import type { Bindings } from "../types.js";
+import type { AppVariables } from "../types/app-context.js";
+
+type Env = { Bindings: Bindings; Variables: AppVariables };
+
+export function attachSession(): MiddlewareHandler<Env> {
+  return async (c, next) => {
+    try {
+      const session = await c.var.auth.api.getSession({
+        headers: c.req.raw.headers,
+      });
+      c.set("session", session ?? null);
+      c.set("isAuthenticated", !!session?.user);
+    } catch {
+      c.set("session", null);
+      c.set("isAuthenticated", false);
+    }
+    await next();
+  };
+}

package/src/routes/__tests__/compose.test.ts

@@ -45,7 +45,7 @@ describe("Compose Routes", () => {
       });
 
       expect(res.status).toBe(302);
-      expect(res.headers.get("Location")).toBe("/signin");
+      expect(res.headers.get("Location")).toBe("/signin?redirect=%2Fcompose");
     });
 
     it("creates a note post and returns timeline card via SSE", async () => {

package/src/routes/api/__tests__/search.test.ts

@@ -110,4 +110,52 @@ describe("Search API Routes", () => {
     // Should not return 401
     expect(res.status).not.toBe(401);
   });
+
+  it("rate-limits repeated requests from the same IP", async () => {
+    // Test app uses in-memory defaults (30/min). Send 31 requests from
+    // the same spoofed IP and confirm the tail gets a 429 with Retry-After.
+    const { app } = createTestApp({ fts: true });
+    app.route("/api/search", searchApiRoutes);
+
+    const headers = { "cf-connecting-ip": "203.0.113.7" };
+    let ok = 0;
+    let throttled = 0;
+    let lastRetryAfter: string | null = null;
+
+    for (let i = 0; i < 31; i++) {
+      const res = await app.request("/api/search?q=hi", { headers });
+      if (res.status === 429) {
+        throttled += 1;
+        lastRetryAfter = res.headers.get("retry-after");
+      } else if (res.status === 200) {
+        ok += 1;
+      }
+    }
+
+    expect(ok).toBe(30);
+    expect(throttled).toBe(1);
+    expect(Number(lastRetryAfter)).toBeGreaterThan(0);
+  });
+
+  it("does not rate-limit when appConfig.rateLimit.disabled is true", async () => {
+    const { app } = createTestApp({ fts: true });
+
+    // Flip the disabled flag after the test-app middleware seeds
+    // appConfig, but before the search route runs. Middleware order:
+    // createTestApp's global use → this override → search route.
+    app.use("/api/search/*", async (c, next) => {
+      c.set("appConfig", {
+        ...c.var.appConfig,
+        rateLimit: { ...c.var.appConfig.rateLimit, disabled: true },
+      });
+      await next();
+    });
+    app.route("/api/search", searchApiRoutes);
+
+    const headers = { "cf-connecting-ip": "203.0.113.8" };
+    for (let i = 0; i < 40; i++) {
+      const res = await app.request("/api/search?q=hi", { headers });
+      expect(res.status).not.toBe(429);
+    }
+  });
 });