@jant/core 0.3.42 → 0.3.43

package/src/routes/api/__tests__/upload-multipart.test.ts

@@ -19,6 +19,7 @@ import { createSiteMemberService } from "../../../services/site-member.js";
 import { errorHandler } from "../../../middleware/error-handler.js";
 import { createI18n } from "../../../i18n/i18n.js";
 import { DEFAULT_APP_PORT } from "../../../lib/env.js";
+import { createMemoryRateLimiter } from "../../../lib/rate-limit-memory.js";
 import { resolveConfig } from "../../../lib/resolve-config.js";
 import type { Database } from "../../../db/index.js";
 import type { StorageDriver, UploadedPart } from "../../../lib/storage.js";
@@ -265,6 +266,7 @@ function createTestAppWithStorage(options: {
     c.set("allSettings", allSettings);
     c.set("appConfig", resolveConfig(c.env, allSettings));
     c.set("storage", options.storage);
+    c.set("rateLimiter", createMemoryRateLimiter());
 
     const i18n = createI18n("en");
     c.set("lang", "en");
@@ -276,20 +278,25 @@ function createTestAppWithStorage(options: {
         "test-user",
         "owner",
       );
+      const session = {
+        user: { id: "test-user", email: "test@test.com", name: "Test" },
+        session: { id: "test-session" },
+      } as unknown as AppVariables["session"];
       c.set("auth", {
         api: {
-          getSession: async () => ({
-            user: { id: "test-user", email: "test@test.com", name: "Test" },
-            session: { id: "test-session" },
-          }),
+          getSession: async () => session,
         },
       } as AppVariables["auth"]);
+      c.set("session", session);
+      c.set("isAuthenticated", true);
     } else {
       c.set("auth", {
         api: {
           getSession: async () => null,
         },
       } as AppVariables["auth"]);
+      c.set("session", null);
+      c.set("isAuthenticated", false);
     }
 
     await next();

package/src/routes/api/internal/search-reindex.ts

@@ -0,0 +1,40 @@
+import { Hono } from "hono";
+import { z } from "zod";
+import { requireInternalAdminApi } from "../../../middleware/auth.js";
+import { parseValidated } from "../../../lib/schemas.js";
+import type { Bindings } from "../../../types.js";
+import type { AppVariables } from "../../../types/app-context.js";
+
+type Env = { Bindings: Bindings; Variables: AppVariables };
+
+const ReindexSchema = z.object({
+  limit: z.number().int().positive().max(500).optional(),
+  cursor: z.string().min(1).optional(),
+});
+
+export const internalSearchReindexRoutes = new Hono<Env>();
+
+/**
+ * Rebuild `post.body_text` for a batch of non-deleted posts. FTS indexes
+ * (SQLite trigger / Postgres generated column) refresh automatically when
+ * `body_text` changes.
+ *
+ * Idempotent. Callers loop with the returned `nextCursor` until `done: true`.
+ * Used by the `jant search-reindex` CLI to backfill search indexes for
+ * existing posts after changes to the text extraction logic (e.g. including
+ * link mark hrefs so inline URLs become searchable).
+ */
+internalSearchReindexRoutes.post("/", requireInternalAdminApi(), async (c) => {
+  const contentType = c.req.header("Content-Type") || "";
+  const rawBody = contentType.includes("application/json")
+    ? await c.req.json().catch(() => ({}))
+    : {};
+  const body = parseValidated(ReindexSchema, rawBody);
+
+  const result = await c.var.services.posts.reindexBodyText({
+    limit: body.limit,
+    cursor: body.cursor,
+  });
+
+  return c.json(result);
+});

package/src/routes/api/search.ts

@@ -7,11 +7,24 @@ import type { Bindings } from "../../types.js";
 import type { AppVariables } from "../../types/app-context.js";
 import { ValidationError, ExternalServiceError } from "../../lib/errors.js";
 import { toSearchApiResult } from "../../lib/api-search.js";
+import { rateLimit } from "../../middleware/rate-limit.js";
 
 type Env = { Bindings: Bindings; Variables: AppVariables };
 
 export const searchApiRoutes = new Hono<Env>();
 
+// Per-IP rate limit. The request-time wrapper is needed because the
+// per-minute cap is pulled from `appConfig` which is only available on
+// `c.var`; constructing the middleware once at module load would capture
+// an undefined value.
+searchApiRoutes.use("*", async (c, next) =>
+  rateLimit({
+    name: "search",
+    limit: c.var.appConfig.rateLimit.searchPerMinute,
+    windowSec: 60,
+  })(c, next),
+);
+
 // Search posts
 searchApiRoutes.get("/", async (c) => {
   const query = c.req.query("q");

package/src/routes/auth/dev.ts

@@ -65,7 +65,7 @@ devAuthRoutes.get("/__dev/login", async (c) => {
     });
   } catch {
     return c.text(
-      "Dev login failed. Finish /setup once or run `mise run db-local-rebuild-demo`, then retry.",
+      "Dev login failed. Finish /setup once or run `mise run db-wrangler-rebuild-demo`, then retry.",
       500,
     );
   }

package/src/routes/auth/signin.tsx

@@ -14,7 +14,7 @@ import { SigninSchema } from "../../lib/schemas.js";
 import { buildPageTitle } from "../../lib/page-title.js";
 import { getI18n } from "../../i18n/index.js";
 import { getHostedControlPlaneSigninUrl } from "../../lib/hosted-signin.js";
-import { toPublicPath } from "../../lib/url.js";
+import { isSafeInternalRedirect, toPublicPath } from "../../lib/url.js";
 
 type Env = { Bindings: Bindings; Variables: AppVariables };
 
@@ -22,11 +22,13 @@ const SigninContent: FC<{
   demoEmail?: string;
   demoPassword?: string;
   sitePathPrefix?: string;
-}> = ({ demoEmail, demoPassword, sitePathPrefix = "" }) => {
+  redirect?: string;
+}> = ({ demoEmail, demoPassword, sitePathPrefix = "", redirect }) => {
   const { i18n } = useLingui();
   const signals = JSON.stringify({
     email: demoEmail || "",
     password: demoPassword || "",
+    ...(redirect ? { redirect } : {}),
   }).replace(/</g, "\\u003c");
 
   return (
@@ -121,9 +123,15 @@ const SigninContent: FC<{
 export const signinRoutes = new Hono<Env>();
 
 signinRoutes.get("/signin", async (c) => {
+  const rawRedirect = c.req.query("redirect");
+  const redirect = isSafeInternalRedirect(rawRedirect)
+    ? rawRedirect
+    : undefined;
+
   const hostedSigninUrl = getHostedControlPlaneSigninUrl(
     c.env,
     c.var.publicRequestUrl,
+    redirect,
   );
   if (hostedSigninUrl) {
     return c.redirect(hostedSigninUrl);
@@ -157,6 +165,7 @@ signinRoutes.get("/signin", async (c) => {
         demoEmail={c.var.appConfig.demoEmail}
         demoPassword={c.var.appConfig.demoPassword}
         sitePathPrefix={c.var.appConfig.sitePathPrefix}
+        redirect={redirect}
       />
     </BaseLayout>,
   );
@@ -195,6 +204,14 @@ signinRoutes.post("/signin", async (c) => {
   }
 
   const { email, password } = parsed.data;
+  const rawRedirect =
+    body && typeof body === "object" && "redirect" in body
+      ? (body as { redirect?: unknown }).redirect
+      : undefined;
+  const redirectTarget =
+    typeof rawRedirect === "string" && isSafeInternalRedirect(rawRedirect)
+      ? rawRedirect
+      : "/";
 
   try {
     const { headers } = await c.var.auth.api.signInEmail({
@@ -203,9 +220,10 @@ signinRoutes.post("/signin", async (c) => {
       headers: c.req.raw.headers,
     });
 
-    return dsRedirect(toPublicPath("/", c.var.appConfig.sitePathPrefix), {
-      headers,
-    });
+    return dsRedirect(
+      toPublicPath(redirectTarget, c.var.appConfig.sitePathPrefix),
+      { headers },
+    );
   } catch {
     return dsToast(
       i18n._(

package/src/routes/dash/settings.tsx

@@ -1016,11 +1016,9 @@ settingsRoutes.get("/account/sessions", async (c) => {
 
   const navData = await getNavigationData(c);
 
-  // Get current session to mark it
-  const currentSession = await c.var.auth.api.getSession({
-    headers: c.req.raw.headers,
-  });
-  const currentToken = currentSession?.session?.token ?? "";
+  // Session was pre-fetched by `attachSession`; this route is behind
+  // `requireAuth`, so it's guaranteed to be present here.
+  const currentToken = c.var.session?.session?.token ?? "";
 
   // List all active sessions
   const rawSessions = await c.var.auth.api.listSessions({

package/src/routes/feed/__tests__/sitemap.test.ts

@@ -4,15 +4,18 @@ import type { Bindings } from "../../../types.js";
 import type { AppVariables } from "../../../types/app-context.js";
 import { DEFAULT_APP_PORT } from "../../../lib/env.js";
 import { resolveConfig } from "../../../lib/resolve-config.js";
+import { createTestApp } from "../../../__tests__/helpers/app.js";
 import { sitemapRoutes } from "../sitemap.js";
+import { SITEMAP_SHARD_SIZE } from "../../../lib/feed.js";
 
 type Env = { Bindings: Bindings; Variables: AppVariables };
 const TEST_SITE_ORIGIN = `http://localhost:${DEFAULT_APP_PORT}`;
 
-function createSitemapTestApp(
+function createRobotsTestApp(
   allSettings: Record<string, string> = {},
   envOverrides: Partial<Bindings> = {},
 ) {
+  // robots.txt doesn't need service wiring; keep a minimal harness for it.
   const app = new Hono<Env>();
 
   app.use("*", async (c, next) => {
@@ -27,14 +30,19 @@ function createSitemapTestApp(
   });
 
   app.route("/", sitemapRoutes);
-
   return app;
 }
 
+function createSitemapTestApp() {
+  const testApp = createTestApp();
+  testApp.app.route("/", sitemapRoutes);
+  return testApp;
+}
+
 describe("Sitemap Routes", () => {
   describe("/robots.txt", () => {
     it("disallows internal utility routes while allowing the public site", async () => {
-      const app = createSitemapTestApp();
+      const app = createRobotsTestApp();
 
       const res = await app.request("/robots.txt");
 
@@ -49,7 +57,7 @@ describe("Sitemap Routes", () => {
     });
 
     it("disallows the entire site when global noindex is enabled", async () => {
-      const app = createSitemapTestApp({ NOINDEX: "true" });
+      const app = createRobotsTestApp({ NOINDEX: "true" });
 
       const res = await app.request("/robots.txt");
 
@@ -61,4 +69,312 @@ describe("Sitemap Routes", () => {
       expect(robots).not.toContain("Disallow: /_/");
     });
   });
+
+  describe("/sitemap.xml (index)", () => {
+    it("lists pages shard + one post shard when there are a few posts", async () => {
+      const { app, services } = createSitemapTestApp();
+      for (let i = 0; i < 3; i++) {
+        await services.posts.create({
+          format: "note",
+          bodyMarkdown: `post ${i}`,
+          status: "published",
+        });
+      }
+
+      const res = await app.request("/sitemap.xml");
+      expect(res.status).toBe(200);
+      expect(res.headers.get("Content-Type")).toContain("application/xml");
+
+      const xml = await res.text();
+      expect(xml).toContain("<sitemapindex");
+      expect(xml).toContain("/sitemap-pages.xml");
+      expect(xml).toContain("/sitemap-posts-1.xml");
+      expect(xml).not.toContain("/sitemap-posts-2.xml");
+      // No collections → no collections shard entry
+      expect(xml).not.toContain("/sitemap-collections.xml");
+    });
+
+    it("lists multiple post shards when post count exceeds shard size", async () => {
+      const { app, services } = createSitemapTestApp();
+      // Create enough posts to span 2 shards. Use shard_size + 1 to minimize
+      // work while still forcing a second shard.
+      for (let i = 0; i < SITEMAP_SHARD_SIZE + 1; i++) {
+        await services.posts.create({
+          format: "note",
+          bodyMarkdown: `p${i}`,
+          status: "published",
+        });
+      }
+
+      const res = await app.request("/sitemap.xml");
+      const xml = await res.text();
+      expect(xml).toContain("/sitemap-posts-1.xml");
+      expect(xml).toContain("/sitemap-posts-2.xml");
+      expect(xml).not.toContain("/sitemap-posts-3.xml");
+    });
+
+    it("includes the collections shard when collections exist", async () => {
+      const { app, services } = createSitemapTestApp();
+      await services.collections.create({
+        slug: "reading",
+        title: "Reading",
+      });
+
+      const res = await app.request("/sitemap.xml");
+      const xml = await res.text();
+      expect(xml).toContain("/sitemap-collections.xml");
+    });
+  });
+
+  describe("/sitemap-posts-N.xml", () => {
+    it("emits <url> entries for page 1 in ascending id order", async () => {
+      const { app, services } = createSitemapTestApp();
+      const created: string[] = [];
+      for (let i = 0; i < 3; i++) {
+        const post = await services.posts.create({
+          format: "note",
+          bodyMarkdown: `post ${i}`,
+          title: `Post ${i}`,
+          status: "published",
+        });
+        created.push(post.slug);
+      }
+
+      const res = await app.request("/sitemap-posts-1.xml");
+      expect(res.status).toBe(200);
+
+      const xml = await res.text();
+      expect(xml).toContain("<urlset");
+      for (const slug of created) {
+        expect(xml).toContain(`/${slug}`);
+      }
+
+      // Slugs appear in id-ascending order (== creation order for TypeIDs).
+      const indices = created.map((slug) => xml.indexOf(`/${slug}`));
+      expect(indices).toEqual([...indices].sort((a, b) => a - b));
+    });
+
+    it("excludes private posts, replies, and drafts", async () => {
+      const { app, services } = createSitemapTestApp();
+      const root = await services.posts.create({
+        format: "note",
+        bodyMarkdown: "root",
+        status: "published",
+      });
+      const reply = await services.posts.create({
+        format: "note",
+        bodyMarkdown: "reply",
+        replyToId: root.id,
+        status: "published",
+      });
+      const priv = await services.posts.create({
+        format: "note",
+        bodyMarkdown: "private",
+        visibility: "private",
+        status: "published",
+      });
+      const draft = await services.posts.create({
+        format: "note",
+        bodyMarkdown: "draft",
+        status: "draft",
+      });
+
+      const xml = await (await app.request("/sitemap-posts-1.xml")).text();
+      expect(xml).toContain(`/${root.slug}`);
+      expect(xml).not.toContain(`/${reply.slug}`);
+      expect(xml).not.toContain(`/${priv.slug}`);
+      expect(xml).not.toContain(`/${draft.slug}`);
+    });
+
+    it("includes latest_hidden posts (they are public URLs)", async () => {
+      const { app, services } = createSitemapTestApp();
+      const hidden = await services.posts.create({
+        format: "note",
+        bodyMarkdown: "hidden",
+        visibility: "latest_hidden",
+        status: "published",
+      });
+
+      const xml = await (await app.request("/sitemap-posts-1.xml")).text();
+      expect(xml).toContain(`/${hidden.slug}`);
+    });
+
+    it("splits content across shards at SITEMAP_SHARD_SIZE boundaries", async () => {
+      const { app, services } = createSitemapTestApp();
+      const created: string[] = [];
+      for (let i = 0; i < SITEMAP_SHARD_SIZE + 2; i++) {
+        const post = await services.posts.create({
+          format: "note",
+          bodyMarkdown: `p${i}`,
+          status: "published",
+        });
+        created.push(post.slug);
+      }
+
+      const page1 = await (await app.request("/sitemap-posts-1.xml")).text();
+      const page2 = await (await app.request("/sitemap-posts-2.xml")).text();
+
+      // First 500 slugs in page 1
+      expect(page1).toContain(`/${created[0]}`);
+      expect(page1).toContain(`/${created[SITEMAP_SHARD_SIZE - 1]}`);
+      expect(page1).not.toContain(`/${created[SITEMAP_SHARD_SIZE]}`);
+
+      // Remainder in page 2
+      expect(page2).toContain(`/${created[SITEMAP_SHARD_SIZE]}`);
+      expect(page2).toContain(`/${created[SITEMAP_SHARD_SIZE + 1]}`);
+      expect(page2).not.toContain(`/${created[0]}`);
+    });
+
+    it("returns 404 for a shard beyond the last page", async () => {
+      const { app, services } = createSitemapTestApp();
+      await services.posts.create({
+        format: "note",
+        bodyMarkdown: "only",
+        status: "published",
+      });
+
+      const res = await app.request("/sitemap-posts-2.xml");
+      expect(res.status).toBe(404);
+    });
+
+    it("uses long cache for a full shard and short cache for a partial shard", async () => {
+      const { app, services } = createSitemapTestApp();
+      // Exactly one full shard followed by one post in the next shard.
+      for (let i = 0; i < SITEMAP_SHARD_SIZE + 1; i++) {
+        await services.posts.create({
+          format: "note",
+          bodyMarkdown: `p${i}`,
+          status: "published",
+        });
+      }
+
+      const full = await app.request("/sitemap-posts-1.xml");
+      expect(full.headers.get("Cache-Control")).toContain("86400");
+
+      const partial = await app.request("/sitemap-posts-2.xml");
+      expect(partial.headers.get("Cache-Control")).toContain("max-age=180");
+    });
+
+    it("uses alias in <loc> when a post has one", async () => {
+      const { app, services } = createSitemapTestApp();
+      const post = await services.posts.create({
+        format: "note",
+        bodyMarkdown: "body",
+        status: "published",
+      });
+      await services.customUrls.create({
+        path: "my-alias",
+        targetType: "post",
+        targetId: post.id,
+      });
+
+      const xml = await (await app.request("/sitemap-posts-1.xml")).text();
+      expect(xml).toContain(`<loc>${TEST_SITE_ORIGIN}/my-alias</loc>`);
+      expect(xml).not.toContain(`/${post.slug}<`);
+    });
+
+    it("emits absolute URLs anchored to the site origin for nested aliases", async () => {
+      // Regression: `getPostAliases` returns aliases with a leading "/", so
+      // blindly prepending another "/" produces "//blog/foo", which
+      // `new URL()` resolves as protocol-relative and hijacks the hostname
+      // (e.g. `https://blog/foo`).
+      const { app, services } = createSitemapTestApp();
+      const post = await services.posts.create({
+        format: "note",
+        bodyMarkdown: "body",
+        status: "published",
+      });
+      await services.customUrls.create({
+        path: "blog/about-notes",
+        targetType: "post",
+        targetId: post.id,
+      });
+
+      const xml = await (await app.request("/sitemap-posts-1.xml")).text();
+      expect(xml).toContain(`<loc>${TEST_SITE_ORIGIN}/blog/about-notes</loc>`);
+      expect(xml).not.toMatch(/<loc>https?:\/\/blog\//);
+    });
+  });
+
+  describe("/sitemap-collections.xml", () => {
+    it("lists public collections", async () => {
+      const { app, services } = createSitemapTestApp();
+      await services.collections.create({ slug: "reading", title: "Reading" });
+      await services.collections.create({ slug: "movies", title: "Movies" });
+
+      const xml = await (await app.request("/sitemap-collections.xml")).text();
+      expect(xml).toContain("<urlset");
+      expect(xml).toContain("/reading");
+      expect(xml).toContain("/movies");
+    });
+
+    it("does not include the /collections directory page (lives in pages shard)", async () => {
+      const { app, services } = createSitemapTestApp();
+      await services.collections.create({ slug: "reading", title: "Reading" });
+
+      const xml = await (await app.request("/sitemap-collections.xml")).text();
+      // Only per-collection URLs should appear here; the directory landing
+      // is emitted by `/sitemap-pages.xml`.
+      expect(xml).not.toContain("<loc>http://localhost:8787/collections</loc>");
+    });
+
+    it("returns an empty urlset when there are no collections", async () => {
+      const { app } = createSitemapTestApp();
+      const res = await app.request("/sitemap-collections.xml");
+      expect(res.status).toBe(200);
+      const xml = await res.text();
+      expect(xml).toContain("<urlset");
+      expect(xml).not.toContain("<url>");
+    });
+  });
+
+  describe("/sitemap-pages.xml", () => {
+    it("lists the homepage with priority 1.0", async () => {
+      const { app } = createSitemapTestApp();
+      const res = await app.request("/sitemap-pages.xml");
+      expect(res.status).toBe(200);
+      const xml = await res.text();
+      expect(xml).toContain("<urlset");
+      expect(xml).toContain("<priority>1.0</priority>");
+      expect(xml).toContain("<changefreq>daily</changefreq>");
+    });
+
+    it("includes the archive aggregate page", async () => {
+      const { app } = createSitemapTestApp();
+      const xml = await (await app.request("/sitemap-pages.xml")).text();
+      expect(xml).toContain(`${TEST_SITE_ORIGIN}/archive`);
+    });
+
+    it("includes /latest when the homepage default is 'featured'", async () => {
+      const { app, services } = createSitemapTestApp();
+      await services.settings.set("HOME_DEFAULT_VIEW", "featured");
+
+      const xml = await (await app.request("/sitemap-pages.xml")).text();
+      expect(xml).toContain(`${TEST_SITE_ORIGIN}/latest`);
+      expect(xml).not.toContain(`${TEST_SITE_ORIGIN}/featured`);
+    });
+
+    it("includes /featured when the homepage default is 'latest'", async () => {
+      const { app, services } = createSitemapTestApp();
+      await services.settings.set("HOME_DEFAULT_VIEW", "latest");
+
+      const xml = await (await app.request("/sitemap-pages.xml")).text();
+      expect(xml).toContain(`${TEST_SITE_ORIGIN}/featured`);
+      expect(xml).not.toContain(`${TEST_SITE_ORIGIN}/latest`);
+    });
+
+    it("includes /collections only when collections exist", async () => {
+      const { app, services } = createSitemapTestApp();
+
+      const emptyXml = await (await app.request("/sitemap-pages.xml")).text();
+      expect(emptyXml).not.toContain(`${TEST_SITE_ORIGIN}/collections`);
+
+      await services.collections.create({ slug: "reading", title: "Reading" });
+
+      const populatedXml = await (
+        await app.request("/sitemap-pages.xml")
+      ).text();
+      expect(populatedXml).toContain(`${TEST_SITE_ORIGIN}/collections`);
+    });
+  });
 });