@jant/core 0.3.42 → 0.3.44

package/src/middleware/auth.ts

@@ -11,7 +11,7 @@ import type { AppVariables } from "../types/app-context.js";
 import { getDevApiToken, getInternalAdminToken } from "../lib/env.js";
 import { NotFoundError, UnauthorizedError } from "../lib/errors.js";
 import { getRuntimeSitePathPrefix } from "../lib/site-resolution.js";
-import { toPublicHref } from "../lib/url.js";
+import { isSafeInternalRedirect, toPublicHref } from "../lib/url.js";
 
 type Env = { Bindings: Bindings; Variables: AppVariables };
 
@@ -78,6 +78,38 @@ export function hasValidLocalDevToken(
   return hostname ? isLocalHostname(hostname) : false;
 }
 
+/**
+ * Paths that should never be used as post-signin redirect targets (would
+ * either loop back to signin or hit an unauthenticated endpoint).
+ */
+const POST_SIGNIN_REDIRECT_BLOCKLIST = new Set([
+  "/signin",
+  "/signout",
+  "/setup",
+  "/reset",
+  "/__sso",
+]);
+
+function getPostSigninRedirect(requestUrl: string): string | null {
+  // `c.req.url` is already the app-internal URL — `prepareRequestForRouting`
+  // strips any configured site path prefix before Hono sees it, so we just
+  // need to preserve pathname + query and validate it as a safe same-origin
+  // redirect target.
+  let url: URL;
+  try {
+    url = new URL(requestUrl);
+  } catch {
+    return null;
+  }
+
+  const pathname = url.pathname || "/";
+  if (POST_SIGNIN_REDIRECT_BLOCKLIST.has(pathname)) return null;
+  if (pathname.startsWith("/api/")) return null;
+
+  const candidate = `${pathname}${url.search}`;
+  return isSafeInternalRedirect(candidate) ? candidate : null;
+}
+
 /**
  * Middleware that requires authentication.
  * Redirects to signin page if not authenticated.
@@ -90,28 +122,38 @@ export function requireAuth(redirectTo = "/signin"): MiddlewareHandler<Env> {
       appConfig: c.var.appConfig,
       currentSiteDomain: c.var.currentSiteDomain,
     });
-    const redirectTarget = toPublicHref(redirectTo, sitePathPrefix);
 
-    try {
-      const session = await c.var.auth.api.getSession({
-        headers: c.req.raw.headers,
-      });
+    const buildRedirectTarget = () => {
+      const publicHref = toPublicHref(redirectTo, sitePathPrefix);
+      // Only append `?redirect=...` when redirecting to the default signin flow.
+      // Callers passing a custom path get it untouched.
+      if (redirectTo !== "/signin") return publicHref;
 
-      if (!session?.user) {
-        return c.redirect(redirectTarget);
-      }
+      const postSignin = getPostSigninRedirect(c.req.url);
+      if (!postSignin) return publicHref;
+
+      const separator = publicHref.includes("?") ? "&" : "?";
+      return `${publicHref}${separator}redirect=${encodeURIComponent(postSignin)}`;
+    };
+
+    // Session was already fetched by `attachSession` middleware.
+    const session = c.var.session;
+    if (!session?.user) {
+      return c.redirect(buildRedirectTarget());
+    }
 
+    try {
       const membership = await c.var.services.siteMembers.get(
         c.var.currentSite.id,
         session.user.id,
       );
       if (!membership) {
-        return c.redirect(redirectTarget);
+        return c.redirect(buildRedirectTarget());
       }
 
       await next();
     } catch {
-      return c.redirect(redirectTarget);
+      return c.redirect(buildRedirectTarget());
     }
   };
 }
@@ -123,26 +165,21 @@ export function requireAuth(redirectTo = "/signin"): MiddlewareHandler<Env> {
  */
 export function requireAuthApi(): MiddlewareHandler<Env> {
   return async (c, next) => {
-    // 1. Try session auth (existing behavior)
-    try {
-      const session = await c.var.auth.api.getSession({
-        headers: c.req.raw.headers,
-      });
-
-      if (session?.user) {
+    // 1. Try session auth (session is pre-fetched by `attachSession` middleware).
+    const session = c.var.session;
+    if (session?.user) {
+      try {
         const membership = await c.var.services.siteMembers.get(
           c.var.currentSite.id,
           session.user.id,
         );
-        if (!membership) {
-          throw new UnauthorizedError();
+        if (membership) {
+          await next();
+          return;
         }
-
-        await next();
-        return;
+      } catch {
+        // Membership check failed — fall through to Bearer token
       }
-    } catch {
-      // Session check failed — fall through to Bearer token
     }
 
     // 2. Try Bearer token auth

package/src/middleware/rate-limit.ts

@@ -0,0 +1,54 @@
+/**
+ * Rate-Limit Middleware
+ *
+ * Applies a per-IP rate limit to the routes it wraps. Which storage
+ * backs the limiter (D1 or in-memory) is decided upstream by the
+ * runtime; this middleware only reads `c.var.rateLimiter` and doesn't
+ * care.
+ *
+ * When the limit is exceeded, responds with HTTP 429 and a
+ * `Retry-After` header. When `appConfig.rateLimit.disabled` is true the
+ * middleware short-circuits to `next()` so test and dev environments
+ * don't have to reason about bucket state.
+ */
+
+import type { MiddlewareHandler } from "hono";
+import { getClientIp } from "../lib/rate-limit.js";
+import type { Bindings } from "../types.js";
+import type { AppVariables } from "../types/app-context.js";
+
+type Env = { Bindings: Bindings; Variables: AppVariables };
+
+export interface RateLimitMiddlewareOptions {
+  /**
+   * Storage-key prefix scoping this limit (e.g. "search"). Keeps
+   * counters for different endpoints independent when they share a
+   * storage backend.
+   */
+  name: string;
+  /** Max requests per IP within `windowSec`. */
+  limit: number;
+  /** Sliding window size in seconds. */
+  windowSec: number;
+}
+
+export function rateLimit(
+  opts: RateLimitMiddlewareOptions,
+): MiddlewareHandler<Env> {
+  return async (c, next) => {
+    if (c.var.appConfig.rateLimit.disabled) return next();
+
+    const ip = getClientIp(c);
+    const result = await c.var.rateLimiter.check(`${opts.name}:${ip}`, {
+      limit: opts.limit,
+      windowSec: opts.windowSec,
+    });
+
+    if (!result.ok) {
+      c.header("Retry-After", String(result.retryAfterSec ?? opts.windowSec));
+      return c.json({ error: "Too many requests. Please slow down." }, 429);
+    }
+
+    return next();
+  };
+}

package/src/middleware/session.ts

@@ -0,0 +1,36 @@
+/**
+ * Session Middleware
+ *
+ * Runs once per request (after runtime init) to look up the better-auth
+ * session and stash it on `c.var.session` / `c.var.isAuthenticated`.
+ *
+ * This replaces ad-hoc `auth.api.getSession()` calls scattered across
+ * view helpers (e.g. `lib/navigation.ts`) so each request only parses
+ * the session cookie once. better-auth's own cookieCache (5 min) still
+ * keeps this cheap, but centralizing the call also unlocks `Promise.all`
+ * patterns in routes that previously serialized on a hidden session fetch.
+ *
+ * Never throws — any lookup error is treated as "not authenticated".
+ */
+
+import type { MiddlewareHandler } from "hono";
+import type { Bindings } from "../types.js";
+import type { AppVariables } from "../types/app-context.js";
+
+type Env = { Bindings: Bindings; Variables: AppVariables };
+
+export function attachSession(): MiddlewareHandler<Env> {
+  return async (c, next) => {
+    try {
+      const session = await c.var.auth.api.getSession({
+        headers: c.req.raw.headers,
+      });
+      c.set("session", session ?? null);
+      c.set("isAuthenticated", !!session?.user);
+    } catch {
+      c.set("session", null);
+      c.set("isAuthenticated", false);
+    }
+    await next();
+  };
+}

package/src/routes/__tests__/compose.test.ts

@@ -45,7 +45,7 @@ describe("Compose Routes", () => {
       });
 
       expect(res.status).toBe(302);
-      expect(res.headers.get("Location")).toBe("/signin");
+      expect(res.headers.get("Location")).toBe("/signin?redirect=%2Fcompose");
     });
 
     it("creates a note post and returns timeline card via SSE", async () => {

package/src/routes/api/__tests__/search.test.ts

@@ -110,4 +110,52 @@ describe("Search API Routes", () => {
     // Should not return 401
     expect(res.status).not.toBe(401);
   });
+
+  it("rate-limits repeated requests from the same IP", async () => {
+    // Test app uses in-memory defaults (30/min). Send 31 requests from
+    // the same spoofed IP and confirm the tail gets a 429 with Retry-After.
+    const { app } = createTestApp({ fts: true });
+    app.route("/api/search", searchApiRoutes);
+
+    const headers = { "cf-connecting-ip": "203.0.113.7" };
+    let ok = 0;
+    let throttled = 0;
+    let lastRetryAfter: string | null = null;
+
+    for (let i = 0; i < 31; i++) {
+      const res = await app.request("/api/search?q=hi", { headers });
+      if (res.status === 429) {
+        throttled += 1;
+        lastRetryAfter = res.headers.get("retry-after");
+      } else if (res.status === 200) {
+        ok += 1;
+      }
+    }
+
+    expect(ok).toBe(30);
+    expect(throttled).toBe(1);
+    expect(Number(lastRetryAfter)).toBeGreaterThan(0);
+  });
+
+  it("does not rate-limit when appConfig.rateLimit.disabled is true", async () => {
+    const { app } = createTestApp({ fts: true });
+
+    // Flip the disabled flag after the test-app middleware seeds
+    // appConfig, but before the search route runs. Middleware order:
+    // createTestApp's global use → this override → search route.
+    app.use("/api/search/*", async (c, next) => {
+      c.set("appConfig", {
+        ...c.var.appConfig,
+        rateLimit: { ...c.var.appConfig.rateLimit, disabled: true },
+      });
+      await next();
+    });
+    app.route("/api/search", searchApiRoutes);
+
+    const headers = { "cf-connecting-ip": "203.0.113.8" };
+    for (let i = 0; i < 40; i++) {
+      const res = await app.request("/api/search?q=hi", { headers });
+      expect(res.status).not.toBe(429);
+    }
+  });
 });

package/src/routes/api/__tests__/upload-multipart.test.ts

@@ -19,6 +19,7 @@ import { createSiteMemberService } from "../../../services/site-member.js";
 import { errorHandler } from "../../../middleware/error-handler.js";
 import { createI18n } from "../../../i18n/i18n.js";
 import { DEFAULT_APP_PORT } from "../../../lib/env.js";
+import { createMemoryRateLimiter } from "../../../lib/rate-limit-memory.js";
 import { resolveConfig } from "../../../lib/resolve-config.js";
 import type { Database } from "../../../db/index.js";
 import type { StorageDriver, UploadedPart } from "../../../lib/storage.js";
@@ -265,6 +266,7 @@ function createTestAppWithStorage(options: {
     c.set("allSettings", allSettings);
     c.set("appConfig", resolveConfig(c.env, allSettings));
     c.set("storage", options.storage);
+    c.set("rateLimiter", createMemoryRateLimiter());
 
     const i18n = createI18n("en");
     c.set("lang", "en");
@@ -276,20 +278,25 @@ function createTestAppWithStorage(options: {
         "test-user",
         "owner",
       );
+      const session = {
+        user: { id: "test-user", email: "test@test.com", name: "Test" },
+        session: { id: "test-session" },
+      } as unknown as AppVariables["session"];
       c.set("auth", {
         api: {
-          getSession: async () => ({
-            user: { id: "test-user", email: "test@test.com", name: "Test" },
-            session: { id: "test-session" },
-          }),
+          getSession: async () => session,
         },
       } as AppVariables["auth"]);
+      c.set("session", session);
+      c.set("isAuthenticated", true);
     } else {
       c.set("auth", {
         api: {
           getSession: async () => null,
         },
       } as AppVariables["auth"]);
+      c.set("session", null);
+      c.set("isAuthenticated", false);
     }
 
     await next();

package/src/routes/api/internal/search-reindex.ts

@@ -0,0 +1,40 @@
+import { Hono } from "hono";
+import { z } from "zod";
+import { requireInternalAdminApi } from "../../../middleware/auth.js";
+import { parseValidated } from "../../../lib/schemas.js";
+import type { Bindings } from "../../../types.js";
+import type { AppVariables } from "../../../types/app-context.js";
+
+type Env = { Bindings: Bindings; Variables: AppVariables };
+
+const ReindexSchema = z.object({
+  limit: z.number().int().positive().max(500).optional(),
+  cursor: z.string().min(1).optional(),
+});
+
+export const internalSearchReindexRoutes = new Hono<Env>();
+
+/**
+ * Rebuild `post.body_text` for a batch of non-deleted posts. FTS indexes
+ * (SQLite trigger / Postgres generated column) refresh automatically when
+ * `body_text` changes.
+ *
+ * Idempotent. Callers loop with the returned `nextCursor` until `done: true`.
+ * Used by the `jant search-reindex` CLI to backfill search indexes for
+ * existing posts after changes to the text extraction logic (e.g. including
+ * link mark hrefs so inline URLs become searchable).
+ */
+internalSearchReindexRoutes.post("/", requireInternalAdminApi(), async (c) => {
+  const contentType = c.req.header("Content-Type") || "";
+  const rawBody = contentType.includes("application/json")
+    ? await c.req.json().catch(() => ({}))
+    : {};
+  const body = parseValidated(ReindexSchema, rawBody);
+
+  const result = await c.var.services.posts.reindexBodyText({
+    limit: body.limit,
+    cursor: body.cursor,
+  });
+
+  return c.json(result);
+});

package/src/routes/api/internal/sites.ts

@@ -33,6 +33,7 @@ const CreateManagedSiteSchema = z.object({
   siteName: z.string().trim().min(1).max(120),
   siteLanguage: z.string().trim().max(35).optional(),
   timeZone: z.string().trim().max(100).optional(),
+  idempotencyKey: z.string().trim().min(1).max(128).optional(),
 });
 
 const ManagedSiteDomainSchema = z.object({

package/src/routes/api/search.ts

@@ -7,11 +7,24 @@ import type { Bindings } from "../../types.js";
 import type { AppVariables } from "../../types/app-context.js";
 import { ValidationError, ExternalServiceError } from "../../lib/errors.js";
 import { toSearchApiResult } from "../../lib/api-search.js";
+import { rateLimit } from "../../middleware/rate-limit.js";
 
 type Env = { Bindings: Bindings; Variables: AppVariables };
 
 export const searchApiRoutes = new Hono<Env>();
 
+// Per-IP rate limit. The request-time wrapper is needed because the
+// per-minute cap is pulled from `appConfig` which is only available on
+// `c.var`; constructing the middleware once at module load would capture
+// an undefined value.
+searchApiRoutes.use("*", async (c, next) =>
+  rateLimit({
+    name: "search",
+    limit: c.var.appConfig.rateLimit.searchPerMinute,
+    windowSec: 60,
+  })(c, next),
+);
+
 // Search posts
 searchApiRoutes.get("/", async (c) => {
   const query = c.req.query("q");

package/src/routes/auth/dev.ts

@@ -65,7 +65,7 @@ devAuthRoutes.get("/__dev/login", async (c) => {
     });
   } catch {
     return c.text(
-      "Dev login failed. Finish /setup once or run `mise run db-local-rebuild-demo`, then retry.",
+      "Dev login failed. Finish /setup once or run `mise run db-wrangler-rebuild-demo`, then retry.",
       500,
     );
   }

package/src/routes/auth/signin.tsx

@@ -14,7 +14,7 @@ import { SigninSchema } from "../../lib/schemas.js";
 import { buildPageTitle } from "../../lib/page-title.js";
 import { getI18n } from "../../i18n/index.js";
 import { getHostedControlPlaneSigninUrl } from "../../lib/hosted-signin.js";
-import { toPublicPath } from "../../lib/url.js";
+import { isSafeInternalRedirect, toPublicPath } from "../../lib/url.js";
 
 type Env = { Bindings: Bindings; Variables: AppVariables };
 
@@ -22,11 +22,13 @@ const SigninContent: FC<{
   demoEmail?: string;
   demoPassword?: string;
   sitePathPrefix?: string;
-}> = ({ demoEmail, demoPassword, sitePathPrefix = "" }) => {
+  redirect?: string;
+}> = ({ demoEmail, demoPassword, sitePathPrefix = "", redirect }) => {
   const { i18n } = useLingui();
   const signals = JSON.stringify({
     email: demoEmail || "",
     password: demoPassword || "",
+    ...(redirect ? { redirect } : {}),
   }).replace(/</g, "\\u003c");
 
   return (
@@ -121,9 +123,15 @@ const SigninContent: FC<{
 export const signinRoutes = new Hono<Env>();
 
 signinRoutes.get("/signin", async (c) => {
+  const rawRedirect = c.req.query("redirect");
+  const redirect = isSafeInternalRedirect(rawRedirect)
+    ? rawRedirect
+    : undefined;
+
   const hostedSigninUrl = getHostedControlPlaneSigninUrl(
     c.env,
     c.var.publicRequestUrl,
+    redirect,
   );
   if (hostedSigninUrl) {
     return c.redirect(hostedSigninUrl);
@@ -157,6 +165,7 @@ signinRoutes.get("/signin", async (c) => {
         demoEmail={c.var.appConfig.demoEmail}
         demoPassword={c.var.appConfig.demoPassword}
         sitePathPrefix={c.var.appConfig.sitePathPrefix}
+        redirect={redirect}
       />
     </BaseLayout>,
   );
@@ -195,6 +204,14 @@ signinRoutes.post("/signin", async (c) => {
   }
 
   const { email, password } = parsed.data;
+  const rawRedirect =
+    body && typeof body === "object" && "redirect" in body
+      ? (body as { redirect?: unknown }).redirect
+      : undefined;
+  const redirectTarget =
+    typeof rawRedirect === "string" && isSafeInternalRedirect(rawRedirect)
+      ? rawRedirect
+      : "/";
 
   try {
     const { headers } = await c.var.auth.api.signInEmail({
@@ -203,9 +220,10 @@ signinRoutes.post("/signin", async (c) => {
       headers: c.req.raw.headers,
     });
 
-    return dsRedirect(toPublicPath("/", c.var.appConfig.sitePathPrefix), {
-      headers,
-    });
+    return dsRedirect(
+      toPublicPath(redirectTarget, c.var.appConfig.sitePathPrefix),
+      { headers },
+    );
   } catch {
     return dsToast(
       i18n._(

package/src/routes/dash/settings.tsx

@@ -1016,11 +1016,9 @@ settingsRoutes.get("/account/sessions", async (c) => {
 
   const navData = await getNavigationData(c);
 
-  // Get current session to mark it
-  const currentSession = await c.var.auth.api.getSession({
-    headers: c.req.raw.headers,
-  });
-  const currentToken = currentSession?.session?.token ?? "";
+  // Session was pre-fetched by `attachSession`; this route is behind
+  // `requireAuth`, so it's guaranteed to be present here.
+  const currentToken = c.var.session?.session?.token ?? "";
 
   // List all active sessions
   const rawSessions = await c.var.auth.api.listSessions({