@jant/core 0.3.42 → 0.3.44

package/src/routes/pages/__tests__/page-canonical.test.ts

@@ -0,0 +1,101 @@
+/**
+ * Tests for the `<link rel="canonical">` tag on post pages.
+ *
+ * Reply URLs render the full thread, so each reply URL would otherwise look
+ * like duplicate content to crawlers. The canonical tag points every page in
+ * the thread back to the thread root.
+ */
+
+import { describe, expect, it } from "vitest";
+import { createTestApp } from "../../../__tests__/helpers/app.js";
+import { pageRoutes } from "../page.js";
+
+function createPageTestApp() {
+  const testApp = createTestApp();
+  const { app } = testApp;
+
+  app.use("*", async (c, next) => {
+    c.set("publicPath", c.req.path);
+    c.set("publicRequestUrl", c.req.url);
+    await next();
+  });
+
+  app.route("/", pageRoutes);
+
+  return testApp;
+}
+
+function extractCanonicalHref(html: string): string | null {
+  const match = html.match(/<link\s+rel="canonical"\s+href="([^"]+)"\s*\/?>/i);
+  return match?.[1] ?? null;
+}
+
+describe("Post page canonical link", () => {
+  it("root post canonical points at its own permalink", async () => {
+    const { app, services } = createPageTestApp();
+
+    const root = await services.posts.create({
+      format: "note",
+      title: "Root post",
+      bodyMarkdown: "Root body",
+      status: "published",
+    });
+
+    const res = await app.request(`/${root.slug}`);
+    expect(res.status).toBe(200);
+
+    const html = await res.text();
+    const canonical = extractCanonicalHref(html);
+    expect(canonical).not.toBeNull();
+    expect(canonical).toMatch(new RegExp(`/${root.slug}$`));
+  });
+
+  it("reply canonical points back to the thread root", async () => {
+    const { app, services } = createPageTestApp();
+
+    const root = await services.posts.create({
+      format: "note",
+      title: "Thread root",
+      bodyMarkdown: "Root body",
+      status: "published",
+    });
+    const reply = await services.posts.create({
+      format: "note",
+      bodyMarkdown: "Reply body",
+      replyToId: root.id,
+      status: "published",
+    });
+
+    // Visiting the reply URL should canonicalize to the root URL.
+    const replyRes = await app.request(`/${reply.slug}`);
+    expect(replyRes.status).toBe(200);
+
+    const replyHtml = await replyRes.text();
+    const replyCanonical = extractCanonicalHref(replyHtml);
+    expect(replyCanonical).not.toBeNull();
+    expect(replyCanonical).toMatch(new RegExp(`/${root.slug}$`));
+    expect(replyCanonical).not.toMatch(new RegExp(`/${reply.slug}$`));
+
+    // And the root URL should canonicalize to itself.
+    const rootRes = await app.request(`/${root.slug}`);
+    const rootCanonical = extractCanonicalHref(await rootRes.text());
+    expect(rootCanonical).toMatch(new RegExp(`/${root.slug}$`));
+  });
+
+  it("canonical is absolute when siteUrl is configured", async () => {
+    const { app, services } = createPageTestApp();
+
+    const post = await services.posts.create({
+      format: "note",
+      title: "Absolute test",
+      bodyMarkdown: "Body",
+      status: "published",
+    });
+
+    const res = await app.request(`/${post.slug}`);
+    const canonical = extractCanonicalHref(await res.text());
+    // SITE_ORIGIN in the test harness is http://localhost:<port>
+    expect(canonical).toMatch(/^https?:\/\//);
+    expect(canonical).toContain(`/${post.slug}`);
+  });
+});

package/src/routes/pages/home.tsx

@@ -12,7 +12,10 @@ import { Hono } from "hono";
 import { msg } from "@lingui/core/macro";
 import type { Bindings } from "../../types.js";
 import type { AppVariables } from "../../types/app-context.js";
-import { getNavigationData } from "../../lib/navigation.js";
+import {
+  getHomeDefaultViewFromNavItems,
+  getNavigationData,
+} from "../../lib/navigation.js";
 import { getI18n } from "../../i18n/index.js";
 import { formatPageLabel, parsePageNumber } from "../../lib/pagination.js";
 import { buildPageTitle } from "../../lib/page-title.js";
@@ -30,25 +33,36 @@ type Env = { Bindings: Bindings; Variables: AppVariables };
 export const homeRoutes = new Hono<Env>();
 
 homeRoutes.get("/", async (c) => {
-  const navData = await getNavigationData(c);
   const i18n = getI18n(c);
   const page = parsePageNumber(c.req.query("page"));
   const paginatedPageTitle = formatPageLabel(page);
+  const isAuthenticated = c.var.isAuthenticated;
+
+  // Fetch nav items once — we need `homeDefaultView` to decide which timeline
+  // to assemble, but `getNavigationData` also consumes them. Passing them
+  // through avoids a duplicate DB query and unlocks the Promise.all below.
+  const navItems = await c.var.services.navItems.list();
+  const homeDefaultView = getHomeDefaultViewFromNavItems(navItems);
+
+  const timelinePromise =
+    homeDefaultView === "featured"
+      ? assembleFeaturedTimeline(c, { page, isAuthenticated })
+      : assembleTimeline(c, { page, isAuthenticated });
+
+  const [navData, timeline] = await Promise.all([
+    getNavigationData(c, { preloadedItems: navItems }),
+    timelinePromise,
+  ]);
 
-  if (navData.homeDefaultView === "featured") {
+  const { items, currentPage, totalPages } = timeline;
+
+  if (homeDefaultView === "featured") {
     const featuredTitle = i18n._(
       msg({
         message: "Featured",
         comment: "@context: Browser page title for the featured feed",
       }),
     );
-    const { items, currentPage, totalPages } = await assembleFeaturedTimeline(
-      c,
-      {
-        page,
-        isAuthenticated: navData.isAuthenticated,
-      },
-    );
 
     return renderPublicPage(c, {
       title:
@@ -76,11 +90,6 @@ homeRoutes.get("/", async (c) => {
     }),
   );
 
-  const { items, currentPage, totalPages } = await assembleTimeline(c, {
-    page,
-    isAuthenticated: navData.isAuthenticated,
-  });
-
   return renderPublicPage(c, {
     title:
       page > 1

package/src/routes/pages/page.tsx

@@ -33,6 +33,28 @@ interface TextPreviewAutoOpen {
   mediaId: string;
 }
 
+/**
+ * Build the canonical absolute URL for a post page.
+ *
+ * Reply URLs render the full thread, so search engines see overlapping
+ * content at every reply URL. Point the canonical to the thread root so
+ * crawlers consolidate ranking on one URL.
+ *
+ * The root post is always at index 0 of `threadPostViews` (getThread orders
+ * by createdAt ASC, and the DB check constraint guarantees root has the
+ * smallest createdAt in its thread). When `threadPostViews` is undefined the
+ * post is not part of a multi-post thread, so the post itself is the root.
+ */
+function buildPostCanonicalHref(
+  postView: { permalink: string },
+  threadPostViews: Array<{ permalink: string }> | undefined,
+  siteUrl: string,
+): string {
+  const rootPermalink = threadPostViews?.[0]?.permalink ?? postView.permalink;
+  if (!siteUrl) return rootPermalink;
+  return new URL(rootPermalink, siteUrl).toString();
+}
+
 async function renderPostWithTextPreview(
   c: Context<Env>,
   post: Post,
@@ -48,6 +70,11 @@ async function renderPostWithTextPreview(
 
   const navData = await navDataPromise;
   const meta = buildPostMeta(post, navData.siteName);
+  const canonicalHref = buildPostCanonicalHref(
+    display.postView,
+    display.threadPostViews,
+    c.var.appConfig.siteUrl,
+  );
 
   // Use the attachment summary as the page title (for OG/link previews),
   // and pass the post title in the payload so the client can restore it
@@ -68,6 +95,7 @@ async function renderPostWithTextPreview(
   return renderPublicPage(c, {
     title: pageTitle,
     description: meta.description,
+    canonicalHref,
     navData,
     content: (
       <>
@@ -127,10 +155,16 @@ async function renderPost(c: Context<Env>, post: Post) {
 
   const navData = await navDataPromise;
   const meta = buildPostMeta(post, navData.siteName);
+  const canonicalHref = buildPostCanonicalHref(
+    display.postView,
+    display.threadPostViews,
+    c.var.appConfig.siteUrl,
+  );
 
   return renderPublicPage(c, {
     title: meta.title,
     description: meta.description,
+    canonicalHref,
     navData,
     content: (
       <PostPage post={display.postView} threadPosts={display.threadPostViews} />

package/src/routes/pages/partials.tsx

@@ -1,4 +1,4 @@
-import { Hono, type Context } from "hono";
+import { Hono } from "hono";
 import { I18nProvider } from "../../i18n/index.js";
 import { parseIdParam } from "../../lib/errors.js";
 import { ID_PREFIX } from "../../lib/ids.js";
@@ -18,17 +18,6 @@ type Env = { Bindings: Bindings; Variables: AppVariables };
 
 export const partialPageRoutes = new Hono<Env>();
 
-async function getIsAuthenticated(c: Context<Env>): Promise<boolean> {
-  try {
-    const session = await c.var.auth.api.getSession({
-      headers: c.req.raw.headers,
-    });
-    return !!session?.user;
-  } catch {
-    return false;
-  }
-}
-
 partialPageRoutes.get("/_/version", (c) => {
   return c.json({ version: CORE_VERSION });
 });
@@ -39,7 +28,7 @@ partialPageRoutes.get("/_/timeline-item/:threadRootId", async (c) => {
     ID_PREFIX.post,
   );
   const item = await assembleTimelineItem(c, threadRootId, {
-    isAuthenticated: await getIsAuthenticated(c),
+    isAuthenticated: c.var.isAuthenticated,
   });
 
   if (!item) {
@@ -56,7 +45,7 @@ partialPageRoutes.get("/_/timeline-item/:threadRootId", async (c) => {
 partialPageRoutes.get("/_/post-card/:postId", async (c) => {
   const postId = parseIdParam(c.req.param("postId"), ID_PREFIX.post);
   const postView = await assemblePostCardView(c, postId, {
-    isAuthenticated: await getIsAuthenticated(c),
+    isAuthenticated: c.var.isAuthenticated,
   });
 
   if (!postView) {
@@ -73,7 +62,7 @@ partialPageRoutes.get("/_/post-card/:postId", async (c) => {
 partialPageRoutes.get("/_/post-view/:postId", async (c) => {
   const postId = parseIdParam(c.req.param("postId"), ID_PREFIX.post);
   const display = await assemblePostPageDisplay(c, postId, {
-    isAuthenticated: await getIsAuthenticated(c),
+    isAuthenticated: c.var.isAuthenticated,
   });
 
   if (!display) {

package/src/runtime/cloudflare.ts

@@ -10,6 +10,8 @@ import {
   shouldUseSecureCookies,
 } from "../lib/env.js";
 import { createHostedControlPlaneClient } from "../lib/hosted-control-plane.js";
+import { createD1RateLimiter } from "../lib/rate-limit-d1.js";
+import type { RateLimiter } from "../lib/rate-limit.js";
 import { createStorageDriver, type StorageDriver } from "../lib/storage.js";
 import {
   createHostedHandoffService,
@@ -30,6 +32,7 @@ export interface CloudflareRequestRuntime {
   currentSiteDomain: SiteDomain | null;
   db: Database;
   hostedHandoff: HostedHandoffService;
+  rateLimiter: RateLimiter;
   services: Services;
   storage: StorageDriver | null;
 }
@@ -88,6 +91,7 @@ export async function createCloudflareRequestRuntime(
       schema: sqliteSchemaBundle,
       secret: hostedControlPlaneSsoSecret,
     }),
+    rateLimiter: createD1RateLimiter(db, sqliteSchemaBundle),
     services: createServices(db, session, siteLookup.site.id, {
       databaseDialect: "sqlite",
       bootstrapSite: getSingleSiteBootstrapOptions(env),

package/src/runtime/node.ts

@@ -12,6 +12,8 @@ import {
   shouldUseSecureCookies,
 } from "../lib/env.js";
 import { createHostedControlPlaneClient } from "../lib/hosted-control-plane.js";
+import { createMemoryRateLimiter } from "../lib/rate-limit-memory.js";
+import type { RateLimiter } from "../lib/rate-limit.js";
 import { createStorageDriver, type StorageDriver } from "../lib/storage.js";
 import {
   createHostedHandoffService,
@@ -33,10 +35,23 @@ export interface NodeRequestRuntime {
   currentSiteDomain: SiteDomain | null;
   db: Database;
   hostedHandoff: HostedHandoffService;
+  rateLimiter: RateLimiter;
   services: Services;
   storage: StorageDriver | null;
 }
 
+/**
+ * Single process-wide rate limiter for the Node runtime. Node serves all
+ * requests out of one persistent process, so in-memory counters are
+ * reliable and avoid per-request D1 round-trips. Constructed lazily on
+ * first use so tests that never build a request runtime don't pay for it.
+ */
+let sharedNodeRateLimiter: RateLimiter | null = null;
+function getNodeRateLimiter(): RateLimiter {
+  sharedNodeRateLimiter ??= createMemoryRateLimiter();
+  return sharedNodeRateLimiter;
+}
+
 export interface NodeCliRuntime {
   currentSite: Site;
   currentSiteDomain: SiteDomain | null;
@@ -131,6 +146,7 @@ export async function createNodeRequestRuntime(
       schema: databaseSchema,
       secret: hostedControlPlaneSsoSecret,
     }),
+    rateLimiter: getNodeRateLimiter(),
     services: createServices(db, rawQuery, siteLookup.site.id, {
       databaseDialect,
       bootstrapSite: getSingleSiteBootstrapOptions(env),

package/src/services/__tests__/post.test.ts

@@ -2073,4 +2073,209 @@ describe("PostService", () => {
       expect(updatedRoot?.lastActivityAt).toBe(1000);
     });
   });
+
+  describe("reindexBodyText", () => {
+    function bodyWithLink(text: string, href: string): string {
+      return JSON.stringify({
+        type: "doc",
+        content: [
+          {
+            type: "paragraph",
+            content: [
+              {
+                type: "text",
+                text,
+                marks: [{ type: "link", attrs: { href } }],
+              },
+            ],
+          },
+        ],
+      });
+    }
+
+    it("recomputes body_text and updates only rows that differ", async () => {
+      const post = await postService.create({
+        format: "note",
+        body: bodyWithLink("docs", "https://rebuild.example/page"),
+      });
+
+      // Simulate the pre-fix state by stripping URLs from body_text directly.
+      await db
+        .update(posts)
+        .set({ bodyText: "docs" })
+        .where(eq(posts.id, post.id));
+
+      const firstPass = await postService.reindexBodyText();
+      expect(firstPass.processed).toBe(1);
+      expect(firstPass.updated).toBe(1);
+      expect(firstPass.skipped).toBe(0);
+      expect(firstPass.done).toBe(true);
+      expect(firstPass.nextCursor).toBeNull();
+
+      const reindexed = await postService.getById(post.id);
+      expect(reindexed?.bodyText).toContain("rebuild.example");
+
+      // Idempotent: re-running immediately should be a no-op.
+      const secondPass = await postService.reindexBodyText();
+      expect(secondPass.updated).toBe(0);
+      expect(secondPass.skipped).toBe(1);
+      expect(secondPass.done).toBe(true);
+    });
+
+    it("skips soft-deleted posts", async () => {
+      const live = await postService.create({
+        format: "note",
+        body: bodyWithLink("a", "https://live.example"),
+      });
+      const gone = await postService.create({
+        format: "note",
+        body: bodyWithLink("b", "https://gone.example"),
+      });
+
+      // Strip body_text on both to force an update on the next pass.
+      await db
+        .update(posts)
+        .set({ bodyText: "a" })
+        .where(eq(posts.id, live.id));
+      await db
+        .update(posts)
+        .set({ bodyText: "b" })
+        .where(eq(posts.id, gone.id));
+      await postService.delete(gone.id);
+
+      const result = await postService.reindexBodyText();
+      expect(result.processed).toBe(1);
+      expect(result.updated).toBe(1);
+      expect(result.done).toBe(true);
+    });
+
+    it("paginates with cursor when more posts remain", async () => {
+      for (let i = 0; i < 3; i++) {
+        await postService.create({
+          format: "note",
+          body: bodyWithLink(`p${i}`, `https://p${i}.example`),
+        });
+      }
+
+      const first = await postService.reindexBodyText({ limit: 2 });
+      expect(first.processed).toBe(2);
+      expect(first.done).toBe(false);
+      expect(first.nextCursor).not.toBeNull();
+
+      const second = await postService.reindexBodyText({
+        limit: 2,
+        cursor: first.nextCursor ?? undefined,
+      });
+      expect(second.processed).toBe(1);
+      expect(second.done).toBe(true);
+      expect(second.nextCursor).toBeNull();
+    });
+  });
+
+  describe("listForSitemap", () => {
+    it("returns published non-reply non-private non-deleted posts", async () => {
+      const root = await postService.create({
+        format: "note",
+        bodyMarkdown: "root",
+        status: "published",
+      });
+      await postService.create({
+        format: "note",
+        bodyMarkdown: "reply",
+        replyToId: root.id,
+        status: "published",
+      });
+      await postService.create({
+        format: "note",
+        bodyMarkdown: "private",
+        visibility: "private",
+        status: "published",
+      });
+      await postService.create({
+        format: "note",
+        bodyMarkdown: "draft",
+        status: "draft",
+      });
+      await postService.create({
+        format: "note",
+        bodyMarkdown: "latest hidden",
+        visibility: "latest_hidden",
+        status: "published",
+      });
+
+      const entries = await postService.listForSitemap({ limit: 100 });
+      const ids = entries.map((e) => e.id);
+      // Root post and latest_hidden post should be included; reply/private/draft excluded.
+      expect(ids).toHaveLength(2);
+      expect(ids).toContain(root.id);
+    });
+
+    it("returns entries in ascending id order", async () => {
+      const created: string[] = [];
+      for (let i = 0; i < 5; i++) {
+        const post = await postService.create({
+          format: "note",
+          bodyMarkdown: `post ${i}`,
+          status: "published",
+        });
+        created.push(post.id);
+      }
+
+      const entries = await postService.listForSitemap({ limit: 100 });
+      const ids = entries.map((e) => e.id);
+      // TypeIDs embed a UUIDv7 timestamp, so creation order == ascending id.
+      expect(ids).toEqual([...ids].sort());
+      expect(ids).toEqual(created);
+    });
+
+    it("respects afterId as an exclusive cursor", async () => {
+      const posts = [];
+      for (let i = 0; i < 5; i++) {
+        posts.push(
+          await postService.create({
+            format: "note",
+            bodyMarkdown: `post ${i}`,
+            status: "published",
+          }),
+        );
+      }
+
+      const firstPage = await postService.listForSitemap({ limit: 2 });
+      expect(firstPage).toHaveLength(2);
+
+      const cursor = firstPage[firstPage.length - 1]?.id;
+      const secondPage = await postService.listForSitemap({
+        afterId: cursor,
+        limit: 2,
+      });
+      expect(secondPage.map((e) => e.id)).toEqual([posts[2]?.id, posts[3]?.id]);
+
+      const thirdPage = await postService.listForSitemap({
+        afterId: secondPage[secondPage.length - 1]?.id,
+        limit: 2,
+      });
+      expect(thirdPage.map((e) => e.id)).toEqual([posts[4]?.id]);
+    });
+
+    it("countForSitemap matches listForSitemap without a cursor", async () => {
+      for (let i = 0; i < 3; i++) {
+        await postService.create({
+          format: "note",
+          bodyMarkdown: `p${i}`,
+          status: "published",
+        });
+      }
+      await postService.create({
+        format: "note",
+        bodyMarkdown: "private",
+        visibility: "private",
+        status: "published",
+      });
+
+      const count = await postService.countForSitemap();
+      const entries = await postService.listForSitemap({ limit: 100 });
+      expect(count).toBe(entries.length);
+      expect(count).toBe(3);
+    });
+  });
 });

package/src/services/__tests__/search.test.ts

@@ -204,6 +204,50 @@ describe("SearchService", () => {
     expect(results[0]?.post.url).toContain("example.com");
   });
 
+  it("finds posts by URL embedded in inline markdown links", async () => {
+    // TipTap stores markdown links as marks on text nodes. Their href
+    // must reach body_text so users can search for the URL, not just
+    // the visible link text.
+    const bodyWithLink = JSON.stringify({
+      type: "doc",
+      content: [
+        {
+          type: "paragraph",
+          content: [
+            { type: "text", text: "See " },
+            {
+              type: "text",
+              text: "this page",
+              marks: [
+                {
+                  type: "link",
+                  attrs: { href: "https://inline-link.example/article" },
+                },
+              ],
+            },
+            { type: "text", text: " for details." },
+          ],
+        },
+      ],
+    });
+
+    await postService.create({
+      format: "note",
+      body: bodyWithLink,
+    });
+
+    const d1 = createMockD1(sqlite);
+    const searchService = createSearchService(d1, DEFAULT_TEST_SITE_ID);
+
+    // Searching by the link's URL host should match.
+    const byUrl = await searchService.search("inline-link.example");
+    expect(byUrl.length).toBeGreaterThanOrEqual(1);
+
+    // Regression guard: the visible link text still matches too.
+    const byText = await searchService.search("this page");
+    expect(byText.length).toBeGreaterThanOrEqual(1);
+  });
+
   it("finds posts with short queries (< 3 chars) via LIKE fallback", async () => {
     await postService.create({
       format: "note",