emdash 0.10.0 → 0.11.1

package/src/api/handlers/validate-media-fields.ts

@@ -0,0 +1,125 @@
+import type { Kysely } from "kysely";
+
+import type { Database } from "../../database/types.js";
+import { matchesMimeAllowlist, parseAllowedMimeTypes } from "../../media/mime.js";
+import { requestCached } from "../../request-cache.js";
+import { chunks, SQL_BATCH_SIZE } from "../../utils/chunks.js";
+import type { ApiResult } from "../types.js";
+
+interface FieldRow {
+	slug: string;
+	type: string;
+	allowedMimeTypes: string[];
+}
+
+interface MediaRefValue {
+	id?: unknown;
+	provider?: unknown;
+	mimeType?: unknown;
+}
+
+function asMediaRef(value: unknown): MediaRefValue | null {
+	if (value === null || value === undefined) return null;
+	if (typeof value !== "object" || Array.isArray(value)) return null;
+	return value as MediaRefValue;
+}
+
+function fail(message: string): ApiResult<never> {
+	return { success: false, error: { code: "INVALID_MIME_FOR_FIELD", message } };
+}
+
+async function loadMediaFieldsForCollection(
+	db: Kysely<Database>,
+	collectionSlug: string,
+): Promise<FieldRow[]> {
+	const rows = await db
+		.selectFrom("_emdash_fields")
+		.innerJoin("_emdash_collections", "_emdash_collections.id", "_emdash_fields.collection_id")
+		.select(["_emdash_fields.slug", "_emdash_fields.type", "_emdash_fields.validation"])
+		.where("_emdash_collections.slug", "=", collectionSlug)
+		.where("_emdash_fields.type", "in", ["file", "image"])
+		.execute();
+
+	const out: FieldRow[] = [];
+	for (const row of rows) {
+		const list = parseAllowedMimeTypes(row.validation);
+		if (!list) continue;
+		out.push({ slug: row.slug, type: row.type, allowedMimeTypes: list });
+	}
+	return out;
+}
+
+export async function validateMediaFields(
+	db: Kysely<Database>,
+	collectionSlug: string,
+	data: Record<string, unknown>,
+): Promise<ApiResult<true>> {
+	// Cache is keyed on slug only. If a handler creates/modifies a field and
+	// then writes content in the same request (e.g. bulk import), the cached
+	// list will be stale for that request. This is an edge case in normal use.
+	const fields = await requestCached(`mediaFields:${collectionSlug}`, () =>
+		loadMediaFieldsForCollection(db, collectionSlug),
+	);
+	if (fields.length === 0) return { success: true, data: true };
+
+	// Collect local media ids that need a MIME lookup
+	const localIds = new Set<string>();
+	for (const field of fields) {
+		const ref = asMediaRef(data[field.slug]);
+		if (!ref) continue;
+		const provider = typeof ref.provider === "string" ? ref.provider : "local";
+		if (provider === "local" && typeof ref.id === "string") {
+			localIds.add(ref.id);
+		}
+	}
+
+	// Batch-load local media MIMEs
+	const idList = [...localIds];
+	const mimeById = new Map<string, string>();
+	if (idList.length > 0) {
+		for (const batch of chunks(idList, SQL_BATCH_SIZE)) {
+			const rows = await db
+				.selectFrom("media")
+				.select(["id", "mime_type"])
+				.where("id", "in", batch)
+				.execute();
+			for (const r of rows) mimeById.set(r.id, r.mime_type);
+		}
+	}
+
+	for (const field of fields) {
+		const value = data[field.slug];
+		if (value === null || value === undefined) continue;
+		const ref = asMediaRef(value);
+		if (!ref) continue;
+
+		const provider = typeof ref.provider === "string" ? ref.provider : "local";
+
+		// External providers carry mimeType in the ref; trust it as-is.
+		// Local media: look up the stored mimeType by id.
+		let mime: string | undefined;
+		if (provider === "local") {
+			if (typeof ref.id !== "string") {
+				return fail(`Field '${field.slug}' references media with an invalid id`);
+			}
+			mime = mimeById.get(ref.id);
+			if (!mime) {
+				return fail(`Field '${field.slug}' references media with unknown MIME type`);
+			}
+		} else {
+			if (typeof ref.mimeType !== "string") {
+				return fail(`Field '${field.slug}' requires a mimeType declaration for non-local media`);
+			}
+			// TODO: long-term, consider a server-side HEAD probe or provider-vouched
+			// MIMEs for non-local refs; for now the constraint is only as strong as
+			// the client that constructed the ref.
+			mime = ref.mimeType;
+		}
+
+		if (!matchesMimeAllowlist(mime, field.allowedMimeTypes)) {
+			return fail(`Field '${field.slug}' does not accept ${mime}`);
+		}
+	}
+
+	return { success: true, data: true };
+}

package/src/api/schemas/media.ts

@@ -6,9 +6,21 @@ import { cursorPaginationQuery } from "./common.js";
 // Media: Input schemas
 // ---------------------------------------------------------------------------
 
+/**
+ * Accepts a comma-separated string (from URL query params) or an array of
+ * strings (from JSON body or programmatic use) and normalises to string[].
+ */
+const mimeTypeFilter = z
+	.union([z.string(), z.array(z.string())])
+	.transform((v) => {
+		const arr = Array.isArray(v) ? v : v.split(",");
+		return arr.map((s) => s.trim()).filter((s) => s.length > 0);
+	})
+	.optional();
+
 export const mediaListQuery = cursorPaginationQuery
 	.extend({
-		mimeType: z.string().optional(),
+		mimeType: mimeTypeFilter,
 	})
 	.meta({ id: "MediaListQuery" });
 
@@ -30,6 +42,10 @@ export function formatFileSize(bytes: number): string {
 	return `${Math.floor(bytes / 1024 / 1024)}MB`;
 }
 
+// Matches a full MIME type (type/subtype) with an optional semicolon-delimited
+// parameter section. Forbids CR/LF to prevent header injection.
+const CONTENT_TYPE_RE = /^[a-z0-9][a-z0-9!#$&^_+\-.]*\/[a-z0-9!#$&^_+\-.]+(\s*;[^\r\n]*)?$/i;
+
 export function mediaUploadUrlBody(maxSize: number) {
 	if (!Number.isFinite(maxSize) || maxSize <= 0) {
 		throw new Error(`EmDash: maxUploadSize must be a positive finite number, got ${maxSize}`);
@@ -37,13 +53,17 @@ export function mediaUploadUrlBody(maxSize: number) {
 	return z
 		.object({
 			filename: z.string().min(1, "filename is required"),
-			contentType: z.string().min(1, "contentType is required"),
+			contentType: z
+				.string()
+				.min(1, "contentType is required")
+				.regex(CONTENT_TYPE_RE, "Invalid content type"),
 			size: z
 				.number()
 				.int()
 				.positive()
 				.max(maxSize, `File size must not exceed ${formatFileSize(maxSize)}`),
 			contentHash: z.string().optional(),
+			fieldId: z.string().optional(),
 		})
 		.meta({ id: "MediaUploadUrlBody" });
 }
@@ -59,7 +79,7 @@ export const mediaConfirmBody = z
 export const mediaProviderListQuery = cursorPaginationQuery
 	.extend({
 		query: z.string().optional(),
-		mimeType: z.string().optional(),
+		mimeType: mimeTypeFilter,
 	})
 	.meta({ id: "MediaProviderListQuery" });
 

package/src/api/schemas/schema.ts

@@ -49,6 +49,15 @@ const fieldValidation = z
 		subFields: z.array(repeaterSubFieldSchema).min(1).optional(),
 		minItems: z.number().int().min(0).optional(),
 		maxItems: z.number().int().min(1).optional(),
+		allowedMimeTypes: z
+			.array(
+				z
+					.string()
+					.regex(/^[a-z0-9][a-z0-9!#$&^_+\-.]*\/[a-z0-9!#$&^_+\-.]*$/i, "Invalid MIME type"),
+			)
+			.min(1, "allowedMimeTypes must not be empty — omit the field to allow all types")
+			.max(64, "allowedMimeTypes may contain at most 64 entries")
+			.optional(),
 	})
 	.optional();
 
@@ -92,7 +101,7 @@ export const createFieldBody = z
 		required: z.boolean().optional(),
 		unique: z.boolean().optional(),
 		defaultValue: z.unknown().optional(),
-		validation: fieldValidation,
+		validation: fieldValidation.nullable(),
 		widget: z.string().optional(),
 		options: fieldWidgetOptions,
 		sortOrder: z.number().int().min(0).optional(),
@@ -107,7 +116,7 @@ export const updateFieldBody = z
 		required: z.boolean().optional(),
 		unique: z.boolean().optional(),
 		defaultValue: z.unknown().optional(),
-		validation: fieldValidation,
+		validation: fieldValidation.nullable(),
 		widget: z.string().optional(),
 		options: fieldWidgetOptions,
 		sortOrder: z.number().int().min(0).optional(),

package/src/astro/middleware.ts

@@ -47,7 +47,12 @@ import { createPublicMediaUrlResolver } from "../media/url.js";
 import type { SandboxRunner } from "../plugins/sandbox/types.js";
 import type { ResolvedPlugin } from "../plugins/types.js";
 import { invalidateUrlPatternCache } from "../query.js";
-import { getRequestContext, runWithContext } from "../request-context.js";
+import {
+	createRequestMetrics,
+	getRequestContext,
+	type RequestMetrics,
+	runWithContext,
+} from "../request-context.js";
 import type { EmDashConfig } from "./integration/runtime.js";
 import type { EmDashHandlers } from "./types.js";
 
@@ -209,6 +214,33 @@ function finalizeResponse(
 	return res;
 }
 
+/**
+ * Append always-on counters (db.*, cache.*) to the Server-Timing list.
+ *
+ * dur values for `count`, `hit`, `miss` are integer counts — Server-Timing
+ * spec only models milliseconds, but browsers show whatever number is given,
+ * which is the convention most projects use for non-time samples.
+ */
+function pushMetricsTimings(
+	timings: Array<{ name: string; dur: number; desc?: string }>,
+	metrics: RequestMetrics,
+): void {
+	if (metrics.dbCount > 0) {
+		timings.push({ name: "db.total", dur: metrics.dbTotalMs, desc: "DB total" });
+		timings.push({ name: "db.count", dur: metrics.dbCount, desc: "Query count" });
+		if (metrics.dbFirstOffset !== null) {
+			timings.push({ name: "db.first", dur: metrics.dbFirstOffset, desc: "First query at" });
+		}
+		if (metrics.dbLastOffset !== null) {
+			timings.push({ name: "db.last", dur: metrics.dbLastOffset, desc: "Last query at" });
+		}
+	}
+	if (metrics.cacheHits + metrics.cacheMisses > 0) {
+		timings.push({ name: "cache.hit", dur: metrics.cacheHits, desc: "Cache hits" });
+		timings.push({ name: "cache.miss", dur: metrics.cacheMisses, desc: "Cache misses" });
+	}
+}
+
 /** Public routes that require the runtime (sitemap, robots.txt, etc.) */
 const PUBLIC_RUNTIME_ROUTES = new Set(["/sitemap.xml", "/robots.txt"]);
 const SITEMAP_COLLECTION_RE = /^\/sitemap-[a-z][a-z0-9_]*\.xml$/;
@@ -252,6 +284,8 @@ export const onRequest = defineMiddleware(async (context, next) => {
 		? createRecorder(url.pathname, request.method, request.headers.get("x-perf-phase") ?? "default")
 		: undefined;
 
+	const metrics = createRequestMetrics(performance.now());
+
 	const run = async (): Promise<Response> => {
 		// Process /_emdash routes and public routes with an active session
 		// (logged-in editors need the runtime for toolbar/visual editing on public pages)
@@ -355,13 +389,14 @@ export const onRequest = defineMiddleware(async (context, next) => {
 					const response = await next();
 					timings.push({ name: "render", dur: performance.now() - t0, desc: "Page render" });
 					timings.push({ name: "mw", dur: performance.now() - mwStart, desc: "Total middleware" });
+					pushMetricsTimings(timings, metrics);
 					return finalizeResponse(response, timings);
 				};
 				if (anonScoped) {
 					const parent = getRequestContext();
 					const ctx = parent
 						? { ...parent, db: anonScoped.db }
-						: { editMode: false, db: anonScoped.db };
+						: { editMode: false, db: anonScoped.db, metrics };
 					return runWithContext(ctx, async () => {
 						const response = await runAnon();
 						anonScoped.commit();
@@ -516,12 +551,15 @@ export const onRequest = defineMiddleware(async (context, next) => {
 				const response = await next();
 				timings.push({ name: "render", dur: performance.now() - t0, desc: "Page render" });
 				timings.push({ name: "mw", dur: performance.now() - mwStart, desc: "Total middleware" });
+				pushMetricsTimings(timings, metrics);
 				return finalizeResponse(response, timings);
 			};
 
 			if (scoped) {
 				const parent = getRequestContext();
-				const ctx = parent ? { ...parent, db: scoped.db } : { editMode: false, db: scoped.db };
+				const ctx = parent
+					? { ...parent, db: scoped.db }
+					: { editMode: false, db: scoped.db, metrics };
 				return runWithContext(ctx, async () => {
 					const response = await renderAndFinalize();
 					scoped.commit();
@@ -542,20 +580,17 @@ export const onRequest = defineMiddleware(async (context, next) => {
 			const parent = getRequestContext();
 			const ctx = parent
 				? { ...parent, editMode, db: playgroundDb, dbIsIsolated: true }
-				: { editMode, db: playgroundDb, dbIsIsolated: true };
+				: { editMode, db: playgroundDb, dbIsIsolated: true, metrics };
 			return runWithContext(ctx, doInit);
 		}
 		return doInit();
 	};
 
-	if (queryRecorder) {
-		try {
-			return await runWithContext({ editMode: false, queryRecorder }, run);
-		} finally {
-			flushRecorder(queryRecorder);
-		}
+	try {
+		return await runWithContext({ editMode: false, queryRecorder, metrics }, run);
+	} finally {
+		if (queryRecorder) flushRecorder(queryRecorder);
 	}
-	return run();
 });
 
 export default onRequest;

package/src/astro/routes/api/content/[collection]/[id]/discard-draft.ts

@@ -50,7 +50,7 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
+	if (cache?.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
 
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/[id]/duplicate.ts

@@ -55,7 +55,7 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection] });
+	if (cache?.enabled) await cache.invalidate({ tags: [collection] });
 
 	return unwrapResult(result, 201);
 };

package/src/astro/routes/api/content/[collection]/[id]/permanent.ts

@@ -27,7 +27,7 @@ export const DELETE: APIRoute = async ({ params, locals, cache }) => {
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection, id] });
+	if (cache?.enabled) await cache.invalidate({ tags: [collection, id] });
 
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/[id]/publish.ts

@@ -80,7 +80,7 @@ export const POST: APIRoute = async ({ params, request, locals, cache }) => {
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
+	if (cache?.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
 
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/[id]/restore.ts

@@ -50,7 +50,7 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
+	if (cache?.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
 
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/[id]/schedule.ts

@@ -63,7 +63,7 @@ export const POST: APIRoute = async ({ params, request, locals, cache }) => {
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId ?? id] });
+	if (cache?.enabled) await cache.invalidate({ tags: [collection, resolvedId ?? id] });
 
 	return unwrapResult(result);
 };
@@ -95,7 +95,7 @@ export const DELETE: APIRoute = async ({ params, locals, cache }) => {
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId ?? id] });
+	if (cache?.enabled) await cache.invalidate({ tags: [collection, resolvedId ?? id] });
 
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/[id]/unpublish.ts

@@ -50,7 +50,7 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
+	if (cache?.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
 
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/[id].ts

@@ -125,7 +125,7 @@ export const PUT: APIRoute = async ({ params, request, locals, cache }) => {
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
+	if (cache?.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
 
 	return unwrapResult(result);
 };
@@ -171,7 +171,7 @@ export const DELETE: APIRoute = async ({ params, locals, cache }) => {
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
+	if (cache?.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
 
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/index.ts

@@ -91,7 +91,7 @@ export const POST: APIRoute = async ({ params, request, locals, cache }) => {
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection] });
+	if (cache?.enabled) await cache.invalidate({ tags: [collection] });
 
 	return unwrapResult(result, 201);
 };

package/src/astro/routes/api/media/upload-url.ts

@@ -15,8 +15,10 @@ import { ulid } from "ulidx";
 
 import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { GLOBAL_UPLOAD_ALLOWLIST, resolveFieldAllowlist } from "#api/handlers/media-allowlist.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { DEFAULT_MAX_UPLOAD_SIZE, mediaUploadUrlBody } from "#api/schemas.js";
+import { matchesMimeAllowlist, normalizeMime } from "#media/mime.js";
 
 export const prerender = false;
 
@@ -70,9 +72,13 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		const body = await parseBody(request, mediaUploadUrlBody(maxSize));
 		if (isParseError(body)) return body;
 
-		// Validate content type
-		const allowedTypes = ["image/", "video/", "audio/", "application/pdf"];
-		if (!allowedTypes.some((type) => body.contentType.startsWith(type))) {
+		// Validate content type (field-aware widening)
+		const fieldAllowlist = body.fieldId
+			? await resolveFieldAllowlist(emdash.db, body.fieldId)
+			: null;
+		const allowlist = fieldAllowlist ?? [...GLOBAL_UPLOAD_ALLOWLIST];
+
+		if (!matchesMimeAllowlist(body.contentType, allowlist)) {
 			return apiError("INVALID_TYPE", "File type not allowed", 400);
 		}
 
@@ -100,7 +106,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// Create pending media record with content hash
 		const mediaItem = await repo.createPending({
 			filename: body.filename,
-			mimeType: body.contentType,
+			mimeType: normalizeMime(body.contentType),
 			size: body.size,
 			storageKey,
 			contentHash: body.contentHash,

package/src/astro/routes/api/media.ts

@@ -12,9 +12,11 @@ import { ulid } from "ulidx";
 
 import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError, unwrapResult } from "#api/error.js";
+import { GLOBAL_UPLOAD_ALLOWLIST, resolveFieldAllowlist } from "#api/handlers/media-allowlist.js";
 import { isParseError, parseQuery } from "#api/parse.js";
 import { DEFAULT_MAX_UPLOAD_SIZE, formatFileSize, mediaListQuery } from "#api/schemas.js";
 import { MediaRepository } from "#db/repositories/media.js";
+import { matchesMimeAllowlist, normalizeMime } from "#media/mime.js";
 import { generatePlaceholder } from "#media/placeholder.js";
 import { computeContentHash } from "#utils/hash.js";
 
@@ -106,9 +108,15 @@ export const POST: APIRoute = async ({ request, locals }) => {
 			return apiError("NO_FILE", "No file provided", 400);
 		}
 
-		// Validate file type
-		const allowedTypes = ["image/", "video/", "audio/", "application/pdf"];
-		if (!allowedTypes.some((type) => file.type.startsWith(type))) {
+		// Validate file type — widen the allowlist when a field-specific list is configured
+		const fieldIdEntry = formData.get("fieldId");
+		const fieldId =
+			typeof fieldIdEntry === "string" && fieldIdEntry.length > 0 ? fieldIdEntry : null;
+
+		const fieldAllowlist = fieldId ? await resolveFieldAllowlist(emdash.db, fieldId) : null;
+		const allowlist = fieldAllowlist ?? [...GLOBAL_UPLOAD_ALLOWLIST];
+
+		if (!matchesMimeAllowlist(file.type, allowlist)) {
 			return apiError("INVALID_TYPE", "File type not allowed", 400);
 		}
 
@@ -174,7 +182,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// Create media record
 		const result = await emdash.handleMediaCreate({
 			filename: file.name,
-			mimeType: file.type,
+			mimeType: normalizeMime(file.type),
 			size: file.size,
 			width,
 			height,

package/src/astro/types.ts

@@ -43,6 +43,10 @@ export interface ManifestCollection {
 			 *     (e.g. a checkbox grid receiving its column definitions)
 			 */
 			options?: Array<{ value: string; label: string }> | Record<string, unknown>;
+			/** The `_emdash_fields` row ID. Used by the admin to forward to upload/media-list API calls. */
+			id?: string;
+			/** Validation config for the field (e.g. `allowedMimeTypes` for file/image fields, subFields for repeater). */
+			validation?: Record<string, unknown>;
 		}
 	>;
 }
@@ -292,7 +296,7 @@ export interface EmDashHandlers {
 	handleMediaList: (params: {
 		cursor?: string;
 		limit?: number;
-		mimeType?: string;
+		mimeType?: string | readonly string[];
 	}) => Promise<HandlerResponse>;
 
 	handleMediaGet: (id: string) => Promise<HandlerResponse>;

package/src/auth/rate-limit.ts

@@ -63,9 +63,9 @@ export async function checkRateLimit(
 
 	// Atomic upsert: insert or increment, return current count
 	const result = await sql<{ count: number }>`
-		INSERT INTO _emdash_rate_limits (key, window, count)
+		INSERT INTO _emdash_rate_limits (key, "window", count)
 		VALUES (${key}, ${windowStart}, 1)
-		ON CONFLICT (key, window)
+		ON CONFLICT (key, "window")
 		DO UPDATE SET count = _emdash_rate_limits.count + 1
 		RETURNING count
 	`.execute(db);
@@ -179,7 +179,7 @@ export async function cleanupExpiredRateLimits(
 	const cutoff = new Date(Date.now() - maxAgeSeconds * 1000).toISOString();
 
 	const result = await sql`
-		DELETE FROM _emdash_rate_limits WHERE window < ${cutoff}
+		DELETE FROM _emdash_rate_limits WHERE "window" < ${cutoff}
 	`.execute(db);
 
 	return Number(result.numAffectedRows ?? 0);