emdash 0.5.0 → 0.7.0

package/src/astro/integration/runtime.ts

@@ -256,6 +256,19 @@ export interface EmDashConfig {
 	 */
 	marketplace?: string;
 
+	/**
+	 * Maximum allowed media file upload size in bytes.
+	 *
+	 * Applies to both direct multipart uploads and signed-URL uploads.
+	 * When unset, defaults to 52_428_800 (50 MB).
+	 *
+	 * @example
+	 * ```ts
+	 * emdash({ maxUploadSize: 100 * 1024 * 1024 }) // 100 MB
+	 * ```
+	 */
+	maxUploadSize?: number;
+
 	/**
 	 * Public browser-facing origin for the site.
 	 *
@@ -271,6 +284,32 @@ export interface EmDashConfig {
 	 */
 	siteUrl?: string;
 
+	/**
+	 * Headers to trust for client IP resolution when running behind a reverse
+	 * proxy. The first header in this list that is present on the request
+	 * wins. Applies to rate limiting for auth endpoints and comment
+	 * submission.
+	 *
+	 * Common values:
+	 * - `x-real-ip` — nginx, Caddy, Traefik
+	 * - `fly-client-ip` — Fly.io
+	 * - `x-forwarded-for` — generic (first entry is used)
+	 *
+	 * Only set this when you **control the reverse proxy**. Untrusted
+	 * clients can set any header they like; trusting headers from an open
+	 * network is an IP-spoofing vulnerability that defeats rate limiting.
+	 *
+	 * On Cloudflare the `cf` object on the request is used automatically —
+	 * you normally don't need to set this. Leave unset (or empty) to
+	 * preserve the default: IP is resolved only when the request came
+	 * through Cloudflare's edge.
+	 *
+	 * Falls back to `EMDASH_TRUSTED_PROXY_HEADERS` env var (comma-separated)
+	 * when this option is not set, so operators can configure at deploy
+	 * time without touching the Astro config.
+	 */
+	trustedProxyHeaders?: string[];
+
 	/**
 	 * Enable playground mode for ephemeral "try EmDash" sites.
 	 *
@@ -322,6 +361,84 @@ export interface EmDashConfig {
 	 * ```
 	 */
 	mediaProviders?: MediaProviderDescriptor[];
+
+	/**
+	 * Admin UI font configuration.
+	 *
+	 * By default, EmDash loads Noto Sans via the Astro Font API, covering
+	 * Latin, Latin Extended, Cyrillic, Cyrillic Extended, Greek, Greek
+	 * Extended, Devanagari, and Vietnamese. Fonts are downloaded from
+	 * Google at build time and self-hosted, so there are no runtime CDN
+	 * requests.
+	 *
+	 * To add support for additional writing systems (Arabic, CJK, etc.),
+	 * pass script names. EmDash resolves the matching Noto Sans variant
+	 * from Google Fonts and merges all script faces under a single
+	 * font-family, so the browser downloads only the glyphs it needs
+	 * via unicode-range.
+	 *
+	 * Set to `false` to disable font injection entirely and use system fonts.
+	 *
+	 * @example
+	 * ```ts
+	 * // Add Arabic and Japanese support
+	 * emdash({
+	 *   fonts: {
+	 *     scripts: ["arabic", "japanese"],
+	 *   },
+	 * })
+	 * ```
+	 *
+	 * @example
+	 * ```ts
+	 * // Disable web fonts entirely (use system fonts)
+	 * emdash({
+	 *   fonts: false,
+	 * })
+	 * ```
+	 */
+	fonts?:
+		| false
+		| {
+				/**
+				 * Additional Noto Sans script families to include.
+				 *
+				 * Available scripts: arabic, armenian, bengali, chinese-simplified,
+				 * chinese-traditional, chinese-hongkong, devanagari, ethiopic, farsi,
+				 * georgian, gujarati, gurmukhi, hebrew, japanese, kannada, khmer,
+				 * korean, lao, malayalam, myanmar, oriya, sinhala, tamil, telugu,
+				 * thai, tibetan.
+				 */
+				scripts?: string[];
+		  };
+
+	/**
+	 * Admin UI branding (white-labeling).
+	 *
+	 * Overrides the default EmDash logo and name in the admin panel.
+	 * Use this to white-label the CMS for agency or enterprise deployments.
+	 * These settings are separate from the public site settings (title, logo,
+	 * favicon) which remain available for SEO and front-end use.
+	 *
+	 * @example
+	 * ```ts
+	 * emdash({
+	 *   admin: {
+	 *     logo: "/images/agency-logo.webp",
+	 *     siteName: "AgencyX CMS",
+	 *     favicon: "/favicon.ico",
+	 *   },
+	 * })
+	 * ```
+	 */
+	admin?: {
+		/** URL or path to a custom logo image for the admin UI (login page, sidebar). */
+		logo?: string;
+		/** Custom name displayed in the admin sidebar and browser tab. */
+		siteName?: string;
+		/** URL or path to a custom favicon for the admin panel. */
+		favicon?: string;
+	};
 }
 
 /**

package/src/astro/integration/virtual-modules.ts

@@ -56,6 +56,9 @@ export const RESOLVED_VIRTUAL_BLOCK_COMPONENTS_ID = "\0" + VIRTUAL_BLOCK_COMPONE
 export const VIRTUAL_SEED_ID = "virtual:emdash/seed";
 export const RESOLVED_VIRTUAL_SEED_ID = "\0" + VIRTUAL_SEED_ID;
 
+export const VIRTUAL_WAIT_UNTIL_ID = "virtual:emdash/wait-until";
+export const RESOLVED_VIRTUAL_WAIT_UNTIL_ID = "\0" + VIRTUAL_WAIT_UNTIL_ID;
+
 /**
  * Generates the config virtual module.
  */
@@ -65,62 +68,42 @@ export function generateConfigModule(serializableConfig: Record<string, unknown>
 
 /**
  * Generates the dialect virtual module.
- * Statically imports the configured database dialect and exports the dialect type.
- *
- * For D1 adapters, also re-exports session helpers (isSessionEnabled, getD1Binding,
- * getDefaultConstraint, getBookmarkCookieName, createSessionDialect) used by
- * middleware for per-request read replica sessions.
  *
- * For non-D1 adapters, session exports are no-ops.
+ * Adapters that set `supportsRequestScope: true` on their descriptor are
+ * expected to export `createRequestScopedDb` from their runtime entrypoint;
+ * the generator re-exports it so middleware can ask for a per-request Kysely
+ * (used for D1 Sessions API, bookmark cookies, read-replica routing). Other
+ * adapters get a stub that returns null.
  */
-export function generateDialectModule(
-	dbEntrypoint?: string,
-	dbType?: string,
-	dbConfig?: unknown,
-): string {
-	if (!dbEntrypoint) {
+export function generateDialectModule(opts: {
+	entrypoint?: string;
+	type?: string;
+	supportsRequestScope: boolean;
+}): string {
+	const { entrypoint, supportsRequestScope } = opts;
+	if (!entrypoint) {
 		return [
 			`export const createDialect = undefined;`,
 			`export const dialectType = "sqlite";`,
-			`export const isSessionEnabled = () => false;`,
-			`export const getD1Binding = () => null;`,
-			`export const getDefaultConstraint = () => "first-unconstrained";`,
-			`export const getBookmarkCookieName = () => "";`,
-			`export const createSessionDialect = undefined;`,
+			`export const createRequestScopedDb = (_opts) => null;`,
 		].join("\n");
 	}
-	const type = dbType ?? "sqlite";
+	const type = opts.type ?? "sqlite";
 
-	// Check if the adapter is D1 (has session helpers)
-	const isD1 = dbEntrypoint.includes("cloudflare") && dbEntrypoint.includes("d1");
-
-	// Check if sessions are enabled in the config
-	const sessionMode =
-		isD1 && dbConfig && typeof dbConfig === "object" && "session" in dbConfig
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- runtime-checked above
-				(dbConfig as { session?: string }).session
-			: undefined;
-	const sessionEnabled = !!sessionMode && sessionMode !== "disabled";
-
-	if (isD1 && sessionEnabled) {
+	if (supportsRequestScope) {
 		return `
-import { createDialect as _createDialect } from "${dbEntrypoint}";
-export { isSessionEnabled, getD1Binding, getDefaultConstraint, getBookmarkCookieName, createSessionDialect } from "${dbEntrypoint}";
+import { createDialect as _createDialect } from "${entrypoint}";
+export { createRequestScopedDb } from "${entrypoint}";
 export const createDialect = _createDialect;
 export const dialectType = ${JSON.stringify(type)};
 `;
 	}
 
-	// Non-D1 or sessions disabled: export no-ops
 	return `
-import { createDialect as _createDialect } from "${dbEntrypoint}";
+import { createDialect as _createDialect } from "${entrypoint}";
 export const createDialect = _createDialect;
 export const dialectType = ${JSON.stringify(type)};
-export const isSessionEnabled = () => false;
-export const getD1Binding = () => null;
-export const getDefaultConstraint = () => "first-unconstrained";
-export const getBookmarkCookieName = () => "";
-export const createSessionDialect = undefined;
+export const createRequestScopedDb = (_opts) => null;
 `;
 }
 
@@ -353,6 +336,25 @@ export function generateBlockComponentsModule(descriptors: PluginDescriptor[]):
 	return `${imports.join("\n")}\nexport const pluginBlockComponents = { ${spreads.join(", ")} };`;
 }
 
+/**
+ * Generates the wait-until virtual module.
+ *
+ * Under @astrojs/cloudflare, re-exports `waitUntil` from `cloudflare:workers`
+ * so `after(fn)` in core can extend the worker's lifetime past the response
+ * for deferred bookkeeping. For any other adapter, exports `undefined` —
+ * Node's long-lived event loop keeps deferred promises running without a
+ * lifetime extender.
+ *
+ * Keeping the adapter check here — rather than in core — means core itself
+ * has no Cloudflare-specific imports or code paths.
+ */
+export function generateWaitUntilModule(adapterName: string | undefined): string {
+	if (adapterName === "@astrojs/cloudflare") {
+		return `export { waitUntil } from "cloudflare:workers";`;
+	}
+	return `export const waitUntil = undefined;`;
+}
+
 /**
  * Generates the seed virtual module.
  * Reads the user's seed file at build time (in Node context) and embeds it,

package/src/astro/integration/vite-config.ts

@@ -38,7 +38,10 @@ import {
 	RESOLVED_VIRTUAL_BLOCK_COMPONENTS_ID,
 	VIRTUAL_SEED_ID,
 	RESOLVED_VIRTUAL_SEED_ID,
+	VIRTUAL_WAIT_UNTIL_ID,
+	RESOLVED_VIRTUAL_WAIT_UNTIL_ID,
 	generateSeedModule,
+	generateWaitUntilModule,
 	generateConfigModule,
 	generateDialectModule,
 	generateStorageModule,
@@ -176,6 +179,9 @@ export function createVirtualModulesPlugin(options: VitePluginOptions): Plugin {
 			if (id === VIRTUAL_SEED_ID) {
 				return RESOLVED_VIRTUAL_SEED_ID;
 			}
+			if (id === VIRTUAL_WAIT_UNTIL_ID) {
+				return RESOLVED_VIRTUAL_WAIT_UNTIL_ID;
+			}
 		},
 		load(id: string) {
 			if (id === RESOLVED_VIRTUAL_CONFIG_ID) {
@@ -184,11 +190,11 @@ export function createVirtualModulesPlugin(options: VitePluginOptions): Plugin {
 			// Generate a module that statically imports the configured dialect
 			// This allows Vite to properly resolve and bundle it
 			if (id === RESOLVED_VIRTUAL_DIALECT_ID) {
-				return generateDialectModule(
-					resolvedConfig.database?.entrypoint,
-					resolvedConfig.database?.type,
-					resolvedConfig.database?.config,
-				);
+				return generateDialectModule({
+					entrypoint: resolvedConfig.database?.entrypoint,
+					type: resolvedConfig.database?.type,
+					supportsRequestScope: resolvedConfig.database?.supportsRequestScope ?? false,
+				});
 			}
 			// Generate a module that statically imports the configured storage
 			if (id === RESOLVED_VIRTUAL_STORAGE_ID) {
@@ -235,6 +241,11 @@ export function createVirtualModulesPlugin(options: VitePluginOptions): Plugin {
 				const projectRoot = fileURLToPath(astroConfig.root);
 				return generateSeedModule(projectRoot);
 			}
+			// Generate wait-until module — re-exports cloudflare:workers'
+			// waitUntil under the Cloudflare adapter, undefined otherwise.
+			if (id === RESOLVED_VIRTUAL_WAIT_UNTIL_ID) {
+				return generateWaitUntilModule(astroConfig.adapter?.name);
+			}
 		},
 	};
 }

package/src/astro/middleware/auth.ts

@@ -102,6 +102,7 @@ const PUBLIC_API_PREFIXES = [
 	"/_emdash/api/oauth/device/token",
 	"/_emdash/api/oauth/device/code",
 	"/_emdash/api/oauth/token",
+	"/_emdash/api/oauth/register",
 	"/_emdash/api/comments/",
 	"/_emdash/api/media/file/",
 	"/_emdash/.well-known/",
@@ -118,6 +119,30 @@ const PUBLIC_API_EXACT = new Set([
 	"/_emdash/api/search",
 ]);
 
+/**
+ * OAuth protocol endpoints that are CSRF-exempt by design.
+ *
+ * These are RFC-defined endpoints (RFC 6749 §3.2, RFC 7591 §3, RFC 8628 §3.1/§3.4)
+ * specified to be called cross-origin by external clients (MCP clients, CLIs,
+ * native apps). They authenticate each request on its own merits:
+ *
+ * - /oauth/token: requires PKCE code_verifier, device_code, or refresh_token
+ * - /oauth/register: RFC 7591 dynamic client registration — anonymous by design
+ * - /oauth/device/code: RFC 8628 device flow initiation — anonymous by design
+ * - /oauth/device/token: requires device_code the client already holds
+ *
+ * None of these rely on ambient cookie credentials, so browser-based CSRF
+ * attacks have nothing to exploit. The endpoints themselves advertise
+ * `Access-Control-Allow-Origin: *`. Note: /oauth/device/authorize (the user
+ * consent step) is NOT in this list — it is session-authenticated.
+ */
+const CSRF_EXEMPT_PUBLIC_ROUTES = new Set([
+	"/_emdash/api/oauth/token",
+	"/_emdash/api/oauth/register",
+	"/_emdash/api/oauth/device/code",
+	"/_emdash/api/oauth/device/token",
+]);
+
 function isPublicEmDashRoute(pathname: string): boolean {
 	if (PUBLIC_API_EXACT.has(pathname)) return true;
 	if (PUBLIC_API_PREFIXES.some((p) => pathname.startsWith(p))) return true;
@@ -125,6 +150,10 @@ function isPublicEmDashRoute(pathname: string): boolean {
 	return false;
 }
 
+function isCsrfExemptPublicRoute(pathname: string): boolean {
+	return CSRF_EXEMPT_PUBLIC_ROUTES.has(pathname);
+}
+
 export const onRequest = defineMiddleware(async (context, next) => {
 	const { url } = context;
 
@@ -141,7 +170,10 @@ export const onRequest = defineMiddleware(async (context, next) => {
 	// This prevents cross-origin form submissions and fetch requests from malicious sites.
 	if (isPublicApiRoute) {
 		const method = context.request.method.toUpperCase();
-		if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") {
+		if (
+			isUnsafeMethod(method) &&
+			!isCsrfExemptPublicRoute(url.pathname) // OAuth protocol endpoints — cross-origin by design
+		) {
 			const publicOrigin = getPublicOrigin(url, context.locals.emdash?.config);
 			const csrfError = checkPublicCsrf(context.request, url, publicOrigin);
 			if (csrfError) return csrfError;

package/src/astro/middleware/request-context.ts

@@ -13,7 +13,7 @@
 import { defineMiddleware } from "astro:middleware";
 
 import { verifyPreviewToken, parseContentId } from "../../preview/tokens.js";
-import { runWithContext } from "../../request-context.js";
+import { getRequestContext, runWithContext } from "../../request-context.js";
 import { renderToolbar } from "../../visual-editing/toolbar.js";
 
 /**
@@ -49,11 +49,18 @@ export const onRequest = defineMiddleware(async (context, next) => {
 	// Playground mode: the playground middleware (from @emdash-cms/cloudflare) stashes
 	// the per-session DO database on locals.__playgroundDb. We set it via ALS here
 	// (same module instance as the loader) so getDb() picks it up correctly.
+	//
+	// `dbIsIsolated: true` tells schema-derived caches (manifest, taxonomy defs,
+	// byline/term existence probes) to bypass module-scope memoization — each
+	// playground session is its own database with its own schema, so a cached
+	// value from another session would be wrong.
 	const playgroundDb = context.locals.__playgroundDb;
 	if (playgroundDb) {
 		// Check if playground user has toggled edit mode on
 		const hasEditCookie = cookies.get("emdash-edit-mode")?.value === "true";
-		return runWithContext({ editMode: hasEditCookie, db: playgroundDb }, () => next());
+		return runWithContext({ editMode: hasEditCookie, db: playgroundDb, dbIsIsolated: true }, () =>
+			next(),
+		);
 	}
 
 	// Fast path: check for CMS signals before doing any work
@@ -90,7 +97,12 @@ export const onRequest = defineMiddleware(async (context, next) => {
 	const needsContext = hasEditCookie || hasPreviewToken;
 
 	if (needsContext) {
-		return runWithContext({ editMode, preview, locale }, async () => {
+		// Merge with any outer ALS context (e.g. the per-request D1 session db
+		// set by the runtime middleware). `storage.run()` replaces the store
+		// wholesale, so without the spread the outer `db` would be lost and
+		// loaders would fall back to the singleton non-session dialect.
+		const parent = getRequestContext();
+		return runWithContext({ ...parent, editMode, preview, locale }, async () => {
 			let response = await next();
 
 			// Preview responses must not be cached -- draft content could leak past token expiry.