emdash 0.5.0 → 0.7.0

package/src/database/repositories/redirect.ts

@@ -11,6 +11,32 @@ import { currentTimestampValue } from "../dialect-helpers.js";
 import type { Database, RedirectTable } from "../types.js";
 import { encodeCursor, decodeCursor, type FindManyResult } from "./types.js";
 
+// ---------------------------------------------------------------------------
+// Bounded 404 logging
+// ---------------------------------------------------------------------------
+
+/**
+ * Hard cap on rows stored in `_emdash_404_log`. When exceeded, the oldest
+ * rows (by `last_seen_at`) are evicted on insert. Prevents an unauthenticated
+ * attacker from growing the table without bound by requesting unique URLs.
+ */
+export const MAX_404_LOG_ROWS = 10_000;
+
+/** Max stored length for the `Referer` header — truncated on insert. */
+export const REFERRER_MAX_LENGTH = 512;
+
+/** Max stored length for the `User-Agent` header — truncated on insert. */
+export const USER_AGENT_MAX_LENGTH = 256;
+
+/**
+ * Truncate a header-derived string to `max` chars, preserving `null`/`undefined`
+ * as `null`. Empty strings stay empty (the caller decides whether to coerce).
+ */
+function truncateOrNull(value: string | null | undefined, max: number): string | null {
+	if (value === null || value === undefined) return null;
+	return value.length > max ? value.slice(0, max) : value;
+}
+
 // ---------------------------------------------------------------------------
 // Types
 // ---------------------------------------------------------------------------
@@ -369,22 +395,97 @@ export class RedirectRepository {
 
 	// --- 404 log ------------------------------------------------------------
 
+	/**
+	 * Record a 404 hit for `entry.path`.
+	 *
+	 * Dedups by path: repeat hits increment `hits` and refresh `last_seen_at`
+	 * on the existing row instead of inserting a new one. Referrer and
+	 * user-agent are truncated to bounded lengths so a malicious client can't
+	 * blow up storage with huge headers. When the table would exceed
+	 * MAX_404_LOG_ROWS, the oldest entries (by `last_seen_at`) are evicted.
+	 *
+	 * This is called from the public redirect middleware on every 404 and
+	 * must never throw for an unauthenticated caller — failures bubble up to
+	 * the middleware, which swallows them.
+	 */
 	async log404(entry: {
 		path: string;
 		referrer?: string | null;
 		userAgent?: string | null;
 		ip?: string | null;
 	}): Promise<void> {
+		const now = new Date().toISOString();
+		const referrer = truncateOrNull(entry.referrer, REFERRER_MAX_LENGTH);
+		const userAgent = truncateOrNull(entry.userAgent, USER_AGENT_MAX_LENGTH);
+		const ip = entry.ip ?? null;
+
+		// Atomic upsert by path. The UNIQUE index on `path` makes this safe
+		// under concurrency: two requests for the same new path can't both
+		// insert — the second one hits the conflict branch and increments
+		// hits instead of failing with a uniqueness error.
 		await this.db
 			.insertInto("_emdash_404_log")
 			.values({
 				id: ulid(),
 				path: entry.path,
-				referrer: entry.referrer ?? null,
-				user_agent: entry.userAgent ?? null,
-				ip: entry.ip ?? null,
-				created_at: new Date().toISOString(),
+				referrer,
+				user_agent: userAgent,
+				ip,
+				hits: 1,
+				last_seen_at: now,
+				created_at: now,
 			})
+			.onConflict((oc) =>
+				oc.column("path").doUpdateSet({
+					hits: sql`hits + 1`,
+					last_seen_at: now,
+					referrer,
+					user_agent: userAgent,
+					ip,
+				}),
+			)
+			.execute();
+
+		// Enforce the row cap. Cheap when the table is under cap (single
+		// COUNT(*) query); evicts oldest rows if we're over. Updates (dedup
+		// hits) don't grow the table so this is a no-op for repeat paths.
+		await this.enforce404Cap();
+	}
+
+	/**
+	 * Delete the oldest rows from `_emdash_404_log` if the row count exceeds
+	 * MAX_404_LOG_ROWS. "Oldest" is by `last_seen_at`, so a path that keeps
+	 * getting hit stays in the table even if it was first seen long ago.
+	 *
+	 * Private — callers use `log404`, which invokes this after every upsert.
+	 */
+	private async enforce404Cap(): Promise<void> {
+		const countRow = await this.db
+			.selectFrom("_emdash_404_log")
+			.select((eb) => eb.fn.countAll<number>().as("c"))
+			.executeTakeFirst();
+		const count = Number(countRow?.c ?? 0);
+		if (count <= MAX_404_LOG_ROWS) return;
+
+		const excess = count - MAX_404_LOG_ROWS;
+
+		// Evict the oldest rows in a single SQL statement. Using a subquery
+		// (rather than materialising the victim IDs in JS and passing them
+		// back as bind parameters) keeps the statement bounded regardless of
+		// how far over cap the table is — important for existing installs
+		// that crossed the threshold before this cap was introduced.
+		await this.db
+			.deleteFrom("_emdash_404_log")
+			.where(
+				"id",
+				"in",
+				this.db
+					.selectFrom("_emdash_404_log")
+					.select("id")
+					.orderBy("last_seen_at", "asc")
+					.orderBy("id", "asc")
+					.limit(excess),
+			)
 			.execute();
 	}
 
@@ -438,6 +539,10 @@ export class RedirectRepository {
 	}
 
 	async get404Summary(limit = 50): Promise<NotFoundSummary[]> {
+		// Since rows are now deduped by path, each path has exactly one row
+		// with `hits` as the running count and `last_seen_at` as the latest
+		// timestamp. The subquery for `top_referrer` collapses to a simple
+		// pick of the row's stored referrer (the most recent one seen).
 		const rows = await sql<{
 			path: string;
 			count: number;
@@ -446,14 +551,12 @@ export class RedirectRepository {
 		}>`
 			SELECT
 				path,
-				COUNT(*) as count,
-				MAX(created_at) as last_seen,
+				SUM(hits) as count,
+				MAX(last_seen_at) as last_seen,
 				(
 					SELECT referrer FROM _emdash_404_log AS inner_log
 					WHERE inner_log.path = _emdash_404_log.path
 						AND referrer IS NOT NULL AND referrer != ''
-					GROUP BY referrer
-					ORDER BY COUNT(*) DESC
 					LIMIT 1
 				) as top_referrer
 			FROM _emdash_404_log

package/src/database/types.ts

@@ -466,6 +466,15 @@ export interface NotFoundLogTable {
 	referrer: string | null;
 	user_agent: string | null;
 	ip: string | null;
+	hits: number;
+	/**
+	 * Migration 035 adds this as a nullable column (SQLite can't add a
+	 * NOT NULL column with a non-constant default to an existing table).
+	 * The `log404` upsert always writes a value, so new and updated rows
+	 * always have one, but existing rows pre-migration were backfilled
+	 * without a NOT NULL constraint. Typed as nullable to match the schema.
+	 */
+	last_seen_at: string | null;
 	created_at: string;
 }
 

package/src/db/adapters.ts

@@ -33,6 +33,21 @@ export interface DatabaseDescriptor {
 	entrypoint: string;
 	config: unknown;
 	type: DatabaseDialectType;
+	/**
+	 * When true, the adapter's runtime entrypoint MUST export a named
+	 * `createRequestScopedDb` function matching the signature declared in
+	 * `virtual:emdash/dialect`. The virtual-module generator re-exports it
+	 * by name, so a missing export becomes a build-time bundler error.
+	 *
+	 * The function is called once per request and decides — based on its own
+	 * runtime config (e.g. whether the user opted into D1 sessions) — whether
+	 * to return a per-request Kysely or null. Use this for features like D1
+	 * read-replica sessions, bookmark cookies, or any per-request DB handle.
+	 *
+	 * When false or absent, the generator emits a stub that returns null and
+	 * the middleware takes its default (singleton) path.
+	 */
+	supportsRequestScope?: boolean;
 }
 
 export interface SqliteConfig {