emdash 0.5.0 → 0.7.0

package/src/plugins/context.ts

@@ -16,7 +16,11 @@ import { SeoRepository } from "../database/repositories/seo.js";
 import { UserRepository } from "../database/repositories/user.js";
 import { withTransaction } from "../database/transaction.js";
 import type { Database } from "../database/types.js";
-import { validateExternalUrl, SsrfError, stripCredentialHeaders } from "../import/ssrf.js";
+import {
+	resolveAndValidateExternalUrl,
+	SsrfError,
+	stripCredentialHeaders,
+} from "../import/ssrf.js";
 import type { Storage } from "../storage/types.js";
 import { CronAccessImpl } from "./cron.js";
 import type { EmailPipeline } from "./email.js";
@@ -599,9 +603,10 @@ export function createUnrestrictedHttpAccess(pluginId: string): HttpAccess {
 			let currentInit = init;
 
 			for (let i = 0; i <= MAX_PLUGIN_REDIRECTS; i++) {
-				// Validate each URL against SSRF rules (private IPs, metadata endpoints)
+				// Validate each URL against SSRF rules (private IPs, metadata
+				// endpoints, wildcard DNS, resolved-IP private ranges).
 				try {
-					validateExternalUrl(currentUrl);
+					await resolveAndValidateExternalUrl(currentUrl);
 				} catch (e) {
 					const msg = e instanceof SsrfError ? e.message : "SSRF validation failed";
 					throw new Error(
@@ -849,6 +854,13 @@ export interface PluginContextFactoryOptions {
 	 * If not provided (or no provider configured), ctx.email will be undefined.
 	 */
 	emailPipeline?: EmailPipeline;
+	/**
+	 * Pre-resolved list of trusted proxy header names (from the runtime
+	 * `EmDashConfig.trustedProxyHeaders` or the env var). Plugin route
+	 * handlers pass this to `extractRequestMeta` so plugins see the same
+	 * client IP the core auth path does.
+	 */
+	trustedProxyHeaders?: string[];
 }
 
 /**

package/src/plugins/manager.ts

@@ -62,6 +62,11 @@ export interface PluginManagerOptions {
 		filename: string,
 		contentType: string,
 	) => Promise<{ uploadUrl: string; mediaId: string }>;
+	/**
+	 * Pre-resolved list of trusted proxy header names for client-IP
+	 * resolution in plugin route handlers. Thread through from the runtime.
+	 */
+	trustedProxyHeaders?: string[];
 }
 
 /**
@@ -81,6 +86,7 @@ export class PluginManager {
 			db: options.db,
 			storage: options.storage,
 			getUploadUrl: options.getUploadUrl,
+			trustedProxyHeaders: options.trustedProxyHeaders,
 		};
 	}
 

package/src/plugins/request-meta.ts

@@ -7,6 +7,8 @@
  *
  */
 
+import type { EmDashConfig } from "../astro/integration/runtime.js";
+import { getTrustedProxyHeaders, normalizeTrustedHeaders } from "../auth/trusted-proxy.js";
 import type { GeoInfo, RequestMeta } from "./types.js";
 
 /**
@@ -40,6 +42,23 @@ function parseFirstForwardedIp(header: string): string | null {
 	return IP_PATTERN.test(trimmed) ? trimmed : null;
 }
 
+/**
+ * Read an IP from an operator-declared trusted header. XFF-style headers
+ * (any name ending in `forwarded-for`) are parsed as comma-separated lists
+ * and the first entry is used; everything else is treated as a single
+ * trimmed value.
+ */
+function readIpFromHeader(headers: Headers, name: string): string | null {
+	const value = headers.get(name);
+	if (!value) return null;
+	if (name.endsWith("forwarded-for")) {
+		return parseFirstForwardedIp(value);
+	}
+	const trimmed = value.trim();
+	if (!trimmed) return null;
+	return IP_PATTERN.test(trimmed) ? trimmed : null;
+}
+
 /**
  * Get the Cloudflare `cf` object from the request, if present.
  * Returns undefined when not running on Cloudflare Workers.
@@ -69,32 +88,52 @@ function extractGeo(cf: CfProperties | undefined): GeoInfo | null {
  * Extract normalized request metadata from a Request object.
  *
  * IP resolution order:
- * 1. `CF-Connecting-IP` header — only trusted when a `cf` object is
- *    present on the request (proving the request came through Cloudflare's
- *    edge, which strips/overwrites client-supplied values).
- * 2. `X-Forwarded-For` header (first entry) — best-effort, spoofable
- *    when there is no trusted reverse proxy.
- * 3. `null`
+ * 1. `CF-Connecting-IP` — trusted only when a `cf` object is present on the
+ *    request. CF edge overwrites any client-supplied value, so this is the
+ *    cryptographically trustworthy path on Workers. Operator-declared
+ *    trusted headers cannot override it.
+ * 2. `X-Forwarded-For` first entry — trusted only with a `cf` object.
+ * 3. Operator-declared trusted proxy headers (from `config.trustedProxyHeaders`
+ *    or the `EMDASH_TRUSTED_PROXY_HEADERS` env var), tried in order. Used as
+ *    the primary source off-CF and as a fill-in on CF.
+ * 4. `null`
+ *
+ * The second argument accepts either the EmDash config or a pre-resolved
+ * list of trusted headers, so callers that already have the list don't have
+ * to round-trip through the config every request.
  */
-export function extractRequestMeta(request: Request): RequestMeta {
+export function extractRequestMeta(
+	request: Request,
+	configOrTrustedHeaders?: EmDashConfig | null | { trustedProxyHeaders?: string[] } | string[],
+): RequestMeta {
 	const headers = request.headers;
 	const cf = getCfObject(request);
+	const trusted = resolveTrustedHeaders(configOrTrustedHeaders);
 
-	// IP: only trust headers when the cf object confirms we're on Cloudflare.
-	// Without a trusted reverse proxy, X-Forwarded-For is trivially spoofable.
 	let ip: string | null = null;
+
+	// On Cloudflare, prefer the cryptographically trustworthy headers first.
 	if (cf) {
 		const cfIp = headers.get("cf-connecting-ip")?.trim();
 		if (cfIp && IP_PATTERN.test(cfIp)) {
 			ip = cfIp;
 		}
+		if (!ip) {
+			const xff = headers.get("x-forwarded-for");
+			ip = xff ? parseFirstForwardedIp(xff) : null;
+		}
 	}
-	if (!ip && cf) {
-		// Only trust X-Forwarded-For when we're behind Cloudflare (which
-		// overwrites the header). In standalone deployments without a trusted
-		// proxy, XFF is trivially spoofable.
-		const xff = headers.get("x-forwarded-for");
-		ip = xff ? parseFirstForwardedIp(xff) : null;
+
+	// Fall through to operator-declared trusted headers. On CF this fills
+	// in when the CF headers are absent; off-CF it's the primary source.
+	if (!ip) {
+		for (const name of trusted) {
+			const value = readIpFromHeader(headers, name);
+			if (value) {
+				ip = value;
+				break;
+			}
+		}
 	}
 
 	const userAgent = headers.get("user-agent")?.trim() || null;
@@ -104,6 +143,18 @@ export function extractRequestMeta(request: Request): RequestMeta {
 	return { ip, userAgent, referer, geo };
 }
 
+function resolveTrustedHeaders(
+	value: EmDashConfig | null | { trustedProxyHeaders?: string[] } | string[] | undefined,
+): string[] {
+	if (Array.isArray(value)) {
+		// Apply the same RFC 7230 validation the config/env path does so a
+		// caller passing a pre-resolved list with bad entries can't crash
+		// `Headers.get()` downstream.
+		return normalizeTrustedHeaders(value);
+	}
+	return getTrustedProxyHeaders(value);
+}
+
 // =============================================================================
 // Header Sanitization for Sandbox
 // =============================================================================

package/src/plugins/routes.ts

@@ -50,10 +50,12 @@ export interface InvokeRouteOptions {
 export class PluginRouteHandler {
 	private contextFactory: PluginContextFactory;
 	private plugin: ResolvedPlugin;
+	private trustedProxyHeaders: string[];
 
 	constructor(plugin: ResolvedPlugin, factoryOptions: PluginContextFactoryOptions) {
 		this.plugin = plugin;
 		this.contextFactory = new PluginContextFactory(factoryOptions);
+		this.trustedProxyHeaders = factoryOptions.trustedProxyHeaders ?? [];
 	}
 
 	/**
@@ -99,7 +101,7 @@ export class PluginRouteHandler {
 			...baseContext,
 			input: validatedInput,
 			request: options.request,
-			requestMeta: extractRequestMeta(options.request),
+			requestMeta: extractRequestMeta(options.request, this.trustedProxyHeaders),
 		};
 
 		// Execute handler

package/src/query.ts

@@ -13,7 +13,9 @@
  */
 
 import { getFallbackChain, getI18nConfig, isI18nEnabled } from "./i18n/config.js";
+import { requestCached } from "./request-cache.js";
 import { getRequestContext } from "./request-context.js";
+import { isMissingTableError } from "./utils/db-errors.js";
 import {
 	createEditable,
 	createNoop,
@@ -269,6 +271,51 @@ function entryEditOptions(entry: { data?: unknown }): EditableOptions {
 export async function getEmDashCollection<T extends string, D = InferCollectionData<T>>(
 	type: T,
 	filter?: CollectionFilter,
+): Promise<CollectionResult<D>> {
+	// Cache per (type, filter) within a single request. Edit mode and
+	// preview are request-scoped and stable, so they don't need to be
+	// part of the key. Widgets and layouts frequently request the same
+	// collection shape as the page itself (e.g. a "recent posts" list
+	// appears on the home page AND in the sidebar) — caching collapses
+	// those duplicate queries, along with the bylines and taxonomy-term
+	// hydration each call would otherwise re-do.
+	return requestCached(collectionCacheKey(type, filter), () =>
+		getEmDashCollectionUncached<T, D>(type, filter),
+	);
+}
+
+/**
+ * Build a canonical cache key for `getEmDashCollection`.
+ *
+ * `JSON.stringify` is insertion-order-sensitive, so two callers passing
+ * semantically identical filters with different key orders would miss
+ * the cache. We fix the top-level field order and sort `where` keys
+ * (order there is irrelevant), while preserving `orderBy` key order
+ * because that's the sort priority.
+ */
+function collectionCacheKey(type: string, filter?: CollectionFilter): string {
+	if (!filter) return `collection:${type}:`;
+	const parts = [
+		filter.status ?? "",
+		filter.limit ?? "",
+		filter.cursor ?? "",
+		filter.where ? stableStringify(filter.where) : "",
+		filter.orderBy ? JSON.stringify(filter.orderBy) : "",
+		filter.locale ?? "",
+	];
+	return `collection:${type}:${parts.join("|")}`;
+}
+
+function stableStringify(value: Record<string, unknown>): string {
+	const keys = Object.keys(value).toSorted();
+	const ordered: Record<string, unknown> = {};
+	for (const k of keys) ordered[k] = value[k];
+	return JSON.stringify(ordered);
+}
+
+async function getEmDashCollectionUncached<T extends string, D = InferCollectionData<T>>(
+	type: T,
+	filter?: CollectionFilter,
 ): Promise<CollectionResult<D>> {
 	// Dynamic import to avoid build-time issues
 	const { getLiveCollection } = await import("astro:content");
@@ -313,8 +360,13 @@ export async function getEmDashCollection<T extends string, D = InferCollectionD
 		};
 	});
 
-	// Eagerly hydrate bylines for all entries
-	await hydrateEntryBylines(type, entriesWithEdit);
+	// Eagerly hydrate bylines and taxonomy terms for all entries in parallel.
+	// Both are independent queries, so running them concurrently halves the
+	// round-trip cost on remote databases (D1 replicas, etc.).
+	await Promise.all([
+		hydrateEntryBylines(type, entriesWithEdit),
+		hydrateEntryTerms(type, entriesWithEdit),
+	]);
 
 	return { entries: entriesWithEdit, nextCursor, cacheHint: cacheHint ?? {} };
 }
@@ -386,12 +438,12 @@ export async function getEmDashEntry<T extends string, D = InferCollectionData<T
 	const localeChain =
 		requestedLocale && isI18nEnabled() ? getFallbackChain(requestedLocale) : [requestedLocale];
 
-	/** Return a successful EntryResult with bylines hydrated */
+	/** Return a successful EntryResult with bylines and taxonomy terms hydrated */
 	async function successResult(
 		wrapped: ContentEntry<D>,
 		opts: { isPreview: boolean; fallbackLocale?: string; cacheHint: CacheHint },
 	): Promise<EntryResult<D>> {
-		await hydrateEntryBylines(type, [wrapped]);
+		await Promise.all([hydrateEntryBylines(type, [wrapped]), hydrateEntryTerms(type, [wrapped])]);
 		return {
 			entry: wrapped,
 			isPreview: opts.isPreview,
@@ -525,14 +577,59 @@ async function hydrateEntryBylines<D>(type: string, entries: ContentEntry<D>[]):
 			data.byline = credits[0]?.byline ?? null;
 		}
 	} catch (err) {
-		// Only swallow "table not found" errors from pre-migration databases
-		const msg = err instanceof Error ? err.message : "";
-		if (!msg.includes("no such table")) {
+		// Only swallow "table not found" errors from pre-migration databases.
+		// Matches SQLite/D1 ("no such table") and PostgreSQL ("relation/table
+		// ... does not exist") via the shared helper.
+		if (!isMissingTableError(err)) {
+			const msg = err instanceof Error ? err.message : String(err);
 			console.warn("[emdash] Failed to hydrate bylines:", msg);
 		}
 	}
 }
 
+/**
+ * Eagerly hydrate taxonomy term data onto entry.data for one or more entries.
+ *
+ * Attaches `terms` (Record keyed by taxonomy name with an array of TaxonomyTerm
+ * values) to each entry's data object. Uses a single batched JOIN query across
+ * all taxonomies so the cost is O(1) regardless of the number of entries or
+ * taxonomies on the site.
+ *
+ * This eliminates the common N+1 pattern where templates loop over list
+ * results and call getEntryTerms() per entry. With hydration, the list page
+ * stays at a single round-trip for term data.
+ *
+ * Fails silently if the taxonomy tables don't exist yet (pre-migration).
+ */
+async function hydrateEntryTerms<D>(type: string, entries: ContentEntry<D>[]): Promise<void> {
+	if (entries.length === 0) return;
+
+	try {
+		const { getAllTermsForEntries } = await import("./taxonomies/index.js");
+
+		const ids = entries.map((e) => dataStr(entryData(e), "id")).filter(Boolean);
+		if (ids.length === 0) return;
+
+		const termsMap = await getAllTermsForEntries(type, ids);
+
+		for (const entry of entries) {
+			const data = entryData(entry);
+			const dbId = dataStr(data, "id");
+			if (!dbId) continue;
+
+			data.terms = termsMap.get(dbId) ?? {};
+		}
+	} catch (err) {
+		// Only swallow "table not found" errors from pre-migration databases.
+		// Matches SQLite/D1 ("no such table") and PostgreSQL ("relation/table
+		// ... does not exist") via the shared helper.
+		if (!isMissingTableError(err)) {
+			const msg = err instanceof Error ? err.message : String(err);
+			console.warn("[emdash] Failed to hydrate terms:", msg);
+		}
+	}
+}
+
 /**
  * Translation summary for a single locale variant
  */

package/src/request-cache.ts

@@ -0,0 +1,106 @@
+/**
+ * Per-request query cache
+ *
+ * Deduplicates identical database queries within a single page render.
+ * Uses the ALS request context as a WeakMap key so the cache is
+ * automatically GC'd when the request completes.
+ *
+ * When no request context is available (e.g. local dev without D1
+ * replicas), queries bypass the cache — local SQLite is fast enough
+ * that deduplication doesn't matter.
+ *
+ * The WeakMap is stored on globalThis with a Symbol key to guarantee
+ * a singleton even when bundlers duplicate this module across chunks
+ * (same pattern as request-context.ts).
+ */
+
+import type { EmDashRequestContext } from "./request-context.js";
+import { getRequestContext } from "./request-context.js";
+
+type CacheStore = WeakMap<EmDashRequestContext, Map<string, Promise<unknown>>>;
+
+const STORE_KEY = Symbol.for("emdash:request-cache");
+const g = globalThis as Record<symbol, unknown>;
+const store: CacheStore =
+	(g[STORE_KEY] as CacheStore | undefined) ??
+	(() => {
+		const wm: CacheStore = new WeakMap();
+		g[STORE_KEY] = wm;
+		return wm;
+	})();
+
+/**
+ * Return a cached result for `key` if one exists in the current
+ * request scope, otherwise call `fn`, cache its promise, and return it.
+ *
+ * Caches the *promise*, not the resolved value, so concurrent calls
+ * with the same key share a single in-flight query.
+ */
+export function requestCached<T>(key: string, fn: () => Promise<T>): Promise<T> {
+	const ctx = getRequestContext();
+	if (!ctx) return fn();
+
+	let cache = store.get(ctx);
+	if (!cache) {
+		cache = new Map();
+		store.set(ctx, cache);
+	}
+
+	const existing = cache.get(key);
+	if (existing) return existing as Promise<T>;
+
+	const promise = Promise.resolve()
+		.then(fn)
+		.catch((error) => {
+			cache.delete(key);
+			throw error;
+		});
+	cache.set(key, promise);
+	return promise;
+}
+
+/**
+ * Look up an entry in the request-scoped cache without inserting one.
+ *
+ * Returns the in-flight or resolved promise if the key exists in the
+ * current request, otherwise `undefined`. Callers can use this to
+ * opportunistically satisfy a narrower query (e.g. `getSiteSetting("seo")`)
+ * from a broader one (`getSiteSettings()`) that's already been loaded
+ * by a parent template — avoiding a redundant round-trip.
+ *
+ * No-ops outside a request context.
+ */
+export function peekRequestCache<T>(key: string): Promise<T> | undefined {
+	const ctx = getRequestContext();
+	if (!ctx) return undefined;
+	const cache = store.get(ctx);
+	return cache?.get(key) as Promise<T> | undefined;
+}
+
+/**
+ * Pre-populate the request-scoped cache with a resolved value.
+ *
+ * Internal helper shared between hydration paths (taxonomy terms,
+ * bylines, etc.) that already have the data in hand and want downstream
+ * callers using `requestCached(key, ...)` to skip the database entirely.
+ * Not exported from the package entrypoint — keep it internal until we
+ * have a documented plugin/extension surface for hydration.
+ *
+ * No-ops outside a request context (local dev without ALS).
+ *
+ * Does not overwrite an existing entry — if a query for this key is already
+ * in flight, its promise wins.
+ */
+export function setRequestCacheEntry<T>(key: string, value: T): void {
+	const ctx = getRequestContext();
+	if (!ctx) return;
+
+	let cache = store.get(ctx);
+	if (!cache) {
+		cache = new Map();
+		store.set(ctx, cache);
+	}
+
+	if (cache.has(key)) return;
+	cache.set(key, Promise.resolve(value));
+}

package/src/request-context.ts

@@ -17,6 +17,8 @@
 
 import { AsyncLocalStorage } from "node:async_hooks";
 
+import type { QueryRecorder } from "./database/instrumentation.js";
+
 export interface EmDashRequestContext {
 	/** Whether the current request is in visual editing mode */
 	editMode: boolean;
@@ -35,6 +37,23 @@ export interface EmDashRequestContext {
 	 * the singleton instance. Also used by the DO preview pattern.
 	 */
 	db?: unknown;
+	/**
+	 * Indicates the per-request `db` points at an isolated database
+	 * instance whose schema may diverge from the configured one
+	 * (playground, DO preview sessions). When true, schema-derived caches
+	 * (manifest, taxonomy defs, etc.) must not be reused across requests.
+	 *
+	 * Plain D1 Sessions API routing does NOT set this — sessions are just
+	 * a routing hint over the same schema, so the module-scoped manifest
+	 * cache remains valid.
+	 */
+	dbIsIsolated?: boolean;
+	/**
+	 * Query recorder attached by middleware when EMDASH_QUERY_LOG_FILE is set.
+	 * The Kysely `log` hook appends an event per query; middleware flushes
+	 * to NDJSON after the response.
+	 */
+	queryRecorder?: QueryRecorder;
 }
 
 const ALS_KEY = Symbol.for("emdash:request-context");

package/src/schema/query.ts

@@ -8,6 +8,7 @@ import type { Kysely } from "kysely";
 
 import type { Database } from "../database/types.js";
 import { getDb } from "../loader.js";
+import { requestCached } from "../request-cache.js";
 import { SchemaRegistry } from "./registry.js";
 import type { Collection } from "./types.js";
 
@@ -25,8 +26,10 @@ import type { Collection } from "./types.js";
  * ```
  */
 export async function getCollectionInfo(slug: string): Promise<Collection | null> {
-	const db = await getDb();
-	return getCollectionInfoWithDb(db, slug);
+	return requestCached(`collection-info:${slug}`, async () => {
+		const db = await getDb();
+		return getCollectionInfoWithDb(db, slug);
+	});
 }
 
 /**