emdash 0.6.0 → 0.7.0

package/dist/{search-DI4bM2w9.mjs → search-B0effn3j.mjs}

@@ -1,12 +1,12 @@
 import { n as validateJsonFieldName, r as validatePluginIdentifier, t as validateIdentifier } from "./validate-VPnKoIzW.mjs";
 import { o as jsonExtractExpr } from "./dialect-helpers-DhTzaUxP.mjs";
-import { a as slugify, r as RevisionRepository, t as ContentRepository } from "./content-BsBoyj8G.mjs";
+import { a as slugify, r as RevisionRepository, t as ContentRepository } from "./content-D7J5y73J.mjs";
 import { r as encodeBase64, t as decodeBase64 } from "./base64-MBPo9ozB.mjs";
 import { n as decodeCursor, r as encodeCursor, t as EmDashValidationError } from "./types-CMMN0pNg.mjs";
 import { t as MediaRepository } from "./media-DqHVh136.mjs";
-import { a as stripCredentialHeaders, f as OptionsRepository, i as ssrfSafeFetch, o as validateExternalUrl, r as SsrfError } from "./apply-B4MsLM-w.mjs";
+import { a as ssrfSafeFetch, i as resolveAndValidateExternalUrl, o as stripCredentialHeaders, p as OptionsRepository, r as SsrfError, s as validateExternalUrl } from "./apply-5uslYdUu.mjs";
 import { t as withTransaction } from "./transaction-Cn2rjY78.mjs";
-import { t as RedirectRepository } from "./redirect-7lGhLBNZ.mjs";
+import { t as RedirectRepository } from "./redirect-CN0Rt9Ob.mjs";
 import { n as chunks, t as SQL_BATCH_SIZE } from "./chunks-HGz06Soa.mjs";
 import { t as BylineRepository } from "./byline-C4OVd8b3.mjs";
 import { r as isI18nEnabled } from "./config-BXwuX8Bx.mjs";
@@ -1298,7 +1298,8 @@ async function handleContentUpdate(db, collection, id, body) {
 				data: body.data,
 				slug: body.slug,
 				status: body.status,
-				authorId: body.authorId
+				authorId: body.authorId,
+				publishedAt: body.publishedAt
 			});
 			if (body.bylines !== void 0) {
 				await bylineRepo.setContentBylines(collection, resolvedId, body.bylines);
@@ -2640,6 +2641,11 @@ const contentListQuery = cursorPaginationQuery.extend({
 	order: z$1.enum(["asc", "desc"]).optional(),
 	locale: localeCode.optional()
 }).meta({ id: "ContentListQuery" });
+/** ISO 8601 datetime for `publishedAt` / `createdAt`. Routes gate writes behind `content:publish_any`. */
+const contentDateOverride = z$1.iso.datetime({
+	offset: true,
+	message: "must be an ISO 8601 datetime"
+}).nullish();
 const contentCreateBody = z$1.object({
 	data: z$1.record(z$1.string(), z$1.unknown()),
 	slug: z$1.string().nullish(),
@@ -2647,7 +2653,9 @@ const contentCreateBody = z$1.object({
 	bylines: z$1.array(contentBylineInputSchema).optional(),
 	locale: localeCode.optional(),
 	translationOf: z$1.string().optional(),
-	seo: contentSeoInput.optional()
+	seo: contentSeoInput.optional(),
+	publishedAt: contentDateOverride,
+	createdAt: contentDateOverride
 }).meta({ id: "ContentCreateBody" });
 const contentUpdateBody = z$1.object({
 	data: z$1.record(z$1.string(), z$1.unknown()).optional(),
@@ -2657,7 +2665,8 @@ const contentUpdateBody = z$1.object({
 	bylines: z$1.array(contentBylineInputSchema).optional(),
 	_rev: z$1.string().optional().meta({ description: "Opaque revision token for optimistic concurrency" }),
 	skipRevision: z$1.boolean().optional(),
-	seo: contentSeoInput.optional()
+	seo: contentSeoInput.optional(),
+	publishedAt: contentDateOverride
 }).meta({ id: "ContentUpdateBody" });
 const contentScheduleBody = z$1.object({ scheduledAt: z$1.string().min(1, "scheduledAt is required").meta({
 	description: "ISO 8601 datetime for scheduled publishing",
@@ -4983,6 +4992,55 @@ function resolveHook(hook, pluginId) {
 	};
 }
 
+//#endregion
+//#region src/auth/trusted-proxy.ts
+/**
+* RFC 7230 token — valid characters for an HTTP header name. Invalid names
+* passed to `Headers.get()` throw a TypeError at runtime, which would
+* otherwise surface as a 500 from every auth route.
+*/
+const HEADER_NAME_PATTERN = /^[!#$%&'*+\-.^_`|~0-9a-z]+$/;
+/**
+* Normalise a list of header names the way both the config path and any
+* caller passing a pre-resolved list should do: trim, lowercase, drop
+* empty, drop anything that isn't a valid RFC 7230 token. Invalid names
+* would crash `Headers.get()` at runtime.
+*/
+function normalizeTrustedHeaders(names) {
+	return names.map((h) => h.trim().toLowerCase()).filter((h) => h.length > 0 && HEADER_NAME_PATTERN.test(h));
+}
+function isValidHeaderName(name) {
+	return HEADER_NAME_PATTERN.test(name);
+}
+/** Cache for the env-derived value. `null` means "not yet parsed". */
+let _envCache = null;
+function getEnvTrustedHeaders() {
+	if (_envCache !== null) return _envCache;
+	let raw;
+	try {
+		const importMetaEnv = import.meta.env;
+		raw = (typeof process !== "undefined" ? process.env?.EMDASH_TRUSTED_PROXY_HEADERS : void 0) || importMetaEnv?.EMDASH_TRUSTED_PROXY_HEADERS;
+	} catch {
+		raw = void 0;
+	}
+	if (!raw) {
+		_envCache = [];
+		return _envCache;
+	}
+	_envCache = raw.split(",").map((s) => s.trim().toLowerCase()).filter((s) => s.length > 0 && isValidHeaderName(s));
+	return _envCache;
+}
+/**
+* Return the lowercased list of headers to trust for client-IP resolution.
+*
+* When `config?.trustedProxyHeaders` is explicitly set (even to `[]`), it
+* wins. Otherwise fall through to the env var, then to `[]`.
+*/
+function getTrustedProxyHeaders(config) {
+	if (config && config.trustedProxyHeaders !== void 0) return config.trustedProxyHeaders.map((h) => h.trim().toLowerCase()).filter((h) => h.length > 0 && isValidHeaderName(h));
+	return getEnvTrustedHeaders();
+}
+
 //#endregion
 //#region src/plugins/request-meta.ts
 /**
@@ -5004,6 +5062,20 @@ function parseFirstForwardedIp(header) {
 	return IP_PATTERN.test(trimmed) ? trimmed : null;
 }
 /**
+* Read an IP from an operator-declared trusted header. XFF-style headers
+* (any name ending in `forwarded-for`) are parsed as comma-separated lists
+* and the first entry is used; everything else is treated as a single
+* trimmed value.
+*/
+function readIpFromHeader(headers, name) {
+	const value = headers.get(name);
+	if (!value) return null;
+	if (name.endsWith("forwarded-for")) return parseFirstForwardedIp(value);
+	const trimmed = value.trim();
+	if (!trimmed) return null;
+	return IP_PATTERN.test(trimmed) ? trimmed : null;
+}
+/**
 * Get the Cloudflare `cf` object from the request, if present.
 * Returns undefined when not running on Cloudflare Workers.
 */
@@ -5030,24 +5102,39 @@ function extractGeo(cf) {
 * Extract normalized request metadata from a Request object.
 *
 * IP resolution order:
-* 1. `CF-Connecting-IP` header — only trusted when a `cf` object is
-*    present on the request (proving the request came through Cloudflare's
-*    edge, which strips/overwrites client-supplied values).
-* 2. `X-Forwarded-For` header (first entry) — best-effort, spoofable
-*    when there is no trusted reverse proxy.
-* 3. `null`
-*/
-function extractRequestMeta(request) {
+* 1. `CF-Connecting-IP` — trusted only when a `cf` object is present on the
+*    request. CF edge overwrites any client-supplied value, so this is the
+*    cryptographically trustworthy path on Workers. Operator-declared
+*    trusted headers cannot override it.
+* 2. `X-Forwarded-For` first entry — trusted only with a `cf` object.
+* 3. Operator-declared trusted proxy headers (from `config.trustedProxyHeaders`
+*    or the `EMDASH_TRUSTED_PROXY_HEADERS` env var), tried in order. Used as
+*    the primary source off-CF and as a fill-in on CF.
+* 4. `null`
+*
+* The second argument accepts either the EmDash config or a pre-resolved
+* list of trusted headers, so callers that already have the list don't have
+* to round-trip through the config every request.
+*/
+function extractRequestMeta(request, configOrTrustedHeaders) {
 	const headers = request.headers;
 	const cf = getCfObject(request);
+	const trusted = resolveTrustedHeaders(configOrTrustedHeaders);
 	let ip = null;
 	if (cf) {
 		const cfIp = headers.get("cf-connecting-ip")?.trim();
 		if (cfIp && IP_PATTERN.test(cfIp)) ip = cfIp;
+		if (!ip) {
+			const xff = headers.get("x-forwarded-for");
+			ip = xff ? parseFirstForwardedIp(xff) : null;
+		}
 	}
-	if (!ip && cf) {
-		const xff = headers.get("x-forwarded-for");
-		ip = xff ? parseFirstForwardedIp(xff) : null;
+	if (!ip) for (const name of trusted) {
+		const value = readIpFromHeader(headers, name);
+		if (value) {
+			ip = value;
+			break;
+		}
 	}
 	const userAgent = headers.get("user-agent")?.trim() || null;
 	const referer = headers.get("referer")?.trim() || null;
@@ -5059,6 +5146,10 @@ function extractRequestMeta(request) {
 		geo
 	};
 }
+function resolveTrustedHeaders(value) {
+	if (Array.isArray(value)) return normalizeTrustedHeaders(value);
+	return getTrustedProxyHeaders(value);
+}
 /**
 * Headers that must never cross the RPC boundary to sandboxed plugins.
 * Session tokens, auth credentials, and infrastructure headers are stripped
@@ -5707,7 +5798,7 @@ function createUnrestrictedHttpAccess(pluginId) {
 		let currentInit = init;
 		for (let i = 0; i <= MAX_PLUGIN_REDIRECTS; i++) {
 			try {
-				validateExternalUrl(currentUrl);
+				await resolveAndValidateExternalUrl(currentUrl);
 			} catch (e) {
 				const msg = e instanceof SsrfError ? e.message : "SSRF validation failed";
 				throw new Error(`Plugin "${pluginId}": blocked fetch to "${new URL(currentUrl).hostname}": ${msg}`, { cause: e });
@@ -7001,9 +7092,11 @@ async function devConsoleEmailDeliver(event, _ctx) {
 var PluginRouteHandler = class {
 	contextFactory;
 	plugin;
+	trustedProxyHeaders;
 	constructor(plugin, factoryOptions) {
 		this.plugin = plugin;
 		this.contextFactory = new PluginContextFactory(factoryOptions);
+		this.trustedProxyHeaders = factoryOptions.trustedProxyHeaders ?? [];
 	}
 	/**
 	* Invoke a route by name
@@ -7036,7 +7129,7 @@ var PluginRouteHandler = class {
 			...this.contextFactory.createContext(this.plugin),
 			input: validatedInput,
 			request: options.request,
-			requestMeta: extractRequestMeta(options.request)
+			requestMeta: extractRequestMeta(options.request, this.trustedProxyHeaders)
 		};
 		try {
 			return {
@@ -7215,7 +7308,8 @@ var PluginManager = class {
 		this.factoryOptions = {
 			db: options.db,
 			storage: options.storage,
-			getUploadUrl: options.getUploadUrl
+			getUploadUrl: options.getUploadUrl,
+			trustedProxyHeaders: options.trustedProxyHeaders
 		};
 	}
 	/**
@@ -7712,7 +7806,7 @@ async function probeUrl(url) {
 	let normalizedUrl = url.trim();
 	if (!normalizedUrl.startsWith("http")) normalizedUrl = `https://${normalizedUrl}`;
 	normalizedUrl = normalizedUrl.replace(TRAILING_SLASHES_PATTERN, "");
-	validateExternalUrl(normalizedUrl);
+	await resolveAndValidateExternalUrl(normalizedUrl);
 	const results = [];
 	const probePromises = getUrlSources().map(async (source) => {
 		try {
@@ -9396,5 +9490,5 @@ function extractSearchableFields(entry, fields) {
 }
 
 //#endregion
-export { isSafeHref as $, isStandardPluginDefinition as A, handleContentRestore as At, EmailPipeline as B, getAllSources as C, handleContentDuplicate as Ct, probeUrl as D, handleContentListTrashed as Dt, getUrlSources as E, handleContentList as Et, createPluginManager as F, handleContentUpdate as Ft, extractRequestMeta as G, createHookPipeline as H, PluginRouteError as I, validateRev as It, parseWxr as J, sanitizeHeadersForSandbox as K, PluginRouteRegistry as L, portableText as Lt, SandboxNotAvailableError as M, handleContentTranslations as Mt, createNoopSandboxRunner as N, handleContentUnpublish as Nt, registerSource as O, handleContentPermanentDelete as Ot, PluginManager as P, handleContentUnschedule as Pt, prosemirrorToPortableText as Q, DEV_CONSOLE_EMAIL_PLUGIN_ID as R, reference as Rt, clearSources as S, handleContentDiscardDraft as St, getSource as T, handleContentGetIncludingTrashed as Tt, resolveExclusiveHooks as U, HookPipeline as V, CronExecutor as W, after as X, parseWxrString as Y, portableTextToProsemirror as Z, buildPreviewUrl as _, handleContentCompare as _t, search as a, getCollectionInfo as at, parseWxrDate as b, handleContentCreate as bt, getWidgetArea as c, handleMediaGet as ct, getMenu as d, handleRevisionGet as dt, sanitizeHref as et, getMenus as f, handleRevisionList as ft, isPreviewRequest as g, hashString as gt, getPreviewToken as h, computeContentHash as ht, getSuggestions as i, PluginStateRepository as it, NoopSandboxRunner as j, handleContentSchedule as jt, importReusableBlocksAsSections as k, handleContentPublish as kt, getWidgetAreas as l, handleMediaList as lt, getComments as m, generateManifest as mt, extractSearchableFields as n, getSection as nt, searchCollection as o, handleMediaCreate as ot, getCommentCount as p, handleRevisionRestore as pt, definePlugin as q, getSearchStats as r, getSections as rt, searchWithDb as s, handleMediaDelete as st, extractPlainText as t, loadBundleFromR2 as tt, getWidgetComponents as u, handleMediaUpdate as ut, getPreviewUrl as v, handleContentCountScheduled as vt, getFileSources as w, handleContentGet as wt, wxrSource as x, handleContentDelete as xt, wordpressRestSource as y, handleContentCountTrashed as yt, devConsoleEmailDeliver as z, image as zt };
-//# sourceMappingURL=search-DI4bM2w9.mjs.map
+export { prosemirrorToPortableText as $, isStandardPluginDefinition as A, handleContentPublish as At, EmailPipeline as B, image as Bt, getAllSources as C, handleContentDiscardDraft as Ct, probeUrl as D, handleContentList as Dt, getUrlSources as E, handleContentGetIncludingTrashed as Et, createPluginManager as F, handleContentUnschedule as Ft, extractRequestMeta as G, createHookPipeline as H, PluginRouteError as I, handleContentUpdate as It, definePlugin as J, sanitizeHeadersForSandbox as K, PluginRouteRegistry as L, validateRev as Lt, SandboxNotAvailableError as M, handleContentSchedule as Mt, createNoopSandboxRunner as N, handleContentTranslations as Nt, registerSource as O, handleContentListTrashed as Ot, PluginManager as P, handleContentUnpublish as Pt, portableTextToProsemirror as Q, DEV_CONSOLE_EMAIL_PLUGIN_ID as R, portableText as Rt, clearSources as S, handleContentDelete as St, getSource as T, handleContentGet as Tt, resolveExclusiveHooks as U, HookPipeline as V, CronExecutor as W, parseWxrString as X, parseWxr as Y, after as Z, buildPreviewUrl as _, hashString as _t, search as a, PluginStateRepository as at, parseWxrDate as b, handleContentCountTrashed as bt, getWidgetArea as c, handleMediaDelete as ct, getMenu as d, handleMediaUpdate as dt, isSafeHref as et, getMenus as f, handleRevisionGet as ft, isPreviewRequest as g, computeContentHash as gt, getPreviewToken as h, generateManifest as ht, getSuggestions as i, getSections as it, NoopSandboxRunner as j, handleContentRestore as jt, importReusableBlocksAsSections as k, handleContentPermanentDelete as kt, getWidgetAreas as l, handleMediaGet as lt, getComments as m, handleRevisionRestore as mt, extractSearchableFields as n, loadBundleFromR2 as nt, searchCollection as o, getCollectionInfo as ot, getCommentCount as p, handleRevisionList as pt, getTrustedProxyHeaders as q, getSearchStats as r, getSection as rt, searchWithDb as s, handleMediaCreate as st, extractPlainText as t, sanitizeHref as tt, getWidgetComponents as u, handleMediaList as ut, getPreviewUrl as v, handleContentCompare as vt, getFileSources as w, handleContentDuplicate as wt, wxrSource as x, handleContentCreate as xt, wordpressRestSource as y, handleContentCountScheduled as yt, devConsoleEmailDeliver as z, reference as zt };
+//# sourceMappingURL=search-B0effn3j.mjs.map