emdash 0.6.0 → 1.0.0

package/src/astro/routes/api/auth/oauth/[provider].ts

@@ -71,16 +71,22 @@ export const GET: APIRoute = async ({ params, request, locals, redirect }) => {
 	const { emdash } = locals;
 	const provider = params.provider;
 
+	// Determine where to redirect errors (setup wizard or login page)
+	const referer = request.headers.get("referer") ?? "";
+	const errorRedirectBase = referer.includes("/setup")
+		? "/_emdash/admin/setup"
+		: "/_emdash/admin/login";
+
 	// Validate provider
 	if (!provider || !isValidProvider(provider)) {
 		return redirect(
-			`/_emdash/admin/login?error=invalid_provider&message=${encodeURIComponent("Invalid OAuth provider")}`,
+			`${errorRedirectBase}?error=invalid_provider&message=${encodeURIComponent("Invalid OAuth provider")}`,
 		);
 	}
 
 	if (!emdash?.db) {
 		return redirect(
-			`/_emdash/admin/login?error=server_error&message=${encodeURIComponent("Database not configured")}`,
+			`${errorRedirectBase}?error=server_error&message=${encodeURIComponent("Database not configured")}`,
 		);
 	}
 
@@ -97,7 +103,7 @@ export const GET: APIRoute = async ({ params, request, locals, redirect }) => {
 
 		if (!providers[provider]) {
 			return redirect(
-				`/_emdash/admin/login?error=provider_not_configured&message=${encodeURIComponent(`OAuth provider ${provider} is not configured`)}`,
+				`${errorRedirectBase}?error=provider_not_configured&message=${encodeURIComponent(`OAuth provider ${provider} is not configured. Set either EMDASH_OAUTH_${provider.toUpperCase()}_CLIENT_ID and EMDASH_OAUTH_${provider.toUpperCase()}_CLIENT_SECRET, or ${provider.toUpperCase()}_CLIENT_ID and ${provider.toUpperCase()}_CLIENT_SECRET.`)}`,
 			);
 		}
 
@@ -114,7 +120,7 @@ export const GET: APIRoute = async ({ params, request, locals, redirect }) => {
 	} catch (error) {
 		console.error("OAuth initiation error:", error);
 		return redirect(
-			`/_emdash/admin/login?error=oauth_error&message=${encodeURIComponent("Failed to start OAuth flow. Please try again.")}`,
+			`${errorRedirectBase}?error=oauth_error&message=${encodeURIComponent("Failed to start OAuth flow. Please try again.")}`,
 		);
 	}
 };

package/src/astro/routes/api/auth/passkey/options.ts

@@ -20,6 +20,7 @@ import { passkeyOptionsBody } from "#api/schemas.js";
 import { createChallengeStore, cleanupExpiredChallenges } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
 import { checkRateLimit, getClientIp, rateLimitResponse } from "#auth/rate-limit.js";
+import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
 import { OptionsRepository } from "#db/repositories/options.js";
 
 export const POST: APIRoute = async ({ request, locals }) => {
@@ -38,7 +39,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		if (isParseError(body)) return body;
 
 		// Rate limit: 10 requests per 60 seconds per IP
-		const ip = getClientIp(request);
+		const ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));
 		const rateLimit = await checkRateLimit(emdash.db, ip, "passkey/options", 10, 60);
 		if (!rateLimit.allowed) {
 			return rateLimitResponse(60);

package/src/astro/routes/api/auth/signup/request.ts

@@ -3,6 +3,8 @@
  *
  * Request self-signup. Sends verification email if domain is allowed.
  * Always returns 200 to prevent email enumeration.
+ *
+ * Rate limited: 3 requests per 5 minutes per IP. Mirrors magic-link/send.
  */
 
 import type { APIRoute } from "astro";
@@ -16,8 +18,18 @@ import { apiError, apiSuccess } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { signupRequestBody } from "#api/schemas.js";
 import { getSiteBaseUrl } from "#api/site-url.js";
+import { checkRateLimit, getClientIp } from "#auth/rate-limit.js";
+import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
 import { OptionsRepository } from "#db/repositories/options.js";
 
+// Generic response body used for both the real success path and the
+// rate-limited / domain-disallowed paths. Keeping them identical prevents
+// the caller from distinguishing between them.
+const GENERIC_SUCCESS = {
+	success: true,
+	message: "If your email domain is allowed, you'll receive a verification email.",
+};
+
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash } = locals;
 
@@ -35,9 +47,21 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	}
 
 	try {
+		// Parse the body first — this avoids burning a rate-limit slot on
+		// malformed input and keeps the timing of the rate-limited and
+		// real paths aligned.
 		const body = await parseBody(request, signupRequestBody);
 		if (isParseError(body)) return body;
 
+		// Rate limit: 3 requests per 300 seconds per IP. Matches magic-link/send.
+		const ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));
+		const rateLimit = await checkRateLimit(emdash.db, ip, "signup/request", 3, 300);
+		if (!rateLimit.allowed) {
+			// Return success-shaped response to avoid revealing rate limiting
+			// (and by extension, the fact that the caller is probing).
+			return apiSuccess(GENERIC_SUCCESS);
+		}
+
 		const adapter = createKyselyAdapter(emdash.db);
 
 		// Get site config for signup email
@@ -60,18 +84,12 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		);
 
 		// Always return success to prevent email enumeration
-		return apiSuccess({
-			success: true,
-			message: "If your email domain is allowed, you'll receive a verification email.",
-		});
+		return apiSuccess(GENERIC_SUCCESS);
 	} catch (error) {
 		console.error("Signup request error:", error);
 
 		// Don't reveal internal errors - just return generic success
 		// to prevent information leakage
-		return apiSuccess({
-			success: true,
-			message: "If your email domain is allowed, you'll receive a verification email.",
-		});
+		return apiSuccess(GENERIC_SUCCESS);
 	}
 };

package/src/astro/routes/api/comments/[collection]/[contentId]/index.ts

@@ -139,18 +139,22 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 		}
 
 		// Anti-spam: Rate limiting
-		const meta = extractRequestMeta(request);
+		const meta = extractRequestMeta(request, emdash.config);
 		const ipSalt =
 			import.meta.env.EMDASH_AUTH_SECRET || import.meta.env.AUTH_SECRET || "emdash-ip-salt";
 		let ipHash: string;
 		if (meta.ip) {
 			ipHash = await hashIp(meta.ip, ipSalt);
-		} else if (meta.userAgent) {
-			// Fallback: hash user-agent as a rough identifier when IP is unavailable
-			ipHash = await hashIp(`ua:${meta.userAgent}`, ipSalt);
 		} else {
-			// Fail closed: all unidentifiable requests share one rate-limit bucket.
-			// Use a larger limit since this bucket is shared across all anonymous users.
+			// No trusted IP — fail closed by bucketing all unidentifiable
+			// requests together. A larger limit reflects the shared bucket.
+			//
+			// Self-hosted operators behind a reverse proxy should set
+			// `trustedProxyHeaders` in the EmDash config (or the
+			// EMDASH_TRUSTED_PROXY_HEADERS env var) so this path isn't hit
+			// for legitimate traffic. UA-hashing was previously used here
+			// but was trivially rotatable — the shared bucket is stricter
+			// and forces operators toward a real fix.
 			ipHash = "unknown";
 		}
 		const unknownBucketLimit = ipHash === "unknown" ? 20 : undefined;

package/src/astro/routes/api/content/[collection]/[id]/compare.ts

@@ -13,7 +13,7 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ params, locals }) => {
 	const { emdash, user } = locals;
-	const denied = requirePerm(user, "content:read");
+	const denied = requirePerm(user, "content:read_drafts");
 	if (denied) return denied;
 	const collection = params.collection!;
 	const id = params.id!;

package/src/astro/routes/api/content/[collection]/[id]/preview-url.ts

@@ -30,7 +30,7 @@ const DURATION_PATTERN = /^(\d+)([smhdw])$/;
 
 export const POST: APIRoute = async ({ params, request, locals }) => {
 	const { emdash, user } = locals;
-	const denied = requirePerm(user, "content:read");
+	const denied = requirePerm(user, "content:read_drafts");
 	if (denied) return denied;
 	const collection = params.collection!;
 	const id = params.id!;

package/src/astro/routes/api/content/[collection]/[id]/revisions.ts

@@ -13,7 +13,7 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ params, url, locals }) => {
 	const { emdash, user } = locals;
-	const denied = requirePerm(user, "content:read");
+	const denied = requirePerm(user, "content:read_drafts");
 	if (denied) return denied;
 	const collection = params.collection!;
 	const id = params.id!;

package/src/astro/routes/api/content/[collection]/[id]/translations.ts

@@ -6,6 +6,7 @@
  * Returns all locale variants linked to the same translation group.
  */
 
+import { hasPermission } from "@emdash-cms/auth";
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
@@ -13,6 +14,15 @@ import { apiError, unwrapResult } from "#api/error.js";
 
 export const prerender = false;
 
+function isPublished(t: unknown): boolean {
+	return (
+		typeof t === "object" &&
+		t !== null &&
+		"status" in t &&
+		(t as Record<string, unknown>).status === "published"
+	);
+}
+
 export const GET: APIRoute = async ({ params, locals }) => {
 	const { emdash, user } = locals;
 	const denied = requirePerm(user, "content:read");
@@ -26,5 +36,21 @@ export const GET: APIRoute = async ({ params, locals }) => {
 
 	const result = await emdash.handleContentTranslations(collection, id);
 
+	// Filter out non-published translations for users without read_drafts so a
+	// subscriber can't enumerate locales that aren't yet live.
+	if (result.success && !hasPermission(user, "content:read_drafts")) {
+		const data =
+			result.data && typeof result.data === "object"
+				? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check
+					(result.data as Record<string, unknown>)
+				: undefined;
+		const translations = Array.isArray(data?.translations) ? data.translations : [];
+		const filtered = translations.filter(isPublished);
+		return unwrapResult({
+			success: true,
+			data: { ...data, translations: filtered },
+		});
+	}
+
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/[id].ts

@@ -6,7 +6,7 @@
  * DELETE /_emdash/api/content/{collection}/{id} - Delete content
  */
 
-import { hasPermission, type Permission } from "@emdash-cms/auth";
+import { hasPermission } from "@emdash-cms/auth";
 import type { APIRoute } from "astro";
 
 import { requirePerm, requireOwnerPerm } from "#api/authorize.js";
@@ -30,6 +30,25 @@ export const GET: APIRoute = async ({ params, url, locals }) => {
 
 	const result = await emdash.handleContentGet(collection, id, locale);
 
+	// Hide non-published items from users without content:read_drafts. Return
+	// 404 (not 403) so subscribers can't enumerate draft IDs by status code.
+	if (result.success && !hasPermission(user, "content:read_drafts")) {
+		const data =
+			result.data && typeof result.data === "object"
+				? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check
+					(result.data as Record<string, unknown>)
+				: undefined;
+		const item =
+			data?.item && typeof data.item === "object"
+				? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check
+					(data.item as Record<string, unknown>)
+				: undefined;
+		const status = typeof item?.status === "string" ? item.status : null;
+		if (status !== "published") {
+			return apiError("NOT_FOUND", `Content item not found: ${id}`, 404);
+		}
+	}
+
 	return unwrapResult(result);
 };
 
@@ -69,12 +88,21 @@ export const PUT: APIRoute = async ({ params, request, locals, cache }) => {
 	const editDenied = requireOwnerPerm(user, authorId, "content:edit_own", "content:edit_any");
 	if (editDenied) return editDenied;
 
+	// Only EDITOR+ can write publishedAt directly — incl. clearing to null.
+	if (body.publishedAt !== undefined && !hasPermission(user, "content:publish_any")) {
+		return apiError(
+			"FORBIDDEN",
+			"Writing publishedAt requires content:publish_any permission",
+			403,
+		);
+	}
+
 	// Use the resolved ID (handles slug → ID resolution)
 	const resolvedId = typeof existingItem?.id === "string" ? existingItem.id : id;
 
 	// Only allow authorId changes if user has content:edit_any permission (editor+)
 	const canChangeAuthor =
-		body.authorId !== undefined && user && hasPermission(user, "content:edit_any" as Permission);
+		body.authorId !== undefined && user && hasPermission(user, "content:edit_any");
 	const updateBody = canChangeAuthor ? body : { ...body, authorId: undefined };
 
 	// Pass _rev through for optimistic concurrency validation

package/src/astro/routes/api/content/[collection]/index.ts

@@ -5,6 +5,7 @@
  * POST /_emdash/api/content/{collection} - Create content
  */
 
+import { hasPermission } from "@emdash-cms/auth";
 import type { APIRoute } from "astro";
 
 import { requirePerm, requireOwnerPerm } from "#api/authorize.js";
@@ -26,7 +27,14 @@ export const GET: APIRoute = async ({ params, url, locals }) => {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
 	}
 
-	const result = await emdash.handleContentList(collection, query);
+	// Subscribers must only see published content; force the status filter
+	// regardless of caller-supplied value. Any user with content:read_drafts
+	// (CONTRIBUTOR+) keeps the requested filter.
+	const params_ = hasPermission(user, "content:read_drafts")
+		? query
+		: { ...query, status: "published" };
+
+	const result = await emdash.handleContentList(collection, params_);
 
 	return unwrapResult(result);
 };
@@ -53,15 +61,7 @@ export const POST: APIRoute = async ({ params, request, locals, cache }) => {
 				mapErrorStatus(source.error?.code),
 			);
 		}
-		const sourceData =
-			source.data && typeof source.data === "object"
-				? (source.data as Record<string, unknown>)
-				: undefined;
-		const sourceItem =
-			sourceData?.item && typeof sourceData.item === "object"
-				? (sourceData.item as Record<string, unknown>)
-				: sourceData;
-		const sourceAuthor = typeof sourceItem?.authorId === "string" ? sourceItem.authorId : "";
+		const sourceAuthor = source.data.item.authorId ?? "";
 		const translationDenied = requireOwnerPerm(
 			user,
 			sourceAuthor,
@@ -71,6 +71,16 @@ export const POST: APIRoute = async ({ params, request, locals, cache }) => {
 		if (translationDenied) return translationDenied;
 	}
 
+	// Only EDITOR+ can write publishedAt / createdAt directly — incl. clearing to null.
+	const hasDateOverride = body.publishedAt !== undefined || body.createdAt !== undefined;
+	if (hasDateOverride && !hasPermission(user, "content:publish_any")) {
+		return apiError(
+			"FORBIDDEN",
+			"Writing publishedAt or createdAt requires content:publish_any permission",
+			403,
+		);
+	}
+
 	// Auto-set authorId to current user when creating content
 	const result = await emdash.handleContentCreate(collection, {
 		...body,

package/src/astro/routes/api/content/[collection]/trash.ts

@@ -17,7 +17,7 @@ export const GET: APIRoute = async ({ params, url, locals }) => {
 	const { emdash, user } = locals;
 	const collection = params.collection!;
 
-	const denied = requirePerm(user, "content:read");
+	const denied = requirePerm(user, "content:read_drafts");
 	if (denied) return denied;
 
 	if (!emdash?.handleContentListTrashed) {

package/src/astro/routes/api/import/wordpress/media.ts

@@ -92,7 +92,6 @@ export const POST: APIRoute = async ({ request, locals }) => {
 						attachments,
 						emdash.db,
 						emdash.storage,
-						request.url,
 						sendProgress,
 					);
 
@@ -117,7 +116,6 @@ export const POST: APIRoute = async ({ request, locals }) => {
 			attachments,
 			emdash.db,
 			emdash.storage,
-			request.url,
 			() => {}, // No-op progress callback
 		);
 
@@ -131,12 +129,9 @@ async function importMediaWithProgress(
 	attachments: AttachmentInfo[],
 	db: NonNullable<EmDashHandlers["db"]>,
 	storage: NonNullable<EmDashHandlers["storage"]>,
-	requestUrl: string,
 	onProgress: (progress: MediaImportProgress) => void,
 ): Promise<MediaImportResult> {
 	const repo = new MediaRepository(db);
-	const url = new URL(requestUrl);
-	const baseUrl = `${url.protocol}//${url.host}`;
 	const total = attachments.length;
 
 	const result: MediaImportResult = {
@@ -237,7 +232,7 @@ async function importMediaWithProgress(
 			const existing = await repo.findByContentHash(contentHash);
 			if (existing) {
 				// Same content already exists - reuse it
-				const existingUrl = `${baseUrl}/_emdash/api/media/file/${existing.storageKey}`;
+				const existingUrl = `/_emdash/api/media/file/${existing.storageKey}`;
 				result.urlMap[attachment.url] = existingUrl;
 				result.imported.push({
 					wpId: attachment.id,
@@ -290,7 +285,7 @@ async function importMediaWithProgress(
 			});
 
 			// Build the new URL
-			const newUrl = `${baseUrl}/_emdash/api/media/file/${storageKey}`;
+			const newUrl = `/_emdash/api/media/file/${storageKey}`;
 
 			result.imported.push({
 				wpId: attachment.id,

package/src/astro/routes/api/import/wordpress/prepare.ts

@@ -58,6 +58,16 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Zod schema output narrowed to PrepareRequest
 		const result = await prepareImport(emdash.db, body as PrepareRequest);
 
+		// If prepare created any new collections or fields, invalidate the
+		// persisted manifest cache (`emdash:manifest_cache` in the options
+		// table) so that the execute endpoint -- a separate request -- sees
+		// the new schema. Without this the execute step reads a stale
+		// manifest and reports `Collection "<slug>" does not exist` for
+		// every item destined for a freshly-created collection. See #747.
+		if (result.collectionsCreated.length > 0 || result.fieldsCreated.length > 0) {
+			emdash.invalidateManifest();
+		}
+
 		return apiSuccess(result, result.success ? 200 : 400);
 	} catch (error) {
 		return handleError(error, "Failed to prepare import", "WXR_PREPARE_ERROR");

package/src/astro/routes/api/import/wordpress-plugin/analyze.ts

@@ -15,7 +15,7 @@ import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { wpPluginAnalyzeBody } from "#api/schemas.js";
 import { getSource } from "#import/index.js";
-import { validateExternalUrl, SsrfError } from "#import/ssrf.js";
+import { resolveAndValidateExternalUrl, SsrfError } from "#import/ssrf.js";
 import type { ImportAnalysis } from "#import/types.js";
 import type { EmDashHandlers } from "#types";
 
@@ -37,9 +37,10 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		const body = await parseBody(request, wpPluginAnalyzeBody);
 		if (isParseError(body)) return body;
 
-		// SSRF: reject internal/private network targets
+		// SSRF: reject internal/private network targets. Uses DNS resolution
+		// to catch hostnames that resolve to private addresses.
 		try {
-			validateExternalUrl(body.url);
+			await resolveAndValidateExternalUrl(body.url);
 		} catch (e) {
 			const msg = e instanceof SsrfError ? e.message : "Invalid URL";
 			return apiError("SSRF_BLOCKED", msg, 400);

package/src/astro/routes/api/import/wordpress-plugin/execute.ts

@@ -15,7 +15,7 @@ import { isParseError, parseBody } from "#api/parse.js";
 import { wpPluginExecuteBody } from "#api/schemas.js";
 import { BylineRepository } from "#db/repositories/byline.js";
 import { getSource } from "#import/index.js";
-import { validateExternalUrl, SsrfError } from "#import/ssrf.js";
+import { resolveAndValidateExternalUrl, SsrfError } from "#import/ssrf.js";
 import type { ImportConfig, ImportResult, NormalizedItem } from "#import/types.js";
 import { resolveImportByline } from "#import/utils.js";
 import type { FieldType } from "#schema/types.js";
@@ -49,9 +49,10 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		const body = await parseBody(request, wpPluginExecuteBody);
 		if (isParseError(body)) return body;
 
-		// SSRF: reject internal/private network targets
+		// SSRF: reject internal/private network targets. Uses DNS resolution
+		// to catch hostnames that resolve to private addresses.
 		try {
-			validateExternalUrl(body.url);
+			await resolveAndValidateExternalUrl(body.url);
 		} catch (e) {
 			const msg = e instanceof SsrfError ? e.message : "Invalid URL";
 			return apiError("SSRF_BLOCKED", msg, 400);

package/src/astro/routes/api/manifest.ts

@@ -12,6 +12,7 @@ import type { APIRoute } from "astro";
 import { getAuthMode } from "#auth/mode.js";
 
 import { COMMIT, VERSION } from "../../../version.js";
+import { getStoredConfig } from "../../integration/runtime.js";
 import type { EmDashManifest } from "../../types.js";
 
 export const prerender = false;
@@ -22,6 +23,10 @@ export const GET: APIRoute = async ({ locals }) => {
 	// Determine auth mode from config
 	const authMode = getAuthMode(emdash?.config);
 
+	// Read admin branding from build-time config
+	const storedConfig = getStoredConfig();
+	const adminBranding = storedConfig?.admin;
+
 	// Check if self-signup is enabled (any allowed domain with enabled = 1)
 	// Only relevant for passkey auth — external auth providers handle their own signup
 	let signupEnabled = false;
@@ -42,6 +47,7 @@ export const GET: APIRoute = async ({ locals }) => {
 				...emdashManifest,
 				authMode: authMode.type === "external" ? authMode.providerType : "passkey",
 				signupEnabled,
+				admin: adminBranding,
 			}
 		: {
 				version: VERSION,
@@ -52,6 +58,7 @@ export const GET: APIRoute = async ({ locals }) => {
 				taxonomies: [],
 				authMode: "passkey",
 				signupEnabled,
+				admin: adminBranding,
 			};
 
 	return Response.json(

package/src/astro/routes/api/oauth/device/code.ts

@@ -15,6 +15,7 @@ import { handleDeviceCodeRequest } from "#api/handlers/device-flow.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { getPublicOrigin } from "#api/public-url.js";
 import { checkRateLimit, getClientIp, rateLimitResponse } from "#auth/rate-limit.js";
+import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
 
 export const prerender = false;
 
@@ -35,7 +36,7 @@ export const POST: APIRoute = async ({ request, locals, url }) => {
 		if (isParseError(body)) return body;
 
 		// Rate limit: 10 requests per 60 seconds per IP
-		const ip = getClientIp(request);
+		const ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));
 		const rateLimit = await checkRateLimit(emdash.db, ip, "device/code", 10, 60);
 		if (!rateLimit.allowed) {
 			return rateLimitResponse(60);

package/src/astro/routes/api/oauth/device/token.ts

@@ -17,6 +17,7 @@ import { apiError, handleError, unwrapResult } from "#api/error.js";
 import { handleDeviceTokenExchange } from "#api/handlers/device-flow.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { checkRateLimit, getClientIp, rateLimitResponse } from "#auth/rate-limit.js";
+import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
 
 export const prerender = false;
 
@@ -37,7 +38,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		if (isParseError(body)) return body;
 
 		// Rate limit: 12 requests per 60 seconds per IP
-		const ip = getClientIp(request);
+		const ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));
 		const rateLimit = await checkRateLimit(emdash.db, ip, "device/token", 12, 60);
 		if (!rateLimit.allowed) {
 			return rateLimitResponse(60);

package/src/astro/routes/api/settings/email.ts

@@ -49,20 +49,15 @@ export const GET: APIRoute = async ({ locals }) => {
 			`emdash:exclusive_hook:${EMAIL_DELIVER_HOOK}`,
 		);
 
-		// Get middleware hooks (beforeSend / afterSend)
+		// Get middleware hooks (beforeSend / afterSend). These are non-exclusive —
+		// many plugins can subscribe — so we enumerate non-exclusive providers.
 		const beforeSendPlugins = pipeline
-			.getExclusiveHookProviders(EMAIL_BEFORE_SEND_HOOK)
+			.getHookProviders(EMAIL_BEFORE_SEND_HOOK)
 			.map((p) => p.pluginId);
 		const afterSendPlugins = pipeline
-			.getExclusiveHookProviders(EMAIL_AFTER_SEND_HOOK)
+			.getHookProviders(EMAIL_AFTER_SEND_HOOK)
 			.map((p) => p.pluginId);
 
-		// Note: beforeSend/afterSend are NOT exclusive hooks, but getExclusiveHookProviders
-		// only finds exclusive ones. We need all hooks for those names.
-		// For now, report what we can from the exclusive hook system.
-		// Middleware is non-exclusive so we'd need a different query.
-		// TODO: Add getHookProviders() for non-exclusive hooks to the pipeline.
-
 		return apiSuccess({
 			available: emdash.email?.isAvailable() ?? false,
 			providers: providers.map((p) => ({

package/src/astro/routes/api/setup/admin-verify.ts

@@ -8,7 +8,7 @@ import type { APIRoute } from "astro";
 
 export const prerender = false;
 
-import { Role } from "@emdash-cms/auth";
+import { Role, secureCompare } from "@emdash-cms/auth";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import { verifyRegistrationResponse, registerPasskey } from "@emdash-cms/auth/passkey";
 
@@ -18,9 +18,10 @@ import { getPublicOrigin } from "#api/public-url.js";
 import { setupAdminVerifyBody } from "#api/schemas.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { SETUP_NONCE_COOKIE } from "#auth/setup-nonce.js";
 import { OptionsRepository } from "#db/repositories/options.js";
 
-export const POST: APIRoute = async ({ request, locals }) => {
+export const POST: APIRoute = async ({ cookies, request, locals }) => {
 	const { emdash } = locals;
 
 	if (!emdash?.db) {
@@ -45,12 +46,35 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		}
 
 		// Get setup state
-		const setupState = await options.get("emdash:setup_state");
+		const setupState = await options.get<{
+			step?: string;
+			email?: string;
+			name?: string | null;
+			nonce?: string;
+		}>("emdash:setup_state");
 
 		if (!setupState || setupState.step !== "admin") {
 			return apiError("INVALID_STATE", "Invalid setup state. Please restart setup.", 400);
 		}
 
+		// Verify the session nonce. The cookie was minted by POST /setup/admin
+		// and stored alongside setup_state; presenting a matching cookie is
+		// proof that this verify call comes from the same browser that
+		// started the admin step. Constant-time compare to avoid leaking the
+		// stored value through timing.
+		const cookieNonce = cookies.get(SETUP_NONCE_COOKIE)?.value;
+		if (!setupState.nonce || !cookieNonce || !secureCompare(cookieNonce, setupState.nonce)) {
+			return apiError(
+				"INVALID_STATE",
+				"Setup session expired or tampered with. Please restart the admin step.",
+				400,
+			);
+		}
+
+		if (!setupState.email) {
+			return apiError("INVALID_STATE", "Invalid setup state. Please restart setup.", 400);
+		}
+
 		// Parse request body
 		const body = await parseBody(request, setupAdminVerifyBody);
 		if (isParseError(body)) return body;
@@ -73,7 +97,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// Create the admin user
 		const user = await adapter.createUser({
 			email: setupState.email,
-			name: setupState.name,
+			name: setupState.name ?? null,
 			role: Role.ADMIN,
 			emailVerified: false, // No email verification for first user
 		});
@@ -84,8 +108,9 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// Mark setup as complete
 		await options.set("emdash:setup_complete", true);
 
-		// Clean up setup state
+		// Clean up setup state and the session nonce cookie
 		await options.delete("emdash:setup_state");
+		cookies.delete(SETUP_NONCE_COOKIE, { path: "/_emdash/" });
 
 		return apiSuccess({
 			success: true,