emdash 0.8.0 → 0.10.0

package/src/astro/routes/api/menus/[name]/reorder.ts

@@ -9,8 +9,8 @@ import type { APIRoute } from "astro";
 import { requirePerm } from "#api/authorize.js";
 import { handleError, unwrapResult } from "#api/error.js";
 import { handleMenuItemReorder } from "#api/handlers/menus.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { reorderMenuItemsBody } from "#api/schemas.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
+import { localeFilterQuery, reorderMenuItemsBody } from "#api/schemas.js";
 
 export const prerender = false;
 
@@ -21,11 +21,16 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	const denied = requirePerm(user, "menus:manage");
 	if (denied) return denied;
 
+	const localeQ = parseQuery(new URL(request.url), localeFilterQuery);
+	if (isParseError(localeQ)) return localeQ;
+
 	try {
 		const body = await parseBody(request, reorderMenuItemsBody);
 		if (isParseError(body)) return body;
 
-		const result = await handleMenuItemReorder(emdash.db, name, body.items);
+		const result = await handleMenuItemReorder(emdash.db, name, body.items, {
+			locale: localeQ.locale,
+		});
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to reorder menu items", "MENU_REORDER_ERROR");

package/src/astro/routes/api/menus/[name]/translations.ts

@@ -0,0 +1,82 @@
+/**
+ * Menu translation endpoints
+ *
+ * GET  /_emdash/api/menus/:name/translations       — list translations for a menu (uses any locale row)
+ * POST /_emdash/api/menus/:name/translations       — create a new locale translation (body: { locale, label })
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { requirePerm } from "#api/authorize.js";
+import { handleError, requireDb, unwrapResult } from "#api/error.js";
+import { handleMenuCreate, handleMenuGet, handleMenuTranslations } from "#api/handlers/menus.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
+import { localeFilterQuery } from "#api/schemas.js";
+
+export const prerender = false;
+
+const createTranslationBody = z
+	.object({
+		locale: z.string().min(1),
+		label: z.string().min(1).optional(),
+	})
+	.meta({ id: "CreateMenuTranslationBody" });
+
+export const GET: APIRoute = async ({ params, request, locals }) => {
+	const { emdash, user } = locals;
+	const name = params.name!;
+
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "menus:read");
+	if (denied) return denied;
+
+	const localeQ = parseQuery(new URL(request.url), localeFilterQuery);
+	if (isParseError(localeQ)) return localeQ;
+
+	try {
+		// Look up any menu row matching the name so we can get its translation_group.
+		const anchor = await handleMenuGet(emdash.db, name, { locale: localeQ.locale });
+		if (!anchor.success) return unwrapResult(anchor);
+		const result = await handleMenuTranslations(emdash.db, anchor.data.id);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to fetch menu translations", "MENU_TRANSLATIONS_ERROR");
+	}
+};
+
+export const POST: APIRoute = async ({ params, request, locals }) => {
+	const { emdash, user } = locals;
+	const name = params.name!;
+
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "menus:manage");
+	if (denied) return denied;
+
+	const localeQ = parseQuery(new URL(request.url), localeFilterQuery);
+	if (isParseError(localeQ)) return localeQ;
+
+	try {
+		const body = await parseBody(request, createTranslationBody);
+		if (isParseError(body)) return body;
+
+		// Resolve the source menu (either by explicit locale in query, or the
+		// first matching row). Its id becomes the `translationOf` for the new row.
+		const source = await handleMenuGet(emdash.db, name, { locale: localeQ.locale });
+		if (!source.success) return unwrapResult(source);
+
+		const result = await handleMenuCreate(emdash.db, {
+			name,
+			label: body.label ?? source.data.label,
+			locale: body.locale,
+			translationOf: source.data.id,
+		});
+		return unwrapResult(result, 201);
+	} catch (error) {
+		return handleError(error, "Failed to create menu translation", "MENU_TRANSLATION_CREATE_ERROR");
+	}
+};

package/src/astro/routes/api/menus/[name].ts

@@ -1,9 +1,9 @@
 /**
  * Single menu endpoint
  *
- * GET    /_emdash/api/menus/:name - Get menu with items
- * PUT    /_emdash/api/menus/:name - Update menu metadata
- * DELETE /_emdash/api/menus/:name - Delete menu
+ * GET    /_emdash/api/menus/:name[?locale=xx]
+ * PUT    /_emdash/api/menus/:name[?locale=xx]
+ * DELETE /_emdash/api/menus/:name[?locale=xx]
  */
 
 import type { APIRoute } from "astro";
@@ -11,20 +11,23 @@ import type { APIRoute } from "astro";
 import { requirePerm } from "#api/authorize.js";
 import { handleError, unwrapResult } from "#api/error.js";
 import { handleMenuDelete, handleMenuGet, handleMenuUpdate } from "#api/handlers/menus.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { updateMenuBody } from "#api/schemas.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
+import { localeFilterQuery, updateMenuBody } from "#api/schemas.js";
 
 export const prerender = false;
 
-export const GET: APIRoute = async ({ params, locals }) => {
+export const GET: APIRoute = async ({ params, request, locals }) => {
 	const { emdash, user } = locals;
 	const name = params.name!;
 
 	const denied = requirePerm(user, "menus:read");
 	if (denied) return denied;
 
+	const query = parseQuery(new URL(request.url), localeFilterQuery);
+	if (isParseError(query)) return query;
+
 	try {
-		const result = await handleMenuGet(emdash.db, name);
+		const result = await handleMenuGet(emdash.db, name, { locale: query.locale });
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to fetch menu", "MENU_GET_ERROR");
@@ -38,26 +41,32 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 	const denied = requirePerm(user, "menus:manage");
 	if (denied) return denied;
 
+	const query = parseQuery(new URL(request.url), localeFilterQuery);
+	if (isParseError(query)) return query;
+
 	try {
 		const body = await parseBody(request, updateMenuBody);
 		if (isParseError(body)) return body;
 
-		const result = await handleMenuUpdate(emdash.db, name, body);
+		const result = await handleMenuUpdate(emdash.db, name, { ...body, locale: query.locale });
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to update menu", "MENU_UPDATE_ERROR");
 	}
 };
 
-export const DELETE: APIRoute = async ({ params, locals }) => {
+export const DELETE: APIRoute = async ({ params, request, locals }) => {
 	const { emdash, user } = locals;
 	const name = params.name!;
 
 	const denied = requirePerm(user, "menus:manage");
 	if (denied) return denied;
 
+	const query = parseQuery(new URL(request.url), localeFilterQuery);
+	if (isParseError(query)) return query;
+
 	try {
-		const result = await handleMenuDelete(emdash.db, name);
+		const result = await handleMenuDelete(emdash.db, name, { locale: query.locale });
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to delete menu", "MENU_DELETE_ERROR");

package/src/astro/routes/api/menus/index.ts

@@ -1,8 +1,8 @@
 /**
  * Menus list and create endpoints
  *
- * GET  /_emdash/api/menus - List all menus
- * POST /_emdash/api/menus - Create menu
+ * GET  /_emdash/api/menus[?locale=xx] - List menus (optionally filtered by locale)
+ * POST /_emdash/api/menus              - Create menu (body may include locale & translationOf)
  */
 
 import type { APIRoute } from "astro";
@@ -10,19 +10,22 @@ import type { APIRoute } from "astro";
 import { requirePerm } from "#api/authorize.js";
 import { handleError, unwrapResult } from "#api/error.js";
 import { handleMenuCreate, handleMenuList } from "#api/handlers/menus.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { createMenuBody } from "#api/schemas.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
+import { createMenuBody, localeFilterQuery } from "#api/schemas.js";
 
 export const prerender = false;
 
-export const GET: APIRoute = async ({ locals }) => {
+export const GET: APIRoute = async ({ request, locals }) => {
 	const { emdash, user } = locals;
 
 	const denied = requirePerm(user, "menus:read");
 	if (denied) return denied;
 
+	const query = parseQuery(new URL(request.url), localeFilterQuery);
+	if (isParseError(query)) return query;
+
 	try {
-		const result = await handleMenuList(emdash.db);
+		const result = await handleMenuList(emdash.db, { locale: query.locale });
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to fetch menus", "MENU_LIST_ERROR");

package/src/astro/routes/api/openapi.json.ts

@@ -9,33 +9,50 @@
 
 import type { APIRoute } from "astro";
 
+import { handleError } from "../../../api/error.js";
 import { generateOpenApiDocument } from "../../../api/openapi/index.js";
 
 export const prerender = false;
 
-let cachedSpec: string | null = null;
+// Use globalThis with Symbol.for to survive Vite's SSR module duplication
+const OPENAPI_CACHE_KEY = Symbol.for("emdash.openapi.cachedSpec");
+
+function getCachedSpec(): string | null {
+	const val = (globalThis as Record<symbol, unknown>)[OPENAPI_CACHE_KEY];
+	return typeof val === "string" ? val : null;
+}
+
+function setCachedSpec(spec: string): void {
+	(globalThis as Record<symbol, unknown>)[OPENAPI_CACHE_KEY] = spec;
+}
 
 export const GET: APIRoute = async ({ locals }) => {
 	const { emdash } = locals;
-	if (!cachedSpec && emdash) {
+
+	let spec = getCachedSpec();
+	if (!spec && emdash) {
 		try {
 			const doc = generateOpenApiDocument({ maxUploadSize: emdash.config.maxUploadSize });
-			cachedSpec = JSON.stringify(doc);
-		} catch {
-			return new Response(
-				JSON.stringify({ error: "Failed to generate OpenAPI document: invalid configuration" }),
-				{ status: 500, headers: { "Content-Type": "application/json" } },
-			);
+			spec = JSON.stringify(doc);
+			setCachedSpec(spec);
+		} catch (error) {
+			return handleError(error, "Failed to generate OpenAPI document", "OPENAPI_ERROR");
 		}
 	}
 
-	const spec = cachedSpec ?? JSON.stringify(generateOpenApiDocument());
+	if (!spec) {
+		try {
+			spec = JSON.stringify(generateOpenApiDocument());
+		} catch (error) {
+			return handleError(error, "Failed to generate OpenAPI document", "OPENAPI_ERROR");
+		}
+	}
 
 	return new Response(spec, {
 		status: 200,
 		headers: {
 			"Content-Type": "application/json",
-			"Cache-Control": "public, max-age=3600",
+			"Cache-Control": "private, no-store",
 			"Access-Control-Allow-Origin": "*",
 		},
 	});

package/src/astro/routes/api/redirects/404s/index.ts

@@ -9,7 +9,7 @@
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
-import { handleError, unwrapResult } from "#api/error.js";
+import { handleError, requireDb, unwrapResult } from "#api/error.js";
 import {
 	handleNotFoundClear,
 	handleNotFoundList,
@@ -22,7 +22,9 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ url, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 
 	const denied = requirePerm(user, "redirects:read");
 	if (denied) return denied;
@@ -40,7 +42,9 @@ export const GET: APIRoute = async ({ url, locals }) => {
 
 export const DELETE: APIRoute = async ({ locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 
 	const denied = requirePerm(user, "redirects:manage");
 	if (denied) return denied;
@@ -55,7 +59,9 @@ export const DELETE: APIRoute = async ({ locals }) => {
 
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 
 	const denied = requirePerm(user, "redirects:manage");
 	if (denied) return denied;

package/src/astro/routes/api/redirects/404s/summary.ts

@@ -7,7 +7,7 @@
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
-import { handleError, unwrapResult } from "#api/error.js";
+import { handleError, requireDb, unwrapResult } from "#api/error.js";
 import { handleNotFoundSummary } from "#api/handlers/redirects.js";
 import { isParseError, parseQuery } from "#api/parse.js";
 import { notFoundSummaryQuery } from "#api/schemas.js";
@@ -16,7 +16,9 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ url, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 
 	const denied = requirePerm(user, "redirects:read");
 	if (denied) return denied;

package/src/astro/routes/api/redirects/[id].ts

@@ -9,7 +9,7 @@
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
-import { apiError, handleError, unwrapResult } from "#api/error.js";
+import { apiError, handleError, requireDb, unwrapResult } from "#api/error.js";
 import {
 	handleRedirectDelete,
 	handleRedirectGet,
@@ -23,7 +23,9 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ params, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 	const { id } = params;
 
 	const denied = requirePerm(user, "redirects:read");
@@ -43,7 +45,9 @@ export const GET: APIRoute = async ({ params, locals }) => {
 
 export const PUT: APIRoute = async ({ params, request, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 	const { id } = params;
 
 	const denied = requirePerm(user, "redirects:manage");
@@ -67,7 +71,9 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 
 export const DELETE: APIRoute = async ({ params, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 	const { id } = params;
 
 	const denied = requirePerm(user, "redirects:manage");

package/src/astro/routes/api/redirects/index.ts

@@ -8,7 +8,7 @@
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
-import { handleError, unwrapResult } from "#api/error.js";
+import { handleError, requireDb, unwrapResult } from "#api/error.js";
 import { handleRedirectCreate, handleRedirectList } from "#api/handlers/redirects.js";
 import { isParseError, parseBody, parseQuery } from "#api/parse.js";
 import { createRedirectBody, redirectsListQuery } from "#api/schemas.js";
@@ -18,7 +18,9 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ url, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 
 	const denied = requirePerm(user, "redirects:read");
 	if (denied) return denied;
@@ -36,7 +38,9 @@ export const GET: APIRoute = async ({ url, locals }) => {
 
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 
 	const denied = requirePerm(user, "redirects:manage");
 	if (denied) return denied;

package/src/astro/routes/api/revisions/[revisionId]/index.ts

@@ -16,7 +16,7 @@ export const GET: APIRoute = async ({ params, locals }) => {
 	const { emdash, user } = locals;
 	const revisionId = params.revisionId!;
 
-	const denied = requirePerm(user, "content:read");
+	const denied = requirePerm(user, "content:read_drafts");
 	if (denied) return denied;
 
 	if (!emdash?.handleRevisionGet) {

package/src/astro/routes/api/schema/collections/[slug]/fields/[fieldSlug].ts

@@ -57,7 +57,6 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 		fieldSlug,
 		body as UpdateFieldInput,
 	);
-	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result);
 };
 
@@ -73,6 +72,5 @@ export const DELETE: APIRoute = async ({ params, locals }) => {
 	if (denied) return denied;
 
 	const result = await handleSchemaFieldDelete(emdash!.db, collectionSlug, fieldSlug);
-	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result);
 };

package/src/astro/routes/api/schema/collections/[slug]/fields/index.ts

@@ -48,6 +48,5 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 		collectionSlug,
 		body as CreateFieldInput,
 	);
-	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result, 201);
 };

package/src/astro/routes/api/schema/collections/[slug]/fields/reorder.ts

@@ -28,6 +28,5 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	if (isParseError(body)) return body;
 
 	const result = await handleSchemaFieldReorder(emdash!.db, collectionSlug, body.fieldSlugs);
-	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result);
 };

package/src/astro/routes/api/schema/collections/[slug]/index.ts

@@ -59,7 +59,7 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- parseBody validates via Zod
 		body as UpdateCollectionInput,
 	);
-	emdash!.invalidateManifest();
+	emdash!.invalidateUrlPatternCache();
 	return unwrapResult(result);
 };
 
@@ -77,6 +77,6 @@ export const DELETE: APIRoute = async ({ params, url, locals }) => {
 	const result = await handleSchemaCollectionDelete(emdash!.db, slug, {
 		force,
 	});
-	emdash!.invalidateManifest();
+	emdash!.invalidateUrlPatternCache();
 	return unwrapResult(result);
 };

package/src/astro/routes/api/schema/collections/index.ts

@@ -43,6 +43,6 @@ export const POST: APIRoute = async ({ request, locals }) => {
 
 	// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Zod schema output narrowed to CreateCollectionInput
 	const result = await handleSchemaCollectionCreate(emdash!.db, body as CreateCollectionInput);
-	emdash!.invalidateManifest();
+	emdash!.invalidateUrlPatternCache();
 	return unwrapResult(result, 201);
 };

package/src/astro/routes/api/search/index.ts

@@ -4,6 +4,7 @@
  * GET /_emdash/api/search?q=query&collections=posts,pages&limit=20
  */
 
+import { hasPermission } from "@emdash-cms/auth";
 import type { APIRoute } from "astro";
 
 import { apiError, apiSuccess, handleError } from "#api/error.js";
@@ -23,7 +24,7 @@ export const prerender = false;
  * - limit: Maximum results (optional, defaults to 20)
  */
 export const GET: APIRoute = async ({ url, locals }) => {
-	const { emdash } = locals;
+	const { emdash, user } = locals;
 
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash not configured", 500);
@@ -36,6 +37,13 @@ export const GET: APIRoute = async ({ url, locals }) => {
 		? query.collections.split(",").map((c: string) => c.trim())
 		: undefined;
 
+	// Only users with content:read_drafts may search non-published statuses.
+	// Anonymous and subscriber requests are forced to "published".
+	const status =
+		query.status && query.status !== "published" && hasPermission(user, "content:read_drafts")
+			? query.status
+			: "published";
+
 	try {
 		// Verify FTS indexes are healthy on first use. At most once per worker
 		// lifetime; no-op after that. Moved off the cold-start hot path to
@@ -44,7 +52,7 @@ export const GET: APIRoute = async ({ url, locals }) => {
 
 		const result = await searchWithDb(emdash.db, query.q, {
 			collections,
-			status: query.status,
+			status,
 			locale: query.locale,
 			limit: query.limit,
 		});

package/src/astro/routes/api/sections/[slug].ts

@@ -9,7 +9,7 @@
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
-import { apiError, handleError, unwrapResult } from "#api/error.js";
+import { apiError, handleError, requireDb, unwrapResult } from "#api/error.js";
 import {
 	handleSectionDelete,
 	handleSectionGet,
@@ -22,7 +22,9 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ params, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 	const { slug } = params;
 
 	const denied = requirePerm(user, "sections:read");
@@ -42,7 +44,9 @@ export const GET: APIRoute = async ({ params, locals }) => {
 
 export const PUT: APIRoute = async ({ params, request, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 	const { slug } = params;
 
 	const denied = requirePerm(user, "sections:manage");
@@ -65,7 +69,9 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 
 export const DELETE: APIRoute = async ({ params, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 	const { slug } = params;
 
 	const denied = requirePerm(user, "sections:manage");

package/src/astro/routes/api/sections/index.ts

@@ -8,7 +8,7 @@
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
-import { handleError, unwrapResult } from "#api/error.js";
+import { handleError, requireDb, unwrapResult } from "#api/error.js";
 import { handleSectionCreate, handleSectionList } from "#api/handlers/sections.js";
 import { isParseError, parseBody, parseQuery } from "#api/parse.js";
 import { createSectionBody, sectionsListQuery } from "#api/schemas.js";
@@ -17,7 +17,9 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ url, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 
 	const denied = requirePerm(user, "sections:read");
 	if (denied) return denied;
@@ -35,7 +37,9 @@ export const GET: APIRoute = async ({ url, locals }) => {
 
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 
 	const denied = requirePerm(user, "sections:manage");
 	if (denied) return denied;

package/src/astro/routes/api/setup/admin-verify.ts

@@ -16,6 +16,7 @@ import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { getPublicOrigin } from "#api/public-url.js";
 import { setupAdminVerifyBody } from "#api/schemas.js";
+import { getConfiguredAllowedOrigins, validateAllowedOrigins } from "#auth/allowed-origins.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
 import { SETUP_NONCE_COOKIE } from "#auth/setup-nonce.js";
@@ -83,7 +84,11 @@ export const POST: APIRoute = async ({ cookies, request, locals }) => {
 		const url = new URL(request.url);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
 		const siteUrl = getPublicOrigin(url, emdash?.config);
-		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+		const allowedOrigins = validateAllowedOrigins(
+			siteUrl,
+			getConfiguredAllowedOrigins(emdash?.config),
+		);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl, allowedOrigins);
 
 		// Verify the registration response
 		const challengeStore = createChallengeStore(emdash.db);