v3: fixes to database schema and user registration

api/model/db.ts

@@ -1,3 +1,4 @@
+import { randomBytes, scryptSync } from "node:crypto";
 import { DatabaseSync, type SQLOutputValue } from "node:sqlite";
 import {
   type Comment,
@@ -17,6 +18,20 @@ db.prepare(
   `DELETE FROM invites WHERE used_at IS NULL AND created_at < datetime('now', '-7 days');`,
 ).run();
 
+// Create default admin user if no users exist
+const userCount = db.prepare(`SELECT COUNT(*) as count FROM users`).get() as {
+  count: number;
+};
+if (userCount.count === 0) {
+  const salt = randomBytes(16).toString("hex");
+  const hash = scryptSync("admin", salt, 64).toString("hex");
+  const passwordHash = `${hash}.${salt}`;
+  db.prepare(
+    `INSERT INTO users (id, username, password_hash, is_admin, created_at) VALUES (?, 'admin', ?, 1, datetime('now'))`,
+  ).run(crypto.randomUUID(), passwordHash);
+  console.log("Created default admin user (username: admin, password: admin)");
+}
+
 /**
  * Database Row Types
  */
@@ -70,6 +85,9 @@ export function isDumpRow(obj: Record<string, SQLOutputValue>): obj is DumpRow {
     (typeof obj.comment === "string" || obj.comment === null) &&
     "user_id" in obj && typeof obj.user_id === "string" &&
     "created_at" in obj && typeof obj.created_at === "string" &&
+    "updated_at" in obj &&
+    (typeof obj.updated_at === "string" || obj.updated_at === null) &&
+    "slug" in obj && (typeof obj.slug === "string" || obj.slug === null) &&
     "url" in obj && (typeof obj.url === "string" || obj.url === null) &&
     "rich_content" in obj &&
     (typeof obj.rich_content === "string" || obj.rich_content === null) &&
@@ -92,10 +110,14 @@ export function isUserRow(obj: Record<string, SQLOutputValue>): obj is UserRow {
     "password_hash" in obj && typeof obj.password_hash === "string" &&
     "is_admin" in obj && typeof obj.is_admin === "number" &&
     "created_at" in obj && typeof obj.created_at === "string" &&
+    "updated_at" in obj &&
+    (typeof obj.updated_at === "string" || obj.updated_at === null) &&
     "avatar_mime" in obj &&
     (typeof obj.avatar_mime === "string" || obj.avatar_mime === null) &&
     "description" in obj &&
-    (typeof obj.description === "string" || obj.description === null);
+    (typeof obj.description === "string" || obj.description === null) &&
+    "invited_by" in obj &&
+    (typeof obj.invited_by === "string" || obj.invited_by === null);
 }
 
 /**
@@ -108,11 +130,11 @@ export function dumpRowToApi(row: DumpRow): Dump {
     kind: row.kind as "url" | "file",
     title: row.title,
     slug: row.slug ?? undefined,
+    url: row.url ?? undefined,
     comment: row.comment ?? undefined,
     userId: row.user_id,
     createdAt: new Date(row.created_at),
     updatedAt: row.updated_at ? new Date(row.updated_at) : undefined,
-    url: row.url ?? undefined,
     richContent: row.rich_content
       ? (JSON.parse(row.rich_content) as RichContent)
       : undefined,
@@ -201,6 +223,7 @@ export function isCommentRow(
     (typeof obj.parent_id === "string" || obj.parent_id === null) &&
     typeof obj.body === "string" &&
     typeof obj.created_at === "string" &&
+    (typeof obj.updated_at === "string" || obj.updated_at === null) &&
     typeof obj.deleted === "number" &&
     typeof obj.author_username === "string" &&
     (typeof obj.author_avatar_mime === "string" ||
@@ -241,8 +264,12 @@ export function isPlaylistRow(
   return !!obj && typeof obj.id === "string" &&
     typeof obj.user_id === "string" &&
     typeof obj.title === "string" &&
+    (typeof obj.slug === "string" || obj.slug === null) &&
+    (typeof obj.description === "string" || obj.description === null) &&
     typeof obj.is_public === "number" &&
-    typeof obj.created_at === "string";
+    typeof obj.created_at === "string" &&
+    (typeof obj.updated_at === "string" || obj.updated_at === null) &&
+    (typeof obj.image_mime === "string" || obj.image_mime === null);
 }
 
 export function playlistRowToApi(row: PlaylistRow): Playlist {
@@ -307,7 +334,8 @@ export function isNotificationRow(
     typeof obj.type === "string" &&
     typeof obj.data === "string" &&
     typeof obj.read === "number" &&
-    typeof obj.created_at === "string";
+    typeof obj.created_at === "string" &&
+    (typeof obj.source_key === "string" || obj.source_key === null);
 }
 
 export function notificationRowToApi(row: NotificationRow): Notification {

api/model/interfaces.ts

@@ -89,16 +89,33 @@ export function isLoginUserRequest(obj: unknown): obj is LoginUserRequest {
 export function isRegisterUserRequest(
   obj: unknown,
 ): obj is RegisterUserRequest {
+  return validateRegisterUserRequest(obj) === null;
+}
+
+/** Returns a human-readable error string, or null if the request is valid. */
+export function validateRegisterUserRequest(obj: unknown): string | null {
   if (
     !obj || typeof obj !== "object" ||
     !("username" in obj) || typeof obj.username !== "string" ||
     !("password" in obj) || typeof obj.password !== "string" ||
     !("inviteToken" in obj) || typeof obj.inviteToken !== "string"
-  ) return false;
+  ) return "Invalid request";
   const { username, password } = obj as RegisterUserRequest;
-  return /^[a-zA-Z0-9_]{1,32}$/.test(username) &&
-    password.length >= VALIDATION.PASSWORD_MIN &&
-    password.length <= VALIDATION.PASSWORD_MAX;
+  if (
+    !new RegExp(
+      `^[a-zA-Z0-9_]{${VALIDATION.USERNAME_MIN},${VALIDATION.USERNAME_MAX}}$`,
+    )
+      .test(username)
+  ) {
+    return `Username must be ${VALIDATION.USERNAME_MIN}–${VALIDATION.USERNAME_MAX} characters and contain only letters, numbers, or underscores`;
+  }
+  if (password.length < VALIDATION.PASSWORD_MIN) {
+    return `Password must be at least ${VALIDATION.PASSWORD_MIN} characters`;
+  }
+  if (password.length > VALIDATION.PASSWORD_MAX) {
+    return `Password must be at most ${VALIDATION.PASSWORD_MAX} characters`;
+  }
+  return null;
 }
 
 export function isUpdateUserRequest(obj: unknown): obj is UpdateUserRequest {
@@ -310,7 +327,10 @@ export function isCreatePlaylistRequest(
     !("isPublic" in obj) || typeof obj.isPublic !== "boolean"
   ) return false;
   const o = obj as Record<string, unknown>;
-  if ((o.title as string).length === 0 || (o.title as string).length > VALIDATION.PLAYLIST_TITLE_MAX) return false;
+  if (
+    (o.title as string).length === 0 ||
+    (o.title as string).length > VALIDATION.PLAYLIST_TITLE_MAX
+  ) return false;
   if (
     "description" in o && typeof o.description !== "string" &&
     o.description !== null
@@ -329,7 +349,10 @@ export function isUpdatePlaylistRequest(
   const o = obj as Record<string, unknown>;
   if ("title" in o) {
     if (typeof o.title !== "string") return false;
-    if ((o.title as string).length === 0 || (o.title as string).length > VALIDATION.PLAYLIST_TITLE_MAX) return false;
+    if (
+      (o.title as string).length === 0 ||
+      (o.title as string).length > VALIDATION.PLAYLIST_TITLE_MAX
+    ) return false;
   }
   if (
     "description" in o && typeof o.description !== "string" &&

api/routes/users.ts

@@ -4,9 +4,9 @@ import {
   APIErrorCode,
   APIException,
   isLoginUserRequest,
-  isRegisterUserRequest,
   isUpdateUserRequest,
   type PaginatedData,
+  validateRegisterUserRequest,
 } from "../model/interfaces.ts";
 
 import { createJWT, verifyPassword } from "../lib/jwt.ts";
@@ -36,12 +36,9 @@ const router = new Router({ prefix: "/api/users" });
 router.post("/register", async (ctx) => {
   const body = await ctx.request.body.json();
 
-  if (!isRegisterUserRequest(body)) {
-    throw new APIException(
-      APIErrorCode.VALIDATION_ERROR,
-      400,
-      "Invalid request",
-    );
+  const registerError = validateRegisterUserRequest(body);
+  if (registerError) {
+    throw new APIException(APIErrorCode.VALIDATION_ERROR, 400, registerError);
   }
 
   // Validate invite — throws 404/409 if bad

api/services/dump-service.ts

@@ -49,13 +49,13 @@ function titleFromUrl(url: string): string {
 }
 
 const BASE_COLS =
-  "id, kind, title, slug, comment, user_id, created_at, url, rich_content, file_name, file_mime, file_size, vote_count, is_private";
+  "id, kind, title, slug, comment, user_id, created_at, updated_at, url, rich_content, file_name, file_mime, file_size, vote_count, is_private";
 
 const SELECT_COLS = `${BASE_COLS},
   (SELECT COUNT(*) FROM comments WHERE dump_id = dumps.id AND deleted = 0) as comment_count`;
 
 const SELECT_COLS_ALIASED =
-  "d.id, d.kind, d.title, d.slug, d.comment, d.user_id, d.created_at, d.url, d.rich_content, d.file_name, d.file_mime, d.file_size, d.vote_count, d.is_private," +
+  "d.id, d.kind, d.title, d.slug, d.comment, d.user_id, d.created_at, d.updated_at, d.url, d.rich_content, d.file_name, d.file_mime, d.file_size, d.vote_count, d.is_private," +
   " (SELECT COUNT(*) FROM comments WHERE dump_id = d.id AND deleted = 0) as comment_count";
 
 export async function createUrlDump(

api/services/follow-service.ts

@@ -20,7 +20,7 @@ import {
 
 // Mirrors dump-service SELECT_COLS_ALIASED — kept local to avoid circular imports
 const SELECT_COLS_ALIASED =
-  "d.id, d.kind, d.title, d.comment, d.user_id, d.created_at, d.url, d.rich_content, " +
+  "d.id, d.kind, d.title, d.slug, d.comment, d.user_id, d.created_at, d.updated_at, d.url, d.rich_content, " +
   "d.file_name, d.file_mime, d.file_size, d.vote_count, d.is_private," +
   " (SELECT COUNT(*) FROM comments WHERE dump_id = d.id AND deleted = 0) as comment_count";
 

api/sql/schema.sql

@@ -7,6 +7,7 @@ CREATE TABLE dumps (
   created_at  TEXT    NOT NULL,
   updated_at  TEXT,
   url         TEXT,
+  slug        TEXT,
   rich_content TEXT,
   file_name   TEXT,
   file_mime   TEXT,
@@ -41,6 +42,7 @@ CREATE TABLE playlists (
   id          TEXT    PRIMARY KEY,
   user_id     TEXT    NOT NULL,
   title       TEXT    NOT NULL,
+  slug        TEXT,
   description TEXT,
   is_public   INTEGER NOT NULL DEFAULT 1,
   created_at  TEXT    NOT NULL,