panda-cms 0.10.0 → 0.10.3

data/app/controllers/panda/cms/form_submissions_controller.rb

@@ -3,23 +3,146 @@
 module Panda
   module CMS
     class FormSubmissionsController < ApplicationController
-      invisible_captcha only: [:create]
+      # Spam protection - invisible honeypot field
+      invisible_captcha only: [:create], on_spam: :log_spam
 
-      def create
-        vars = params.except(:authenticity_token, :controller, :action, :id)
+      # Rate limiting to prevent spam
+      before_action :check_rate_limit, only: [:create]
 
+      def create
         form = Panda::CMS::Form.find(params[:id])
-        form_submission = Panda::CMS::FormSubmission.create(form_id: params[:id], data: vars.to_unsafe_h)
-        form.update(submission_count: form.submission_count + 1)
 
-        Panda::CMS::FormMailer.notification_email(form: form, form_submission: form_submission).deliver_now
+        # Additional spam checks
+        if looks_like_spam?(params)
+          log_spam_attempt(form, "content")
+          redirect_to_fallback(form, spam: true)
+          return
+        end
+
+        # Timing-based spam detection (honeypot timing)
+        if submitted_too_quickly?(params)
+          log_spam_attempt(form, "timing")
+          redirect_to_fallback(form, spam: true)
+          return
+        end
+
+        # Clean parameters - exclude system params and honeypot field
+        vars = params.except(:authenticity_token, :controller, :action, :id, :_form_timestamp, :spinner)
+
+        # Create submission
+        form_submission = Panda::CMS::FormSubmission.create!(
+          form_id: form.id,
+          data: vars.to_unsafe_h,
+          ip_address: request.remote_ip,
+          user_agent: request.user_agent
+        )
+
+        # Update submission count
+        form.increment!(:submission_count)
+
+        # Send notification email (in background if possible)
+        begin
+          Panda::CMS::FormMailer.notification_email(form: form, form_submission: form_submission).deliver_now
+        rescue => e
+          Rails.logger&.error "Failed to send form notification email: #{e.message}"
+          # Don't fail the submission if email fails
+        end
+
+        redirect_to_fallback(form, success: true)
+      rescue ActiveRecord::RecordInvalid => e
+        Rails.logger&.error "Form submission validation failed: #{e.message}"
+        redirect_to_fallback(form, error: true)
+      end
+
+      private
+
+      # Check for basic spam indicators
+      def looks_like_spam?(params)
+        # Check for too many URLs in message fields
+        message_fields = params.values.select { |v| v.is_a?(String) && v.length > 20 }
+        message_fields.any? { |field| field.scan(/https?:\/\//).length > 3 }
+      end
+
+      # Timing-based spam detection
+      # Rejects submissions that are too fast (< 3 seconds) or too stale (> 24 hours)
+      def submitted_too_quickly?(params)
+        return false unless params[:_form_timestamp].present?
+
+        begin
+          form_loaded_at = Time.zone.at(params[:_form_timestamp].to_i)
+          time_elapsed = Time.current - form_loaded_at
+
+          # Too fast - likely a bot (< 3 seconds)
+          if time_elapsed < 3.seconds
+            Rails.logger&.warn "Form submitted too quickly: #{time_elapsed.round(2)}s from IP: #{request.remote_ip}"
+            return true
+          end
+
+          # Too stale - form held too long without interaction (> 24 hours)
+          if time_elapsed > 24.hours
+            Rails.logger&.warn "Form submission too old: #{(time_elapsed / 1.hour).round(1)}h from IP: #{request.remote_ip}"
+            return true
+          end
+
+          false
+        rescue ArgumentError, TypeError => e
+          Rails.logger&.warn "Invalid form timestamp from IP #{request.remote_ip}: #{e.message}"
+          # Don't reject on invalid timestamp - might be legitimate user with modified form
+          false
+        end
+      end
+
+      # Rate limiting - max 3 submissions per IP per 5 minutes
+      def check_rate_limit
+        cache_key = "form_submission_rate_limit:#{request.remote_ip}"
+        count = Rails.cache.read(cache_key) || 0
+
+        if count >= 3
+          Rails.logger&.warn "Rate limit exceeded for IP: #{request.remote_ip}"
+          render plain: "Too many requests. Please try again later.", status: :too_many_requests
+          return
+        end
+
+        Rails.cache.write(cache_key, count + 1, expires_in: 5.minutes)
+      end
+
+      # Log spam attempt with reason
+      def log_spam_attempt(form, reason)
+        Rails.logger&.warn "Spam detected (#{reason}) for form #{form.id} from IP: #{request.remote_ip}"
+      end
+
+      # Callback for invisible_captcha spam detection
+      def log_spam
+        Rails.logger&.warn "Invisible captcha triggered from IP: #{request.remote_ip}"
+      end
+
+      # Safe redirect that works in engine context
+      def redirect_to_fallback(form, success: false, spam: false, error: false)
+        fallback = "/"
 
-        if (completion_path = form&.completion_path)
-          redirect_to completion_path
+        if spam
+          # Redirect to same page to appear successful (don't tell spammers)
+          redirect_back(fallback_location: fallback, allow_other_host: false)
+        elsif success && form.completion_path.present?
+          # Redirect to custom completion path
+          redirect_to form.completion_path, notice: "Thank you for your submission!"
+        elsif success
+          # Redirect back to referring page with success message
+          redirect_back(
+            fallback_location: fallback,
+            notice: "Thank you for your submission!",
+            allow_other_host: false
+          )
+        elsif error
+          # Redirect back with error message
+          redirect_back(
+            fallback_location: fallback,
+            alert: "There was an error submitting your form. Please try again.",
+            allow_other_host: false
+          )
         else
-          # TODO: This isn't a great fallback, we should do something nice here...
-          # Perhaps a simple JS alert when sent?
-          redirect_to "/"
+          # Default fallback
+          redirect_back(fallback_location: fallback, allow_other_host: false)
         end
       end
     end

data/app/controllers/panda/cms/pages_controller.rb

@@ -16,9 +16,9 @@ module Panda
 
       def show
         page = if @overrides&.dig(:page_path_match)
-          Panda::CMS::Page.includes(:template).find_by(path: @overrides[:page_path_match])
+          Panda::CMS::Page.includes(:template, :block_contents).find_by(path: @overrides[:page_path_match])
         else
-          Panda::CMS::Page.includes(:template).find_by(path: "/#{params[:path]}")
+          Panda::CMS::Page.includes(:template, :block_contents).find_by(path: "/#{params[:path]}")
         end
 
         Panda::CMS::Current.page = page || Panda::CMS::Page.find_by(path: "/404")
@@ -31,6 +31,11 @@ module Panda
           render file: "#{Rails.root}/public/404.html", layout: false, status: :not_found and return
         end
 
+        # HTTP caching: Send ETag and Last-Modified headers for efficient caching
+        # Use cached_last_updated_at which includes block content updates
+        # Returns 304 Not Modified if client's cached version is still valid
+        fresh_when(page, last_modified: page.last_updated_at, public: true)
+
         template_vars = {
           page: page,
           title: Panda::CMS::Current.page&.title || Panda::CMS.config.title

data/app/controllers/panda/cms/posts_controller.rb

@@ -7,6 +7,12 @@ module Panda
       # inside a /panda/cms/posts/... structure in the application
       def index
         @posts = Panda::CMS::Post.includes(:author).order(published_at: :desc)
+
+        # HTTP caching: Use the most recent post's updated_at for conditional requests
+        # Returns 304 Not Modified if no posts have changed since client's last request
+        latest_post_timestamp = @posts.maximum(:updated_at) || Time.current
+        fresh_when(etag: [@posts.to_a, latest_post_timestamp], last_modified: latest_post_timestamp, public: true)
+
         render inline: "", layout: Panda::CMS.config.posts[:layouts][:index]
       end
 
@@ -19,6 +25,11 @@ module Panda
           # For non-date URLs
           Panda::CMS::Post.find_by!(slug: "/#{params[:slug]}")
         end
+
+        # HTTP caching: Send ETag and Last-Modified headers for individual posts
+        # Returns 304 Not Modified if client's cached version is still valid
+        fresh_when(@post, last_modified: @post.updated_at, public: true)
+
         render inline: "", layout: Panda::CMS.config.posts[:layouts][:show]
       end
 
@@ -30,6 +41,11 @@ module Panda
           .includes(:author)
           .ordered
 
+        # HTTP caching: Use the most recent post in this month for conditional requests
+        # Returns 304 Not Modified if no posts in this month have changed
+        latest_month_timestamp = @posts.maximum(:updated_at) || @month
+        fresh_when(etag: [@posts.to_a, @month], last_modified: latest_month_timestamp, public: true)
+
         render inline: "", layout: Panda::CMS.config.posts[:layouts][:by_month]
       end
     end

data/app/helpers/panda/cms/application_helper.rb

@@ -2,8 +2,7 @@ module Panda
   module CMS
     module ApplicationHelper
       #
-      # Helper method to render a ViewComponent
-      # @see ViewComponent::Rendering#render
+      # Helper method to render a component
       # @usage <%= component "example", title: "Hello World!" %>
       #
       def component(name, *, **, &)
@@ -60,7 +59,7 @@ module Panda
 
       def panda_cms_form_with(**options, &)
         options[:builder] = Panda::Core::FormBuilder
-        options[:class] = ["block visible p-6 bg-mid/5 rounded-lg border-mid border", options[:class]].compact.join(" ")
+        options[:class] = ["block visible px-4 sm:px-6 pt-4", options[:class]].compact.join(" ")
         form_with(**options, &)
       end
 

data/app/helpers/panda/cms/asset_helper.rb

@@ -24,51 +24,9 @@ module Panda
       end
 
       # Include only Panda CMS JavaScript
-      def panda_cms_javascript
-        js_url = Panda::CMS::AssetLoader.javascript_url
-        return "" unless js_url
-
-        if Panda::CMS::AssetLoader.use_github_assets?
-          # GitHub-hosted assets with integrity check
-          version = Panda::CMS::AssetLoader.send(:asset_version)
-          integrity = asset_integrity(version, "panda-cms-#{version}.js")
-
-          tag_options = {
-            src: js_url
-          }
-          # In CI environment, don't use defer to ensure immediate execution
-          tag_options[:defer] = true unless ENV["GITHUB_ACTIONS"] == "true"
-          # Standalone bundles should NOT use type: "module" - they're regular scripts
-          # Only use type: "module" for importmap/ES module assets
-          if !js_url.include?("panda-cms-assets")
-            tag_options[:type] = "module"
-          end
-          tag_options[:integrity] = integrity if integrity
-          tag_options[:crossorigin] = "anonymous" if integrity
-
-          content_tag(:script, "", tag_options)
-        elsif js_url.include?("panda-cms-assets")
-          # Development assets - check if it's a standalone bundle or importmap
-          defer_option = (ENV["GITHUB_ACTIONS"] == "true") ? {} : {defer: true}
-          javascript_include_tag(js_url, **defer_option)
-        # Standalone bundle - don't use type: "module"
-        else
-          # Development mode - Load JavaScript with import map
-          # Files are served by Rack::Static middleware from engine's app/javascript
-          importmap_html = <<~HTML
-            <script type="importmap">
-              {
-                "imports": {
-                  "@hotwired/stimulus": "/panda/core/vendor/@hotwired--stimulus.js",
-                  "@hotwired/turbo": "/panda/core/vendor/@hotwired--turbo.js"
-                }
-              }
-            </script>
-            <script type="module" src="/panda/cms/application_panda_cms.js"></script>
-          HTML
-          importmap_html.html_safe
-        end
-      end
+      #
+      # Delegates to Core's helper which automatically includes all registered modules.
+      alias_method :panda_cms_javascript, :panda_core_javascript
 
       # Include only Panda CMS CSS
       def panda_cms_stylesheet
@@ -117,39 +75,16 @@ module Panda
         version = Panda::CMS::VERSION
         js_url = Panda::CMS::AssetLoader.javascript_url
         css_url = Panda::CMS::AssetLoader.css_url
-        using_github = Panda::CMS::AssetLoader.use_github_assets?
-        compiled_available = Panda::CMS::AssetLoader.send(:compiled_assets_available?)
-
-        # Additional CI debugging
-        asset_file_exists = js_url && File.exist?(Rails.root.join("public#{js_url}"))
-        ci_env = ENV["GITHUB_ACTIONS"] == "true"
-
-        # Check what script tag will be generated
-        script_tag_preview = if using_github
-          tag_options = {src: js_url}
-          tag_options[:defer] = true unless ci_env
-          if !js_url.include?("panda-cms-assets")
-            tag_options[:type] = "module"
-          end
-          "Script tag: <script#{tag_options.map { |k, v| (v == true) ? " #{k}" : " #{k}=\"#{v}\"" }.join}></script>"
-        else
-          "Using development assets"
-        end
+        Panda::CMS::AssetLoader.use_github_assets?
 
         debug_info = [
           "<!-- Panda CMS Asset Debug Info -->",
           "<!-- Version: #{version} -->",
-          "<!-- Using GitHub assets: #{using_github} -->",
-          "<!-- Compiled assets available: #{compiled_available} -->",
+          "<!-- Using importmaps: true (no compilation) -->",
           "<!-- JavaScript URL: #{js_url} -->",
-          "<!-- CSS URL: #{css_url || "none"} -->",
+          "<!-- CSS URL: #{css_url || "CSS from panda-core"} -->",
           "<!-- Rails environment: #{Rails.env} -->",
-          "<!-- Asset file exists: #{asset_file_exists} -->",
-          "<!-- Rails root: #{Rails.root} -->",
-          "<!-- CI environment: #{ci_env} -->",
-          "<!-- #{script_tag_preview} -->",
-          "<!-- Params embed_id: #{params[:embed_id] if respond_to?(:params)} -->",
-          "<!-- Compiled at: #{Time.now.utc.iso8601} -->"
+          "<!-- Rails root: #{Rails.root} -->"
         ]
 
         debug_info.join("\n").html_safe
@@ -194,6 +129,13 @@ module Panda
         ].join("\n").html_safe
       end
 
+      # Returns asset HTML for injection into iframe
+      # Used by editor_iframe_controller to inject assets dynamically
+      # Returns the raw HTML string (not JSON-encoded)
+      def panda_cms_injectable_assets
+        panda_cms_complete_assets.to_s
+      end
+
       private
 
       def asset_integrity(version, filename)

data/app/helpers/panda/cms/forms_helper.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+module Panda
+  module CMS
+    module FormsHelper
+      # Generates a hidden timing field for spam protection
+      # This should be included in all forms that submit to Panda::CMS::FormSubmissionsController
+      #
+      # @example In your form
+      #   <%= form_with url: form_submissions_path(form.id), method: :post do |f| %>
+      #     <%= panda_cms_form_timestamp %>
+      #     <%= f.text_field :name %>
+      #     <%= f.submit "Submit" %>
+      #   <% end %>
+      #
+      # @return [String] HTML hidden input with current timestamp
+      def panda_cms_form_timestamp
+        hidden_field_tag "_form_timestamp", Time.current.to_i
+      end
+
+      # Generates a complete spam-protected form wrapper
+      # Includes timing protection and invisible captcha honeypot
+      #
+      # @param form [Panda::CMS::Form] The form model
+      # @param options [Hash] Additional options for form_with
+      # @yield [FormBuilder] The form builder
+      #
+      # @example
+      #   <%= panda_cms_protected_form(form) do |f| %>
+      #     <%= f.text_field :name %>
+      #     <%= f.email_field :email %>
+      #     <%= f.text_area :message %>
+      #     <%= f.submit "Send Message" %>
+      #   <% end %>
+      def panda_cms_protected_form(form, options = {}, &block)
+        default_options = {
+          url: "/forms/#{form.id}",
+          method: :post,
+          data: {turbo: false}
+        }
+
+        form_with(**default_options.merge(options)) do |f|
+          concat panda_cms_form_timestamp
+          concat invisible_captcha_field
+          yield f
+        end
+      end
+
+      # Generates the invisible captcha honeypot field
+      # This is a hidden field that bots typically fill out but humans don't
+      #
+      # @return [String] HTML for invisible captcha field
+      def invisible_captcha_field
+        # invisible_captcha gem automatically adds this, but we can add it manually if needed
+        # The field name "spinner" is configured in invisible_captcha initializer
+        text_field_tag :spinner, nil, style: "position: absolute; left: -9999px; width: 1px; height: 1px;", tabindex: -1, autocomplete: "off", aria_hidden: true
+      end
+    end
+  end
+end

data/app/helpers/panda/cms/seo_helper.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+module Panda
+  module CMS
+    module SEOHelper
+      #
+      # Renders all SEO meta tags for a given page or post
+      #
+      # @param resource [Panda::CMS::Page, Panda::CMS::Post] The page or post to render meta tags for
+      # @return [String] HTML meta tags
+      # @visibility public
+      #
+      def render_seo_meta_tags(resource)
+        return "" if resource.blank?
+
+        tags = []
+
+        # Basic SEO tags
+        tags << tag.meta(name: "description", content: resource.effective_seo_description) if resource.effective_seo_description.present?
+        tags << tag.meta(name: "keywords", content: resource.seo_keywords) if resource.seo_keywords.present?
+        tags << tag.meta(name: "robots", content: resource.robots_meta_content)
+        tags << tag.link(rel: "canonical", href: canonical_url_for(resource))
+
+        # Open Graph tags
+        tags << tag.meta(property: "og:title", content: resource.effective_og_title)
+        tags << tag.meta(property: "og:description", content: resource.effective_og_description) if resource.effective_og_description.present?
+        tags << tag.meta(property: "og:type", content: resource.og_type)
+        tags << tag.meta(property: "og:url", content: canonical_url_for(resource))
+
+        # Open Graph image
+        if resource.og_image.attached?
+          og_image_url = url_for(resource.og_image.variant(:og_share))
+          tags << tag.meta(property: "og:image", content: og_image_url)
+          tags << tag.meta(property: "og:image:width", content: "1200")
+          tags << tag.meta(property: "og:image:height", content: "630")
+        end
+
+        # Twitter Card tags (with fallback to OG)
+        tags << tag.meta(name: "twitter:card", content: "summary_large_image")
+        tags << tag.meta(name: "twitter:title", content: resource.effective_og_title)
+        tags << tag.meta(name: "twitter:description", content: resource.effective_og_description) if resource.effective_og_description.present?
+
+        # Twitter image (same as OG)
+        if resource.og_image.attached?
+          tags << tag.meta(name: "twitter:image", content: url_for(resource.og_image.variant(:og_share)))
+        end
+
+        safe_join(tags, "\n")
+      end
+
+      #
+      # Renders just the page title with SEO optimization
+      #
+      # @param resource [Panda::CMS::Page, Panda::CMS::Post] The page or post
+      # @param separator [String] Separator between page title and site name
+      # @param site_name [String] The site name (optional)
+      # @return [String] Formatted page title
+      # @visibility public
+      #
+      def seo_title(resource, separator: " · ", site_name: nil)
+        parts = [resource.effective_seo_title]
+        parts << site_name if site_name.present?
+        safe_join(parts, separator)
+      end
+
+      private
+
+      #
+      # Generates the full canonical URL for a resource
+      #
+      # @param resource [Panda::CMS::Page, Panda::CMS::Post] The page or post
+      # @return [String] Full canonical URL
+      # @visibility private
+      #
+      def canonical_url_for(resource)
+        # If canonical_url is a full URL, use it as-is
+        return resource.canonical_url if resource.canonical_url&.match?(%r{\Ahttps?://})
+
+        # Otherwise, construct from the path
+        path = resource.effective_canonical_url
+        "#{request.protocol}#{request.host_with_port}#{path}"
+      end
+    end
+  end
+end

data/app/javascript/panda/cms/{application_panda_cms.js → application.js}

@@ -3,5 +3,9 @@ console.debug("[Panda CMS] Controllers loading...");
 import "./controllers/index.js"
 console.debug("[Panda CMS] Controllers loaded...");
 
+// Mark that Panda CMS JavaScript has loaded
+window.pandaCmsLoaded = true
+console.debug("[Panda CMS] Ready!");
+
 // Editor resources are now handled by panda-editor gem
 // The panda-editor gem will load its own resources when needed

data/app/javascript/panda/cms/controllers/editor_form_controller.js

@@ -1,6 +1,6 @@
 import { Controller } from "@hotwired/stimulus";
-import { EDITOR_JS_RESOURCES, EDITOR_JS_CSS } from "panda/cms/editor/editor_js_config";
-import { ResourceLoader } from "panda/cms/editor/resource_loader";
+import { EDITOR_JS_RESOURCES, EDITOR_JS_CSS } from "panda/editor/editor_js_config";
+import { ResourceLoader } from "panda/editor/resource_loader";
 
 export default class extends Controller {
   static targets = ["editorContainer", "hiddenField"];
@@ -50,7 +50,7 @@ export default class extends Controller {
       this.editorContainerTarget.appendChild(holderDiv);
 
       const { getEditorConfig } = await import(
-        "panda/cms/editor/editor_js_config"
+        "panda/editor/editor_js_config"
       );
 
       // Get initial content before creating config

data/app/javascript/panda/cms/controllers/editor_iframe_controller.js

@@ -1,14 +1,15 @@
 import { Controller } from "@hotwired/stimulus"
-import { PlainTextEditor } from "panda/cms/editor/plain_text_editor"
-import { EditorJSInitializer } from "panda/cms/editor/editor_js_initializer"
-import { EDITOR_JS_RESOURCES, EDITOR_JS_CSS } from "panda/cms/editor/editor_js_config"
-import { ResourceLoader } from "panda/cms/editor/resource_loader"
+import { PlainTextEditor } from "panda/editor/plain_text_editor"
+import { EditorJSInitializer } from "panda/editor/editor_js_initializer"
+import { EDITOR_JS_RESOURCES, EDITOR_JS_CSS } from "panda/editor/editor_js_config"
+import { ResourceLoader } from "panda/editor/resource_loader"
 
 export default class extends Controller {
   static values = {
     pageId: Number,
     adminPath: String,
-    autosave: Boolean
+    autosave: Boolean,
+    assets: String
   }
 
   connect() {
@@ -65,6 +66,33 @@ export default class extends Controller {
       this.body = this.frameDocument.body
       this.head = this.frameDocument.head
 
+      // Inject CMS assets into the iframe head
+      if (this.hasAssetsValue && this.assetsValue) {
+        console.debug("[Panda CMS] Injecting assets into iframe", {
+          assetsLength: this.assetsValue.length,
+          assetsPreview: this.assetsValue.substring(0, 200)
+        })
+        const assetsHTML = this.assetsValue
+        const tempDiv = document.createElement('div')
+        tempDiv.innerHTML = assetsHTML
+
+        // Append each node to the iframe's head
+        Array.from(tempDiv.childNodes).forEach(node => {
+          if (node.nodeType === Node.ELEMENT_NODE || node.nodeType === Node.TEXT_NODE) {
+            const importedNode = this.frameDocument.importNode(node, true)
+            this.head.appendChild(importedNode)
+            console.debug("[Panda CMS] Injected node:", node.nodeName)
+          }
+        })
+
+        console.debug("[Panda CMS] Assets injected successfully - head element count:", this.head.children.length)
+      } else {
+        console.warn("[Panda CMS] No assets to inject", {
+          hasAssetsValue: this.hasAssetsValue,
+          assetsValue: this.assetsValue
+        })
+      }
+
       // Ensure iframe content is properly positioned but doesn't block UI
       this.body.style.position = "relative"
       this.body.style.zIndex = "1"
@@ -545,11 +573,10 @@ export default class extends Controller {
   }
 
   setupSlideoverHandling() {
-    // Watch for slideover toggle
-    const slideoverToggle = document.getElementById('slideover-toggle')
+    // Watch for slideover visibility changes
     const slideover = document.getElementById('slideover')
 
-    if (slideoverToggle && slideover) {
+    if (slideover) {
       const observer = new MutationObserver((mutations) => {
         mutations.forEach((mutation) => {
           if (mutation.attributeName === 'class') {