railspress-engine 1.2.1 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 620cf1a81acefe35aedfda0894686721073bdad83c405be7b9fcb967df04829d
-  data.tar.gz: 6ffab1d40c3dade6d4fed057174754d1caecc854e0415d634d49e160ab8bcc3f
+  metadata.gz: 24a6b9398ebd465a15fd0d1346127c45d2264c1f479cc9d866ebd52565ed6a7e
+  data.tar.gz: 6b410cc6ee303f2c2ef33f438517f1bab2850a695ca31c82e1ec035acbcd2e5b
 SHA512:
-  metadata.gz: dfe7e288c00fefbfbb8d23999bdff5211154ec68e00b79a3e6d7269b957fd99a2d784ea414243399fdfff43a684f635dd3d3be99e05fa31d628341c480e9a3aa
-  data.tar.gz: 3ff12ea74a82a33ebb1fe504944540e8ddb72dd599f7e85042c27ea144764ab6ba7116aba693cbabb037ebe474d52b23529f8509dd8db04a155289f37701a232
+  metadata.gz: cd5cb3183c073a9b35234add1862126b62c8055faf799ff28209cb896d563c020ccf0ed6dc06e2ba8ce65a30f727e3627c237cabebae13b717630a7403ddfd73
+  data.tar.gz: dd7e0c8a24cb6b1bc7d9f32c184c3b1806b19bd68a51010c63789b639baef1b99abed3de8306ff380445bca9c3287772a749d64aa3f90cb440642881c747a42e

data/app/assets/javascripts/railspress/admin.js

@@ -227,6 +227,59 @@
     });
   }
 
+  // ============================================
+  // Copy-to-Clipboard Buttons
+  // ============================================
+
+  function initCopyButtons() {
+    const copyButtons = document.querySelectorAll('[data-copy-target]');
+
+    if (!copyButtons.length) return;
+
+    function copyText(text) {
+      if (navigator.clipboard && navigator.clipboard.writeText) {
+        return navigator.clipboard.writeText(text);
+      }
+
+      return new Promise(function(resolve, reject) {
+        const textarea = document.createElement('textarea');
+        textarea.value = text;
+        textarea.setAttribute('readonly', '');
+        textarea.style.position = 'absolute';
+        textarea.style.left = '-9999px';
+        document.body.appendChild(textarea);
+        textarea.select();
+        textarea.setSelectionRange(0, textarea.value.length);
+
+        try {
+          const copied = document.execCommand('copy');
+          document.body.removeChild(textarea);
+          copied ? resolve() : reject(new Error('Copy failed'));
+        } catch (error) {
+          document.body.removeChild(textarea);
+          reject(error);
+        }
+      });
+    }
+
+    copyButtons.forEach(function(button) {
+      button.addEventListener('click', function() {
+        const targetId = button.dataset.copyTarget;
+        const source = document.getElementById(targetId);
+        if (!source) return;
+
+        const originalLabel = button.textContent;
+        copyText(source.value || source.textContent || '').then(function() {
+          button.textContent = 'Copied';
+          setTimeout(function() { button.textContent = originalLabel; }, 1500);
+        }).catch(function() {
+          button.textContent = 'Copy failed';
+          setTimeout(function() { button.textContent = originalLabel; }, 1500);
+        });
+      });
+    });
+  }
+
   // ============================================
   // Initialize on DOM Ready
   // ============================================
@@ -238,6 +291,7 @@
     initDeleteConfirmation();
     initFlashMessages();
     initFormValidation();
+    initCopyButtons();
   }
 
   if (document.readyState === 'loading') {

data/app/assets/stylesheets/railspress/admin/buttons.css

@@ -59,6 +59,18 @@
   background: #8f3436;
 }
 
+.rp-btn--accent {
+  background: var(--rp-success-light);
+  color: var(--rp-success);
+  border-color: rgba(74, 124, 89, 0.28);
+}
+
+.rp-btn--accent:hover {
+  background: #dbeadf;
+  border-color: rgba(74, 124, 89, 0.5);
+  color: #365f45;
+}
+
 .rp-btn--text {
   background: none;
   border: none;

data/app/assets/stylesheets/railspress/admin/cards.css

@@ -14,6 +14,14 @@
   padding: var(--rp-space-xl);
 }
 
+.rp-card--spaced {
+  margin-bottom: var(--rp-space-2xl);
+}
+
+.rp-card--section + .rp-card--section {
+  margin-top: var(--rp-space-2xl);
+}
+
 /* Detail list for show views */
 .rp-detail-list {
   padding: var(--rp-space-lg);

data/app/assets/stylesheets/railspress/admin/forms.css

@@ -9,6 +9,10 @@
   flex-direction: column;
 }
 
+.rp-form--spacious {
+  gap: var(--rp-space-lg);
+}
+
 .rp-form--narrow {
   max-width: 560px;
 }
@@ -132,6 +136,23 @@
   font-size: 0.875rem;
 }
 
+.rp-input--code {
+  background: var(--rp-sidebar-bg);
+  color: var(--rp-sidebar-text-active);
+  border-color: var(--rp-sidebar-hover);
+  box-shadow: inset 0 1px 2px rgba(0, 0, 0, 0.18);
+  line-height: 1.6;
+}
+
+.rp-input--code::placeholder {
+  color: var(--rp-sidebar-text);
+}
+
+.rp-input--code:focus {
+  border-color: var(--rp-primary);
+  box-shadow: 0 0 0 3px var(--rp-primary-light), inset 0 1px 2px rgba(0, 0, 0, 0.18);
+}
+
 textarea.rp-input {
   min-height: 100px;
   resize: vertical;

data/app/controllers/railspress/admin/agent_bootstrap_keys_controller.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+module Railspress
+  module Admin
+    class AgentBootstrapKeysController < BaseController
+      DEFAULT_BOOTSTRAP_TTL = 1.hour
+
+      before_action :ensure_api_enabled!
+      before_action :require_api_actor!
+      before_action :set_agent_bootstrap_key, only: [ :revoke ]
+
+      def new
+        @agent_bootstrap_key = AgentBootstrapKey.new(expires_at: default_bootstrap_expires_at)
+      end
+
+      def create
+        @agent_bootstrap_key, @plain_bootstrap_token = AgentBootstrapKey.issue!(
+          name: agent_bootstrap_key_params[:name],
+          actor: current_api_actor,
+          owner: current_api_actor,
+          expires_at: parsed_expires_at || default_bootstrap_expires_at
+        )
+        set_bootstrap_instructions
+
+        render :reveal, status: :created
+      rescue ActiveRecord::RecordInvalid => e
+        @agent_bootstrap_key = e.record
+        render :new, status: :unprocessable_content
+      end
+
+      def revoke
+        @agent_bootstrap_key.revoke!(
+          actor: current_api_actor,
+          reason: params[:reason].presence || "revoked"
+        )
+
+        redirect_to admin_api_keys_path, notice: "Agent bootstrap key revoked."
+      end
+
+      private
+
+      def ensure_api_enabled!
+        raise ActionController::RoutingError, "Not Found" unless Railspress.api_enabled?
+      end
+
+      def require_api_actor!
+        return if current_api_actor.present?
+
+        redirect_to admin_root_path, alert: "You must be signed in to manage API keys."
+      end
+
+      def set_agent_bootstrap_key
+        @agent_bootstrap_key = AgentBootstrapKey.find(params[:id])
+      end
+
+      def agent_bootstrap_key_params
+        params.require(:agent_bootstrap_key).permit(:name, :expires_at)
+      end
+
+      def parsed_expires_at
+        value = agent_bootstrap_key_params[:expires_at]
+        return nil if value.blank?
+
+        Time.zone.parse(value)
+      rescue ArgumentError
+        nil
+      end
+
+      def default_bootstrap_expires_at
+        DEFAULT_BOOTSTRAP_TTL.from_now
+      end
+
+      def set_bootstrap_instructions
+        base_url = instruction_base_url
+
+        @bootstrap_quick_start = <<~TEXT
+          export RAILSPRESS_BOOTSTRAP_TOKEN="#{@plain_bootstrap_token}"
+          export RAILSPRESS_TOKEN=$(curl -s -X POST -H "Authorization: Bearer $RAILSPRESS_BOOTSTRAP_TOKEN" #{base_url}#{exchange_api_v1_agent_keys_path} | ruby -rjson -e 'print JSON.parse(STDIN.read).dig("data","api_key","token")')
+          printf '%s\n' "$RAILSPRESS_TOKEN" > ~/.railspress_token
+          chmod 600 ~/.railspress_token
+          curl -H "Authorization: Bearer $RAILSPRESS_TOKEN" #{base_url}#{api_v1_prime_path}
+        TEXT
+
+        @bootstrap_instructions = <<~TEXT
+          I use Railspress for blog publishing. Here's the secure agent setup:
+
+          Host: #{base_url}
+          Bootstrap Token (one-time): #{@plain_bootstrap_token}
+          Exchange Endpoint: #{base_url}#{exchange_api_v1_agent_keys_path}
+
+          1) Exchange bootstrap for API token:
+            export RAILSPRESS_BOOTSTRAP_TOKEN="#{@plain_bootstrap_token}"
+            export RAILSPRESS_TOKEN=$(curl -s -X POST -H "Authorization: Bearer $RAILSPRESS_BOOTSTRAP_TOKEN" #{base_url}#{exchange_api_v1_agent_keys_path} | ruby -rjson -e 'print JSON.parse(STDIN.read).dig("data","api_key","token")')
+
+          2) Optional local token file:
+            printf '%s\n' "$RAILSPRESS_TOKEN" > ~/.railspress_token
+            chmod 600 ~/.railspress_token
+            export RAILSPRESS_TOKEN="$(cat ~/.railspress_token)"
+
+          3) Verify connectivity:
+            curl -H "Authorization: Bearer $RAILSPRESS_TOKEN" #{base_url}#{api_v1_prime_path}
+
+          4) Create a draft post:
+            curl -X POST -H "Authorization: Bearer $RAILSPRESS_TOKEN" -H "Content-Type: application/json" -d '{"post":{"title":"Agent draft","content":"<p>Hello</p>"}}' #{base_url}#{api_v1_posts_path}
+        TEXT
+      end
+    end
+  end
+end

data/app/controllers/railspress/admin/api_keys_controller.rb

@@ -0,0 +1,165 @@
+# frozen_string_literal: true
+
+module Railspress
+  module Admin
+    class ApiKeysController < BaseController
+      before_action :ensure_api_enabled!
+      before_action :require_api_actor!
+      before_action :set_api_key, only: [ :rotate, :revoke ]
+      before_action :set_generic_agent_instructions, only: [ :index ]
+
+      def index
+        @api_keys = ApiKey.recent
+        @agent_bootstrap_keys = AgentBootstrapKey.recent
+      end
+
+      def new
+        @api_key = ApiKey.new
+      end
+
+      def create
+        @api_key, @plain_token = ApiKey.issue!(
+          name: api_key_params[:name],
+          actor: current_api_actor,
+          owner: current_api_actor,
+          expires_at: parsed_expires_at
+        )
+        set_api_key_instructions
+
+        render :reveal, status: :created
+      rescue ActiveRecord::RecordInvalid => e
+        @api_key = e.record
+        render :new, status: :unprocessable_content
+      end
+
+      def rotate
+        @api_key, @plain_token = @api_key.rotate!(
+          actor: current_api_actor,
+          expires_at: @api_key.expires_at
+        )
+        set_api_key_instructions
+        render :reveal, status: :created
+      end
+
+      def revoke
+        @api_key.revoke!(
+          actor: current_api_actor,
+          reason: params[:reason].presence || "revoked"
+        )
+
+        redirect_to admin_api_keys_path, notice: "API key revoked."
+      end
+
+      private
+
+      def ensure_api_enabled!
+        raise ActionController::RoutingError, "Not Found" unless Railspress.api_enabled?
+      end
+
+      def require_api_actor!
+        return if current_api_actor.present?
+
+        redirect_to admin_root_path, alert: "You must be signed in to manage API keys."
+      end
+
+      def set_api_key
+        @api_key = ApiKey.find(params[:id])
+      end
+
+      def api_key_params
+        params.require(:api_key).permit(:name, :expires_at)
+      end
+
+      def parsed_expires_at
+        value = api_key_params[:expires_at]
+        return nil if value.blank?
+
+        Time.zone.parse(value)
+      rescue ArgumentError
+        nil
+      end
+
+      def set_api_key_instructions
+        base_url = instruction_base_url
+
+        @api_key_quick_start = <<~TEXT
+          export RAILSPRESS_TOKEN="#{@plain_token}"
+          curl -H "Authorization: Bearer $RAILSPRESS_TOKEN" #{base_url}#{api_v1_prime_path}
+        TEXT
+
+        @api_key_instructions = <<~TEXT
+          I use Railspress for blog publishing. This is a direct API key.
+
+          Host: #{base_url}
+          API Key: #{@plain_token}
+          API Base: #{base_url}#{api_v1_posts_path.delete_suffix("/posts")}
+
+          Set environment variable:
+            export RAILSPRESS_TOKEN="#{@plain_token}"
+
+          Optional local token file:
+            printf '%s\n' "#{@plain_token}" > ~/.railspress_token
+            chmod 600 ~/.railspress_token
+            export RAILSPRESS_TOKEN="$(cat ~/.railspress_token)"
+
+          Quick start:
+            #{api_key_quick_start_line}
+
+          Create a draft post (default behavior):
+            curl -X POST -H "Authorization: Bearer $RAILSPRESS_TOKEN" -H "Content-Type: application/json" -d '{"post":{"title":"Agent draft","content":"<p>Hello</p>"}}' #{base_url}#{api_v1_posts_path}
+
+          Publish explicitly:
+            set "post.status" to "published" (optionally also set "post.published_at")
+        TEXT
+      end
+
+      def set_generic_agent_instructions
+        bootstrap_token = latest_active_bootstrap_token || "<YOUR_BOOTSTRAP_TOKEN>"
+        base_url = instruction_base_url
+
+        @generic_agent_quick_start = <<~TEXT
+          export RAILSPRESS_BOOTSTRAP_TOKEN="#{bootstrap_token}"
+          export RAILSPRESS_TOKEN=$(curl -s -X POST -H "Authorization: Bearer ${RAILSPRESS_BOOTSTRAP_TOKEN}" #{base_url}#{exchange_api_v1_agent_keys_path} | ruby -rjson -e 'print JSON.parse(STDIN.read).dig("data","api_key","token")')
+          curl -H "Authorization: Bearer $RAILSPRESS_TOKEN" #{base_url}#{api_v1_prime_path}
+        TEXT
+
+        @generic_agent_instructions = <<~TEXT
+          I use Railspress for blog publishing. Here's the secure agent flow:
+
+          Host: #{base_url}
+          Bootstrap Token: #{bootstrap_token}
+          API Base: #{base_url}#{api_v1_posts_path.delete_suffix("/posts")}
+
+          Exchange bootstrap token for a real API key (one-time bootstrap):
+            export RAILSPRESS_BOOTSTRAP_TOKEN="#{bootstrap_token}"
+            export RAILSPRESS_TOKEN=$(curl -s -X POST -H "Authorization: Bearer ${RAILSPRESS_BOOTSTRAP_TOKEN}" #{base_url}#{exchange_api_v1_agent_keys_path} | ruby -rjson -e 'print JSON.parse(STDIN.read).dig("data","api_key","token")')
+
+          Optional local token file:
+            printf '%s\n' "$RAILSPRESS_TOKEN" > ~/.railspress_token
+            chmod 600 ~/.railspress_token
+            export RAILSPRESS_TOKEN="$(cat ~/.railspress_token)"
+
+          Quick start:
+            curl -H "Authorization: Bearer $RAILSPRESS_TOKEN" #{base_url}#{api_v1_prime_path}
+
+          Create a draft post (default behavior):
+            curl -X POST -H "Authorization: Bearer $RAILSPRESS_TOKEN" -H "Content-Type: application/json" -d '{"post":{"title":"Agent draft","content":"<p>Hello</p>"}}' #{base_url}#{api_v1_posts_path}
+
+          Publish explicitly:
+            set "post.status" to "published" (optionally also set "post.published_at")
+        TEXT
+      end
+
+      def api_key_quick_start_line
+        @api_key_quick_start.strip
+      end
+
+      def latest_active_bootstrap_token
+        bootstrap_key = AgentBootstrapKey.active.recent.first
+        return nil unless bootstrap_key
+
+        AgentBootstrapKey.build_token(bootstrap_key.token_prefix, bootstrap_key.secret_ciphertext)
+      end
+    end
+  end
+end

data/app/controllers/railspress/admin/base_controller.rb

@@ -1,3 +1,5 @@
+require "uri"
+
 module Railspress
   module Admin
     class BaseController < ActionController::Base
@@ -6,7 +8,7 @@ module Railspress
       layout "railspress/admin"
       helper Railspress::AdminHelper
 
-      helper_method :current_author, :available_authors, :authors_enabled?, :post_images_enabled?
+      helper_method :current_author, :available_authors, :authors_enabled?, :post_images_enabled?, :current_api_actor
 
       # Authentication hook - to be configured later
       # before_action :authenticate_admin!
@@ -41,6 +43,64 @@ module Railspress
         return [] unless authors_enabled?
         Railspress.available_authors
       end
+
+      def current_api_actor
+        if Railspress.current_api_actor_proc
+          instance_exec(&Railspress.current_api_actor_proc)
+        elsif respond_to?(Railspress.current_api_actor_method, true)
+          send(Railspress.current_api_actor_method)
+        end
+      end
+
+      def instruction_base_url
+        configured = Railspress.public_base_url.to_s.strip
+        return configured.delete_suffix("/") if configured.present?
+
+        route_default_base_url || request.base_url
+      end
+
+      def route_default_base_url
+        options = Rails.application.routes.default_url_options.to_h.symbolize_keys
+        host_value = options[:host].presence
+        return nil if host_value.blank?
+
+        fallback_protocol = request.protocol.delete_suffix("://")
+        parsed_uri = parse_host_uri(host_value, fallback_protocol)
+        return nil if parsed_uri.nil? || parsed_uri.host.blank?
+
+        protocol = options[:protocol].presence&.to_s&.delete_suffix("://") || parsed_uri.scheme || fallback_protocol
+        port = options.key?(:port) ? options[:port] : parsed_uri.port
+        script_name = options[:script_name].presence || parsed_uri.path.presence
+
+        base = +"#{protocol}://#{parsed_uri.host}"
+        base << ":#{port}" if non_default_port?(protocol, port)
+        base << normalize_script_name(script_name) if script_name.present?
+        base.delete_suffix("/")
+      end
+
+      def parse_host_uri(host_value, protocol)
+        host_string = host_value.to_s
+        host_string = "#{protocol}://#{host_string}" unless host_string.match?(/\Ahttps?:\/\//i)
+        URI.parse(host_string)
+      rescue URI::InvalidURIError
+        nil
+      end
+
+      def non_default_port?(protocol, port)
+        return false if port.blank?
+
+        port_int = port.to_i
+        return false if port_int.zero?
+
+        !((protocol == "http" && port_int == 80) || (protocol == "https" && port_int == 443))
+      end
+
+      def normalize_script_name(script_name)
+        value = script_name.to_s
+        return "" if value.blank? || value == "/"
+
+        value.start_with?("/") ? value : "/#{value}"
+      end
     end
   end
 end

data/app/controllers/railspress/api/v1/agent_key_exchanges_controller.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Railspress
+  module Api
+    module V1
+      class AgentKeyExchangesController < BaseController
+        include ActionController::HttpAuthentication::Token::ControllerMethods
+
+        skip_before_action :authenticate_api_key!
+        before_action :authenticate_bootstrap_key!
+
+        def create
+          api_key, plain_api_token = current_agent_bootstrap_key.exchange!(ip_address: request.remote_ip)
+
+          render json: {
+            data: {
+              api_key: {
+                id: api_key.id,
+                name: api_key.name,
+                token: plain_api_token,
+                expires_at: api_key.expires_at
+              },
+              bootstrap: {
+                id: current_agent_bootstrap_key.id,
+                used_at: current_agent_bootstrap_key.used_at
+              }
+            }
+          }, status: :created
+        rescue Railspress::AgentBootstrapKey::ExchangeError
+          render_error("Unauthorized", status: :unauthorized)
+        rescue ActiveRecord::RecordInvalid => e
+          render_validation_errors(e.record)
+        end
+
+        private
+
+        attr_reader :current_agent_bootstrap_key
+
+        def authenticate_bootstrap_key!
+          authenticated = authenticate_with_http_token do |token, _opts|
+            @current_agent_bootstrap_key = Railspress::AgentBootstrapKey.authenticate(token)
+            @current_agent_bootstrap_key.present?
+          end
+
+          render_error("Unauthorized", status: :unauthorized) unless authenticated
+        end
+      end
+    end
+  end
+end

data/app/controllers/railspress/api/v1/base_controller.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Railspress
+  module Api
+    module V1
+      class BaseController < ActionController::API
+        include ActionController::HttpAuthentication::Token::ControllerMethods
+
+        before_action :ensure_api_enabled!
+        before_action :authenticate_api_key!
+
+        rescue_from ActiveRecord::RecordNotFound, with: :render_not_found
+
+        attr_reader :current_api_key
+
+        private
+
+        def ensure_api_enabled!
+          render_error("API is not enabled.", status: :not_found) unless Railspress.api_enabled?
+        end
+
+        def authenticate_api_key!
+          return if authenticate_with_http_token { |token, _opts| authenticate_with_token(token) }
+
+          render_error("Unauthorized", status: :unauthorized)
+        end
+
+        def authenticate_with_token(token)
+          @current_api_key = Railspress::ApiKey.authenticate(token, ip_address: request.remote_ip)
+          @current_api_key.present?
+        end
+
+        def render_not_found
+          render_error("Resource not found.", status: :not_found)
+        end
+
+        def render_validation_errors(record)
+          render json: {
+            error: {
+              message: "Validation failed.",
+              details: record.errors.full_messages
+            }
+          }, status: :unprocessable_content
+        end
+
+        def render_error(message, status:)
+          render json: { error: { message: message } }, status: status
+        end
+      end
+    end
+  end
+end

data/app/controllers/railspress/api/v1/categories_controller.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module Railspress
+  module Api
+    module V1
+      class CategoriesController < BaseController
+        before_action :set_category, only: [ :show, :update, :destroy ]
+
+        def index
+          categories = Railspress::Category.ordered
+          total_count = categories.count
+          categories = categories.offset((page - 1) * per_page).limit(per_page)
+
+          render json: {
+            data: categories.map { |category| serialize_category(category) },
+            meta: {
+              page: page,
+              per: per_page,
+              total_count: total_count,
+              total_pages: (total_count.to_f / per_page).ceil
+            }
+          }
+        end
+
+        def show
+          render json: { data: serialize_category(@category) }
+        end
+
+        def create
+          category = Railspress::Category.new(category_params)
+
+          if category.save
+            render json: { data: serialize_category(category) }, status: :created
+          else
+            render_validation_errors(category)
+          end
+        end
+
+        def update
+          if @category.update(category_params)
+            render json: { data: serialize_category(@category) }
+          else
+            render_validation_errors(@category)
+          end
+        end
+
+        def destroy
+          if @category.destroy
+            head :no_content
+          else
+            render_validation_errors(@category)
+          end
+        end
+
+        private
+
+        def set_category
+          @category = Railspress::Category.find(params[:id])
+        end
+
+        def category_params
+          params.require(:category).permit(:name, :slug, :description)
+        end
+
+        def page
+          [ params.fetch(:page, 1).to_i, 1 ].max
+        end
+
+        def per_page
+          requested = params.fetch(:per, 20).to_i
+          requested = 20 if requested <= 0
+          [ requested, 100 ].min
+        end
+
+        def serialize_category(category)
+          {
+            id: category.id,
+            name: category.name,
+            slug: category.slug,
+            description: category.description,
+            posts_count: category.posts.count,
+            created_at: category.created_at,
+            updated_at: category.updated_at
+          }
+        end
+      end
+    end
+  end
+end