@aphexcms/cms-core 0.1.0

package/src/auth/auth-errors.ts

@@ -0,0 +1,23 @@
+// Custom authentication errors with error codes for better error handling
+
+export type AuthErrorCode =
+	| 'no_session'
+	| 'session_expired'
+	| 'no_organization'
+	| 'kicked_from_org'
+	| 'unauthorized';
+
+export class AuthError extends Error {
+	code: AuthErrorCode;
+
+	constructor(code: AuthErrorCode, message: string) {
+		super(message);
+		this.code = code;
+		this.name = 'AuthError';
+	}
+}
+
+// Helper function to create auth errors
+export function createAuthError(code: AuthErrorCode, message: string): AuthError {
+	return new AuthError(code, message);
+}

package/src/auth/auth-hooks.ts

@@ -0,0 +1,132 @@
+import type { RequestEvent } from '@sveltejs/kit';
+import { redirect } from '@sveltejs/kit';
+import type { DatabaseAdapter } from '../db/';
+import type { CMSConfig, Auth } from '../types/index.js';
+import type { AuthProvider } from './provider.js';
+import { AuthError } from './auth-errors.js';
+
+export async function handleAuthHook(
+	event: RequestEvent,
+	config: CMSConfig,
+	authProvider: AuthProvider,
+	db: DatabaseAdapter
+): Promise<Response | null> {
+	const path = event.url.pathname;
+
+	// 1. Admin UI routes - require session authentication
+	if (path.startsWith('/admin')) {
+		try {
+			const session = await authProvider.requireSession(event.request, db);
+			event.locals.auth = session;
+		} catch (error) {
+			// If it's an AuthError, redirect to login with error code
+			if (error instanceof AuthError) {
+				const loginUrl = config.auth?.loginUrl || '/login';
+				throw redirect(302, `${loginUrl}?error=${error.code}`);
+			}
+			// For other errors, redirect without error code
+			throw redirect(302, config.auth?.loginUrl || '/login');
+		}
+	}
+
+	// 2. Asset CDN routes - accept session OR API key OR signed token
+	// Support both /assets/ and /media/ paths (media is Sanity-style URL)
+	if (path.startsWith('/assets/') || path.startsWith('/media/')) {
+		// Try session first (for admin UI)
+		let auth: Auth | null = await authProvider.getSession(event.request, db);
+
+		// If no session, try API key
+		if (!auth) {
+			auth = await authProvider.validateApiKey(event.request, db);
+		}
+
+		// Make auth available (can be null, route will check for signed token)
+		if (auth) {
+			event.locals.auth = auth;
+		}
+	}
+
+	// 3. API routes - accept session OR API key
+	if (path.startsWith('/api/')) {
+		// Skip auth routes (Better Auth handles these)
+		if (path.startsWith('/api/auth')) {
+			return null; // Let the main hook continue
+		}
+
+		// If API key is explicitly provided, prioritize it over session
+		// This allows public content access even when user is logged in to a different org
+		const hasApiKey = event.request.headers.has('x-api-key');
+		let auth: Auth | null = null;
+
+		if (hasApiKey) {
+			// API key takes precedence when explicitly provided
+			auth = await authProvider.validateApiKey(event.request, db);
+		} else {
+			// Otherwise, try session (for admin UI making API calls)
+			auth = await authProvider.getSession(event.request, db);
+		}
+
+		// Dynamically find the GraphQL endpoint from plugins
+		let graphqlEndpoint: string | undefined;
+		const graphqlPlugin = config.plugins?.find((p) => p.name === '@aphex/graphql-plugin');
+		if (graphqlPlugin && graphqlPlugin.routes) {
+			graphqlEndpoint = Object.keys(graphqlPlugin.routes)[0];
+		}
+
+		// Require authentication for protected API routes
+		const protectedApiRoutes = [
+			'/api/documents',
+			'/api/assets',
+			'/api/schemas',
+			'/api/organizations',
+			'/api/settings'
+		];
+		if (graphqlEndpoint) {
+			protectedApiRoutes.push(graphqlEndpoint);
+		}
+		const isProtectedRoute = protectedApiRoutes.some((route) => path.startsWith(route));
+
+		if (isProtectedRoute && !auth) {
+			return new Response(JSON.stringify({ error: 'Unauthorized' }), {
+				status: 401,
+				headers: { 'Content-Type': 'application/json' }
+			});
+		}
+
+		// Check write permission for mutations
+		if (auth && ['POST', 'PUT', 'PATCH', 'DELETE'].includes(event.request.method)) {
+			// Special handling for GraphQL
+			if (graphqlEndpoint && path.startsWith(graphqlEndpoint)) {
+				// We need to read the body to check if it's a mutation.
+				// It's important to clone the request so we don't consume the body stream.
+				const requestBody = await event.request.clone().text();
+				const isMutation = requestBody.trim().startsWith('mutation');
+
+				if (isMutation && auth.type === 'api_key' && !auth.permissions.includes('write')) {
+					return new Response(
+						JSON.stringify({ error: 'Forbidden: Write permission required for mutations' }),
+						{
+							status: 403,
+							headers: { 'Content-Type': 'application/json' }
+						}
+					);
+				}
+			} else {
+				// Existing logic for other API routes
+				if (auth.type === 'api_key' && !auth.permissions.includes('write')) {
+					return new Response(JSON.stringify({ error: 'Forbidden: Write permission required' }), {
+						status: 403,
+						headers: { 'Content-Type': 'application/json' }
+					});
+				}
+			}
+		}
+
+		// Make auth available in API routes
+		if (auth) {
+			event.locals.auth = auth;
+		}
+	}
+
+	return null; // Tell the main hook to continue
+}

package/src/auth/provider.ts

@@ -0,0 +1,25 @@
+// packages/cms-core/src/auth/provider.ts
+import type { SessionAuth, ApiKeyAuth } from '../types/index.js';
+import type { DatabaseAdapter } from '../db/interfaces/index.js';
+
+export interface AuthProvider {
+	// Session auth (browser, admin UI)
+	getSession(request: Request, db: DatabaseAdapter): Promise<SessionAuth | null>;
+	requireSession(request: Request, db: DatabaseAdapter): Promise<SessionAuth>;
+
+	// API key auth (programmatic access)
+	validateApiKey(request: Request, db: DatabaseAdapter): Promise<ApiKeyAuth | null>;
+	requireApiKey(
+		request: Request,
+		db: DatabaseAdapter,
+		permission?: 'read' | 'write'
+	): Promise<ApiKeyAuth>;
+
+	// User management
+	getUserById(userId: string): Promise<{ id: string; name?: string; email: string } | null>;
+	changeUserName(userId: string, name: string): Promise<void>;
+
+	// Password reset
+	requestPasswordReset(email: string, redirectTo?: string): Promise<void>;
+	resetPassword(token: string, newPassword: string): Promise<void>;
+}

package/src/client/index.ts

@@ -0,0 +1,47 @@
+// Aphex CMS Core - Client-side exports
+// These are safe to import in the browser (no Node.js dependencies)
+
+// Core types (shared between client and server)
+export * from '../types/index.js';
+export type {
+	SidebarUser,
+	SidebarNavItem,
+	SidebarBranding,
+	SidebarData
+} from '../types/sidebar.js';
+
+// Field validation (client-side validation)
+export * from '../field-validation/rule.js';
+export * from '../field-validation/utils.js';
+
+// Content hashing utilities (for client-side change detection)
+export { createContentHash, hasUnpublishedChanges } from '../utils/content-hash.js';
+
+// Schema context (for providing schemas to components)
+export { setSchemaContext, getSchemaContext } from '../schema-context.svelte.js';
+
+// Schema utilities (for working with schemas)
+export * from '../schema-utils/index.js';
+
+// Components (UI components for the admin interface)
+export { default as DocumentEditor } from '../components/admin/DocumentEditor.svelte';
+export { default as DocumentTypesList } from '../components/admin/DocumentTypesList.svelte';
+export { default as SchemaField } from '../components/admin/SchemaField.svelte';
+export { default as AdminApp } from '../components/AdminApp.svelte';
+export { default as Sidebar } from '../components/layout/Sidebar.svelte';
+
+// Field components
+export { default as StringField } from '../components/admin/fields/StringField.svelte';
+export { default as TextareaField } from '../components/admin/fields/TextareaField.svelte';
+export { default as NumberField } from '../components/admin/fields/NumberField.svelte';
+export { default as BooleanField } from '../components/admin/fields/BooleanField.svelte';
+export { default as ImageField } from '../components/admin/fields/ImageField.svelte';
+export { default as SlugField } from '../components/admin/fields/SlugField.svelte';
+export { default as ArrayField } from '../components/admin/fields/ArrayField.svelte';
+export { default as ReferenceField } from '../components/admin/fields/ReferenceField.svelte';
+
+// Utility functions (browser-safe)
+export * from '../utils/index.js';
+
+export * from '../api/index.js';
+export type { ApiResponse } from '../api/index.js';