@aphexcms/cms-core 0.1.3 → 0.1.5

package/dist/auth/auth-errors.d.ts

@@ -0,0 +1,7 @@
+export type AuthErrorCode = 'no_session' | 'session_expired' | 'no_organization' | 'kicked_from_org' | 'unauthorized';
+export declare class AuthError extends Error {
+    code: AuthErrorCode;
+    constructor(code: AuthErrorCode, message: string);
+}
+export declare function createAuthError(code: AuthErrorCode, message: string): AuthError;
+//# sourceMappingURL=auth-errors.d.ts.map

package/dist/auth/auth-errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-errors.d.ts","sourceRoot":"","sources":["../../src/lib/auth/auth-errors.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,aAAa,GACtB,YAAY,GACZ,iBAAiB,GACjB,iBAAiB,GACjB,iBAAiB,GACjB,cAAc,CAAC;AAElB,qBAAa,SAAU,SAAQ,KAAK;IACnC,IAAI,EAAE,aAAa,CAAC;gBAER,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM;CAKhD;AAGD,wBAAgB,eAAe,CAAC,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,GAAG,SAAS,CAE/E"}

package/dist/auth/auth-errors.js

@@ -0,0 +1,13 @@
+// Custom authentication errors with error codes for better error handling
+export class AuthError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.name = 'AuthError';
+    }
+}
+// Helper function to create auth errors
+export function createAuthError(code, message) {
+    return new AuthError(code, message);
+}

package/dist/auth/auth-hooks.d.ts

@@ -0,0 +1,6 @@
+import type { RequestEvent } from '@sveltejs/kit';
+import type { DatabaseAdapter } from '../db/';
+import type { CMSConfig } from '../types/index.js';
+import type { AuthProvider } from './provider.js';
+export declare function handleAuthHook(event: RequestEvent, config: CMSConfig, authProvider: AuthProvider, db: DatabaseAdapter): Promise<Response | null>;
+//# sourceMappingURL=auth-hooks.d.ts.map

package/dist/auth/auth-hooks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-hooks.d.ts","sourceRoot":"","sources":["../../src/lib/auth/auth-hooks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAElD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,KAAK,EAAE,SAAS,EAAQ,MAAM,mBAAmB,CAAC;AACzD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAGlD,wBAAsB,cAAc,CACnC,KAAK,EAAE,YAAY,EACnB,MAAM,EAAE,SAAS,EACjB,YAAY,EAAE,YAAY,EAC1B,EAAE,EAAE,eAAe,GACjB,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAuH1B"}

package/dist/auth/auth-hooks.js

@@ -0,0 +1,108 @@
+import { redirect } from '@sveltejs/kit';
+import { AuthError } from './auth-errors.js';
+export async function handleAuthHook(event, config, authProvider, db) {
+    const path = event.url.pathname;
+    // 1. Admin UI routes - require session authentication
+    if (path.startsWith('/admin')) {
+        try {
+            const session = await authProvider.requireSession(event.request, db);
+            event.locals.auth = session;
+        }
+        catch (error) {
+            // If it's an AuthError, redirect to login with error code
+            if (error instanceof AuthError) {
+                const loginUrl = config.auth?.loginUrl || '/login';
+                throw redirect(302, `${loginUrl}?error=${error.code}`);
+            }
+            // For other errors, redirect without error code
+            throw redirect(302, config.auth?.loginUrl || '/login');
+        }
+    }
+    // 2. Asset CDN routes - accept session OR API key OR signed token
+    // Support both /assets/ and /media/ paths (media is Sanity-style URL)
+    if (path.startsWith('/assets/') || path.startsWith('/media/')) {
+        // Try session first (for admin UI)
+        let auth = await authProvider.getSession(event.request, db);
+        // If no session, try API key
+        if (!auth) {
+            auth = await authProvider.validateApiKey(event.request, db);
+        }
+        // Make auth available (can be null, route will check for signed token)
+        if (auth) {
+            event.locals.auth = auth;
+        }
+    }
+    // 3. API routes - accept session OR API key
+    if (path.startsWith('/api/')) {
+        // Skip auth routes (Better Auth handles these)
+        if (path.startsWith('/api/auth')) {
+            return null; // Let the main hook continue
+        }
+        // If API key is explicitly provided, prioritize it over session
+        // This allows public content access even when user is logged in to a different org
+        const hasApiKey = event.request.headers.has('x-api-key');
+        let auth = null;
+        if (hasApiKey) {
+            // API key takes precedence when explicitly provided
+            auth = await authProvider.validateApiKey(event.request, db);
+        }
+        else {
+            // Otherwise, try session (for admin UI making API calls)
+            auth = await authProvider.getSession(event.request, db);
+        }
+        // Dynamically find the GraphQL endpoint from plugins
+        let graphqlEndpoint;
+        const graphqlPlugin = config.plugins?.find((p) => p.name === '@aphexcms/graphql-plugin');
+        if (graphqlPlugin && graphqlPlugin.routes) {
+            graphqlEndpoint = Object.keys(graphqlPlugin.routes)[0];
+        }
+        // Require authentication for protected API routes
+        const protectedApiRoutes = [
+            '/api/documents',
+            '/api/assets',
+            '/api/schemas',
+            '/api/organizations',
+            '/api/settings'
+        ];
+        if (graphqlEndpoint) {
+            protectedApiRoutes.push(graphqlEndpoint);
+        }
+        const isProtectedRoute = protectedApiRoutes.some((route) => path.startsWith(route));
+        if (isProtectedRoute && !auth) {
+            return new Response(JSON.stringify({ error: 'Unauthorized' }), {
+                status: 401,
+                headers: { 'Content-Type': 'application/json' }
+            });
+        }
+        // Check write permission for mutations
+        if (auth && ['POST', 'PUT', 'PATCH', 'DELETE'].includes(event.request.method)) {
+            // Special handling for GraphQL
+            if (graphqlEndpoint && path.startsWith(graphqlEndpoint)) {
+                // We need to read the body to check if it's a mutation.
+                // It's important to clone the request so we don't consume the body stream.
+                const requestBody = await event.request.clone().text();
+                const isMutation = requestBody.trim().startsWith('mutation');
+                if (isMutation && auth.type === 'api_key' && !auth.permissions.includes('write')) {
+                    return new Response(JSON.stringify({ error: 'Forbidden: Write permission required for mutations' }), {
+                        status: 403,
+                        headers: { 'Content-Type': 'application/json' }
+                    });
+                }
+            }
+            else {
+                // Existing logic for other API routes
+                if (auth.type === 'api_key' && !auth.permissions.includes('write')) {
+                    return new Response(JSON.stringify({ error: 'Forbidden: Write permission required' }), {
+                        status: 403,
+                        headers: { 'Content-Type': 'application/json' }
+                    });
+                }
+            }
+        }
+        // Make auth available in API routes
+        if (auth) {
+            event.locals.auth = auth;
+        }
+    }
+    return null; // Tell the main hook to continue
+}

package/dist/auth/provider.d.ts

@@ -0,0 +1,17 @@
+import type { SessionAuth, ApiKeyAuth } from '../types/index.js';
+import type { DatabaseAdapter } from '../db/interfaces/index.js';
+export interface AuthProvider {
+    getSession(request: Request, db: DatabaseAdapter): Promise<SessionAuth | null>;
+    requireSession(request: Request, db: DatabaseAdapter): Promise<SessionAuth>;
+    validateApiKey(request: Request, db: DatabaseAdapter): Promise<ApiKeyAuth | null>;
+    requireApiKey(request: Request, db: DatabaseAdapter, permission?: 'read' | 'write'): Promise<ApiKeyAuth>;
+    getUserById(userId: string): Promise<{
+        id: string;
+        name?: string;
+        email: string;
+    } | null>;
+    changeUserName(userId: string, name: string): Promise<void>;
+    requestPasswordReset(email: string, redirectTo?: string): Promise<void>;
+    resetPassword(token: string, newPassword: string): Promise<void>;
+}
+//# sourceMappingURL=provider.d.ts.map

package/dist/auth/provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../src/lib/auth/provider.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AACjE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAEjE,MAAM,WAAW,YAAY;IAE5B,UAAU,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,eAAe,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC/E,cAAc,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,eAAe,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IAG5E,cAAc,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,eAAe,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IAClF,aAAa,CACZ,OAAO,EAAE,OAAO,EAChB,EAAE,EAAE,eAAe,EACnB,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,GAC3B,OAAO,CAAC,UAAU,CAAC,CAAC;IAGvB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;IAC1F,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAG5D,oBAAoB,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACxE,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACjE"}

package/dist/auth/provider.js

@@ -0,0 +1 @@
+export {};

package/dist/client/index.d.ts

@@ -0,0 +1,24 @@
+export * from '../types/index.js';
+export type { SidebarUser, SidebarNavItem, SidebarBranding, SidebarData } from '../types/sidebar.js';
+export * from '../field-validation/rule.js';
+export * from '../field-validation/utils.js';
+export { createContentHash, hasUnpublishedChanges } from '../utils/content-hash.js';
+export { setSchemaContext, getSchemaContext } from '../schema-context.svelte.js';
+export * from '../schema-utils/index.js';
+export { default as DocumentEditor } from '../components/admin/DocumentEditor.svelte';
+export { default as DocumentTypesList } from '../components/admin/DocumentTypesList.svelte';
+export { default as SchemaField } from '../components/admin/SchemaField.svelte';
+export { default as AdminApp } from '../components/AdminApp.svelte';
+export { default as Sidebar } from '../components/layout/Sidebar.svelte';
+export { default as StringField } from '../components/admin/fields/StringField.svelte';
+export { default as TextareaField } from '../components/admin/fields/TextareaField.svelte';
+export { default as NumberField } from '../components/admin/fields/NumberField.svelte';
+export { default as BooleanField } from '../components/admin/fields/BooleanField.svelte';
+export { default as ImageField } from '../components/admin/fields/ImageField.svelte';
+export { default as SlugField } from '../components/admin/fields/SlugField.svelte';
+export { default as ArrayField } from '../components/admin/fields/ArrayField.svelte';
+export { default as ReferenceField } from '../components/admin/fields/ReferenceField.svelte';
+export * from '../utils/index.js';
+export * from '../api/index.js';
+export type { ApiResponse } from '../api/index.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/client/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/client/index.ts"],"names":[],"mappings":"AAIA,cAAc,mBAAmB,CAAC;AAClC,YAAY,EACX,WAAW,EACX,cAAc,EACd,eAAe,EACf,WAAW,EACX,MAAM,qBAAqB,CAAC;AAG7B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,8BAA8B,CAAC;AAG7C,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AAGpF,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAGjF,cAAc,0BAA0B,CAAC;AAGzC,OAAO,EAAE,OAAO,IAAI,cAAc,EAAE,MAAM,2CAA2C,CAAC;AACtF,OAAO,EAAE,OAAO,IAAI,iBAAiB,EAAE,MAAM,8CAA8C,CAAC;AAC5F,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,wCAAwC,CAAC;AAChF,OAAO,EAAE,OAAO,IAAI,QAAQ,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,EAAE,OAAO,IAAI,OAAO,EAAE,MAAM,qCAAqC,CAAC;AAGzE,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,+CAA+C,CAAC;AACvF,OAAO,EAAE,OAAO,IAAI,aAAa,EAAE,MAAM,iDAAiD,CAAC;AAC3F,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,+CAA+C,CAAC;AACvF,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,gDAAgD,CAAC;AACzF,OAAO,EAAE,OAAO,IAAI,UAAU,EAAE,MAAM,8CAA8C,CAAC;AACrF,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,6CAA6C,CAAC;AACnF,OAAO,EAAE,OAAO,IAAI,UAAU,EAAE,MAAM,8CAA8C,CAAC;AACrF,OAAO,EAAE,OAAO,IAAI,cAAc,EAAE,MAAM,kDAAkD,CAAC;AAG7F,cAAc,mBAAmB,CAAC;AAElC,cAAc,iBAAiB,CAAC;AAChC,YAAY,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/client/index.js

@@ -0,0 +1,31 @@
+// Aphex CMS Core - Client-side exports
+// These are safe to import in the browser (no Node.js dependencies)
+// Core types (shared between client and server)
+export * from '../types/index.js';
+// Field validation (client-side validation)
+export * from '../field-validation/rule.js';
+export * from '../field-validation/utils.js';
+// Content hashing utilities (for client-side change detection)
+export { createContentHash, hasUnpublishedChanges } from '../utils/content-hash.js';
+// Schema context (for providing schemas to components)
+export { setSchemaContext, getSchemaContext } from '../schema-context.svelte.js';
+// Schema utilities (for working with schemas)
+export * from '../schema-utils/index.js';
+// Components (UI components for the admin interface)
+export { default as DocumentEditor } from '../components/admin/DocumentEditor.svelte';
+export { default as DocumentTypesList } from '../components/admin/DocumentTypesList.svelte';
+export { default as SchemaField } from '../components/admin/SchemaField.svelte';
+export { default as AdminApp } from '../components/AdminApp.svelte';
+export { default as Sidebar } from '../components/layout/Sidebar.svelte';
+// Field components
+export { default as StringField } from '../components/admin/fields/StringField.svelte';
+export { default as TextareaField } from '../components/admin/fields/TextareaField.svelte';
+export { default as NumberField } from '../components/admin/fields/NumberField.svelte';
+export { default as BooleanField } from '../components/admin/fields/BooleanField.svelte';
+export { default as ImageField } from '../components/admin/fields/ImageField.svelte';
+export { default as SlugField } from '../components/admin/fields/SlugField.svelte';
+export { default as ArrayField } from '../components/admin/fields/ArrayField.svelte';
+export { default as ReferenceField } from '../components/admin/fields/ReferenceField.svelte';
+// Utility functions (browser-safe)
+export * from '../utils/index.js';
+export * from '../api/index.js';