@cosmicdrift/kumiko-bundled-features 0.86.0 → 0.87.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.86.0",
+  "version": "0.87.1",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -80,16 +80,17 @@
     "./renderer-foundation": "./src/renderer-foundation/index.ts",
     "./legal-pages": "./src/legal-pages/index.ts",
     "./legal-pages/web": "./src/legal-pages/web/index.ts",
+    "./page-render": "./src/page-render/index.ts",
     "./managed-pages": "./src/managed-pages/index.ts",
     "./managed-pages/seeding": "./src/managed-pages/seeding.ts",
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.86.0",
-    "@cosmicdrift/kumiko-framework": "0.86.0",
-    "@cosmicdrift/kumiko-headless": "0.86.0",
-    "@cosmicdrift/kumiko-renderer": "0.86.0",
-    "@cosmicdrift/kumiko-renderer-web": "0.86.0",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.87.1",
+    "@cosmicdrift/kumiko-framework": "0.87.1",
+    "@cosmicdrift/kumiko-headless": "0.87.1",
+    "@cosmicdrift/kumiko-renderer": "0.87.1",
+    "@cosmicdrift/kumiko-renderer-web": "0.87.1",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/auth-email-password/web/__tests__/session-auth-bootstrap.test.ts

@@ -0,0 +1,22 @@
+import { describe, expect, test } from "bun:test";
+import { emailPasswordClient } from "../client-plugin";
+import { hasLikelyAuthSession } from "../session";
+
+describe("hasLikelyAuthSession", () => {
+  test("no kumiko_csrf cookie → false", () => {
+    expect(hasLikelyAuthSession("theme=dark")).toBe(false);
+  });
+
+  test("kumiko_csrf present → true", () => {
+    expect(hasLikelyAuthSession("kumiko_csrf=abc-123")).toBe(true);
+  });
+});
+
+describe("emailPasswordClient", () => {
+  test("registers SessionAuthGate as gate, not SessionProvider as provider", () => {
+    const feature = emailPasswordClient();
+    expect(feature.providers).toEqual([]);
+    expect(feature.gates).toHaveLength(1);
+    expect(feature.gates[0]?.name).toBe("SessionAuthGate");
+  });
+});

package/src/auth-email-password/web/auth-gate.tsx

@@ -11,7 +11,7 @@
 
 import type { ComponentType, ReactNode } from "react";
 import { LoginScreen, type LoginScreenProps } from "./login-screen";
-import { useSession } from "./session";
+import { SessionProvider, useSession } from "./session";
 
 export function makeAuthGate(
   LoginComponent: ComponentType<LoginScreenProps> = LoginScreen,
@@ -31,3 +31,22 @@ export function makeAuthGate(
   }
   return AuthGate;
 }
+
+/** SessionProvider + AuthGate als ein Gate — damit öffentliche Gates davor
+ *  (z.B. /rechner) den Session-Bootstrap nicht mounten. createKumikoApp
+ *  stackt providers außerhalb aller gates; SessionProvider darf deshalb
+ *  kein provider mehr sein. */
+export function makeSessionAuthGate(
+  LoginComponent: ComponentType<LoginScreenProps> = LoginScreen,
+  loginProps?: LoginScreenProps,
+): ComponentType<{ children: ReactNode }> {
+  const AuthGate = makeAuthGate(LoginComponent, loginProps);
+  function SessionAuthGate({ children }: { readonly children: ReactNode }): ReactNode {
+    return (
+      <SessionProvider>
+        <AuthGate>{children}</AuthGate>
+      </SessionProvider>
+    );
+  }
+  return SessionAuthGate;
+}

package/src/auth-email-password/web/client-plugin.ts

@@ -8,9 +8,8 @@
 import type { TranslationsByLocale } from "@cosmicdrift/kumiko-renderer";
 import type { ComponentType, ReactNode } from "react";
 import { defaultTranslations, mergeTranslations } from "../i18n";
-import { makeAuthGate } from "./auth-gate";
+import { makeSessionAuthGate } from "./auth-gate";
 import type { LoginScreenProps } from "./login-screen";
-import { SessionProvider } from "./session";
 
 export type EmailPasswordClientOptions = {
   /** Eigener Login-Screen. Default: der shadcn-stylte LoginScreen
@@ -41,8 +40,8 @@ export function emailPasswordClient(
   const translations = mergeTranslations(defaultTranslations, options.translations ?? {});
   return {
     name: "auth-email-password",
-    providers: [SessionProvider],
-    gates: [makeAuthGate(options.loginScreen, options.loginScreenProps)],
+    providers: [],
+    gates: [makeSessionAuthGate(options.loginScreen, options.loginScreenProps)],
     translations,
   };
 }

package/src/auth-email-password/web/index.ts

@@ -26,7 +26,7 @@ export {
 } from "./auth-client";
 export type { AuthShellRenderer } from "./auth-form-primitives";
 export { AuthShellProvider, useAuthShell } from "./auth-form-primitives";
-export { makeAuthGate } from "./auth-gate";
+export { makeAuthGate, makeSessionAuthGate } from "./auth-gate";
 export type {
   EmailPasswordClientFeature,
   EmailPasswordClientOptions,
@@ -43,7 +43,7 @@ export { LoginScreen } from "./login-screen";
 export type { ResetPasswordScreenProps } from "./reset-password-screen";
 export { ResetPasswordScreen } from "./reset-password-screen";
 export type { SessionApi, SessionState, SessionStatus } from "./session";
-export { SessionContext, SessionProvider, useSession } from "./session";
+export { hasLikelyAuthSession, SessionContext, SessionProvider, useSession } from "./session";
 export type { SignupCompleteScreenProps } from "./signup-complete-screen";
 export { SignupCompleteScreen } from "./signup-complete-screen";
 export type { SignupScreenProps } from "./signup-screen";

package/src/auth-email-password/web/session.tsx

@@ -9,6 +9,7 @@
 // unter `<SessionProvider>`; der `useSession()`-Hook liefert den State
 // und die Transitions.
 
+import { readCsrfToken } from "@cosmicdrift/kumiko-dispatcher-live";
 import { createContext, type ReactNode, useCallback, useContext, useEffect, useState } from "react";
 import {
   type CurrentUserProfile,
@@ -43,6 +44,14 @@ export type SessionApi = SessionState & {
   readonly switchTenant: (tenantId: string) => Promise<void>;
 };
 
+const UNAUTHENTICATED: SessionState = {
+  status: "unauthenticated",
+  user: null,
+  activeTenantId: null,
+  tenants: [],
+  roles: [],
+};
+
 const INITIAL: SessionState = {
   status: "loading",
   user: null,
@@ -51,6 +60,11 @@ const INITIAL: SessionState = {
   roles: [],
 };
 
+// kumiko_auth ist HttpOnly — kumiko_csrf wird beim Login gemeinsam gesetzt.
+export function hasLikelyAuthSession(cookieSource?: string): boolean {
+  return readCsrfToken(cookieSource) !== undefined;
+}
+
 // Exported damit tests den merge-pfad direkt pinnen können — der hier
 // muss byte-identisch zum server-side merge in auth-routes.ts +
 // login.write.ts sein, sonst sieht der Client andere session-rollen
@@ -76,27 +90,18 @@ export function computeActiveRoles(
 export const SessionContext = createContext<SessionApi | undefined>(undefined);
 
 // Eine Refresh-Runde: /auth/tenants → wenn 401 nicht-eingeloggt, sonst
-// parallel /user:me. Beides zusammen ergibt den vollen SessionState.
+// /user:me. Beides zusammen ergibt den vollen SessionState.
 async function refresh(): Promise<SessionState> {
+  if (!hasLikelyAuthSession()) {
+    return UNAUTHENTICATED;
+  }
   const tenants = await fetchTenants();
   if (tenants === null) {
-    return {
-      status: "unauthenticated",
-      user: null,
-      activeTenantId: null,
-      tenants: [],
-      roles: [],
-    };
+    return UNAUTHENTICATED;
   }
   const user = await fetchCurrentUser();
   if (user === null) {
-    return {
-      status: "unauthenticated",
-      user: null,
-      activeTenantId: null,
-      tenants: [],
-      roles: [],
-    };
+    return UNAUTHENTICATED;
   }
   return {
     status: "authenticated",
@@ -131,13 +136,7 @@ export function SessionProvider({ children }: { readonly children: ReactNode }):
 
   const logout = useCallback<SessionApi["logout"]>(async () => {
     await logoutApi();
-    setState({
-      status: "unauthenticated",
-      user: null,
-      activeTenantId: null,
-      tenants: [],
-      roles: [],
-    });
+    setState(UNAUTHENTICATED);
     // Hard-Reload: React-Tree, dispatcher-live-Caches, EventSource —
     // alles fliegt auf Null. Nach Logout ist das der billigste Weg zu
     // sauberer Ausgangslage, ohne dass wir jeden einzelnen Consumer

package/src/legal-pages/__tests__/legal-pages.integration.test.ts

@@ -161,9 +161,20 @@ describe("legal-pages :: edge-cases", () => {
 });
 
 describe("legal-pages :: cache-control", () => {
-  test("sets public cache header for 5min", async () => {
+  test("sets revalidate cache header + etag", async () => {
     const res = await stack.app.request("/legal/impressum");
-    expect(res.headers.get("cache-control")).toBe("public, max-age=300");
+    expect(res.headers.get("cache-control")).toBe("public, max-age=0, must-revalidate");
+    expect(res.headers.get("etag")).toBeTruthy();
+  });
+
+  test("If-None-Match → 304 when content unchanged", async () => {
+    const first = await stack.app.request("/legal/impressum");
+    const etag = first.headers.get("etag");
+    expect(etag).toBeTruthy();
+    const second = await stack.app.request("/legal/impressum", {
+      headers: { "if-none-match": etag ?? "" },
+    });
+    expect(second.status).toBe(304);
   });
 });
 

package/src/legal-pages/feature.ts

@@ -2,14 +2,15 @@ import {
   requireTextContent,
   type TextContentApi,
 } from "@cosmicdrift/kumiko-bundled-features/text-content";
+import { computeRevisionEtag } from "@cosmicdrift/kumiko-framework/api";
 import {
   defineFeature,
   type FeatureDefinition,
   SYSTEM_TENANT_ID,
 } from "@cosmicdrift/kumiko-framework/engine";
+import { cachedSecurePageResponse } from "../page-render";
 import { LEGAL_REQUIRED_BLOCKS, LEGAL_ROUTES } from "./constants";
 import { renderMarkdownToHtml, wrapInLayout } from "./markdown";
-import { securePageHeaders } from "./security-headers";
 
 // QN-Konstante als dokumentierter Public-Contract des text-content-
 // Features. Ein magic-string statt eines Code-Imports ist hier explizit
@@ -22,7 +23,7 @@ const TEXT_CONTENT_BY_SLUG_QN = "text-content:query:by-slug";
 
 // Wire-Body-Shape von /api/query — das, was bySlugQuery returnt.
 type ByslugQueryBody = {
-  data: { title: string; body: string | null } | null;
+  data: { title: string; body: string | null; updatedAt: string } | null;
 };
 
 // legal-pages — Opt-in-Wrapper um text-content für DACH-Compliance.
@@ -113,20 +114,32 @@ export function createLegalPagesFeature(opts: LegalPagesOptions = {}): FeatureDe
             );
           }
 
+          const etag = computeRevisionEtag([
+            SYSTEM_TENANT_ID,
+            route.slug,
+            route.lang,
+            data.updatedAt,
+          ]);
+          const notModified = cachedSecurePageResponse(c.req.raw, {
+            body: null,
+            etag,
+            cache: { kind: "revalidate" },
+            extra: { "content-type": "text/html; charset=utf-8" },
+          });
+          if (notModified.status === 304) return notModified;
+
           const html = wrapLayout({
             title: data.title || route.titleFallback,
             bodyHtml: renderMarkdownToHtml(data.body),
             lang: route.lang,
           });
 
-          return c.body(
-            html,
-            200,
-            securePageHeaders({
-              "content-type": "text/html; charset=utf-8",
-              "cache-control": "public, max-age=300",
-            }),
-          );
+          return cachedSecurePageResponse(c.req.raw, {
+            body: html,
+            etag,
+            cache: { kind: "revalidate" },
+            extra: { "content-type": "text/html; charset=utf-8" },
+          });
         },
       });
     }

package/src/managed-pages/__tests__/managed-pages.integration.test.ts

@@ -142,13 +142,24 @@ describe("managed-pages :: Cross-Tenant-Isolation", () => {
 });
 
 describe("managed-pages :: Cache + Security-Header", () => {
-  test("Vary: Host + CSP/Hardening-Header", async () => {
+  test("Vary: Host + CSP/Hardening-Header + revalidate cache", async () => {
     const res = await stack.app.request("http://a.example.com/p/about");
     expect(res.headers.get("vary")).toBe("Host");
-    expect(res.headers.get("cache-control")).toBe("public, max-age=300");
+    expect(res.headers.get("cache-control")).toBe("public, max-age=0, must-revalidate");
+    expect(res.headers.get("etag")).toBeTruthy();
     expect(res.headers.get("content-security-policy")).toContain("script-src 'none'");
     expect(res.headers.get("x-content-type-options")).toBe("nosniff");
   });
+
+  test("If-None-Match → 304 when page unchanged", async () => {
+    const first = await stack.app.request("http://a.example.com/p/about");
+    const etag = first.headers.get("etag");
+    expect(etag).toBeTruthy();
+    const second = await stack.app.request("http://a.example.com/p/about", {
+      headers: { "if-none-match": etag ?? "" },
+    });
+    expect(second.status).toBe(304);
+  });
 });
 
 describe("managed-pages :: XSS-Härtung", () => {

package/src/managed-pages/feature.ts

@@ -1,3 +1,4 @@
+import { computeRevisionEtag } from "@cosmicdrift/kumiko-framework/api";
 import {
   defineEntityCreateHandler,
   defineEntityDeleteHandler,
@@ -9,9 +10,9 @@ import {
 } from "@cosmicdrift/kumiko-framework/engine";
 import {
   type BrandingTokens,
+  cachedSecurePageResponse,
   EMPTY_BRANDING,
   renderSafeMarkdown,
-  securePageHeaders,
   wrapInLayout,
 } from "../page-render";
 import { BRANDING_KEYS, BRANDING_QUERY_QN, CUSTOM_CSS_KEY, coerceBranding } from "./branding";
@@ -40,9 +41,23 @@ type ByslugQueryBody = {
     lang: string;
     description: string | null;
     ogImage: string | null;
+    version: number;
+    updatedAt: string;
   } | null;
 };
 
+function brandingRevisionSeed(branding: BrandingTokens): string {
+  return JSON.stringify([
+    branding.title,
+    branding.description,
+    branding.siteUrl,
+    branding.accentColor,
+    branding.logoUrl,
+    branding.layoutPreset,
+    branding.customCss,
+  ]);
+}
+
 // Parse the branding query's `{ data }` envelope into BrandingTokens, never
 // throwing: a non-ok status or malformed body degrades to the unbranded
 // default (branding is decoration, not a hard dependency of the page render).
@@ -221,6 +236,26 @@ export function createManagedPagesFeature(opts: ManagedPagesOptions): FeatureDef
 
         const branding = await readBrandingResponse(brandingRes);
 
+        const etag = computeRevisionEtag([
+          tenantId,
+          slug,
+          lang,
+          String(data.version),
+          data.updatedAt,
+          brandingRevisionSeed(branding),
+        ]);
+        const pageHeaders = {
+          "content-type": "text/html; charset=utf-8",
+          vary: "Host",
+        } as const;
+        const notModified = cachedSecurePageResponse(c.req.raw, {
+          body: null,
+          etag,
+          cache: { kind: "revalidate" },
+          extra: pageHeaders,
+        });
+        if (notModified.status === 304) return notModified;
+
         const html = wrapLayout({
           title: data.title,
           bodyHtml: renderSafeMarkdown(data.body),
@@ -231,18 +266,12 @@ export function createManagedPagesFeature(opts: ManagedPagesOptions): FeatureDef
           branding,
         });
 
-        // Vary: Host — per-Tenant-Content darf nicht von einem shared CDN
-        // nur unter dem Pfad gecached werden (sonst Tenant A's Page auf
-        // Tenant B's Domain). Cache keyed mit auf den Host.
-        return c.body(
-          html,
-          200,
-          securePageHeaders({
-            "content-type": "text/html; charset=utf-8",
-            "cache-control": "public, max-age=300",
-            vary: "Host",
-          }),
-        );
+        return cachedSecurePageResponse(c.req.raw, {
+          body: html,
+          etag,
+          cache: { kind: "revalidate" },
+          extra: pageHeaders,
+        });
       },
     });
 

package/src/managed-pages/handlers/by-slug.query.ts

@@ -30,6 +30,8 @@ export const bySlugQuery = defineQueryHandler({
       body: row.body,
       description: row.description,
       ogImage: row.ogImage,
+      version: row.version,
+      updatedAt: row.updatedAt,
     };
   },
 });

package/src/page-render/cached-page-response.ts

@@ -0,0 +1,25 @@
+import { type CachePolicy, cachedResponse } from "@cosmicdrift/kumiko-framework/api";
+import { securePageHeaders } from "./security-headers";
+
+export type CachedSecurePageResponseInit = {
+  readonly body: BodyInit | null;
+  readonly status?: number;
+  readonly etag: string;
+  readonly cache: CachePolicy;
+  readonly extra?: Record<string, string>;
+  readonly lastModified?: Date;
+};
+
+export function cachedSecurePageResponse(
+  req: Request,
+  init: CachedSecurePageResponseInit,
+): Response {
+  return cachedResponse(req, {
+    body: init.body,
+    status: init.status,
+    etag: init.etag,
+    cache: init.cache,
+    lastModified: init.lastModified,
+    headers: securePageHeaders(init.extra ?? {}),
+  });
+}

package/src/page-render/index.ts

@@ -7,6 +7,10 @@ export {
   isSafeHttpsUrl,
   layoutMaxWidth,
 } from "./branding";
+export {
+  type CachedSecurePageResponseInit,
+  cachedSecurePageResponse,
+} from "./cached-page-response";
 export { sanitizeTenantCss } from "./css-sanitize";
 export { TENANT_CONTENT_ATTR, tenantStyleBlock, wrapInLayout } from "./layout";
 export { renderSafeMarkdown } from "./markdown";