npm - @decocms/start - Versions diffs - 0.35.1 → 0.36.1 - Mend

@decocms/start 0.35.1 → 0.36.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@decocms/start",
-  "version": "0.35.1",
+  "version": "0.36.1",
   "type": "module",
   "description": "Deco framework for TanStack Start - CMS bridge, admin protocol, hooks, schema generation",
   "main": "./src/index.ts",
@@ -21,6 +21,7 @@
     "./sdk/cachedLoader": "./src/sdk/cachedLoader.ts",
     "./sdk/serverTimings": "./src/sdk/serverTimings.ts",
     "./sdk/cacheHeaders": "./src/sdk/cacheHeaders.ts",
+    "./sdk/crypto": "./src/sdk/crypto.ts",
     "./sdk/invoke": "./src/sdk/invoke.ts",
     "./sdk/instrumentedFetch": "./src/sdk/instrumentedFetch.ts",
     "./sdk/workerEntry": "./src/sdk/workerEntry.ts",

package/src/apps/autoconfig.ts CHANGED Viewed

@@ -1,9 +1,13 @@
 /**
  * Auto-configures known apps from CMS blocks.
  *
- * Scans the decofile for known app block keys (e.g. "deco-resend") and:
- * 1. Configures the app client with CMS-provided credentials
- * 2. Registers invoke handlers so `invoke.app.actions.*` works via the proxy
+ * Scans the decofile for block keys matching known apps and dynamically imports
+ * their `mod.ts` from @decocms/apps. Each app mod exports:
+ * - `configure(blockData, resolveSecret)` → configures the app client
+ * - `handlers` → record of invoke handler keys → handler functions
+ *
+ * Zero hardcoded app logic in the framework — all app-specific code lives in
+ * @decocms/apps/{app}/mod.ts.
  *
  * Usage in setup.ts:
  *   import { autoconfigApps } from "@decocms/start/apps/autoconfig";
@@ -13,57 +17,85 @@
 import { setInvokeActions, type InvokeAction } from "../admin/invoke";
 import { onChange } from "../cms/loader";
+import { resolveSecret } from "../sdk/crypto";
+// ---------------------------------------------------------------------------
+// Block key → @decocms/apps module mapping
+// ---------------------------------------------------------------------------
+/**
+ * Maps CMS block keys (e.g. "deco-resend") to their @decocms/apps module path.
+ * To add a new app, just add an entry here — no other code changes needed.
+ */
+const BLOCK_TO_APP: Record<string, string> = {
+	"deco-resend": "resend",
+	// "deco-analytics": "analytics",
+	// "deco-shopify": "shopify",
+	// "deco-vtex": "vtex",
+};
 // ---------------------------------------------------------------------------
-// Known app block keys → dynamic import + configure
+// Generic app loader
 // ---------------------------------------------------------------------------
-interface AppAutoconfigurator {
-	/** Try to import, configure, and return invoke actions for this app */
-	(blockData: unknown): Promise<Record<string, InvokeAction>>;
+interface AppMod {
+	configure: (
+		blockData: unknown,
+		resolveSecret: (value: unknown, envKey: string) => Promise<string | null>,
+	) => Promise<boolean>;
+	handlers: Record<string, (props: any, request: Request) => Promise<any>>;
 }
-const KNOWN_APPS: Record<string, AppAutoconfigurator> = {
-	"deco-resend": async (block: any) => {
-		try {
-			const [resendClient, resendActions] = await Promise.all([
-				import("@decocms/apps/resend/client" as string),
-				import("@decocms/apps/resend/actions/send" as string),
-			]);
-			const { configureResend } = resendClient as { configureResend: (cfg: any) => void };
-			const { sendEmail } = resendActions as { sendEmail: (props: any) => Promise<any> };
-			const apiKey =
-				typeof block.apiKey === "string"
-					? block.apiKey
-					: block.apiKey?.get?.() ?? "";
-			if (!apiKey) return {};
-			configureResend({
-				apiKey,
-				emailFrom: block.emailFrom
-					? `${block.emailFrom.name || "Contact"} ${block.emailFrom.domain || "<onboarding@resend.dev>"}`
-					: undefined,
-				emailTo: block.emailTo,
-				subject: block.subject,
-			});
-			return {
-				"resend/actions/emails/send.ts": async (props: any) =>
-					sendEmail(props),
-			};
-		} catch {
-			// @decocms/apps not installed or doesn't have resend — skip
+async function loadAndConfigureApp(
+	blockKey: string,
+	appName: string,
+	blockData: unknown,
+): Promise<Record<string, InvokeAction>> {
+	try {
+		// Dynamic import of @decocms/apps/{appName}/mod
+		const mod: AppMod = await import(
+			/* @vite-ignore */ `@decocms/apps/${appName}/mod`
+		);
+		const ok = await mod.configure(blockData, resolveSecret);
+		if (!ok) {
+			console.warn(
+				`[autoconfig] ${blockKey}: configure() returned false.` +
+				` Set DECO_CRYPTO_KEY to decrypt CMS secrets, or set the app's env var fallback.`,
+			);
 			return {};
 		}
-	},
-};
+		console.log(`[autoconfig] ${blockKey}: configured (${Object.keys(mod.handlers).length} handlers)`);
+		return mod.handlers;
+	} catch (e) {
+		// @decocms/apps not installed or app module doesn't exist — skip silently
+		if ((e as any)?.code === "ERR_MODULE_NOT_FOUND" || (e as any)?.message?.includes("Cannot find")) {
+			return {};
+		}
+		console.warn(`[autoconfig] ${blockKey}:`, e);
+		return {};
+	}
+}
 // ---------------------------------------------------------------------------
 // Main
 // ---------------------------------------------------------------------------
+async function configureAll(blocks: Record<string, unknown>): Promise<Record<string, InvokeAction>> {
+	const actions: Record<string, InvokeAction> = {};
+	for (const [blockKey, appName] of Object.entries(BLOCK_TO_APP)) {
+		const block = blocks[blockKey];
+		if (!block) continue;
+		const appActions = await loadAndConfigureApp(blockKey, appName, block);
+		Object.assign(actions, appActions);
+	}
+	return actions;
+}
 /**
  * Auto-configure apps from CMS blocks.
  * Call in setup.ts after setBlocks(). Also re-runs on admin hot-reload.
@@ -71,19 +103,7 @@ const KNOWN_APPS: Record<string, AppAutoconfigurator> = {
 export async function autoconfigApps(blocks: Record<string, unknown>) {
 	if (typeof document !== "undefined") return; // server-only
-	const actions: Record<string, InvokeAction> = {};
-	for (const [blockKey, configurator] of Object.entries(KNOWN_APPS)) {
-		const block = blocks[blockKey];
-		if (!block) continue;
-		try {
-			const appActions = await configurator(block);
-			Object.assign(actions, appActions);
-		} catch (e) {
-			console.warn(`[autoconfig] ${blockKey}:`, e);
-		}
-	}
+	const actions = await configureAll(blocks);
 	if (Object.keys(actions).length > 0) {
 		setInvokeActions(() => ({ ...actions }));
@@ -92,14 +112,7 @@ export async function autoconfigApps(blocks: Record<string, unknown>) {
 	// Re-configure on admin hot-reload
 	onChange(async (newBlocks) => {
 		if (typeof document !== "undefined") return;
-		const updatedActions: Record<string, InvokeAction> = {};
-		for (const [blockKey, configurator] of Object.entries(KNOWN_APPS)) {
-			const block = newBlocks[blockKey];
-			if (!block) continue;
-			try {
-				Object.assign(updatedActions, await configurator(block));
-			} catch {}
-		}
+		const updatedActions = await configureAll(newBlocks);
 		if (Object.keys(updatedActions).length > 0) {
 			setInvokeActions(() => ({ ...updatedActions }));
 		}

package/src/sdk/crypto.ts ADDED Viewed

@@ -0,0 +1,150 @@
+/**
+ * Secret decryption for CMS encrypted values.
+ *
+ * CMS blocks store sensitive values (API keys, tokens) encrypted with AES-CBC.
+ * The encryption key is stored in the DECO_CRYPTO_KEY environment variable
+ * as a base64-encoded JSON: { key: number[], iv: number[] }
+ *
+ * Usage:
+ *   import { decryptSecret, resolveSecret } from "@decocms/start/sdk/crypto";
+ *
+ *   // Decrypt a hex-encoded encrypted string
+ *   const apiKey = await decryptSecret("888fafd937dd...");
+ *
+ *   // Or resolve a CMS secret block (handles all formats)
+ *   const apiKey = await resolveSecret(block.apiKey, "RESEND_API_KEY");
+ */
+const textDecoder = new TextDecoder();
+const textEncoder = new TextEncoder();
+// Cache the imported key
+let cachedKey: Promise<{ key: CryptoKey; iv: Uint8Array }> | null = null;
+function hexToBytes(hex: string): Uint8Array {
+	const bytes = new Uint8Array(hex.length / 2);
+	for (let i = 0; i < hex.length; i += 2) {
+		bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+	}
+	return bytes;
+}
+/**
+ * Get the AES key from DECO_CRYPTO_KEY environment variable.
+ * Returns null if not set.
+ */
+function getKeyFromEnv(): Promise<{ key: CryptoKey; iv: Uint8Array }> | null {
+	const envKey = process.env.DECO_CRYPTO_KEY;
+	if (!envKey) return null;
+	return cachedKey ??= (async () => {
+		const parsed = JSON.parse(atob(envKey));
+		const keyBytes = new Uint8Array(
+			Array.isArray(parsed.key) ? parsed.key : Object.values(parsed.key),
+		);
+		const iv = new Uint8Array(
+			Array.isArray(parsed.iv) ? parsed.iv : Object.values(parsed.iv),
+		);
+		const importedKey = await crypto.subtle.importKey(
+			"raw",
+			keyBytes.buffer,
+			"AES-CBC",
+			false,
+			["decrypt"],
+		);
+		return { key: importedKey, iv };
+	})();
+}
+/**
+ * Check if the crypto key is available.
+ */
+export function hasCryptoKey(): boolean {
+	return !!process.env.DECO_CRYPTO_KEY;
+}
+/**
+ * Decrypt a hex-encoded AES-CBC encrypted string.
+ * Requires DECO_CRYPTO_KEY environment variable.
+ *
+ * @returns The decrypted string, or null if decryption fails.
+ */
+export async function decryptSecret(encryptedHex: string): Promise<string | null> {
+	const keyPromise = getKeyFromEnv();
+	if (!keyPromise) {
+		return null;
+	}
+	try {
+		const { key, iv } = await keyPromise;
+		const encryptedBytes = hexToBytes(encryptedHex);
+		const decrypted = await crypto.subtle.decrypt(
+			{ name: "AES-CBC", iv } as AesCbcParams,
+			key,
+			encryptedBytes as unknown as BufferSource,
+		);
+		return textDecoder.decode(new Uint8Array(decrypted));
+	} catch (e) {
+		console.warn("[crypto] Failed to decrypt secret:", (e as Error).message);
+		return null;
+	}
+}
+// In-memory cache for resolved secrets
+const secretCache = new Map<string, string | null>();
+/**
+ * Resolve a CMS secret value from multiple sources.
+ *
+ * Resolution order:
+ * 1. Plain string → use directly
+ * 2. Object with .get() → call .get() (old Secret loader pattern)
+ * 3. Object with .encrypted → decrypt using DECO_CRYPTO_KEY
+ * 4. Environment variable (envVarName) → fallback
+ *
+ * @param value - The secret value from CMS block (string | { encrypted } | { get })
+ * @param envVarName - Optional env var name to use as fallback (e.g. "RESEND_API_KEY")
+ * @returns The resolved secret string, or null if not available
+ */
+export async function resolveSecret(
+	value: unknown,
+	envVarName?: string,
+): Promise<string | null> {
+	// 1. Plain string
+	if (typeof value === "string" && value.length > 0) {
+		return value;
+	}
+	if (value && typeof value === "object") {
+		const obj = value as Record<string, any>;
+		// 2. Secret object with .get()
+		if (typeof obj.get === "function") {
+			const result = obj.get();
+			if (typeof result === "string" && result.length > 0) return result;
+		}
+		// 3. Encrypted secret
+		if (typeof obj.encrypted === "string" && obj.encrypted.length > 0) {
+			const cacheKey = obj.encrypted;
+			if (secretCache.has(cacheKey)) return secretCache.get(cacheKey)!;
+			const decrypted = await decryptSecret(obj.encrypted);
+			// Only cache successful decryptions — null would block env var fallback
+			if (decrypted) {
+				secretCache.set(cacheKey, decrypted);
+				return decrypted;
+			}
+		}
+	}
+	// 4. Environment variable fallback
+	if (envVarName) {
+		const envValue = process.env[envVarName];
+		if (envValue) return envValue;
+	}
+	return null;
+}