@digiko-npm/cms 0.1.0

package/dist/session/index.js

@@ -0,0 +1,83 @@
+// src/session/store.ts
+import { Redis } from "@upstash/redis";
+var DEFAULT_SESSION_DURATION = 24 * 60 * 60 * 1e3;
+function createSessionStore(config) {
+  const redis = new Redis({
+    url: config.redisUrl,
+    token: config.redisToken
+  });
+  const sessionKey = (token) => `${config.keyPrefix}session:${token}`;
+  return {
+    async addSession(token, session) {
+      const ttlMs = session.expiresAt - Date.now();
+      const ttlSeconds = Math.max(Math.ceil(ttlMs / 1e3), 1);
+      await redis.set(sessionKey(token), JSON.stringify(session), { ex: ttlSeconds });
+    },
+    async getSession(token) {
+      const data = await redis.get(sessionKey(token));
+      if (!data) return void 0;
+      const session = typeof data === "string" ? JSON.parse(data) : data;
+      if (Date.now() > session.expiresAt) {
+        await redis.del(sessionKey(token));
+        return void 0;
+      }
+      return session;
+    },
+    async removeSession(token) {
+      const result = await redis.del(sessionKey(token));
+      return result > 0;
+    }
+  };
+}
+function getDefaultSessionDuration() {
+  return DEFAULT_SESSION_DURATION;
+}
+
+// src/session/rate-limit.ts
+import { Redis as Redis2 } from "@upstash/redis";
+var DEFAULTS = {
+  maxAttempts: 10,
+  windowMs: 15 * 60 * 1e3
+  // 15 minutes
+};
+function createRateLimiter(config) {
+  const redis = new Redis2({
+    url: config.redisUrl,
+    token: config.redisToken
+  });
+  const maxAttempts = config.maxAttempts ?? DEFAULTS.maxAttempts;
+  const windowMs = config.windowMs ?? DEFAULTS.windowMs;
+  const rateLimitKey = (key) => `${config.keyPrefix}ratelimit:${key}`;
+  return {
+    async check(key) {
+      const now = Date.now();
+      const redisKey = rateLimitKey(key);
+      const data = await redis.get(redisKey);
+      let entry = null;
+      if (data) {
+        entry = typeof data === "string" ? JSON.parse(data) : data;
+        if (entry && now > entry.resetAt) entry = null;
+      }
+      if (!entry) {
+        const newEntry = { count: 1, resetAt: now + windowMs };
+        await redis.set(redisKey, JSON.stringify(newEntry), { ex: Math.ceil(windowMs / 1e3) });
+        return { allowed: true, remaining: maxAttempts - 1 };
+      }
+      if (entry.count >= maxAttempts) {
+        return { allowed: false, remaining: 0, retryAfterMs: entry.resetAt - now };
+      }
+      entry.count++;
+      const ttlSeconds = Math.max(Math.ceil((entry.resetAt - now) / 1e3), 1);
+      await redis.set(redisKey, JSON.stringify(entry), { ex: ttlSeconds });
+      return { allowed: true, remaining: maxAttempts - entry.count };
+    },
+    async reset(key) {
+      await redis.del(rateLimitKey(key));
+    }
+  };
+}
+export {
+  createRateLimiter,
+  createSessionStore,
+  getDefaultSessionDuration
+};

package/dist/supabase/index.d.ts

@@ -0,0 +1,21 @@
+import { SupabaseClient } from '@supabase/supabase-js';
+import { c as SupabaseConfig } from '../config-qNdTlg1g.js';
+
+/**
+ * Browser-side Supabase client with anon key.
+ * Respects RLS — only reads published content.
+ */
+declare function createBrowserClient(config: SupabaseConfig): SupabaseClient;
+
+/**
+ * Server-side Supabase client with service role key.
+ * Bypasses RLS — full read/write access.
+ */
+declare function createAdminClient(config: SupabaseConfig): SupabaseClient;
+/**
+ * Server-side Supabase client with anon key.
+ * Respects RLS — safe for public data fetching.
+ */
+declare function createPublicClient(config: SupabaseConfig): SupabaseClient;
+
+export { createAdminClient, createBrowserClient, createPublicClient };

package/dist/supabase/index.js

@@ -0,0 +1,22 @@
+// src/supabase/client.ts
+import { createClient } from "@supabase/supabase-js";
+function createBrowserClient(config) {
+  return createClient(config.url, config.anonKey);
+}
+
+// src/supabase/server.ts
+import { createClient as createClient2 } from "@supabase/supabase-js";
+function createAdminClient(config) {
+  if (!config.serviceRoleKey) {
+    throw new Error("@digiko-npm/cms: serviceRoleKey is required for createAdminClient");
+  }
+  return createClient2(config.url, config.serviceRoleKey);
+}
+function createPublicClient(config) {
+  return createClient2(config.url, config.anonKey);
+}
+export {
+  createAdminClient,
+  createBrowserClient,
+  createPublicClient
+};

package/dist/types/index.d.ts

@@ -0,0 +1,3 @@
+export { A as AuthConfig, R as R2Config, a as RateLimiterConfig, b as RequestVerifierConfig, S as SessionStoreConfig, c as SupabaseConfig, U as UploadConfig } from '../config-qNdTlg1g.js';
+export { M as MediaInsert, a as MediaRecord, b as MediaUpdate } from '../media-ExBfXePZ.js';
+export { A as AuthResult, R as RateLimitResult, S as Session, V as VerifyResult } from '../auth-C8Nq_GmD.js';

package/package.json

@@ -0,0 +1,101 @@
+{
+  "name": "@digiko-npm/cms",
+  "version": "0.1.0",
+  "description": "Reusable CMS utilities — Supabase, Cloudflare R2, auth, sessions.",
+  "type": "module",
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    },
+    "./supabase": {
+      "import": "./dist/supabase/index.js",
+      "types": "./dist/supabase/index.d.ts"
+    },
+    "./r2": {
+      "import": "./dist/r2/index.js",
+      "types": "./dist/r2/index.d.ts"
+    },
+    "./auth": {
+      "import": "./dist/auth/index.js",
+      "types": "./dist/auth/index.d.ts"
+    },
+    "./session": {
+      "import": "./dist/session/index.js",
+      "types": "./dist/session/index.d.ts"
+    },
+    "./next": {
+      "import": "./dist/next/index.js",
+      "types": "./dist/next/index.d.ts"
+    },
+    "./http": {
+      "import": "./dist/http/index.js",
+      "types": "./dist/http/index.d.ts"
+    },
+    "./types": {
+      "import": "./dist/types/index.js",
+      "types": "./dist/types/index.d.ts"
+    }
+  },
+  "files": [
+    "dist/",
+    "src/"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "type-check": "tsc --noEmit",
+    "lint": "eslint src/",
+    "clean": "rm -rf dist",
+    "prepublishOnly": "npm run build"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "peerDependencies": {
+    "@supabase/supabase-js": "^2.0.0",
+    "@aws-sdk/client-s3": "^3.0.0",
+    "@aws-sdk/s3-request-presigner": "^3.0.0",
+    "@upstash/redis": "^1.0.0",
+    "next": ">=14.0.0"
+  },
+  "peerDependenciesMeta": {
+    "@aws-sdk/client-s3": {
+      "optional": true
+    },
+    "@aws-sdk/s3-request-presigner": {
+      "optional": true
+    },
+    "@upstash/redis": {
+      "optional": true
+    },
+    "next": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@supabase/supabase-js": "^2.95.0",
+    "@aws-sdk/client-s3": "^3.986.0",
+    "@aws-sdk/s3-request-presigner": "^3.986.0",
+    "@upstash/redis": "^1.36.0",
+    "@types/node": "^20",
+    "next": "16.1.6",
+    "tsup": "^8.0.0",
+    "typescript": "^5"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/digiko-dev/cms.git"
+  },
+  "license": "MIT",
+  "keywords": [
+    "cms",
+    "supabase",
+    "cloudflare-r2",
+    "admin",
+    "auth"
+  ]
+}

package/src/auth/index.ts

@@ -0,0 +1,2 @@
+export { hashPassword, verifyPassword } from './password'
+export { generateSessionToken } from './token'

package/src/auth/password.ts

@@ -0,0 +1,48 @@
+import crypto from 'crypto'
+import type { AuthConfig } from '../types/config'
+
+const DEFAULTS = {
+  iterations: 100_000,
+  keyLength: 64,
+  digest: 'sha512',
+} as const
+
+/**
+ * Hash a password using PBKDF2.
+ * Returns a hex-encoded hash string.
+ */
+export function hashPassword(
+  password: string,
+  salt: string,
+  config?: AuthConfig['pbkdf2']
+): string {
+  const iterations = config?.iterations ?? DEFAULTS.iterations
+  const keyLength = config?.keyLength ?? DEFAULTS.keyLength
+  const digest = config?.digest ?? DEFAULTS.digest
+
+  return crypto
+    .pbkdf2Sync(password, salt, iterations, keyLength, digest)
+    .toString('hex')
+}
+
+/**
+ * Verify a password against a stored hash using timing-safe comparison.
+ * Returns true if the password matches.
+ */
+export function verifyPassword(
+  password: string,
+  salt: string,
+  storedHash: string,
+  config?: AuthConfig['pbkdf2']
+): boolean {
+  const inputHash = hashPassword(password, salt, config)
+
+  const storedBuffer = Buffer.from(storedHash, 'hex')
+  const inputBuffer = Buffer.from(inputHash, 'hex')
+
+  if (storedBuffer.length !== inputBuffer.length) {
+    return false
+  }
+
+  return crypto.timingSafeEqual(storedBuffer, inputBuffer)
+}

package/src/auth/token.ts

@@ -0,0 +1,11 @@
+import crypto from 'crypto'
+
+const DEFAULT_TOKEN_BYTES = 32
+
+/**
+ * Generate a cryptographically secure session token.
+ * Returns a hex string (default: 64 characters from 32 bytes).
+ */
+export function generateSessionToken(bytes?: number): string {
+  return crypto.randomBytes(bytes ?? DEFAULT_TOKEN_BYTES).toString('hex')
+}

package/src/http/index.ts

@@ -0,0 +1 @@
+export { HTTP_STATUS, type HttpStatus } from './status'

package/src/http/status.ts

@@ -0,0 +1,14 @@
+export const HTTP_STATUS = {
+  OK: 200,
+  CREATED: 201,
+  NO_CONTENT: 204,
+  BAD_REQUEST: 400,
+  UNAUTHORIZED: 401,
+  FORBIDDEN: 403,
+  NOT_FOUND: 404,
+  CONFLICT: 409,
+  TOO_MANY_REQUESTS: 429,
+  INTERNAL_ERROR: 500,
+} as const
+
+export type HttpStatus = (typeof HTTP_STATUS)[keyof typeof HTTP_STATUS]

package/src/index.ts

@@ -0,0 +1,42 @@
+// Supabase
+export { createBrowserClient } from './supabase/client'
+export { createAdminClient, createPublicClient } from './supabase/server'
+
+// Cloudflare R2
+export { createR2Client, getR2Bucket, getR2PublicUrl } from './r2/client'
+export { uploadFile, type UploadOptions, type UploadResult } from './r2/upload'
+
+// Auth
+export { hashPassword, verifyPassword } from './auth/password'
+export { generateSessionToken } from './auth/token'
+
+// Sessions
+export { createSessionStore, getDefaultSessionDuration, type SessionStore } from './session/store'
+export { createRateLimiter, type RateLimiter } from './session/rate-limit'
+
+// HTTP
+export { HTTP_STATUS, type HttpStatus } from './http/status'
+
+// Types
+export type {
+  SupabaseConfig,
+  R2Config,
+  SessionStoreConfig,
+  RateLimiterConfig,
+  AuthConfig,
+  UploadConfig,
+  RequestVerifierConfig,
+} from './types/config'
+
+export type {
+  MediaRecord,
+  MediaInsert,
+  MediaUpdate,
+} from './types/media'
+
+export type {
+  Session,
+  AuthResult,
+  VerifyResult,
+  RateLimitResult,
+} from './types/auth'

package/src/next/index.ts

@@ -0,0 +1 @@
+export { createRequestVerifier } from './verify-request'

package/src/next/verify-request.ts

@@ -0,0 +1,54 @@
+import { NextRequest, NextResponse } from 'next/server'
+import type { RequestVerifierConfig } from '../types/config'
+import { HTTP_STATUS } from '../http/status'
+
+const DEFAULTS = {
+  cookieName: 'admin_session',
+  unauthorizedMessage: 'Unauthorized',
+  sessionExpiredMessage: 'Session expired',
+} as const
+
+type AuthSuccess = { authorized: true; token: string }
+type AuthFailure = { authorized: false; response: NextResponse }
+
+/**
+ * Create a request verifier for Next.js API routes.
+ * Extracts session token from cookie or Authorization header,
+ * then validates against the provided session store.
+ */
+export function createRequestVerifier(config: RequestVerifierConfig) {
+  const cookieName = config.cookieName ?? DEFAULTS.cookieName
+  const unauthorizedMsg = config.unauthorizedMessage ?? DEFAULTS.unauthorizedMessage
+  const sessionExpiredMsg = config.sessionExpiredMessage ?? DEFAULTS.sessionExpiredMessage
+
+  return async function verifyAdminRequest(
+    request: NextRequest
+  ): Promise<AuthSuccess | AuthFailure> {
+    const token =
+      request.cookies.get(cookieName)?.value ||
+      request.headers.get('Authorization')?.replace('Bearer ', '')
+
+    if (!token) {
+      return {
+        authorized: false,
+        response: NextResponse.json(
+          { error: unauthorizedMsg },
+          { status: HTTP_STATUS.UNAUTHORIZED }
+        ),
+      }
+    }
+
+    const session = await config.getSession(token)
+    if (!session) {
+      return {
+        authorized: false,
+        response: NextResponse.json(
+          { error: sessionExpiredMsg },
+          { status: HTTP_STATUS.UNAUTHORIZED }
+        ),
+      }
+    }
+
+    return { authorized: true, token }
+  }
+}

package/src/r2/client.ts

@@ -0,0 +1,28 @@
+import { S3Client } from '@aws-sdk/client-s3'
+import type { R2Config } from '../types/config'
+
+/**
+ * Create a Cloudflare R2 client (S3-compatible).
+ */
+export function createR2Client(config: R2Config): S3Client {
+  return new S3Client({
+    region: 'auto',
+    endpoint: `https://${config.accountId}.r2.cloudflarestorage.com`,
+    credentials: {
+      accessKeyId: config.accessKeyId,
+      secretAccessKey: config.secretAccessKey,
+    },
+    requestChecksumCalculation: 'WHEN_REQUIRED',
+    responseChecksumValidation: 'WHEN_REQUIRED',
+  })
+}
+
+/** Get the R2 bucket name from config */
+export function getR2Bucket(config: R2Config): string {
+  return config.bucketName
+}
+
+/** Get the R2 public URL from config */
+export function getR2PublicUrl(config: R2Config): string {
+  return config.publicUrl
+}

package/src/r2/index.ts

@@ -0,0 +1,2 @@
+export { createR2Client, getR2Bucket, getR2PublicUrl } from './client'
+export { uploadFile, type UploadOptions, type UploadResult } from './upload'

package/src/r2/upload.ts

@@ -0,0 +1,99 @@
+import type { UploadConfig } from '../types/config'
+import type { MediaRecord } from '../types/media'
+
+export interface UploadOptions {
+  file: File
+  folder?: string
+  onProgress?: (percent: number) => void
+}
+
+export interface UploadResult {
+  url: string
+  key: string
+  media: MediaRecord
+}
+
+/**
+ * Upload a file to R2 via presigned URL, then register in the DB.
+ *
+ * Flow:
+ * 1. POST to uploadEndpoint → get presigned PUT URL
+ * 2. PUT file directly to R2 (with progress tracking via XHR)
+ * 3. POST metadata to mediaEndpoint → register the upload
+ */
+export async function uploadFile(
+  config: UploadConfig,
+  { file, folder = 'media', onProgress }: UploadOptions
+): Promise<UploadResult> {
+  // 1. Get presigned URL
+  const presignRes = await fetch(config.uploadEndpoint, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      filename: file.name,
+      contentType: file.type,
+      folder,
+    }),
+  })
+
+  if (!presignRes.ok) {
+    throw new Error(`Failed to get upload URL: ${presignRes.status}`)
+  }
+
+  const { uploadUrl, publicUrl, key } = await presignRes.json()
+
+  // 2. Upload directly to R2 with progress
+  await uploadToR2(uploadUrl, file, file.type, onProgress)
+
+  // 3. Register in the database
+  const confirmRes = await fetch(config.mediaEndpoint, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      filename: key.split('/').pop(),
+      original_name: file.name,
+      mime_type: file.type,
+      size_bytes: file.size,
+      url: publicUrl,
+    }),
+  })
+
+  if (!confirmRes.ok) {
+    throw new Error(`Failed to register upload: ${confirmRes.status}`)
+  }
+
+  const media: MediaRecord = await confirmRes.json()
+  return { url: publicUrl, key, media }
+}
+
+function uploadToR2(
+  url: string,
+  file: File,
+  contentType: string,
+  onProgress?: (percent: number) => void
+): Promise<void> {
+  return new Promise((resolve, reject) => {
+    const xhr = new XMLHttpRequest()
+
+    xhr.upload.addEventListener('progress', (e) => {
+      if (e.lengthComputable && onProgress) {
+        onProgress(Math.round((e.loaded / e.total) * 100))
+      }
+    })
+
+    xhr.addEventListener('load', () => {
+      if (xhr.status >= 200 && xhr.status < 300) {
+        resolve()
+      } else {
+        reject(new Error(`Upload failed with status ${xhr.status}`))
+      }
+    })
+
+    xhr.addEventListener('error', () => reject(new Error('Upload failed')))
+    xhr.addEventListener('abort', () => reject(new Error('Upload aborted')))
+
+    xhr.open('PUT', url)
+    xhr.setRequestHeader('Content-Type', contentType)
+    xhr.send(file)
+  })
+}

package/src/session/index.ts

@@ -0,0 +1,2 @@
+export { createSessionStore, getDefaultSessionDuration, type SessionStore } from './store'
+export { createRateLimiter, type RateLimiter } from './rate-limit'

package/src/session/rate-limit.ts

@@ -0,0 +1,66 @@
+import { Redis } from '@upstash/redis'
+import type { RateLimiterConfig } from '../types/config'
+import type { RateLimitResult } from '../types/auth'
+
+const DEFAULTS = {
+  maxAttempts: 10,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+} as const
+
+interface RateLimitEntry {
+  count: number
+  resetAt: number
+}
+
+export interface RateLimiter {
+  check: (key: string) => Promise<RateLimitResult>
+  reset: (key: string) => Promise<void>
+}
+
+/**
+ * Create a Redis-backed sliding-window rate limiter.
+ * Keys are namespaced with the configured keyPrefix.
+ */
+export function createRateLimiter(config: RateLimiterConfig): RateLimiter {
+  const redis = new Redis({
+    url: config.redisUrl,
+    token: config.redisToken,
+  })
+
+  const maxAttempts = config.maxAttempts ?? DEFAULTS.maxAttempts
+  const windowMs = config.windowMs ?? DEFAULTS.windowMs
+  const rateLimitKey = (key: string) => `${config.keyPrefix}ratelimit:${key}`
+
+  return {
+    async check(key: string): Promise<RateLimitResult> {
+      const now = Date.now()
+      const redisKey = rateLimitKey(key)
+      const data = await redis.get<string>(redisKey)
+      let entry: RateLimitEntry | null = null
+
+      if (data) {
+        entry = typeof data === 'string' ? JSON.parse(data) : data
+        if (entry && now > entry.resetAt) entry = null
+      }
+
+      if (!entry) {
+        const newEntry: RateLimitEntry = { count: 1, resetAt: now + windowMs }
+        await redis.set(redisKey, JSON.stringify(newEntry), { ex: Math.ceil(windowMs / 1000) })
+        return { allowed: true, remaining: maxAttempts - 1 }
+      }
+
+      if (entry.count >= maxAttempts) {
+        return { allowed: false, remaining: 0, retryAfterMs: entry.resetAt - now }
+      }
+
+      entry.count++
+      const ttlSeconds = Math.max(Math.ceil((entry.resetAt - now) / 1000), 1)
+      await redis.set(redisKey, JSON.stringify(entry), { ex: ttlSeconds })
+      return { allowed: true, remaining: maxAttempts - entry.count }
+    },
+
+    async reset(key: string): Promise<void> {
+      await redis.del(rateLimitKey(key))
+    },
+  }
+}

package/src/session/store.ts

@@ -0,0 +1,56 @@
+import { Redis } from '@upstash/redis'
+import type { SessionStoreConfig } from '../types/config'
+import type { Session } from '../types/auth'
+
+const DEFAULT_SESSION_DURATION = 24 * 60 * 60 * 1000 // 24 hours
+
+export interface SessionStore {
+  addSession: (token: string, session: Session) => Promise<void>
+  getSession: (token: string) => Promise<Session | undefined>
+  removeSession: (token: string) => Promise<boolean>
+}
+
+/**
+ * Create a Redis-backed session store.
+ * All keys are namespaced with the configured keyPrefix.
+ */
+export function createSessionStore(config: SessionStoreConfig): SessionStore {
+  const redis = new Redis({
+    url: config.redisUrl,
+    token: config.redisToken,
+  })
+
+  const sessionKey = (token: string) => `${config.keyPrefix}session:${token}`
+
+  return {
+    async addSession(token: string, session: Session): Promise<void> {
+      const ttlMs = session.expiresAt - Date.now()
+      const ttlSeconds = Math.max(Math.ceil(ttlMs / 1000), 1)
+      await redis.set(sessionKey(token), JSON.stringify(session), { ex: ttlSeconds })
+    },
+
+    async getSession(token: string): Promise<Session | undefined> {
+      const data = await redis.get<string>(sessionKey(token))
+      if (!data) return undefined
+
+      const session: Session = typeof data === 'string' ? JSON.parse(data) : data
+
+      if (Date.now() > session.expiresAt) {
+        await redis.del(sessionKey(token))
+        return undefined
+      }
+
+      return session
+    },
+
+    async removeSession(token: string): Promise<boolean> {
+      const result = await redis.del(sessionKey(token))
+      return result > 0
+    },
+  }
+}
+
+/** Get the default session duration in milliseconds */
+export function getDefaultSessionDuration(): number {
+  return DEFAULT_SESSION_DURATION
+}