@kidecms/core 0.1.0

package/routes/api/cms/assets/folders.ts

@@ -0,0 +1,81 @@
+import type { APIRoute } from "astro";
+import { folders } from "virtual:kide/runtime";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ url }) => {
+  const parent = url.searchParams.get("parent");
+  if (parent !== null) {
+    const items = await folders.findByParent(parent || null);
+    return Response.json(items);
+  }
+  const items = await folders.findAll();
+  return Response.json(items);
+};
+
+export const POST: APIRoute = async ({ request }) => {
+  const contentType = request.headers.get("content-type") ?? "";
+
+  if (contentType.includes("application/json")) {
+    const body = await request.json();
+    const { action, id, name, parent } = body;
+
+    if (action === "create" && name) {
+      const folder = await folders.create(String(name), parent ?? null);
+      return Response.json(folder, { status: 201 });
+    }
+
+    if (action === "rename" && id && name) {
+      const folder = await folders.rename(String(id), String(name));
+      if (!folder) return Response.json({ error: "Not found." }, { status: 404 });
+      return Response.json(folder);
+    }
+
+    if (action === "delete" && id) {
+      await folders.delete(String(id));
+      return new Response(null, { status: 204 });
+    }
+
+    return Response.json({ error: "Invalid action." }, { status: 400 });
+  }
+
+  // Form submission (for non-JS fallback / redirect flows)
+  const formData = new URLSearchParams(await request.text());
+  const action = formData.get("_action");
+  const redirectTo = formData.get("redirectTo") || "/admin/assets";
+
+  if (action === "create") {
+    const name = formData.get("name");
+    const parent = formData.get("parent");
+    if (!name) return Response.json({ error: "Name is required." }, { status: 400 });
+    const folder = await folders.create(name, parent || null);
+    const folderParam = encodeURIComponent(folder._id);
+    return new Response(null, {
+      status: 303,
+      headers: { Location: `${redirectTo}?folder=${folderParam}&_toast=success&_msg=Folder+created` },
+    });
+  }
+
+  if (action === "rename") {
+    const id = formData.get("id");
+    const name = formData.get("name");
+    if (!id || !name) return Response.json({ error: "ID and name required." }, { status: 400 });
+    await folders.rename(id, name);
+    return new Response(null, {
+      status: 303,
+      headers: { Location: `${redirectTo}?_toast=success&_msg=Folder+renamed` },
+    });
+  }
+
+  if (action === "delete") {
+    const id = formData.get("id");
+    if (!id) return Response.json({ error: "ID required." }, { status: 400 });
+    await folders.delete(id);
+    return new Response(null, {
+      status: 303,
+      headers: { Location: `${redirectTo}?_toast=success&_msg=Folder+deleted` },
+    });
+  }
+
+  return Response.json({ error: "Invalid action." }, { status: 400 });
+};

package/routes/api/cms/assets/index.ts

@@ -0,0 +1,23 @@
+import type { APIRoute } from "astro";
+import { assets } from "virtual:kide/runtime";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ url }) => {
+  const lookupUrl = url.searchParams.get("url");
+  if (lookupUrl) {
+    const asset = await assets.findByUrl(lookupUrl);
+    if (!asset) return Response.json(null, { status: 404 });
+    return Response.json(asset);
+  }
+
+  const limit = url.searchParams.get("limit") ? Number(url.searchParams.get("limit")) : 50;
+  const offset = url.searchParams.get("offset") ? Number(url.searchParams.get("offset")) : 0;
+  const folderParam = url.searchParams.get("folder");
+  const folder = folderParam !== null ? (folderParam === "" ? null : folderParam) : undefined;
+
+  const items = await assets.find({ limit, offset, folder });
+  const total = await assets.count();
+
+  return Response.json({ items, total });
+};

package/routes/api/cms/assets/upload.ts

@@ -0,0 +1,112 @@
+import type { APIRoute } from "astro";
+import { assets } from "virtual:kide/runtime";
+import config from "virtual:kide/config";
+
+export const prerender = false;
+
+const DEFAULT_ALLOWED_TYPES = [
+  "image/jpeg",
+  "image/png",
+  "image/gif",
+  "image/webp",
+  "image/avif",
+  "image/svg+xml",
+  "application/pdf",
+  "video/mp4",
+  "video/webm",
+];
+
+const ALLOWED_TYPES = new Set(config.admin?.uploads?.allowedTypes ?? DEFAULT_ALLOWED_TYPES);
+const MAX_FILE_SIZE = config.admin?.uploads?.maxFileSize ?? 50 * 1024 * 1024; // 50 MB
+
+// Magic number signatures for binary file type verification
+const MAGIC_SIGNATURES: Array<{ type: string; bytes: number[]; offset?: number }> = [
+  { type: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
+  { type: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47] },
+  { type: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38] },
+  { type: "image/webp", bytes: [0x52, 0x49, 0x46, 0x46], offset: 0 }, // RIFF....WEBP
+  { type: "application/pdf", bytes: [0x25, 0x50, 0x44, 0x46] },
+  { type: "video/mp4", bytes: [0x66, 0x74, 0x79, 0x70], offset: 4 }, // ....ftyp
+];
+
+function verifyMagicBytes(buffer: ArrayBuffer, declaredType: string): boolean {
+  // SVG and text-based formats can't be verified by magic bytes
+  if (declaredType === "image/svg+xml") {
+    const text = new TextDecoder().decode(buffer.slice(0, 256));
+    return text.includes("<svg") || text.trimStart().startsWith("<?xml");
+  }
+
+  const header = new Uint8Array(buffer.slice(0, 16));
+  for (const sig of MAGIC_SIGNATURES) {
+    if (sig.type !== declaredType) continue;
+    const offset = sig.offset ?? 0;
+    const match = sig.bytes.every((byte, i) => header[offset + i] === byte);
+    if (match) return true;
+  }
+
+  // AVIF is an ISOBMFF container — check for ftyp box with avif brand
+  if (declaredType === "image/avif") {
+    const offset4 = new Uint8Array(buffer.slice(4, 12));
+    const ftypStr = String.fromCharCode(...offset4);
+    return ftypStr.startsWith("ftyp") && ftypStr.includes("avif");
+  }
+
+  // video/webm starts with EBML header
+  if (declaredType === "video/webm") {
+    return header[0] === 0x1a && header[1] === 0x45 && header[2] === 0xdf && header[3] === 0xa3;
+  }
+
+  return false;
+}
+
+export const POST: APIRoute = async ({ request }) => {
+  const contentType = request.headers.get("content-type") ?? "";
+
+  if (!contentType.includes("multipart/form-data")) {
+    return Response.json({ error: "Expected multipart/form-data." }, { status: 400 });
+  }
+
+  const formData = await request.formData();
+  const file = formData.get("file");
+  const alt = formData.get("alt");
+  const folder = formData.get("folder");
+
+  if (!file || !(file instanceof File)) {
+    return Response.json({ error: "No file provided." }, { status: 400 });
+  }
+
+  if (!ALLOWED_TYPES.has(file.type)) {
+    return Response.json({ error: `File type "${file.type}" is not allowed.` }, { status: 400 });
+  }
+
+  if (file.size > MAX_FILE_SIZE) {
+    return Response.json({ error: `File exceeds the ${MAX_FILE_SIZE / 1024 / 1024} MB size limit.` }, { status: 400 });
+  }
+
+  // Verify file content matches declared type
+  const buffer = await file.arrayBuffer();
+  if (!verifyMagicBytes(buffer, file.type)) {
+    return Response.json({ error: "File content does not match declared type." }, { status: 400 });
+  }
+
+  // Reconstruct File from buffer since arrayBuffer() consumed the stream
+  const verifiedFile = new File([buffer], file.name, { type: file.type });
+
+  const asset = await assets.upload(verifiedFile, {
+    alt: alt ? String(alt) : undefined,
+    folder: folder ? String(folder) : undefined,
+  });
+
+  const redirectTo = formData.get("redirectTo");
+
+  if (redirectTo) {
+    // Delay so Vite's dev server picks up the new file before the redirect
+    await new Promise((r) => setTimeout(r, 1000));
+    return new Response(null, {
+      status: 303,
+      headers: { Location: `/admin/assets/${asset._id}?_toast=success&_msg=Asset+uploaded` },
+    });
+  }
+
+  return Response.json(asset, { status: 201 });
+};

package/routes/api/cms/auth/invite.ts

@@ -0,0 +1,166 @@
+import type { APIRoute } from "astro";
+import { eq } from "drizzle-orm";
+
+import { getDb } from "virtual:kide/db";
+import {
+  createInvite,
+  validateInvite,
+  consumeInvite,
+  hashPassword,
+  createSession,
+  setSessionCookie,
+  getSessionUser,
+} from "virtual:kide/runtime";
+import { sendInviteEmail, isEmailConfigured } from "virtual:kide/email";
+
+export const prerender = false;
+
+export const POST: APIRoute = async ({ request, url }) => {
+  const formData = await request.formData();
+  const action = String(formData.get("_action") ?? "create");
+
+  if (action === "accept") {
+    return handleAccept(formData);
+  }
+
+  return handleCreate(formData, url, request);
+};
+
+async function handleCreate(formData: FormData, url: URL, request: Request) {
+  const user = await getSessionUser(request);
+  if (!user || user.role !== "admin") {
+    return new Response(null, {
+      status: 303,
+      headers: { Location: "/admin/users?_toast=error&_msg=Only+admins+can+invite+users" },
+    });
+  }
+
+  const email = String(formData.get("email") ?? "").trim();
+  const role = String(formData.get("role") ?? "editor");
+  const name = String(formData.get("name") ?? email.split("@")[0]).trim();
+
+  if (!email) {
+    return new Response(null, {
+      status: 303,
+      headers: { Location: "/admin/users/new?_toast=error&_msg=Email+is+required" },
+    });
+  }
+
+  const db = await getDb();
+  const schema = await import("virtual:kide/schema");
+  const tables = schema.cmsTables as Record<string, { main: any }>;
+  if (!tables.users) {
+    return new Response(null, {
+      status: 303,
+      headers: { Location: "/admin/users?_toast=error&_msg=Users+collection+not+configured" },
+    });
+  }
+
+  // Check for duplicate email
+  const existing = await db.select().from(tables.users.main).where(eq(tables.users.main.email, email)).limit(1);
+  if (existing.length > 0) {
+    return new Response(null, {
+      status: 303,
+      headers: { Location: "/admin/users/new?_toast=error&_msg=A+user+with+this+email+already+exists" },
+    });
+  }
+
+  const { nanoid } = await import("nanoid");
+  const id = nanoid();
+  const now = new Date().toISOString();
+
+  await db.insert(tables.users.main).values({
+    _id: id,
+    name,
+    email,
+    password: "",
+    role,
+    _createdAt: now,
+    _updatedAt: now,
+  });
+
+  const invite = await createInvite(id);
+  const inviteUrl = `${url.origin}/admin/invite?token=${invite.token}`;
+
+  let emailSent = false;
+  if (isEmailConfigured()) {
+    emailSent = await sendInviteEmail(email, inviteUrl);
+  }
+
+  const params = new URLSearchParams({
+    _toast: "success",
+    _msg: emailSent ? `Invitation sent to ${email}` : "User created",
+    inviteToken: invite.token,
+    emailSent: String(emailSent),
+  });
+
+  return new Response(null, {
+    status: 303,
+    headers: { Location: `/admin/users/${id}?${params}` },
+  });
+}
+
+async function handleAccept(formData: FormData) {
+  const token = String(formData.get("token") ?? "");
+  const name = String(formData.get("name") ?? "").trim();
+  const password = String(formData.get("password") ?? "");
+  const confirmPassword = String(formData.get("confirmPassword") ?? "");
+
+  if (!token) {
+    return new Response(null, {
+      status: 303,
+      headers: { Location: "/admin/invite?error=invalid" },
+    });
+  }
+
+  if (!name || !password) {
+    return new Response(null, {
+      status: 303,
+      headers: { Location: `/admin/invite?token=${token}&error=missing` },
+    });
+  }
+
+  if (password !== confirmPassword) {
+    return new Response(null, {
+      status: 303,
+      headers: { Location: `/admin/invite?token=${token}&error=password` },
+    });
+  }
+
+  if (password.length < 8) {
+    return new Response(null, {
+      status: 303,
+      headers: { Location: `/admin/invite?token=${token}&error=short` },
+    });
+  }
+
+  const invite = await validateInvite(token);
+  if (!invite) {
+    return new Response(null, {
+      status: 303,
+      headers: { Location: "/admin/invite?error=expired" },
+    });
+  }
+
+  const db = await getDb();
+  const schema = await import("virtual:kide/schema");
+  const tables = schema.cmsTables as Record<string, { main: any }>;
+
+  const hashedPassword = await hashPassword(password);
+  await db
+    .update(tables.users.main)
+    .set({ name, password: hashedPassword, _updatedAt: new Date().toISOString() })
+    .where(eq(tables.users.main._id, invite.userId));
+
+  await consumeInvite(token);
+
+  const session = await createSession(invite.userId);
+
+  return new Response(null, {
+    status: 303,
+    headers: {
+      Location: "/admin",
+      "Set-Cookie": setSessionCookie(session.token, session.expiresAt),
+    },
+  });
+}

package/routes/api/cms/auth/login.ts

@@ -0,0 +1,124 @@
+import type { APIRoute } from "astro";
+import { eq } from "drizzle-orm";
+
+import { getDb } from "virtual:kide/db";
+import { verifyPassword, createSession, setSessionCookie } from "virtual:kide/runtime";
+import config from "virtual:kide/config";
+
+export const prerender = false;
+
+// Simple in-memory rate limiter
+const attempts = new Map<string, { count: number; resetAt: number }>();
+const MAX_ATTEMPTS = config.admin?.rateLimit?.maxAttempts ?? 5;
+const WINDOW_MS = config.admin?.rateLimit?.windowMs ?? 15 * 60 * 1000;
+
+function isRateLimited(ip: string): boolean {
+  const now = Date.now();
+  const entry = attempts.get(ip);
+  if (!entry || now > entry.resetAt) {
+    attempts.set(ip, { count: 1, resetAt: now + WINDOW_MS });
+    return false;
+  }
+  entry.count++;
+  return entry.count > MAX_ATTEMPTS;
+}
+
+export const POST: APIRoute = async ({ request, clientAddress }) => {
+  const contentType = request.headers.get("content-type") ?? "";
+
+  if (isRateLimited(clientAddress)) {
+    if (contentType.includes("application/json")) {
+      return Response.json({ error: "Too many login attempts. Try again later." }, { status: 429 });
+    }
+    return new Response(null, {
+      status: 303,
+      headers: { Location: "/admin/login?error=rate-limited" },
+    });
+  }
+
+  let email: string;
+  let password: string;
+
+  if (contentType.includes("application/json")) {
+    const body = await request.json();
+    email = String(body.email ?? "");
+    password = String(body.password ?? "");
+  } else {
+    const formData = await request.formData();
+    email = String(formData.get("email") ?? "");
+    password = String(formData.get("password") ?? "");
+  }
+
+  if (!email || !password) {
+    if (contentType.includes("application/json")) {
+      return Response.json({ error: "Email and password are required." }, { status: 400 });
+    }
+    return new Response(null, {
+      status: 303,
+      headers: { Location: "/admin/login?error=missing" },
+    });
+  }
+
+  const db = await getDb();
+  const schema = await import("virtual:kide/schema");
+  const tables = schema.cmsTables as Record<string, { main: any }>;
+
+  if (!tables.users) {
+    return Response.json({ error: "Users collection not configured." }, { status: 500 });
+  }
+
+  const rows = await db.select().from(tables.users.main).where(eq(tables.users.main.email, email)).limit(1);
+
+  if (rows.length === 0) {
+    if (contentType.includes("application/json")) {
+      return Response.json({ error: "Invalid credentials." }, { status: 401 });
+    }
+    return new Response(null, {
+      status: 303,
+      headers: { Location: "/admin/login?error=invalid" },
+    });
+  }
+
+  const user = rows[0] as Record<string, unknown>;
+  const storedHash = String(user.password ?? "");
+
+  let valid = false;
+  try {
+    valid = await verifyPassword(storedHash, password);
+  } catch {
+    // valid remains false
+  }
+
+  if (!valid) {
+    if (contentType.includes("application/json")) {
+      return Response.json({ error: "Invalid credentials." }, { status: 401 });
+    }
+    return new Response(null, {
+      status: 303,
+      headers: { Location: "/admin/login?error=invalid" },
+    });
+  }
+
+  // Successful login — clear rate limit
+  attempts.delete(clientAddress);
+
+  const session = await createSession(String(user._id));
+
+  if (contentType.includes("application/json")) {
+    return new Response(JSON.stringify({ ok: true }), {
+      status: 200,
+      headers: {
+        "Content-Type": "application/json",
+        "Set-Cookie": setSessionCookie(session.token, session.expiresAt),
+      },
+    });
+  }
+
+  return new Response(null, {
+    status: 303,
+    headers: {
+      Location: "/admin",
+      "Set-Cookie": setSessionCookie(session.token, session.expiresAt),
+    },
+  });
+};

package/routes/api/cms/auth/logout.ts

@@ -0,0 +1,33 @@
+import type { APIRoute } from "astro";
+
+import { destroySession, clearSessionCookie } from "virtual:kide/runtime";
+
+export const prerender = false;
+
+export const POST: APIRoute = async ({ request }) => {
+  const cookieHeader = request.headers.get("cookie") ?? "";
+  const match = cookieHeader.match(/cms_session=([^;]+)/);
+
+  if (match) {
+    await destroySession(match[1]);
+  }
+
+  const contentType = request.headers.get("content-type") ?? "";
+  if (contentType.includes("application/json")) {
+    return new Response(JSON.stringify({ ok: true }), {
+      status: 200,
+      headers: {
+        "Content-Type": "application/json",
+        "Set-Cookie": clearSessionCookie(),
+      },
+    });
+  }
+
+  return new Response(null, {
+    status: 303,
+    headers: {
+      Location: "/admin/login",
+      "Set-Cookie": clearSessionCookie(),
+    },
+  });
+};

package/routes/api/cms/auth/setup.ts

@@ -0,0 +1,77 @@
+import type { APIRoute } from "astro";
+import { nanoid } from "nanoid";
+
+import { getDb } from "virtual:kide/db";
+import { hashPassword, createSession, setSessionCookie } from "virtual:kide/runtime";
+
+export const prerender = false;
+
+export const POST: APIRoute = async ({ request }) => {
+  const formData = await request.formData();
+  const name = String(formData.get("name") ?? "").trim();
+  const email = String(formData.get("email") ?? "").trim();
+  const password = String(formData.get("password") ?? "");
+  const confirmPassword = String(formData.get("confirmPassword") ?? "");
+
+  if (!name || !email || !password) {
+    return new Response(null, {
+      status: 303,
+      headers: { Location: "/admin/setup?error=missing" },
+    });
+  }
+
+  if (password !== confirmPassword) {
+    return new Response(null, {
+      status: 303,
+      headers: { Location: "/admin/setup?error=password" },
+    });
+  }
+
+  if (password.length < 8) {
+    return new Response(null, {
+      status: 303,
+      headers: { Location: "/admin/setup?error=short" },
+    });
+  }
+
+  const db = await getDb();
+  const schema = await import("virtual:kide/schema");
+  const tables = schema.cmsTables as Record<string, { main: any }>;
+
+  if (!tables.users) {
+    return Response.json({ error: "Users collection not configured." }, { status: 500 });
+  }
+
+  // Prevent setup if users already exist
+  const existing = await db.select().from(tables.users.main).limit(1);
+  if (existing.length > 0) {
+    return new Response(null, {
+      status: 303,
+      headers: { Location: "/admin/login" },
+    });
+  }
+
+  const id = nanoid();
+  const now = new Date().toISOString();
+  const hashedPassword = await hashPassword(password);
+
+  await db.insert(tables.users.main).values({
+    _id: id,
+    name,
+    email,
+    password: hashedPassword,
+    role: "admin",
+    _createdAt: now,
+    _updatedAt: now,
+  });
+
+  const session = await createSession(id);
+
+  return new Response(null, {
+    status: 303,
+    headers: {
+      Location: "/admin",
+      "Set-Cookie": setSessionCookie(session.token, session.expiresAt),
+    },
+  });
+};

package/routes/api/cms/cron/publish.ts

@@ -0,0 +1,33 @@
+import type { APIRoute } from "astro";
+
+import { cms } from "virtual:kide/api";
+
+export const prerender = false;
+
+const cmsRuntime = cms as Record<string, any> & { scheduled: typeof cms.scheduled };
+
+const isAuthorized = (request: Request) => {
+  const secret = import.meta.env.CRON_SECRET;
+  if (!secret) return true;
+
+  const authHeader = request.headers.get("authorization") ?? "";
+  return authHeader === `Bearer ${secret}`;
+};
+
+const handler: APIRoute = async ({ request, cache }) => {
+  if (!isAuthorized(request)) {
+    return Response.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const result = await cmsRuntime.scheduled.processPublishing(cache);
+
+  return Response.json({
+    ok: true,
+    published: result.published,
+    unpublished: result.unpublished,
+    processedAt: new Date().toISOString(),
+  });
+};
+
+export const GET = handler;
+export const POST = handler;

package/routes/api/cms/img/[...path].ts

@@ -0,0 +1,24 @@
+import type { APIRoute } from "astro";
+import { transformImage } from "@kidecms/core";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ params, url }) => {
+  const src = `/${params.path}`;
+  const width = url.searchParams.get("w") ? Number(url.searchParams.get("w")) : undefined;
+  const format = url.searchParams.get("f") || "webp";
+  const quality = url.searchParams.get("q") ? Number(url.searchParams.get("q")) : undefined;
+
+  const result = await transformImage(src, width, format, quality);
+
+  if (!result) {
+    return new Response("Not found", { status: 404 });
+  }
+
+  return new Response(new Uint8Array(result.buffer), {
+    headers: {
+      "Content-Type": result.contentType,
+      "Cache-Control": "public, max-age=31536000, immutable",
+    },
+  });
+};