@momentumcms/server-core 0.1.10 → 0.3.0

package/CHANGELOG.md

@@ -1,3 +1,31 @@
+## 0.3.0 (2026-02-20)
+
+### 🚀 Features
+
+- add article slugs, detail pages, live preview, and fix PATCH field hooks ([454b61c](https://github.com/DonaldMurillo/momentum-cms/commit/454b61c))
+- add named tabs support with nested data grouping and UI improvements ([#30](https://github.com/DonaldMurillo/momentum-cms/pull/30))
+
+### 🩹 Fixes
+
+- address code review issues across admin, server-core, and e2e ([4664463](https://github.com/DonaldMurillo/momentum-cms/commit/4664463))
+- add auth guard and MIME validation to PATCH upload route; fix pagination with client-side filtering ([#32](https://github.com/DonaldMurillo/momentum-cms/pull/32))
+
+### ❤️ Thank You
+
+- Claude Opus 4.6
+- Donald Murillo @DonaldMurillo
+
+## 0.2.0 (2026-02-17)
+
+### 🚀 Features
+
+- add named tabs support with nested data grouping and tab UI improvements ([63ab63e](https://github.com/DonaldMurillo/momentum-cms/commit/63ab63e))
+
+### ❤️ Thank You
+
+- Claude Opus 4.6
+- Donald Murillo @DonaldMurillo
+
 ## 0.1.10 (2026-02-17)
 
 ### 🩹 Fixes

package/index.cjs

@@ -54,6 +54,7 @@ __export(src_exports, {
   getMomentumAPI: () => getMomentumAPI,
   getSwaggerUIHTML: () => getSwaggerUIHTML,
   getUploadConfig: () => getUploadConfig,
+  handleCollectionUpload: () => handleCollectionUpload,
   handleFileDelete: () => handleFileDelete,
   handleFileGet: () => handleFileGet,
   handleUpload: () => handleUpload,
@@ -75,7 +76,8 @@ __export(src_exports, {
   sanitizeErrorMessage: () => sanitizeErrorMessage,
   sanitizeFilename: () => sanitizeFilename,
   shouldRunSeeding: () => shouldRunSeeding,
-  startPublishScheduler: () => startPublishScheduler
+  startPublishScheduler: () => startPublishScheduler,
+  validateMimeType: () => validateMimeType2
 });
 module.exports = __toCommonJS(src_exports);
 
@@ -344,12 +346,26 @@ var ReferentialIntegrityError = class extends Error {
     this.constraint = constraint;
   }
 };
+function isNamedTab(tab) {
+  return typeof tab.name === "string" && tab.name.length > 0;
+}
 function flattenDataFields(fields) {
   const result = [];
   for (const field of fields) {
     if (field.type === "tabs") {
       for (const tab of field.tabs) {
-        result.push(...flattenDataFields(tab.fields));
+        if (isNamedTab(tab)) {
+          const syntheticGroup = {
+            name: tab.name,
+            type: "group",
+            label: tab.label,
+            description: tab.description,
+            fields: tab.fields
+          };
+          result.push(syntheticGroup);
+        } else {
+          result.push(...flattenDataFields(tab.fields));
+        }
       }
     } else if (field.type === "collapsible" || field.type === "row") {
       result.push(...flattenDataFields(field.fields));
@@ -501,6 +517,9 @@ var MediaCollection = defineCollection({
     singular: "Media",
     plural: "Media"
   },
+  upload: {
+    mimeTypes: ["image/*", "application/pdf", "video/*", "audio/*"]
+  },
   admin: {
     useAsTitle: "filename",
     defaultColumns: ["filename", "mimeType", "filesize", "createdAt"]
@@ -521,7 +540,6 @@ var MediaCollection = defineCollection({
       description: "File size in bytes"
     }),
     text("path", {
-      required: true,
       label: "Storage Path",
       description: "Path/key where the file is stored",
       admin: {
@@ -802,7 +820,20 @@ async function runFieldHooks(hookType, fields, data, req, operation) {
   for (const field of fields) {
     if (field.type === "tabs") {
       for (const tab of field.tabs) {
-        processedData = await runFieldHooks(hookType, tab.fields, processedData, req, operation);
+        if (isNamedTab(tab)) {
+          const nested = processedData[tab.name];
+          if (nested && typeof nested === "object" && !Array.isArray(nested)) {
+            processedData[tab.name] = await runFieldHooks(
+              hookType,
+              tab.fields,
+              nested,
+              req,
+              operation
+            );
+          }
+        } else {
+          processedData = await runFieldHooks(hookType, tab.fields, processedData, req, operation);
+        }
       }
       continue;
     }
@@ -812,6 +843,7 @@ async function runFieldHooks(hookType, fields, data, req, operation) {
     }
     const hooks = field.hooks?.[hookType];
     if (hooks && hooks.length > 0) {
+      const fieldExistsInData = field.name in processedData;
       let value = processedData[field.name];
       for (const hook of hooks) {
         const result = await Promise.resolve(
@@ -826,7 +858,9 @@ async function runFieldHooks(hookType, fields, data, req, operation) {
           value = result;
         }
       }
-      processedData[field.name] = value;
+      if (fieldExistsInData || value !== void 0) {
+        processedData[field.name] = value;
+      }
     }
     if (field.type === "group" && processedData[field.name] && typeof processedData[field.name] === "object" && !Array.isArray(processedData[field.name])) {
       processedData[field.name] = await runFieldHooks(
@@ -4110,6 +4144,64 @@ async function handleUpload(config, request) {
     };
   }
 }
+async function handleCollectionUpload(globalConfig, request) {
+  const { adapter } = globalConfig;
+  const { file, user, fields, collectionSlug, collectionUpload } = request;
+  const maxFileSize = collectionUpload.maxFileSize ?? globalConfig.maxFileSize ?? 10 * 1024 * 1024;
+  const allowedMimeTypes = collectionUpload.mimeTypes ?? globalConfig.allowedMimeTypes ?? [];
+  try {
+    if (!user) {
+      return {
+        status: 401,
+        error: "Authentication required to upload files"
+      };
+    }
+    const sizeError = validateFileSize(file, maxFileSize);
+    if (sizeError) {
+      return { status: 400, error: sizeError };
+    }
+    const mimeError = validateMimeType2(file.mimeType, allowedMimeTypes);
+    if (mimeError) {
+      return { status: 400, error: mimeError };
+    }
+    if (file.buffer && file.buffer.length > 0) {
+      const magicByteResult = validateMimeType(
+        file.buffer,
+        file.mimeType,
+        allowedMimeTypes
+      );
+      if (!magicByteResult.valid) {
+        return {
+          status: 400,
+          error: magicByteResult.error ?? "File content does not match claimed type"
+        };
+      }
+    }
+    const storedFile = await adapter.upload(file);
+    const docData = {
+      ...fields,
+      filename: file.originalName,
+      mimeType: file.mimeType,
+      filesize: file.size,
+      path: storedFile.path,
+      url: storedFile.url
+    };
+    const api = getMomentumAPI().setContext({ user });
+    const doc = await api.collection(collectionSlug).create(docData);
+    return {
+      status: 201,
+      doc
+    };
+  } catch (error) {
+    if (error instanceof Error) {
+      if (error.message.includes("Access denied")) {
+        return { status: 403, error: error.message };
+      }
+      return { status: 500, error: `Upload failed: ${error.message}` };
+    }
+    return { status: 500, error: "Upload failed: Unknown error" };
+  }
+}
 async function handleFileDelete(adapter, path) {
   return adapter.delete(path);
 }
@@ -5229,6 +5321,7 @@ function coerceCsvValue(value, fieldType) {
   getMomentumAPI,
   getSwaggerUIHTML,
   getUploadConfig,
+  handleCollectionUpload,
   handleFileDelete,
   handleFileGet,
   handleUpload,
@@ -5250,5 +5343,6 @@ function coerceCsvValue(value, fieldType) {
   sanitizeErrorMessage,
   sanitizeFilename,
   shouldRunSeeding,
-  startPublishScheduler
+  startPublishScheduler,
+  validateMimeType
 });

package/index.js

@@ -263,12 +263,26 @@ var ReferentialIntegrityError = class extends Error {
     this.constraint = constraint;
   }
 };
+function isNamedTab(tab) {
+  return typeof tab.name === "string" && tab.name.length > 0;
+}
 function flattenDataFields(fields) {
   const result = [];
   for (const field of fields) {
     if (field.type === "tabs") {
       for (const tab of field.tabs) {
-        result.push(...flattenDataFields(tab.fields));
+        if (isNamedTab(tab)) {
+          const syntheticGroup = {
+            name: tab.name,
+            type: "group",
+            label: tab.label,
+            description: tab.description,
+            fields: tab.fields
+          };
+          result.push(syntheticGroup);
+        } else {
+          result.push(...flattenDataFields(tab.fields));
+        }
       }
     } else if (field.type === "collapsible" || field.type === "row") {
       result.push(...flattenDataFields(field.fields));
@@ -420,6 +434,9 @@ var MediaCollection = defineCollection({
     singular: "Media",
     plural: "Media"
   },
+  upload: {
+    mimeTypes: ["image/*", "application/pdf", "video/*", "audio/*"]
+  },
   admin: {
     useAsTitle: "filename",
     defaultColumns: ["filename", "mimeType", "filesize", "createdAt"]
@@ -440,7 +457,6 @@ var MediaCollection = defineCollection({
       description: "File size in bytes"
     }),
     text("path", {
-      required: true,
       label: "Storage Path",
       description: "Path/key where the file is stored",
       admin: {
@@ -721,7 +737,20 @@ async function runFieldHooks(hookType, fields, data, req, operation) {
   for (const field of fields) {
     if (field.type === "tabs") {
       for (const tab of field.tabs) {
-        processedData = await runFieldHooks(hookType, tab.fields, processedData, req, operation);
+        if (isNamedTab(tab)) {
+          const nested = processedData[tab.name];
+          if (nested && typeof nested === "object" && !Array.isArray(nested)) {
+            processedData[tab.name] = await runFieldHooks(
+              hookType,
+              tab.fields,
+              nested,
+              req,
+              operation
+            );
+          }
+        } else {
+          processedData = await runFieldHooks(hookType, tab.fields, processedData, req, operation);
+        }
       }
       continue;
     }
@@ -731,6 +760,7 @@ async function runFieldHooks(hookType, fields, data, req, operation) {
     }
     const hooks = field.hooks?.[hookType];
     if (hooks && hooks.length > 0) {
+      const fieldExistsInData = field.name in processedData;
       let value = processedData[field.name];
       for (const hook of hooks) {
         const result = await Promise.resolve(
@@ -745,7 +775,9 @@ async function runFieldHooks(hookType, fields, data, req, operation) {
           value = result;
         }
       }
-      processedData[field.name] = value;
+      if (fieldExistsInData || value !== void 0) {
+        processedData[field.name] = value;
+      }
     }
     if (field.type === "group" && processedData[field.name] && typeof processedData[field.name] === "object" && !Array.isArray(processedData[field.name])) {
       processedData[field.name] = await runFieldHooks(
@@ -4042,6 +4074,64 @@ async function handleUpload(config, request) {
     };
   }
 }
+async function handleCollectionUpload(globalConfig, request) {
+  const { adapter } = globalConfig;
+  const { file, user, fields, collectionSlug, collectionUpload } = request;
+  const maxFileSize = collectionUpload.maxFileSize ?? globalConfig.maxFileSize ?? 10 * 1024 * 1024;
+  const allowedMimeTypes = collectionUpload.mimeTypes ?? globalConfig.allowedMimeTypes ?? [];
+  try {
+    if (!user) {
+      return {
+        status: 401,
+        error: "Authentication required to upload files"
+      };
+    }
+    const sizeError = validateFileSize(file, maxFileSize);
+    if (sizeError) {
+      return { status: 400, error: sizeError };
+    }
+    const mimeError = validateMimeType2(file.mimeType, allowedMimeTypes);
+    if (mimeError) {
+      return { status: 400, error: mimeError };
+    }
+    if (file.buffer && file.buffer.length > 0) {
+      const magicByteResult = validateMimeType(
+        file.buffer,
+        file.mimeType,
+        allowedMimeTypes
+      );
+      if (!magicByteResult.valid) {
+        return {
+          status: 400,
+          error: magicByteResult.error ?? "File content does not match claimed type"
+        };
+      }
+    }
+    const storedFile = await adapter.upload(file);
+    const docData = {
+      ...fields,
+      filename: file.originalName,
+      mimeType: file.mimeType,
+      filesize: file.size,
+      path: storedFile.path,
+      url: storedFile.url
+    };
+    const api = getMomentumAPI().setContext({ user });
+    const doc = await api.collection(collectionSlug).create(docData);
+    return {
+      status: 201,
+      doc
+    };
+  } catch (error) {
+    if (error instanceof Error) {
+      if (error.message.includes("Access denied")) {
+        return { status: 403, error: error.message };
+      }
+      return { status: 500, error: `Upload failed: ${error.message}` };
+    }
+    return { status: 500, error: "Upload failed: Unknown error" };
+  }
+}
 async function handleFileDelete(adapter, path) {
   return adapter.delete(path);
 }
@@ -5160,6 +5250,7 @@ export {
   getMomentumAPI,
   getSwaggerUIHTML,
   getUploadConfig,
+  handleCollectionUpload,
   handleFileDelete,
   handleFileGet,
   handleUpload,
@@ -5181,5 +5272,6 @@ export {
   sanitizeErrorMessage,
   sanitizeFilename,
   shouldRunSeeding,
-  startPublishScheduler
+  startPublishScheduler,
+  validateMimeType2 as validateMimeType
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@momentumcms/server-core",
-  "version": "0.1.10",
+  "version": "0.3.0",
   "description": "Framework-agnostic server handlers for Momentum CMS",
   "license": "MIT",
   "author": "Momentum CMS Contributors",

package/src/index.d.ts

@@ -12,7 +12,7 @@ export { buildGraphQLSchema, type GraphQLContext } from './lib/graphql-schema';
 export { executeGraphQL, type GraphQLRequestBody, type GraphQLResult } from './lib/graphql-handler';
 export { GraphQLJSON } from './lib/graphql-scalars';
 export { generateApiKey, hashApiKey, getKeyPrefix, isValidApiKeyFormat, generateApiKeyId, createAdapterApiKeyStore, createPostgresApiKeyStore, API_KEYS_TABLE_SQL_POSTGRES, API_KEYS_TABLE_SQL_SQLITE, type ApiKeyRecord, type CreateApiKeyResult, type CreateApiKeyOptions, type ApiKeyStore, } from './lib/api-keys';
-export { handleUpload, handleFileDelete, handleFileGet, getUploadConfig, type UploadRequest, type UploadResponse, type UploadConfig, } from './lib/upload-handler';
+export { handleUpload, handleCollectionUpload, handleFileDelete, handleFileGet, getUploadConfig, validateMimeType, type UploadRequest, type UploadResponse, type UploadConfig, type CollectionUploadRequest, type CollectionUploadResponse, } from './lib/upload-handler';
 export { generateOpenAPISpec, type OpenAPIDocument, type OpenAPIGeneratorOptions, } from './lib/openapi-generator';
 export { getSwaggerUIHTML } from './lib/swagger-ui-html';
 export { renderPreviewHTML, type PreviewRenderOptions } from './lib/preview-renderer';

package/src/lib/upload-handler.d.ts

@@ -2,7 +2,7 @@
  * Upload Handler for Momentum CMS
  * Framework-agnostic file upload handling
  */
-import type { StorageAdapter, UploadedFile, MomentumConfig, MediaDocument } from '@momentumcms/core';
+import type { StorageAdapter, UploadedFile, MomentumConfig, MediaDocument, UploadCollectionConfig } from '@momentumcms/core';
 import { type MomentumAPIContext } from './momentum-api';
 /**
  * Upload request from the client.
@@ -43,6 +43,11 @@ export interface UploadConfig {
  * Get upload configuration from MomentumConfig.
  */
 export declare function getUploadConfig(config: MomentumConfig): UploadConfig | null;
+/**
+ * Validate claimed MIME type against an allow-list.
+ * Returns an error message if the type is not allowed, or null if OK.
+ */
+export declare function validateMimeType(mimeType: string, allowedTypes: string[]): string | null;
 /**
  * Handle file upload.
  *
@@ -51,6 +56,45 @@ export declare function getUploadConfig(config: MomentumConfig): UploadConfig |
  * @returns Upload response with created media document or error
  */
 export declare function handleUpload(config: UploadConfig, request: UploadRequest): Promise<UploadResponse>;
+/**
+ * Upload request for a collection-level upload.
+ * Used when POST /api/{slug} with multipart/form-data hits an upload collection.
+ */
+export interface CollectionUploadRequest {
+    /** The uploaded file */
+    file: UploadedFile;
+    /** User context for access control */
+    user?: MomentumAPIContext['user'];
+    /** Non-file form fields from multipart body (e.g., alt, title) */
+    fields: Record<string, unknown>;
+    /** Target collection slug */
+    collectionSlug: string;
+    /** Collection-level upload config */
+    collectionUpload: UploadCollectionConfig;
+}
+/**
+ * Response from a collection-level upload.
+ */
+export interface CollectionUploadResponse {
+    /** Created document (with auto-populated file metadata) */
+    doc?: Record<string, unknown>;
+    /** Error message if upload failed */
+    error?: string;
+    /** HTTP status code */
+    status: number;
+}
+/**
+ * Handle file upload for an upload collection.
+ * Stores the file, auto-populates metadata fields, merges with user-provided fields,
+ * and creates the document in the target collection.
+ *
+ * Collection-level config overrides global config for mimeTypes and maxFileSize.
+ *
+ * @param globalConfig - Global upload configuration (storage adapter, defaults)
+ * @param request - Collection upload request with file, user fields, and collection config
+ * @returns Response with created document or error
+ */
+export declare function handleCollectionUpload(globalConfig: UploadConfig, request: CollectionUploadRequest): Promise<CollectionUploadResponse>;
 /**
  * Handle file deletion.
  *