@natilon/cms-server 0.1.2 → 0.3.0

package/src/express-shim.mjs

@@ -0,0 +1,51 @@
+/**
+ * Mount runtime-agnostic routes (from routes.mjs) onto an Express app.
+ *
+ * Each handler receives a ctx object; its `ResponseSpec` return value is
+ * translated to res.status/json/redirect/send.
+ */
+export function mountRoutes(app, routes, { adapters, config }) {
+  for (const route of routes) {
+    const method = route.method.toLowerCase();
+    app[method](route.path, async (req, res) => {
+      if (route.auth === "admin" && req.cmsUser && req.cmsUser.role !== "admin") {
+        return res.status(403).json({ error: "Admin role required" });
+      }
+      const ctx = {
+        params: req.params,
+        query: req.query,
+        body: req.body,
+        user: req.cmsUser || null,
+        header: (name) => req.headers[name.toLowerCase()],
+        env: (name) => process.env[name],
+        adapters,
+        config,
+      };
+      try {
+        const result = await route.handler(ctx);
+        writeResponse(res, result);
+      } catch (err) {
+        res.status(500).json({ error: err.message });
+      }
+    });
+  }
+}
+
+function writeResponse(res, result) {
+  if (!result) return res.status(204).end();
+  if (result.headers) {
+    for (const [k, v] of Object.entries(result.headers)) res.set(k, v);
+  }
+  if (result.redirect) return res.redirect(result.status || 302, result.redirect);
+  if (result.status) res.status(result.status);
+  if (result.json !== undefined) return res.json(result.json);
+  if (result.text !== undefined) return res.send(result.text);
+  res.end();
+}
+
+/** Build an Express middleware that returns true for any "public" route path. */
+export function buildPublicAllowlist(routes) {
+  const exact = new Set();
+  for (const r of routes) if (r.auth === "public") exact.add(r.path);
+  return (req) => exact.has(req.path) || req.path.startsWith("/admin/oauth/");
+}

package/src/hono-shim.mjs

@@ -0,0 +1,108 @@
+/**
+ * Mount runtime-agnostic routes (from routes.mjs) onto a Hono app.
+ *
+ * Usage in a Worker:
+ *   import { Hono } from "hono";
+ *   import { allRoutes } from "@natilon/cms-server/routes";
+ *   import { mountHonoRoutes, honoAuthMiddleware } from "@natilon/cms-server/hono-shim";
+ *
+ *   const app = new Hono();
+ *   const routes = allRoutes(config);
+ *   app.use("*", honoAuthMiddleware({ routes, config, buildAdapters }));
+ *   mountHonoRoutes(app, routes, { config });
+ *
+ * `buildAdapters(env)` is supplied by the caller and must return the adapter
+ * bag the route handlers expect: { content, templates, cdnMedia, auth, build,
+ * publicConfig }.
+ */
+
+export function mountHonoRoutes(app, routes, { config }) {
+  for (const route of routes) {
+    const method = route.method.toLowerCase();
+    app[method](route.path, async (c) => {
+      const adapters = c.get("adapters");
+      const user = c.get("cmsUser") || null;
+      if (route.auth === "admin" && user?.role !== "admin") {
+        return c.json({ error: "Admin role required" }, 403);
+      }
+      let body = null;
+      if (route.method === "POST" || route.method === "PUT") {
+        try {
+          body = await c.req.json();
+        } catch {
+          body = null;
+        }
+      }
+      const ctx = {
+        params: c.req.param(),
+        query: c.req.query(),
+        body,
+        user,
+        header: (name) => c.req.header(name),
+        env: (name) => c.env[name],
+        adapters,
+        config,
+      };
+      try {
+        const result = await route.handler(ctx);
+        return writeResponse(c, result);
+      } catch (err) {
+        return c.json({ error: err.message }, 500);
+      }
+    });
+  }
+}
+
+function writeResponse(c, result) {
+  if (!result) return new Response(null, { status: 204 });
+  if (result.redirect) return c.redirect(result.redirect, result.status || 302);
+  const status = result.status || 200;
+  if (result.headers) {
+    for (const [k, v] of Object.entries(result.headers)) c.header(k, v);
+  }
+  if (result.json !== undefined) return c.json(result.json, status);
+  if (result.text !== undefined) return c.text(result.text, status);
+  return new Response(null, { status });
+}
+
+/**
+ * Middleware that builds adapters per-request, enforces auth on /api/* except
+ * for routes declared `auth: "public"` (and any /admin/oauth/* path).
+ */
+export function honoAuthMiddleware({ routes, config, buildAdapters, realm = "CMS Admin" }) {
+  const publicMatchers = compilePublicMatchers(routes);
+
+  return async (c, next) => {
+    const adapters = buildAdapters(c.env);
+    c.set("adapters", adapters);
+
+    const path = c.req.path;
+    const isPublic =
+      path.startsWith("/admin/oauth/") || publicMatchers.some((m) => m(path, c.req.method));
+
+    if (!path.startsWith("/api/") || isPublic) return next();
+
+    const cmsUser = adapters.auth.verify(c.req.header("Authorization") || "");
+    if (!cmsUser) {
+      if (config.auth?.provider === "github-oauth") {
+        return c.json({ error: "Authentication required", loginUrl: "/admin/oauth/login" }, 401);
+      }
+      return new Response("Authentication required", {
+        status: 401,
+        headers: { "WWW-Authenticate": `Basic realm="${realm}"` },
+      });
+    }
+    c.set("cmsUser", cmsUser);
+    return next();
+  };
+}
+
+function compilePublicMatchers(routes) {
+  return routes
+    .filter((r) => r.auth === "public")
+    .map((r) => {
+      const pattern = r.path.replace(/:[a-zA-Z_]+/g, "([^/]+)");
+      const re = new RegExp(`^${pattern}$`);
+      return (path, method) => method === r.method && re.test(path);
+    });
+}

package/src/index.mjs

@@ -2,7 +2,9 @@ export { createCmsServer, mountAdminUi, startCmsServer, startScheduler } from ".
 export { defaultPublicConfig } from "./default-public-config.mjs";
 export {
   createFsJsonContent,
+  createFsTemplates,
   createGitHubContent,
+  createGitHubTemplates,
   createLocalAssetsMedia,
   createCdnProxyMedia,
   createBasicAuth,

package/src/routes.mjs

@@ -0,0 +1,394 @@
+/**
+ * Runtime-agnostic API routes for the Natilon CMS.
+ *
+ * Each route is `{ method, path, auth, handler }`:
+ *   - `path` uses Express-style `:param` placeholders.
+ *   - `auth` is `"public"` (no token required), `"any"` (any logged-in user),
+ *     or `"admin"` (admin role).
+ *   - `handler(ctx)` returns a `ResponseSpec`.
+ *
+ * Ctx shape (provided by the runtime shim):
+ *   {
+ *     params,                // route params
+ *     query,                 // parsed query object
+ *     body,                  // parsed JSON body (or null)
+ *     user,                  // cmsUser or null
+ *     header(name),          // request header lookup (case-insensitive)
+ *     env(name),             // env var lookup
+ *     adapters,              // { content, templates, cdnMedia, auth, build }
+ *     config,                // cms.config
+ *   }
+ *
+ * ResponseSpec:
+ *   { status?, json?, text?, redirect?, headers? }
+ */
+
+
+function ok(json) {
+  return { json };
+}
+
+function notFound(error = "Not found") {
+  return { status: 404, json: { error } };
+}
+
+function badRequest(error) {
+  return { status: 400, json: { error } };
+}
+
+export const apiRoutes = [
+  // ── Config ─────────────────────────────────────────────────────────────
+  {
+    method: "GET",
+    path: "/api/config",
+    auth: "public",
+    handler: ({ adapters }) => ok(adapters.publicConfig()),
+  },
+
+  {
+    method: "GET",
+    path: "/api/me",
+    auth: "any",
+    handler: ({ user }) => ok(user || { login: "admin", role: "admin" }),
+  },
+
+  // ── Collections ────────────────────────────────────────────────────────
+  {
+    method: "GET",
+    path: "/api/collections",
+    auth: "any",
+    handler: async ({ adapters }) => ok(await adapters.content.listCollections()),
+  },
+
+  {
+    method: "GET",
+    path: "/api/collections/:collection",
+    auth: "any",
+    handler: async ({ adapters, config, params }) => {
+      const sortConfig = config.collections?.[params.collection]?.sort ?? null;
+      const pages = await adapters.content.listPages(params.collection, sortConfig);
+      if (pages === null) return notFound();
+      return ok(pages);
+    },
+  },
+
+  {
+    method: "GET",
+    path: "/api/collections/:collection/:file",
+    auth: "any",
+    handler: async ({ adapters, params }) => {
+      const data = await adapters.content.readPage(params.collection, params.file);
+      if (!data) return notFound();
+      return ok(data);
+    },
+  },
+
+  {
+    method: "PUT",
+    path: "/api/collections/:collection/:file",
+    auth: "any",
+    handler: async ({ adapters, params, body }) => {
+      await adapters.content.writePage(params.collection, params.file, body);
+      return ok({ ok: true });
+    },
+  },
+
+  {
+    method: "POST",
+    path: "/api/collections/:collection",
+    auth: "any",
+    handler: async ({ adapters, params, body }) => {
+      const result = await adapters.content.createPage(params.collection, body);
+      return ok({ ok: true, file: result.file });
+    },
+  },
+
+  {
+    method: "DELETE",
+    path: "/api/collections/:collection/:file",
+    auth: "admin",
+    handler: async ({ adapters, params }) => {
+      const okDel = await adapters.content.deletePage(params.collection, params.file);
+      if (!okDel) return notFound();
+      return ok({ ok: true });
+    },
+  },
+
+  {
+    method: "POST",
+    path: "/api/collections/:collection/:file/duplicate",
+    auth: "any",
+    handler: async ({ adapters, params }) => {
+      const result = await adapters.content.duplicatePage(params.collection, params.file);
+      if (!result) return notFound();
+      return ok({ ok: true, file: result.file });
+    },
+  },
+
+  // ── History ────────────────────────────────────────────────────────────
+  {
+    method: "GET",
+    path: "/api/history/:collection/:file",
+    auth: "any",
+    handler: async ({ adapters, params }) => {
+      try {
+        return ok(await adapters.content.listHistory(params.collection, params.file));
+      } catch (err) {
+        return { status: 500, json: { error: err.message } };
+      }
+    },
+  },
+
+  {
+    method: "POST",
+    path: "/api/history/:collection/:file/:ts/restore",
+    auth: "any",
+    handler: async ({ adapters, params }) => {
+      try {
+        const okRestore = await adapters.content.restoreHistory(
+          params.collection,
+          params.file,
+          params.ts,
+        );
+        if (!okRestore) return notFound("Revision not found");
+        return ok({ ok: true });
+      } catch (err) {
+        return { status: 500, json: { error: err.message } };
+      }
+    },
+  },
+
+  // ── Templates ──────────────────────────────────────────────────────────
+  {
+    method: "GET",
+    path: "/api/templates",
+    auth: "any",
+    handler: async ({ adapters }) => ok(await adapters.templates.list()),
+  },
+
+  {
+    method: "GET",
+    path: "/api/templates/:slug",
+    auth: "any",
+    handler: async ({ adapters, params }) => {
+      const data = await adapters.templates.get(params.slug);
+      if (!data) return notFound();
+      return ok(data);
+    },
+  },
+
+  {
+    method: "POST",
+    path: "/api/templates",
+    auth: "any",
+    handler: async ({ adapters, body }) => {
+      const { name, blocks } = body || {};
+      if (!name || !blocks) return badRequest("name and blocks required");
+      const slug = name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "");
+      await adapters.templates.put(slug, { name, blocks });
+      return ok({ ok: true, slug });
+    },
+  },
+
+  {
+    method: "DELETE",
+    path: "/api/templates/:slug",
+    auth: "admin",
+    handler: async ({ adapters, params }) => {
+      const okDel = await adapters.templates.delete(params.slug);
+      if (!okDel) return notFound();
+      return ok({ ok: true });
+    },
+  },
+
+  // ── Media ──────────────────────────────────────────────────────────────
+  {
+    method: "GET",
+    path: "/api/media/folders",
+    auth: "any",
+    handler: async ({ adapters }) => {
+      try {
+        return ok(await adapters.cdnMedia.listFolders());
+      } catch (err) {
+        return mediaError(err);
+      }
+    },
+  },
+
+  {
+    method: "GET",
+    path: "/api/media/folder/:folder",
+    auth: "any",
+    handler: async ({ adapters, params, query }) => {
+      try {
+        return ok(
+          await adapters.cdnMedia.listFolder(params.folder, {
+            page: parseInt(query.page) || 1,
+            perPage: parseInt(query.per_page) || 30,
+            search: query.search || "",
+          }),
+        );
+      } catch (err) {
+        return mediaError(err);
+      }
+    },
+  },
+
+  {
+    method: "POST",
+    path: "/api/media/upload",
+    auth: "any",
+    handler: async ({ adapters, body }) => {
+      try {
+        return ok(await adapters.cdnMedia.upload(body));
+      } catch (err) {
+        return mediaError(err);
+      }
+    },
+  },
+
+  // ── Publish ────────────────────────────────────────────────────────────
+  {
+    method: "POST",
+    path: "/api/publish",
+    auth: "admin",
+    handler: async ({ adapters }) => {
+      try {
+        return ok(await adapters.content.publish());
+      } catch (err) {
+        return { status: 500, json: { ok: false, message: err.message } };
+      }
+    },
+  },
+
+  {
+    method: "GET",
+    path: "/api/publish/status",
+    auth: "any",
+    handler: async ({ adapters }) => {
+      try {
+        return ok(await adapters.content.pendingChanges());
+      } catch (err) {
+        return { status: 500, json: { error: err.message } };
+      }
+    },
+  },
+
+  // ── Deploy ─────────────────────────────────────────────────────────────
+  {
+    method: "GET",
+    path: "/api/deploy/status",
+    auth: "any",
+    handler: async ({ adapters, query }) => {
+      if (!adapters.build.configured) return ok({ configured: false });
+      try {
+        return ok(
+          await adapters.build.getDeployStatus({ branch: query.branch, sha: query.sha }),
+        );
+      } catch (err) {
+        if (err.upstreamStatus) {
+          return { status: 502, json: { configured: true, error: err.message } };
+        }
+        return { status: 500, json: { configured: true, error: err.message } };
+      }
+    },
+  },
+];
+
+function mediaError(err) {
+  const status = err.upstreamStatus || 500;
+  return {
+    status: status >= 400 && status < 600 ? status : 502,
+    json: { error: err.message },
+  };
+}
+
+/**
+ * GitHub OAuth login/callback routes — runtime-agnostic since they only need
+ * the env-var lookup and header access provided via ctx.
+ */
+export const oauthRoutes = [
+  {
+    method: "GET",
+    path: "/admin/oauth/login",
+    auth: "public",
+    handler: ({ config, env, header, adapters }) => {
+      const clientId = env(config.auth.githubClientIdEnv || "GITHUB_CLIENT_ID");
+      const proto = header("x-forwarded-proto") || "https";
+      const host = header("host");
+      const callbackUrl = `${proto}://${host}/admin/oauth/callback`;
+      const params = new URLSearchParams({
+        client_id: clientId,
+        redirect_uri: callbackUrl,
+        scope: "read:user",
+        state: adapters.auth.issueOAuthState(),
+      });
+      return { redirect: `https://github.com/login/oauth/authorize?${params}` };
+    },
+  },
+  {
+    method: "GET",
+    path: "/admin/oauth/callback",
+    auth: "public",
+    handler: async ({ config, env, header, query, adapters }) => {
+      const { code, state } = query;
+      if (!code) return { status: 400, text: "Missing code" };
+      if (!state || !adapters.auth.verifyOAuthState(state)) {
+        return { status: 400, text: "Invalid or expired OAuth state" };
+      }
+
+      const clientId = env(config.auth.githubClientIdEnv || "GITHUB_CLIENT_ID");
+      const clientSecret = env(config.auth.githubClientSecretEnv || "GITHUB_CLIENT_SECRET");
+      const proto = header("x-forwarded-proto") || "https";
+      const host = header("host");
+      const callbackUrl = `${proto}://${host}/admin/oauth/callback`;
+
+      const tokenRes = await fetch("https://github.com/login/oauth/access_token", {
+        method: "POST",
+        headers: { Accept: "application/json", "Content-Type": "application/json" },
+        body: JSON.stringify({
+          client_id: clientId,
+          client_secret: clientSecret,
+          code,
+          redirect_uri: callbackUrl,
+        }),
+      });
+      const tokenData = await tokenRes.json();
+      if (!tokenData.access_token) {
+        return {
+          status: 401,
+          text: "GitHub OAuth failed: " + (tokenData.error_description || "unknown"),
+        };
+      }
+
+      const userRes = await fetch("https://api.github.com/user", {
+        headers: {
+          Authorization: `Bearer ${tokenData.access_token}`,
+          "User-Agent": "natilon-cms",
+        },
+      });
+      const user = await userRes.json();
+
+      const allowedLogins = config.auth.allowedLogins || [];
+      if (allowedLogins.length > 0 && !allowedLogins.includes(user.login)) {
+        return {
+          status: 403,
+          text: `GitHub user "${user.login}" is not authorised for this CMS.`,
+        };
+      }
+
+      const sessionToken = adapters.auth.issueSessionToken(
+        user.login,
+        user.name || user.login,
+      );
+      return { redirect: `/admin/?token=${encodeURIComponent(sessionToken)}` };
+    },
+  },
+];
+
+/** All routes both runtimes mount. OAuth is conditional on auth.provider. */
+export function allRoutes(config) {
+  const routes = [...apiRoutes];
+  if (config.auth?.provider === "github-oauth") routes.push(...oauthRoutes);
+  return routes;
+}