@natilon/cms-server 0.3.0 → 0.6.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@natilon/cms-server",
-  "version": "0.3.0",
+  "version": "0.6.0",
   "description": "Express-based CMS server with pluggable adapters for content, media, auth, and build.",
   "license": "MIT",
   "repository": {
@@ -35,7 +35,7 @@
     "bin"
   ],
   "dependencies": {
-    "@natilon/admin-ui": "^0.2.0",
+    "@natilon/admin-ui": ">=0.5.0",
     "express": "^4.21.0"
   },
   "peerDependencies": {

package/src/adapters/basic-auth.mjs

@@ -21,11 +21,28 @@ function safeEq(a, b) {
 export function createBasicAuth({
   user,
   pass,
+  users,
   jwtSecret,
   jwtTtl,
   realm = "Admin",
 }) {
-  const configured = Boolean(pass);
+  // Normalise: prefer `users` array, fall back to single user/pass pair.
+  // Each entry may use `pass` (plaintext) or `passEnv` (env var name).
+  const userList = (users?.length
+    ? users
+    : pass ? [{ user: user || "admin", pass, role: "admin" }] : []
+  ).map((entry) => ({
+    ...entry,
+    pass: entry.passEnv ? process.env[entry.passEnv] : entry.pass,
+  }));
+
+  const configured = userList.length > 0;
+
+  function findUser(u, p) {
+    return userList.find(
+      (entry) => safeEq(u, entry.user) && safeEq(p, entry.pass),
+    ) ?? null;
+  }
 
   function issueMediaToken(tenantId) {
     if (!jwtSecret) throw new Error("JWT_SECRET not set");
@@ -55,11 +72,13 @@ export function createBasicAuth({
         res.set("WWW-Authenticate", `Basic realm="${realm}"`);
         return res.status(401).send("Authentication required");
       }
-      const [u, p] = Buffer.from(auth.slice(6), "base64")
-        .toString()
-        .split(":");
-      if (safeEq(u, user) && safeEq(p, pass)) {
-        req.cmsUser = { login: user, role: "admin" };
+      const decoded = Buffer.from(auth.slice(6), "base64").toString();
+      const colon = decoded.indexOf(":");
+      const u = decoded.slice(0, colon);
+      const p = decoded.slice(colon + 1);
+      const entry = findUser(u, p);
+      if (entry) {
+        req.cmsUser = { login: entry.user, name: entry.name || entry.user, role: entry.role || "editor" };
         return next();
       }
       res.set("WWW-Authenticate", `Basic realm="${realm}"`);
@@ -68,14 +87,15 @@ export function createBasicAuth({
   }
 
   function verify(authHeader) {
-    if (!configured) return { login: user, role: "admin" };
+    if (!configured) return { login: "admin", role: "admin" };
     if (!authHeader?.startsWith("Basic ")) return null;
     const decoded = Buffer.from(authHeader.slice(6), "base64").toString();
     const colon = decoded.indexOf(":");
     const u = decoded.slice(0, colon);
     const p = decoded.slice(colon + 1);
-    if (safeEq(u, user) && safeEq(p, pass)) return { login: user, role: "admin" };
-    return null;
+    const entry = findUser(u, p);
+    if (!entry) return null;
+    return { login: entry.user, name: entry.name || entry.user, role: entry.role || "editor" };
   }
 
   return {

package/src/adapters/cloudflare-access.mjs

@@ -0,0 +1,140 @@
+/**
+ * Cloudflare Access auth adapter.
+ *
+ * Verifies the `Cf-Access-Jwt-Assertion` header (or `CF_Authorization` cookie)
+ * signed by your Cloudflare Access team using RS256. No third-party libraries —
+ * uses Node's built-in `crypto` module.
+ *
+ * cms.config.mjs:
+ *   auth: {
+ *     provider: "cloudflare-access",
+ *     teamDomain: "https://yourteam.cloudflareaccess.com",
+ *     audience:   "your-application-audience-tag",   // from Access app settings
+ *     roles: {                                        // optional: map email → role
+ *       "fatih@example.com": "admin",
+ *     },
+ *     defaultRole: "editor",                          // role when email not in roles map
+ *   }
+ */
+
+import crypto from "crypto";
+
+const JWKS_TTL_MS = 60 * 60 * 1000; // 1 hour
+
+/**
+ * @param {Object} opts
+ * @param {string} opts.teamDomain   e.g. "https://yourteam.cloudflareaccess.com"
+ * @param {string} opts.audience     Application Audience tag from Cloudflare Access
+ * @param {Object} [opts.roles]      { "email": "admin" | "editor" }
+ * @param {string} [opts.defaultRole]
+ */
+export function createCloudflareAccess({ teamDomain, audience, roles = {}, defaultRole = "editor" }) {
+  const domain = teamDomain.replace(/\/$/, "");
+  const certsUrl = `${domain}/cdn-cgi/access/certs`;
+
+  // JWKS cache
+  let jwksCache = null;
+  let jwksCachedAt = 0;
+
+  async function getJwks() {
+    if (jwksCache && Date.now() - jwksCachedAt < JWKS_TTL_MS) return jwksCache;
+    const res = await fetch(certsUrl);
+    if (!res.ok) throw new Error(`Failed to fetch Cloudflare Access JWKS: ${res.status}`);
+    jwksCache = await res.json();
+    jwksCachedAt = Date.now();
+    return jwksCache;
+  }
+
+  function base64urlDecode(str) {
+    return Buffer.from(str.replace(/-/g, "+").replace(/_/g, "/"), "base64");
+  }
+
+  function importPublicKey(jwk) {
+    // Cloudflare Access JWKS uses x5c (certificate chain) or n/e (RSA components).
+    if (jwk.x5c?.length) {
+      const pem = `-----BEGIN CERTIFICATE-----\n${jwk.x5c[0].match(/.{1,64}/g).join("\n")}\n-----END CERTIFICATE-----`;
+      return crypto.createPublicKey(pem);
+    }
+    if (jwk.n && jwk.e) {
+      return crypto.createPublicKey({ key: jwk, format: "jwk" });
+    }
+    throw new Error("Unsupported JWK format — no x5c or n/e fields");
+  }
+
+  async function verifyToken(token) {
+    const parts = token.split(".");
+    if (parts.length !== 3) throw new Error("Invalid JWT format");
+
+    const [headerB64, payloadB64, sigB64] = parts;
+    const header = JSON.parse(base64urlDecode(headerB64).toString());
+    const payload = JSON.parse(base64urlDecode(payloadB64).toString());
+
+    // Claim validation
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp && payload.exp < now) throw new Error("JWT expired");
+    if (payload.nbf && payload.nbf > now) throw new Error("JWT not yet valid");
+    if (payload.iss !== domain) throw new Error(`JWT issuer mismatch: ${payload.iss}`);
+    if (audience && payload.aud !== audience && !payload.aud?.includes?.(audience)) {
+      throw new Error("JWT audience mismatch");
+    }
+
+    // Signature verification
+    const jwks = await getJwks();
+    const jwk = jwks.keys?.find((k) => k.kid === header.kid) ?? jwks.keys?.[0];
+    if (!jwk) throw new Error("No matching JWK found");
+
+    const pubKey = importPublicKey(jwk);
+    const verify = crypto.createVerify("RSA-SHA256");
+    verify.update(`${headerB64}.${payloadB64}`);
+    const valid = verify.verify(pubKey, base64urlDecode(sigB64));
+    if (!valid) throw new Error("JWT signature invalid");
+
+    return payload;
+  }
+
+  function extractToken(req) {
+    const header = req.headers["cf-access-jwt-assertion"];
+    if (header) return header;
+    // Fall back to cookie
+    const cookie = req.headers.cookie || "";
+    const match = cookie.match(/(?:^|;\s*)CF_Authorization=([^;]+)/);
+    return match ? match[1] : null;
+  }
+
+  function resolveUser(payload) {
+    const email = payload.email || payload.sub;
+    const role = roles[email] ?? defaultRole;
+    return { login: email, name: email, role };
+  }
+
+  function middlewareWith(allowlist) {
+    return async (req, res, next) => {
+      if (allowlist && allowlist(req)) return next();
+      const token = extractToken(req);
+      if (!token) {
+        return res.status(401).json({ error: "Cloudflare Access token required" });
+      }
+      try {
+        const payload = await verifyToken(token);
+        req.cmsUser = resolveUser(payload);
+        return next();
+      } catch (err) {
+        return res.status(401).json({ error: `Access denied: ${err.message}` });
+      }
+    };
+  }
+
+  async function verify(authHeader) {
+    // authHeader unused — Cloudflare Access uses its own header/cookie
+    return null;
+  }
+
+  return {
+    configured: Boolean(teamDomain && audience),
+    middleware: middlewareWith(null),
+    middlewareWith,
+    verify,
+    // issueMediaToken not supported for Cloudflare Access — use Cloudflare's own CDN auth
+    issueMediaToken: () => { throw new Error("issueMediaToken not supported for cloudflare-access"); },
+  };
+}

package/src/adapters/index.mjs

@@ -6,5 +6,6 @@ export { createLocalAssetsMedia } from "./local-assets-media.mjs";
 export { createCdnProxyMedia } from "./cdn-proxy-media.mjs";
 export { createBasicAuth } from "./basic-auth.mjs";
 export { createGitHubOAuth } from "./github-oauth.mjs";
+export { createCloudflareAccess } from "./cloudflare-access.mjs";
 export { createNetlifyBuild } from "./build-netlify.mjs";
 export { createMediaUrl } from "./media-url.mjs";

package/src/locks.mjs

@@ -0,0 +1,64 @@
+/**
+ * In-memory content lock store.
+ *
+ * A lock is keyed by "collection/file" and holds the user who acquired it
+ * plus an expiry timestamp. Clients must send a heartbeat every ~30 s;
+ * locks that go 60 s without a heartbeat are considered stale and released
+ * automatically.
+ */
+
+const LOCK_TTL_MS = 60_000;
+
+/** @type {Map<string, { user: string, name: string, expiresAt: number }>} */
+const locks = new Map();
+
+function key(collection, file) {
+  return `${collection}/${file}`;
+}
+
+function pruneExpired() {
+  const now = Date.now();
+  for (const [k, lock] of locks) {
+    if (lock.expiresAt <= now) locks.delete(k);
+  }
+}
+
+/**
+ * Try to acquire (or renew) a lock.
+ * Returns `{ ok: true, lock }` on success, `{ ok: false, lock }` if held by
+ * someone else.
+ */
+export function acquireLock(collection, file, userLogin, userName) {
+  pruneExpired();
+  const k = key(collection, file);
+  const existing = locks.get(k);
+  if (existing && existing.user !== userLogin) {
+    return { ok: false, lock: existing };
+  }
+  const lock = { user: userLogin, name: userName || userLogin, expiresAt: Date.now() + LOCK_TTL_MS };
+  locks.set(k, lock);
+  return { ok: true, lock };
+}
+
+/** Renew an existing lock. Returns false if not held by this user. */
+export function renewLock(collection, file, userLogin) {
+  pruneExpired();
+  const k = key(collection, file);
+  const existing = locks.get(k);
+  if (!existing || existing.user !== userLogin) return false;
+  existing.expiresAt = Date.now() + LOCK_TTL_MS;
+  return true;
+}
+
+/** Release a lock. No-op if not held or held by someone else. */
+export function releaseLock(collection, file, userLogin) {
+  const k = key(collection, file);
+  const existing = locks.get(k);
+  if (existing && existing.user === userLogin) locks.delete(k);
+}
+
+/** Check who holds a lock, or null if free. */
+export function getLock(collection, file) {
+  pruneExpired();
+  return locks.get(key(collection, file)) ?? null;
+}

package/src/routes.mjs

@@ -24,6 +24,8 @@
  */
 
 
+import { acquireLock, renewLock, releaseLock, getLock } from "./locks.mjs";
+
 function ok(json) {
   return { json };
 }
@@ -87,7 +89,12 @@ export const apiRoutes = [
     method: "PUT",
     path: "/api/collections/:collection/:file",
     auth: "any",
-    handler: async ({ adapters, params, body }) => {
+    handler: async ({ adapters, params, body, user }) => {
+      const login = user?.login || "admin";
+      const held = getLock(params.collection, params.file);
+      if (held && held.user !== login) {
+        return { status: 423, json: { error: `Locked by ${held.name}` } };
+      }
       await adapters.content.writePage(params.collection, params.file, body);
       return ok({ ok: true });
     },
@@ -125,6 +132,44 @@ export const apiRoutes = [
     },
   },
 
+  // ── Locks ──────────────────────────────────────────────────────────────
+  {
+    method: "POST",
+    path: "/api/locks/:collection/:file",
+    auth: "any",
+    handler: ({ params, user }) => {
+      const login = user?.login || "admin";
+      const name = user?.name || login;
+      const result = acquireLock(params.collection, params.file, login, name);
+      if (!result.ok) {
+        return { status: 423, json: { error: `Locked by ${result.lock.name}`, lock: result.lock } };
+      }
+      return ok({ ok: true, lock: result.lock });
+    },
+  },
+
+  {
+    method: "PUT",
+    path: "/api/locks/:collection/:file",
+    auth: "any",
+    handler: ({ params, user }) => {
+      const login = user?.login || "admin";
+      const renewed = renewLock(params.collection, params.file, login);
+      if (!renewed) return { status: 409, json: { error: "Lock not held" } };
+      return ok({ ok: true });
+    },
+  },
+
+  {
+    method: "DELETE",
+    path: "/api/locks/:collection/:file",
+    auth: "any",
+    handler: ({ params, user }) => {
+      releaseLock(params.collection, params.file, user?.login || "admin");
+      return ok({ ok: true });
+    },
+  },
+
   // ── History ────────────────────────────────────────────────────────────
   {
     method: "GET",

package/src/server.mjs

@@ -12,6 +12,7 @@ import {
   createCdnProxyMedia,
   createBasicAuth,
   createGitHubOAuth,
+  createCloudflareAccess,
   createNetlifyBuild,
   createFsTemplates,
   createGitHubTemplates,
@@ -61,13 +62,21 @@ export function createCmsServer({ config, rootDir, publicConfig: publicConfigFn,
           jwtTtl: config.auth.jwtTtl,
           realm,
         })
-      : createBasicAuth({
-          user: process.env[config.auth.userEnv] || "admin",
-          pass: process.env[config.auth.passEnv],
-          jwtSecret: process.env[config.auth.jwtSecretEnv],
-          jwtTtl: config.auth.jwtTtl,
-          realm,
-        });
+      : config.auth?.provider === "cloudflare-access"
+        ? createCloudflareAccess({
+            teamDomain: config.auth.teamDomain,
+            audience: config.auth.audience,
+            roles: config.auth.roles || {},
+            defaultRole: config.auth.defaultRole || "editor",
+          })
+        : createBasicAuth({
+            user: process.env[config.auth.userEnv] || "admin",
+            pass: process.env[config.auth.passEnv],
+            users: config.auth.users,
+            jwtSecret: process.env[config.auth.jwtSecretEnv],
+            jwtTtl: config.auth.jwtTtl,
+            realm,
+          });
 
   const cdnMedia = createCdnProxyMedia({
     baseUrl: config.media.cdnBase,