@setzkasten-cms/astro-admin 0.6.0 → 1.1.0

package/src/api-routes/_storage-config.ts

@@ -1,8 +1,23 @@
 /**
- * Resolve storage config from all available sources:
- * 1. Request body (explicit override)
- * 2. __SETZKASTEN_STORAGE__ (Vite define, embedded at build time — works everywhere)
- * 3. globalThis.__SETZKASTEN_CONFIG__ (injectScript, only works for rendered pages)
+ * Storage resolution helpers for admin API routes.
+ *
+ * Two entry points:
+ *
+ * - {@link resolveStorageConfigForRequest} (default for content routes) —
+ *   resolves the **active website** for a request. In single mode this
+ *   is always the integration's website; in multi mode it is the website
+ *   selected by the X-SK-Website header.
+ *
+ * - {@link resolveStorageConfig} (build-time only, used by auth-guard
+ *   for the editors file) — returns the integration's build-time storage
+ *   target. In single mode this is the website repo; in multi mode it
+ *   is the config repo (where `_editors.json` lives next to
+ *   `websites.json`).
+ *
+ * The lookup chain inside `resolveStorageConfig`:
+ * 1. Request body override (explicit `{ owner, repo, branch }` payload)
+ * 2. `__SETZKASTEN_STORAGE__` Vite define (embedded at build time)
+ * 3. `globalThis.__SETZKASTEN_CONFIG__` (injectScript, SSR-only fallback)
  */
 
 declare const __SETZKASTEN_STORAGE__: {
@@ -23,6 +38,13 @@ export interface StorageConfig {
   projectPrefix: string
 }
 
+/**
+ * Returns the integration's build-time storage target. Used by the
+ * auth-guard to read the editors file (which lives next to the build-
+ * time storage in both single and multi mode) and by tests that want
+ * to bypass the per-request resolver. Most content routes should use
+ * {@link resolveStorageConfigForRequest} instead.
+ */
 export function resolveStorageConfig(body?: {
   owner?: string
   repo?: string
@@ -52,3 +74,41 @@ export function prefixPath(filePath: string, projectPrefix: string): string {
   if (!projectPrefix) return filePath
   return `${projectPrefix}/${filePath}`
 }
+
+/**
+ * Standalone-aware variant: resolves storage from the active website
+ * (X-SK-Website header → WebsitesRegistry) before falling back to the
+ * single-repo build-time configuration.
+ *
+ * Body overrides still win over both — useful for routes that take an
+ * explicit `{ owner, repo, branch }` payload.
+ */
+export async function resolveStorageConfigForRequest(
+  request: Request,
+  body?: { owner?: string; repo?: string; branch?: string },
+): Promise<StorageConfig | null> {
+  if (body?.owner && body.repo) {
+    return {
+      owner: body.owner,
+      repo: body.repo,
+      branch: body.branch ?? 'main',
+      projectPrefix: '',
+    }
+  }
+
+  const { resolveCurrentWebsite } = await import('./_website-resolver.js')
+  const resolved = await resolveCurrentWebsite(request)
+  if (resolved.ok) {
+    const [owner, repo] = resolved.value.repo.split('/')
+    if (owner && repo) {
+      return {
+        owner,
+        repo,
+        branch: resolved.value.branch,
+        projectPrefix: '',
+      }
+    }
+  }
+
+  return resolveStorageConfig(body)
+}

package/src/api-routes/_vercel-origin.ts

@@ -0,0 +1,22 @@
+/**
+ * Derives the real public origin on Vercel (and any reverse-proxy setup).
+ *
+ * Problem: Inside a Vercel serverless function, both `request.url` and
+ * Astro's `url` context resolve to the internal function host
+ * (e.g. "https://localhost"), not the public hostname.
+ *
+ * Solution: Read the x-forwarded-host and x-forwarded-proto headers that
+ * Vercel's edge layer sets on every inbound request.
+ *
+ * Falls back gracefully to the `host` header and `https` for local dev
+ * or non-Vercel environments.
+ */
+export function getPublicOrigin(request: Request): string {
+  const host =
+    request.headers.get('x-forwarded-host') ??
+    request.headers.get('host') ??
+    'localhost'
+  const proto =
+    request.headers.get('x-forwarded-proto')?.split(',')[0]?.trim() ?? 'https'
+  return `${proto}://${host}`
+}

package/src/api-routes/_website-resolver.ts

@@ -0,0 +1,243 @@
+import {
+  type Result,
+  type WebsiteEntry,
+  type WebsitesRegistryProvider,
+  err,
+  notFoundError,
+  ok,
+  validationError,
+} from '@setzkasten-cms/core'
+import { GitHubAppClient, GitHubWebsitesRegistry } from '@setzkasten-cms/github-adapter'
+
+/**
+ * Per-request resolver for the active website.
+ *
+ * Standalone mode: looks up the entry matching the X-SK-Website request
+ * header in the websites registry (config-repo).
+ *
+ * Single-repo mode (backward compat): returns a synthesized WebsiteEntry
+ * built from the integration's build-time storage + GitHub-App ENV vars.
+ * The header is ignored.
+ */
+
+interface MultiState {
+  readonly mode: 'multi'
+  readonly registry: WebsitesRegistryProvider
+}
+
+interface SingleRepoState {
+  readonly mode: 'single'
+  readonly synthesized: WebsiteEntry
+}
+
+type ResolverState = MultiState | SingleRepoState | null
+
+let state: ResolverState = null
+
+/** Test/admin hook: install or clear the resolver state. */
+export function __resetWebsiteResolverForTests(next: ResolverState): void {
+  state = next
+}
+
+/**
+ * Configure the resolver state explicitly. Currently only the test suite
+ * uses this — production wiring runs lazily through
+ * {@link bootstrapResolverFromGlobals} on the first request, since the
+ * Astro integration doesn't have an obvious "initialize once" hook
+ * (`astro:server:start` runs in dev only). The export stays available so
+ * a future integration-startup wire-up has a typed entry point.
+ */
+export function configureWebsiteResolver(next: ResolverState): void {
+  state = next
+}
+
+interface FullConfig {
+  storage?:
+    | {
+        // 'single' is canonical; 'github-app' is the legacy alias.
+        kind: 'single' | 'github-app' | 'local'
+        repo?: string
+        appId?: string
+        installationId?: string
+      }
+    | {
+        // 'multi' is canonical; 'standalone' is the legacy alias.
+        kind: 'multi' | 'standalone'
+        configRepo: string
+        configBranch?: string
+        appId: string
+        installationId: string
+      }
+}
+
+function isMultiKind(kind: unknown): boolean {
+  return kind === 'multi' || kind === 'standalone'
+}
+
+interface BuildTimeStorage {
+  owner: string
+  repo: string
+  branch: string
+}
+
+// Vite define-injected literals. The integration (`packages/astro/src/
+// integration.ts`) sets them via the build-time Vite define plugin, so by
+// the time this code runs in a compiled API route the literals are
+// substituted with their JSON values. globalThis-style reads break on
+// cold-start serverless functions because the integration's
+// page-ssr injectScript only fires for SSR pages, never for API-only
+// invocations.
+declare const __SETZKASTEN_FULL_CONFIG__: FullConfig | null | undefined
+declare const __SETZKASTEN_STORAGE__: BuildTimeStorage | null | undefined
+declare const __SETZKASTEN_WEBSITE_URL__: string | undefined
+
+/**
+ * Lazy bootstrap from build-time globals. Reads `__SETZKASTEN_FULL_CONFIG__`
+ * and `__SETZKASTEN_STORAGE__` (set by the Astro integration via Vite
+ * define — literals only, NOT globalThis) to derive single-repo or
+ * standalone state. Idempotent — does nothing if the resolver is already
+ * configured.
+ */
+export function bootstrapResolverFromGlobals(): void {
+  if (state !== null) return
+
+  const fullConfig =
+    (typeof __SETZKASTEN_FULL_CONFIG__ !== 'undefined' ? __SETZKASTEN_FULL_CONFIG__ : null) ??
+    ((globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ as
+      | FullConfig
+      | undefined)
+  const buildStorage =
+    (typeof __SETZKASTEN_STORAGE__ !== 'undefined' ? __SETZKASTEN_STORAGE__ : null) ??
+    ((globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ as
+      | BuildTimeStorage
+      | undefined)
+
+  const storageKind = fullConfig?.storage?.kind
+  if (isMultiKind(storageKind)) {
+    const standalone = fullConfig?.storage as {
+      kind: 'multi' | 'standalone'
+      configRepo: string
+      configBranch?: string
+      appId: string
+      installationId: string
+    }
+    const privateKey = process.env.GITHUB_APP_PRIVATE_KEY
+    if (!privateKey) {
+      // Without the private key the resolver can't mint installation tokens;
+      // every Multi-Mode request would 400 with a confusing "X-SK-Website
+      // header missing" message instead of the actual root cause.
+      console.error(
+        '[setzkasten] Multi-mode resolver bootstrap failed: GITHUB_APP_PRIVATE_KEY is not set in env. ' +
+          'Set it on the standalone-admin deployment so the registry can be loaded.',
+      )
+      return
+    }
+    const [owner, repo] = standalone.configRepo.split('/')
+    if (!owner || !repo) {
+      console.error(
+        `[setzkasten] Multi-mode resolver bootstrap failed: storage.configRepo "${standalone.configRepo}" is not in "owner/repo" form.`,
+      )
+      return
+    }
+
+    const client = new GitHubAppClient(
+      { appId: standalone.appId, installationId: standalone.installationId, privateKey },
+      { owner, repo, branch: standalone.configBranch ?? 'main' },
+    )
+    const registry = new GitHubWebsitesRegistry({
+      reader: { read: (path) => client.getFileContent(path) },
+      path: 'websites.json',
+      ttlMs: 60_000,
+    })
+    state = { mode: 'multi', registry }
+    return
+  }
+
+  if (!buildStorage) return
+
+  const appId = process.env.GITHUB_APP_ID ?? ''
+  const installationId = process.env.GITHUB_APP_INSTALLATION_ID ?? ''
+  // Source of truth: __SETZKASTEN_WEBSITE_URL__ Vite define (mirrors
+  // astro.config.mjs#site, dev-server origin in dev) — same value the
+  // updater registers licenses with. As a Vite literal it survives
+  // cold-start API-only function invocations (unlike __SETZKASTEN_CONFIG__
+  // which is only set via injectScript on page-ssr renders).
+  // PUBLIC_SITE_URL stays as an escape hatch for setups without `site:`.
+  const websiteUrlLiteral =
+    typeof __SETZKASTEN_WEBSITE_URL__ !== 'undefined' ? __SETZKASTEN_WEBSITE_URL__ : ''
+  const previewOrigin =
+    websiteUrlLiteral ||
+    process.env.PUBLIC_SITE_URL ||
+    'http://localhost:4321'
+
+  state = {
+    mode: 'single',
+    synthesized: {
+      id: 'default',
+      name: buildStorage.repo,
+      repo: `${buildStorage.owner}/${buildStorage.repo}`,
+      branch: buildStorage.branch,
+      previewOrigin,
+      githubApp: { appId, installationId },
+    },
+  }
+}
+
+const HEADER = 'x-sk-website'
+
+export async function resolveCurrentWebsite(request: Request): Promise<Result<WebsiteEntry>> {
+  if (state === null) bootstrapResolverFromGlobals()
+  if (state === null) {
+    return err(
+      validationError(
+        ['websiteResolver'],
+        'not-configured',
+        'Website resolver not configured — call configureWebsiteResolver() at integration startup.',
+      ),
+    )
+  }
+
+  if (state.mode === 'single') {
+    return ok(state.synthesized)
+  }
+
+  const requested = request.headers.get(HEADER)?.trim() ?? ''
+
+  if (!requested) {
+    const list = await state.registry.list()
+    if (!list.ok) return list
+
+    const sole = list.value.length === 1 ? list.value[0] : undefined
+    if (sole) return ok(sole)
+
+    return err(
+      validationError(
+        [HEADER],
+        'required',
+        'Standalone mode requires the X-SK-Website request header (registry has multiple entries).',
+      ),
+    )
+  }
+
+  const found = await state.registry.get(requested)
+  if (!found.ok) return found
+  if (!found.value) return err(notFoundError(`website:${requested}`))
+
+  return ok(found.value)
+}
+
+/**
+ * Lists all websites known to the resolver.
+ * Standalone mode: defers to the registry. Single-repo mode: returns the
+ * synthesized entry as a one-element list.
+ */
+export async function listAllWebsites(): Promise<Result<readonly WebsiteEntry[]>> {
+  if (state === null) bootstrapResolverFromGlobals()
+  if (state === null) {
+    return err(
+      validationError(['websiteResolver'], 'not-configured', 'Website resolver not configured.'),
+    )
+  }
+  if (state.mode === 'single') return ok([state.synthesized])
+  return state.registry.list()
+}

package/src/api-routes/_websites-store.ts

@@ -0,0 +1,120 @@
+/**
+ * Read/write the standalone admin's `websites.json` from the config repo.
+ * Pure HTTP — no caching here; the GitHub-side cache lives in
+ * GitHubWebsitesRegistry, which API routes invalidate explicitly after a
+ * successful write.
+ */
+
+import {
+  type Result,
+  type WebsitesRegistry,
+  err,
+  networkError,
+  ok,
+  parseWebsitesRegistry,
+} from '@setzkasten-cms/core'
+import { withTrailers } from './_commit-trailers'
+
+interface ConfigRepoTarget {
+  readonly owner: string
+  readonly repo: string
+  readonly branch: string
+  readonly path: string
+  readonly token: string
+}
+
+interface ReadResult {
+  readonly registry: WebsitesRegistry
+  readonly sha: string | null
+}
+
+const githubHeaders = (token: string) => ({
+  Authorization: `Bearer ${token}`,
+  Accept: 'application/vnd.github+json',
+  'X-GitHub-Api-Version': '2022-11-28',
+  'Content-Type': 'application/json',
+})
+
+export async function readWebsitesRegistryFromGitHub(
+  target: ConfigRepoTarget,
+): Promise<Result<ReadResult>> {
+  try {
+    const url = `https://api.github.com/repos/${target.owner}/${target.repo}/contents/${target.path}?ref=${target.branch}`
+    const response = await fetch(url, { headers: githubHeaders(target.token) })
+
+    if (response.status === 404) {
+      return ok({ registry: { websites: [] }, sha: null })
+    }
+    if (!response.ok) {
+      return err(networkError(`GitHub returned ${response.status} reading ${target.path}`))
+    }
+
+    const data = (await response.json()) as { content: string; sha: string }
+    const decoded = Buffer.from(data.content, 'base64').toString('utf-8')
+    const parsed = parseWebsitesRegistry(decoded)
+    if (!parsed.ok) return parsed
+
+    return ok({ registry: parsed.value, sha: data.sha })
+  } catch (cause) {
+    const message = cause instanceof Error ? cause.message : 'Unknown error'
+    return err(networkError(`Failed to read ${target.path}: ${message}`, cause))
+  }
+}
+
+export async function writeWebsitesRegistryToGitHub(
+  target: ConfigRepoTarget,
+  registry: WebsitesRegistry,
+  previousSha: string | null,
+  commitMessage: string,
+): Promise<Result<void>> {
+  const body: Record<string, unknown> = {
+    message: withTrailers(commitMessage),
+    content: Buffer.from(JSON.stringify(registry, null, 2)).toString('base64'),
+    branch: target.branch,
+  }
+  if (previousSha) body.sha = previousSha
+
+  try {
+    const response = await fetch(
+      `https://api.github.com/repos/${target.owner}/${target.repo}/contents/${target.path}`,
+      { method: 'PUT', headers: githubHeaders(target.token), body: JSON.stringify(body) },
+    )
+
+    if (!response.ok) {
+      const text = await response.text()
+      return err(networkError(`GitHub PUT failed: ${response.status} ${text}`))
+    }
+    return ok(undefined)
+  } catch (cause) {
+    const message = cause instanceof Error ? cause.message : 'Unknown error'
+    return err(networkError(`Failed to write ${target.path}: ${message}`, cause))
+  }
+}
+
+/**
+ * Reads the standalone-admin storage config out of the build-time
+ * `__SETZKASTEN_FULL_CONFIG__` global. Returns null when the deployment
+ * is not in standalone mode (single-repo setups have no websites.json).
+ */
+export function resolveConfigRepoTargetFromGlobals(token: string): ConfigRepoTarget | null {
+  const fullConfig = (globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ as
+    | { storage?: { kind: string; configRepo?: string; configBranch?: string } }
+    | undefined
+
+  // Accept the canonical 'multi' as well as the legacy 'standalone' alias.
+  // defineConfig() rewrites legacy values, but tests and direct setters of
+  // __SETZKASTEN_FULL_CONFIG__ may pass either form.
+  const storage = fullConfig?.storage
+  if (!storage || (storage.kind !== 'multi' && storage.kind !== 'standalone')) return null
+  if (!storage.configRepo) return null
+  const [owner, repo] = storage.configRepo.split('/')
+  if (!owner || !repo) return null
+
+  return {
+    owner,
+    repo,
+    branch: storage.configBranch ?? 'main',
+    path: 'websites.json',
+    token,
+  }
+}

package/src/api-routes/asset-proxy.ts

@@ -1,4 +1,5 @@
 import type { APIRoute } from 'astro'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * Asset proxy – serves images from the private GitHub repo.
@@ -7,7 +8,7 @@ import type { APIRoute } from 'astro'
  * GET /api/setzkasten/asset/public/images/about/LP_Logo.png
  * → fetches from GitHub API and returns the raw binary with correct Content-Type.
  */
-export const GET: APIRoute = async ({ params, cookies }) => {
+export const GET: APIRoute = async ({ params, request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) {
     return new Response('Unauthorized', { status: 401 })
@@ -18,10 +19,11 @@ export const GET: APIRoute = async ({ params, cookies }) => {
     return new Response('Missing path', { status: 400 })
   }
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) {
-    return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
   }
+  const githubToken = tokenResult.value
 
   const config = (globalThis as any).__SETZKASTEN_CONFIG__
   if (!config?.storage) {

package/src/api-routes/auth-callback.ts

@@ -1,11 +1,10 @@
 import type { APIRoute } from 'astro'
 import { createGitHubAuth } from '@setzkasten-cms/auth'
-import { createGoogleAuth } from '@setzkasten-cms/auth'
+import { sessionCookieOptions } from './_session-cookie.js'
 
 /**
- * OAuth callback handler.
- * Receives the authorization code from GitHub/Google, exchanges it for a
- * session via the auth adapter, and sets a signed session cookie.
+ * GitHub OAuth callback handler.
+ * Google uses the GIS flow (POST /api/setzkasten/auth/google) — no callback needed there.
  */
 export const GET: APIRoute = async ({ request, url, cookies, redirect }) => {
   const code = url.searchParams.get('code')
@@ -15,91 +14,60 @@ export const GET: APIRoute = async ({ request, url, cookies, redirect }) => {
     return new Response('Missing authorization code', { status: 400 })
   }
 
-  // Parse stored state (may contain provider info)
   const storedRaw = cookies.get('setzkasten_oauth_state')?.value
   let storedState: string | undefined
-  let provider = 'github'
+
   if (storedRaw) {
     try {
-      const parsed = JSON.parse(storedRaw)
-      storedState = parsed.state
-      provider = parsed.provider ?? 'github'
+      storedState = JSON.parse(storedRaw).state
     } catch {
       storedState = storedRaw
     }
   }
 
-  // CSRF: verify state matches stored state
-  if (state && storedState && state !== storedState) {
+  if (!storedState || state !== storedState) {
     return new Response('Invalid state parameter', { status: 400 })
   }
 
-  // Clear the state cookie
   cookies.delete('setzkasten_oauth_state', { path: '/' })
 
   const config = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
     | { adminPath: string }
     | undefined
-
   const adminPath = config?.adminPath ?? '/admin'
 
-  // On Vercel, url.origin may resolve to localhost. Use the Host header instead.
   const host = request.headers.get('x-forwarded-host') ?? request.headers.get('host') ?? url.host
   const protocol = request.headers.get('x-forwarded-proto') ?? (url.protocol === 'https:' ? 'https' : 'http')
-  const origin = `${protocol}://${host}`
-  const redirectUri = `${origin}/api/setzkasten/auth/callback`
+  const redirectUri = `${protocol}://${host}/api/setzkasten/auth/callback`
 
-  // Read allowed emails from env (comma-separated)
   const allowedEmailsRaw = import.meta.env.SETZKASTEN_ALLOWED_EMAILS ?? process.env.SETZKASTEN_ALLOWED_EMAILS ?? ''
   const allowedEmails = allowedEmailsRaw
     ? allowedEmailsRaw.split(',').map((e: string) => e.trim())
     : undefined
 
-  try {
-    let sessionResult
+  const auth = createGitHubAuth({
+    clientId: import.meta.env.GITHUB_CLIENT_ID ?? process.env.GITHUB_CLIENT_ID ?? '',
+    clientSecret: import.meta.env.GITHUB_CLIENT_SECRET ?? process.env.GITHUB_CLIENT_SECRET ?? '',
+    redirectUri,
+    allowedEmails,
+  })
 
-    if (provider === 'google') {
-      const auth = createGoogleAuth({
-        clientId: import.meta.env.GOOGLE_CLIENT_ID ?? process.env.GOOGLE_CLIENT_ID ?? '',
-        clientSecret: import.meta.env.GOOGLE_CLIENT_SECRET ?? process.env.GOOGLE_CLIENT_SECRET ?? '',
-        redirectUri,
-        allowedEmails,
-      })
-      sessionResult = await auth.handleCallback(code, 'google')
-    } else {
-      const auth = createGitHubAuth({
-        clientId: import.meta.env.GITHUB_CLIENT_ID ?? process.env.GITHUB_CLIENT_ID ?? '',
-        clientSecret: import.meta.env.GITHUB_CLIENT_SECRET ?? process.env.GITHUB_CLIENT_SECRET ?? '',
-        redirectUri,
-        allowedEmails,
-      })
-      sessionResult = await auth.handleCallback(code, 'github')
-    }
+  try {
+    const sessionResult = await auth.handleCallback(code)
 
     if (!sessionResult.ok) {
-      console.error('[setzkasten] Auth failed:', sessionResult.error.message)
       return new Response(`Authentication failed: ${sessionResult.error.message}`, { status: 403 })
     }
 
     const session = sessionResult.value
-
-    // Set session cookie with user info (HMAC-signed in production)
-    const sessionPayload = JSON.stringify({
-      user: session.user,
-      expiresAt: session.expiresAt,
-    })
-
-    cookies.set('setzkasten_session', sessionPayload, {
-      httpOnly: true,
-      secure: import.meta.env.PROD,
-      sameSite: 'lax',
-      path: '/',
-      maxAge: 60 * 60 * 24 * 7, // 7 days
-    })
+    cookies.set(
+      'setzkasten_session',
+      JSON.stringify({ user: session.user, expiresAt: session.expiresAt }),
+      sessionCookieOptions(import.meta.env.PROD),
+    )
 
     return redirect(adminPath)
-  } catch (error) {
-    console.error('[setzkasten] Auth callback error:', error)
+  } catch {
     return new Response('Authentication failed', { status: 500 })
   }
 }