@setzkasten-cms/astro-admin 0.6.0 → 1.1.0

package/src/api-routes/auth-login.ts

@@ -1,87 +1,40 @@
 import type { APIRoute } from 'astro'
 import { createGitHubAuth } from '@setzkasten-cms/auth'
-import { createGoogleAuth } from '@setzkasten-cms/auth'
 
 /**
- * Login initiation – redirects the user to the chosen OAuth provider.
+ * Login initiation – redirects the user to GitHub OAuth.
+ * Google uses GIS (POST /api/setzkasten/auth/google) instead of this redirect flow.
  *
- * GET /api/setzkasten/auth/login?provider=github|google
+ * GET /api/setzkasten/auth/login?provider=github
  */
 export const GET: APIRoute = async ({ request, url, cookies, redirect }) => {
-  const provider = url.searchParams.get('provider') ?? 'github'
-
   const config = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
-    | { adminPath: string; hasGitHub: boolean; hasGoogle: boolean }
+    | { adminPath: string }
     | undefined
 
-  const adminPath = config?.adminPath ?? '/admin'
-
   // On Vercel, url.origin may resolve to localhost. Use the Host header instead.
   const host = request.headers.get('x-forwarded-host') ?? request.headers.get('host') ?? url.host
   const protocol = request.headers.get('x-forwarded-proto') ?? (url.protocol === 'https:' ? 'https' : 'http')
   const origin = `${protocol}://${host}`
   const redirectUri = `${origin}/api/setzkasten/auth/callback`
 
-  let loginUrl: string
-
-  if (provider === 'google') {
-    const googleClientId = import.meta.env.GOOGLE_CLIENT_ID ?? process.env.GOOGLE_CLIENT_ID ?? ''
-    const googleClientSecret = import.meta.env.GOOGLE_CLIENT_SECRET ?? process.env.GOOGLE_CLIENT_SECRET ?? ''
-
-    if (!googleClientId || !googleClientSecret) {
-      return new Response('Google OAuth not configured', { status: 500 })
-    }
-
-    const auth = createGoogleAuth({
-      clientId: googleClientId,
-      clientSecret: googleClientSecret,
-      redirectUri,
-    })
+  const ghClientId = import.meta.env.GITHUB_CLIENT_ID ?? process.env.GITHUB_CLIENT_ID ?? ''
+  const ghClientSecret = import.meta.env.GITHUB_CLIENT_SECRET ?? process.env.GITHUB_CLIENT_SECRET ?? ''
 
-    loginUrl = auth.getLoginUrl('google')
-
-    // Store the PKCE code verifier in a cookie for the callback
-    // Arctic generates it internally – we extract it from the URL
-    const urlObj = new URL(loginUrl)
-    const state = urlObj.searchParams.get('state')
-    if (state) {
-      cookies.set('setzkasten_oauth_state', JSON.stringify({ state, provider: 'google' }), {
-        httpOnly: true,
-        secure: true,
-        sameSite: 'lax',
-        path: '/',
-        maxAge: 600, // 10 min
-      })
-    }
-  } else {
-    // Default: GitHub
-    const ghClientId = import.meta.env.GITHUB_CLIENT_ID ?? process.env.GITHUB_CLIENT_ID ?? ''
-    const ghClientSecret = import.meta.env.GITHUB_CLIENT_SECRET ?? process.env.GITHUB_CLIENT_SECRET ?? ''
-
-    if (!ghClientId || !ghClientSecret) {
-      return new Response('GitHub OAuth not configured', { status: 500 })
-    }
-
-    const auth = createGitHubAuth({
-      clientId: ghClientId,
-      clientSecret: ghClientSecret,
-      redirectUri,
-    })
+  if (!ghClientId || !ghClientSecret) {
+    return new Response('GitHub OAuth not configured', { status: 500 })
+  }
 
-    loginUrl = auth.getLoginUrl('github')
+  const auth = createGitHubAuth({ clientId: ghClientId, clientSecret: ghClientSecret, redirectUri })
+  const { url: loginUrl, state } = auth.getLoginUrl()
 
-    const urlObj = new URL(loginUrl)
-    const state = urlObj.searchParams.get('state')
-    if (state) {
-      cookies.set('setzkasten_oauth_state', JSON.stringify({ state, provider: 'github' }), {
-        httpOnly: true,
-        secure: true,
-        sameSite: 'lax',
-        path: '/',
-        maxAge: 600,
-      })
-    }
-  }
+  cookies.set('setzkasten_oauth_state', JSON.stringify({ state, provider: 'github' }), {
+    httpOnly: true,
+    secure: true,
+    sameSite: 'lax',
+    path: '/',
+    maxAge: 600,
+  })
 
   return redirect(loginUrl)
 }

package/src/api-routes/auth-logout.ts

@@ -1,9 +1,13 @@
 import type { APIRoute } from 'astro'
+import { sessionCookieOptions } from './_session-cookie.js'
 
 /**
  * Logout – clears the session cookie and redirects to home.
+ * Mirrors the same `domain` attribute used when the cookie was set so the
+ * browser actually deletes it on subdomains in standalone-admin setups.
  */
 export const GET: APIRoute = async ({ cookies, redirect }) => {
-  cookies.delete('setzkasten_session', { path: '/' })
+  const opts = sessionCookieOptions(false)
+  cookies.delete('setzkasten_session', { path: '/', domain: opts.domain })
   return redirect('/')
 }

package/src/api-routes/auth-setzkasten-login.ts

@@ -0,0 +1,71 @@
+import type { APIRoute } from 'astro'
+import { verifyFirebaseJwt } from '@setzkasten-cms/auth'
+import { readEditorsFile } from './editors'
+import { readGlobalConfig } from './global-config'
+import { resolveStorageConfig } from './_storage-config'
+import { resolveConfigRepoToken } from './_github-token'
+import { sessionCookieOptions } from './_session-cookie.js'
+
+/**
+ * POST /api/setzkasten/auth/setzkasten-login
+ * Body: { idToken: string }  — Firebase ID token from signInWithPopup
+ *
+ * Verifies the Firebase JWT against Firebase's public JWKS (no secret needed).
+ * Access is gated exclusively by _editors.json (fail-closed).
+ *
+ * Editors live in the build-time-configured repo regardless of which website
+ * the request is targeting — in single-mode that's the website's repo, in
+ * multi-mode it's the config-repo. The per-request resolver and X-SK-Website
+ * header are intentionally NOT consulted here, because login predates any
+ * website selection.
+ */
+export const POST: APIRoute = async ({ request, cookies }) => {
+  const body = await request.json().catch(() => null)
+  const idToken = body?.idToken as string | undefined
+
+  if (!idToken) {
+    return new Response('Missing idToken', { status: 400 })
+  }
+
+  const storage = resolveStorageConfig()
+  if (!storage) {
+    return new Response('Storage not configured', { status: 500 })
+  }
+  const { owner, repo, branch } = storage
+  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
+    .__SETZKASTEN_CONFIG__
+  const contentPath: string = serverConfig?.storage?.contentPath ?? 'content'
+
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) {
+    return new Response(`GitHub token unavailable: ${tokenResult.error.message}`, { status: 503 })
+  }
+
+  // Verify that SetzKastenLogin is configured (firebaseConfig must exist in global config)
+  const globalCfg = await readGlobalConfig().catch(() => null)
+  if (!globalCfg?.firebaseConfig) {
+    return new Response('SetzKastenLogin not configured', { status: 500 })
+  }
+
+  // Read editors list — fail-closed: if unreadable, deny all logins
+  const editors = await readEditorsFile(owner, repo, branch, contentPath, tokenResult.value)
+  if (editors === null) {
+    return new Response('Editors list unavailable — no access granted', { status: 503 })
+  }
+
+  const allowedEmails = editors.map((e) => e.email)
+  const result = await verifyFirebaseJwt(idToken, allowedEmails)
+
+  if (!result.ok) {
+    return new Response(result.error.message, { status: 403 })
+  }
+
+  const session = result.value
+  cookies.set(
+    'setzkasten_session',
+    JSON.stringify({ user: session.user, expiresAt: session.expiresAt }),
+    sessionCookieOptions(import.meta.env.PROD),
+  )
+
+  return Response.json({ ok: true })
+}

package/src/api-routes/catalog-add.ts

@@ -1,8 +1,11 @@
 import type { APIRoute } from 'astro'
 import { registry } from '@setzkasten-cms/catalog'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { validateCatalogAddBody, buildCatalogAddCommit } from './catalog-helpers'
 import { generateAddKey, addToPageConfig } from './section-management'
+import { parseSession, guardPageAccess } from './_auth-guard'
+import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/catalog/add
@@ -17,8 +20,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as Record<string, unknown>
@@ -32,13 +38,17 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
     const { templateName, pageKey } = validated
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch, projectPrefix } = storage
 
     const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+    const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__
     const contentPath = (body.contentPath as string) || serverConfig?.storage?.contentPath || 'content'
 
+    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
+    if (denied) return denied
+
     const headers = {
       Authorization: `Bearer ${githubToken}`,
       Accept: 'application/vnd.github+json',
@@ -82,7 +92,10 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         { path: pageConfigPath, content: JSON.stringify(updatedConfig, null, 2) },
         { path: sectionJsonPath, content: JSON.stringify(template.defaultContent, null, 2) },
       ],
-      `content: add catalog template "${templateName}" as "${sectionKey}" to ${pageKey}`,
+      withTrailers(
+        `content: add catalog template "${templateName}" as "${sectionKey}" to ${pageKey}`,
+        parseSession(cookies.get('setzkasten_session')?.value)?.user?.email,
+      ),
       headers,
     )
 

package/src/api-routes/catalog-export.ts

@@ -1,6 +1,7 @@
 import type { APIRoute } from 'astro'
 import { exportTemplate } from '@setzkasten-cms/catalog'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/catalog/export
@@ -14,8 +15,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -30,7 +34,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'sectionKey is required' }, { status: 400 })
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch, projectPrefix } = storage
 

package/src/api-routes/config.ts

@@ -1,26 +1,38 @@
 import type { APIRoute } from 'astro'
+import { readGlobalConfig } from './global-config'
 
 /**
- * Returns the full SetzKastenConfig as JSON.
- * The config is injected into globalThis by the integration at build time.
- *
  * GET /api/setzkasten/config
+ *
+ * Returns the full SetzKastenConfig as JSON. Fields from GlobalConfig
+ * (stored in _global_config.json) are merged over the static config so
+ * admins can change theme and Firebase settings without a code deployment.
  */
 export const GET: APIRoute = async () => {
   const config = (globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ ?? {}
   const ssrConfig = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as Record<string, unknown> | undefined
 
+  const globalCfg = await readGlobalConfig().catch(() => null)
+
+  const staticTheme = (config as any).theme ?? {}
+  const globalTheme = globalCfg?.theme ?? {}
+
   const result = {
-    storage: { kind: 'github' },
+    // Default fallback when no config is injected at build time. Real
+    // values are spread from `config` below.
+    storage: { kind: 'local' },
     auth: { providers: ['github'] },
-    theme: {},
     products: {},
     collections: {},
     ...config,
+    // Global config theme overrides static config theme field by field
+    theme: { ...staticTheme, ...globalTheme },
     // Include storage params so the client can create ProxyContentRepository
     _storage: ssrConfig?.storage ?? undefined,
     _hasGitHub: ssrConfig?.hasGitHub ?? false,
     _hasGoogle: ssrConfig?.hasGoogle ?? false,
+    // SetzKastenLogin Firebase config (present only when license is valid)
+    _firebaseConfig: globalCfg?.firebaseConfig ?? null,
   }
 
   return new Response(JSON.stringify(result), {

package/src/api-routes/editors.ts

@@ -0,0 +1,205 @@
+import type { APIRoute } from 'astro'
+import { resolveStorageConfig } from './_storage-config'
+import { parseSession } from './_auth-guard'
+import { resolveConfigRepoToken } from './_github-token'
+import type { ContentEditorConfig } from '@setzkasten-cms/core'
+import { cachedFetch, invalidateCache } from './_github-cache'
+import { withTrailers } from './_commit-trailers'
+
+const EDITORS_FILE = (contentPath: string) => `${contentPath}/_editors.json`
+
+// In Multi-Mode editors are global across all websites and live in the
+// config-repo; in Single-Mode the config-repo IS the website-repo. Either
+// way the answer is "the build-time-configured storage" — never the
+// per-website storage that the X-SK-Website header would route to.
+function configRepoStorage(): { owner: string; repo: string; branch: string } | null {
+  const storage = resolveStorageConfig()
+  if (!storage) return null
+  return { owner: storage.owner, repo: storage.repo, branch: storage.branch }
+}
+
+// ---------------------------------------------------------------------------
+// GET /api/setzkasten/editors
+// Returns the current editors list from _editors.json.
+// Any authenticated user may read this (needed for the page-filter in the UI).
+// ---------------------------------------------------------------------------
+
+export const GET: APIRoute = async ({ cookies }) => {
+  const session = parseSession(cookies.get('setzkasten_session')?.value)
+  if (!session) return new Response('Unauthorized', { status: 401 })
+
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) return new Response('GitHub token not configured', { status: 500 })
+
+  const storage = configRepoStorage()
+  if (!storage) return Response.json({ error: 'Could not resolve storage config' }, { status: 400 })
+
+  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
+    .__SETZKASTEN_CONFIG__
+  const contentPath = serverConfig?.storage?.contentPath ?? 'content'
+  const { owner, repo, branch } = storage
+
+  const raw = await readEditorsFile(owner, repo, branch, contentPath, tokenResult.value)
+  return Response.json(raw ?? [])
+}
+
+// ---------------------------------------------------------------------------
+// PUT /api/setzkasten/editors
+// Replaces the editors list. Admin-only.
+// Body: ContentEditorConfig[]
+// ---------------------------------------------------------------------------
+
+export const PUT: APIRoute = async ({ request, cookies }) => {
+  const session = parseSession(cookies.get('setzkasten_session')?.value)
+  if (!session) return new Response('Unauthorized', { status: 401 })
+  if (session.user.role !== 'admin') return new Response('Forbidden', { status: 403 })
+
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) return new Response('GitHub token not configured', { status: 500 })
+
+  const storage = configRepoStorage()
+  if (!storage) return Response.json({ error: 'Could not resolve storage config' }, { status: 400 })
+
+  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
+    .__SETZKASTEN_CONFIG__
+  const contentPath = serverConfig?.storage?.contentPath ?? 'content'
+  const { owner, repo, branch } = storage
+
+  let editors: ContentEditorConfig[]
+  try {
+    editors = (await request.json()) as ContentEditorConfig[]
+    if (!Array.isArray(editors)) throw new Error('Expected array')
+  } catch {
+    return Response.json({ error: 'Invalid request body' }, { status: 400 })
+  }
+
+  const filePath = EDITORS_FILE(contentPath)
+  const fileContent = JSON.stringify(editors, null, 2)
+  const headers = {
+    Authorization: `Bearer ${tokenResult.value}`,
+    Accept: 'application/vnd.github+json',
+    'X-GitHub-Api-Version': '2022-11-28',
+    'Content-Type': 'application/json',
+  }
+
+  // Get current SHA if the file already exists (needed for updates)
+  const existing = await fetchFileSha(owner, repo, branch, filePath, headers)
+
+  const body: Record<string, unknown> = {
+    message: withTrailers('chore(editors): update content editor permissions'),
+    content: Buffer.from(fileContent).toString('base64'),
+    branch,
+  }
+  if (existing) body.sha = existing
+
+  const res = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}`,
+    { method: 'PUT', headers, body: JSON.stringify(body) },
+  )
+
+  if (!res.ok) {
+    const text = await res.text()
+    return Response.json({ error: `GitHub write failed: ${text}` }, { status: 502 })
+  }
+
+  invalidateCache(`editors:${owner}/${repo}:${branch}`)
+  return Response.json({ ok: true })
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+async function fetchFileSha(
+  owner: string,
+  repo: string,
+  branch: string,
+  path: string,
+  headers: Record<string, string>,
+): Promise<string | null> {
+  try {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
+      { headers },
+    )
+    if (!res.ok) return null
+    const data = await res.json() as { sha: string }
+    return data.sha ?? null
+  } catch { return null }
+}
+
+export async function readEditorsFile(
+  owner: string,
+  repo: string,
+  branch: string,
+  contentPath: string,
+  token: string,
+): Promise<ContentEditorConfig[] | null> {
+  const key = `editors:${owner}/${repo}:${branch}`
+  return cachedFetch(key, 2 * 60_000, async () => {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${EDITORS_FILE(contentPath)}?ref=${branch}`,
+      { headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json', 'X-GitHub-Api-Version': '2022-11-28' } },
+    )
+    if (!res.ok) return null
+    const data = await res.json() as { content: string; encoding: string }
+    const raw = data.encoding === 'base64' ? Buffer.from(data.content, 'base64').toString('utf-8') : data.content
+    return JSON.parse(raw) as ContentEditorConfig[]
+  })
+}
+
+/**
+ * Discriminated result for the editors-file fetch. Lets callers decide the
+ * fail-mode policy: the auth-guard wants to ALLOW when the file is genuinely
+ * absent (no restrictions configured) but DENY when the fetch errors out.
+ * The basic readEditorsFile() above returns null for both cases, which is
+ * unsafe for authorization checks.
+ *
+ * Caller is responsible for caching — this function never reads from or
+ * writes to the shared cache, because caching an "error" state would
+ * silently extend privilege-escalation windows.
+ */
+export type EditorsStatus =
+  | { kind: 'absent' }
+  | { kind: 'present'; editors: ContentEditorConfig[] }
+  | { kind: 'error'; message: string }
+
+export async function readEditorsFileStatus(
+  owner: string,
+  repo: string,
+  branch: string,
+  contentPath: string,
+  token: string,
+): Promise<EditorsStatus> {
+  let res: Response
+  try {
+    res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${EDITORS_FILE(contentPath)}?ref=${branch}`,
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: 'application/vnd.github+json',
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      },
+    )
+  } catch (err) {
+    return { kind: 'error', message: err instanceof Error ? err.message : 'network error' }
+  }
+
+  if (res.status === 404) return { kind: 'absent' }
+  if (!res.ok) {
+    return { kind: 'error', message: `GitHub returned ${res.status}` }
+  }
+
+  try {
+    const data = (await res.json()) as { content: string; encoding: string }
+    const raw =
+      data.encoding === 'base64'
+        ? Buffer.from(data.content, 'base64').toString('utf-8')
+        : data.content
+    return { kind: 'present', editors: JSON.parse(raw) as ContentEditorConfig[] }
+  } catch (err) {
+    return { kind: 'error', message: err instanceof Error ? err.message : 'parse error' }
+  }
+}

package/src/api-routes/github-proxy.ts

@@ -1,6 +1,7 @@
 import type { APIRoute } from 'astro'
 import { writeFile } from 'node:fs/promises'
 import { join } from 'node:path'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * Server-side proxy for GitHub API calls.
@@ -21,12 +22,11 @@ export const ALL: APIRoute = async ({ params, request, cookies }) => {
     return new Response('Missing path', { status: 400 })
   }
 
-  // GitHub App token from environment (never sent to client)
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-
-  if (!githubToken) {
-    return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
   }
+  const githubToken = tokenResult.value
 
   const githubUrl = `https://api.github.com/${githubPath}`