@setzkasten-cms/astro-admin 0.6.0

package/src/api-routes/__tests__/scan-page-helpers.test.ts

@@ -0,0 +1,162 @@
+/**
+ * Tests for the pure helper logic in init-scan-page.ts
+ *
+ * The route handler itself requires GitHub API + session auth. We test
+ * the extractable pure functions directly:
+ *
+ *   1. pageKey normalisation (pagePath → sectionKey)
+ *      The `_page_` prefix and `/` → `_` substitution must be correct,
+ *      because the sectionKey is used to look up content JSON files.
+ *      Wrong key = 404 in content API.
+ *
+ *   2. extractLayoutRegions()
+ *      Extracts <header> and <footer> from a layout file. Used to
+ *      surface global nav/footer as editable sections in the admin.
+ */
+
+import { describe, it, expect } from 'vitest'
+import { extractLayoutRegions } from '../init-scan-page'
+
+// ---------------------------------------------------------------------------
+// 1. pageKey normalisation — re-implemented inline from the route handler
+//    so we can test the exact logic without importing APIRoute deps.
+//    IMPORTANT: keep in sync with init-scan-page.ts lines 172-176.
+// ---------------------------------------------------------------------------
+
+function pagePathToSectionKey(pagePath: string): string {
+  const pageKeyNorm = pagePath
+    .replace(/^src\/pages\//, '')
+    .replace(/\/(index)?\.astro$/, '')
+    .replace(/\.astro$/, '') || 'index'
+  return '_page_' + pageKeyNorm.replace(/\//g, '_')
+}
+
+describe('pagePathToSectionKey — correct key derivation', () => {
+  it('index page', () => {
+    expect(pagePathToSectionKey('src/pages/index.astro')).toBe('_page_index')
+  })
+
+  it('top-level page', () => {
+    expect(pagePathToSectionKey('src/pages/about.astro')).toBe('_page_about')
+  })
+
+  it('nested page', () => {
+    expect(pagePathToSectionKey('src/pages/docs/architecture.astro')).toBe('_page_docs_architecture')
+  })
+
+  it('uses underscore not double-dash for nested', () => {
+    expect(pagePathToSectionKey('src/pages/docs/architecture.astro')).not.toContain('--')
+  })
+
+  it('nested index page', () => {
+    // src/pages/docs/index.astro → pageKey should be 'docs'
+    expect(pagePathToSectionKey('src/pages/docs/index.astro')).toBe('_page_docs')
+  })
+
+  it('three levels deep', () => {
+    expect(pagePathToSectionKey('src/pages/blog/2024/intro.astro')).toBe('_page_blog_2024_intro')
+  })
+
+  it('fields page (real regression case)', () => {
+    // This was the page that broke — docs/fields.astro
+    expect(pagePathToSectionKey('src/pages/docs/fields.astro')).toBe('_page_docs_fields')
+  })
+})
+
+// ---------------------------------------------------------------------------
+// 2. extractLayoutRegions
+// ---------------------------------------------------------------------------
+
+describe('extractLayoutRegions — header and footer extraction', () => {
+  const layoutWithBoth = `---
+import { getSection } from 'setzkasten:content'
+---
+
+<html>
+  <body>
+    <header class="sticky top-0 z-50">
+      <nav>
+        <a href="/">Home</a>
+        <a href="/about">About</a>
+      </nav>
+    </header>
+
+    <main>
+      <slot />
+    </main>
+
+    <footer class="py-8">
+      <p>© 2024 Lilapixel</p>
+      <a href="/impressum">Impressum</a>
+    </footer>
+  </body>
+</html>
+`
+
+  it('should extract header region', () => {
+    const regions = extractLayoutRegions(layoutWithBoth)
+    expect(regions.some(r => r.name === 'header')).toBe(true)
+  })
+
+  it('should extract footer region', () => {
+    const regions = extractLayoutRegions(layoutWithBoth)
+    expect(regions.some(r => r.name === 'footer')).toBe(true)
+  })
+
+  it('header region HTML should contain the nav content', () => {
+    const regions = extractLayoutRegions(layoutWithBoth)
+    const header = regions.find(r => r.name === 'header')!
+    expect(header.html).toContain('<nav>')
+    expect(header.html).toContain('Home')
+  })
+
+  it('footer region HTML should contain the footer content', () => {
+    const regions = extractLayoutRegions(layoutWithBoth)
+    const footer = regions.find(r => r.name === 'footer')!
+    expect(footer.html).toContain('Lilapixel')
+  })
+
+  it('should set correct tag names', () => {
+    const regions = extractLayoutRegions(layoutWithBoth)
+    for (const r of regions) {
+      expect(r.tag).toBe(r.name)
+    }
+  })
+})
+
+describe('extractLayoutRegions — partial layouts', () => {
+  it('returns only header if no footer', () => {
+    const source = `---\n---\n<html><header><nav>Menu</nav></header><main><slot /></main></html>`
+    const regions = extractLayoutRegions(source)
+    expect(regions).toHaveLength(1)
+    expect(regions[0]!.name).toBe('header')
+  })
+
+  it('returns only footer if no header', () => {
+    const source = `---\n---\n<html><main><slot /></main><footer><p>Footer</p></footer></html>`
+    const regions = extractLayoutRegions(source)
+    expect(regions).toHaveLength(1)
+    expect(regions[0]!.name).toBe('footer')
+  })
+
+  it('returns empty array if neither header nor footer', () => {
+    const source = `---\n---\n<html><main><slot /></main></html>`
+    const regions = extractLayoutRegions(source)
+    expect(regions).toHaveLength(0)
+  })
+
+  it('handles layout without frontmatter', () => {
+    const source = `<html><header><a href="/">Home</a></header></html>`
+    const regions = extractLayoutRegions(source)
+    expect(regions).toHaveLength(1)
+  })
+})
+
+describe('extractLayoutRegions — attributes on tags', () => {
+  it('handles header with class attributes', () => {
+    const source = `---\n---\n<header class="sticky top-0 bg-white z-50"><nav>nav</nav></header>`
+    const regions = extractLayoutRegions(source)
+    expect(regions).toHaveLength(1)
+    expect(regions[0]!.html).toContain('sticky top-0')
+  })
+})

package/src/api-routes/__tests__/section-management.test.ts

@@ -0,0 +1,284 @@
+/**
+ * Tests for section-management helpers: delete and duplicate.
+ *
+ * Pure logic — no GitHub API involved.
+ * Covered:
+ *   1. removeFromPageConfig: removes a section entry from page config
+ *   2. generateDuplicateKey: unique key generation with suffix
+ *   3. duplicateInPageConfig: adds duplicate entry after the original
+ */
+
+import { describe, it, expect } from 'vitest'
+import {
+  removeFromPageConfig,
+  generateDuplicateKey,
+  duplicateInPageConfig,
+  generateAddKey,
+  addToPageConfig,
+} from '../section-management'
+
+// ---------------------------------------------------------------------------
+// Fixtures
+// ---------------------------------------------------------------------------
+
+const pageConfig = {
+  sections: [
+    { key: 'hero', enabled: true, order: 0 },
+    { key: 'features', enabled: true, order: 1 },
+    { key: 'cta', enabled: false, order: 2 },
+  ],
+}
+
+// ---------------------------------------------------------------------------
+// removeFromPageConfig
+// ---------------------------------------------------------------------------
+
+describe('removeFromPageConfig', () => {
+  it('removes the matching section entry', () => {
+    const result = removeFromPageConfig(pageConfig, 'features')
+    expect(result.sections.map(s => s.key)).toEqual(['hero', 'cta'])
+  })
+
+  it('re-numbers order after removal', () => {
+    const result = removeFromPageConfig(pageConfig, 'features')
+    expect(result.sections[0]!.order).toBe(0)
+    expect(result.sections[1]!.order).toBe(1)
+  })
+
+  it('does not mutate the original config', () => {
+    removeFromPageConfig(pageConfig, 'hero')
+    expect(pageConfig.sections).toHaveLength(3)
+  })
+
+  it('returns config unchanged if key does not exist', () => {
+    const result = removeFromPageConfig(pageConfig, 'nonexistent')
+    expect(result.sections).toHaveLength(3)
+  })
+
+  it('works when removing the only section', () => {
+    const single = { sections: [{ key: 'hero', enabled: true, order: 0 }] }
+    const result = removeFromPageConfig(single, 'hero')
+    expect(result.sections).toHaveLength(0)
+  })
+})
+
+// ---------------------------------------------------------------------------
+// generateDuplicateKey
+// ---------------------------------------------------------------------------
+
+describe('generateDuplicateKey', () => {
+  it('appends --copy when key is free', () => {
+    expect(generateDuplicateKey(['hero', 'features'], 'hero')).toBe('hero--copy')
+  })
+
+  it('appends --copy2 when hero--copy already exists', () => {
+    expect(generateDuplicateKey(['hero', 'hero--copy'], 'hero')).toBe('hero--copy2')
+  })
+
+  it('appends --copy3 when hero--copy and hero--copy2 exist', () => {
+    expect(generateDuplicateKey(['hero', 'hero--copy', 'hero--copy2'], 'hero')).toBe('hero--copy3')
+  })
+
+  it('works for multi-instance keys (hero--about → hero--about--copy)', () => {
+    expect(generateDuplicateKey(['hero--about'], 'hero--about')).toBe('hero--about--copy')
+  })
+
+  it('does not conflict with unrelated keys containing copy', () => {
+    expect(generateDuplicateKey(['features', 'features--copycat'], 'features')).toBe('features--copy')
+  })
+})
+
+// ---------------------------------------------------------------------------
+// duplicateInPageConfig
+// ---------------------------------------------------------------------------
+
+describe('duplicateInPageConfig', () => {
+  it('inserts duplicate entry immediately after the original', () => {
+    const result = duplicateInPageConfig(pageConfig, 'hero', 'hero--copy')
+    const keys = result.sections.map(s => s.key)
+    expect(keys).toEqual(['hero', 'hero--copy', 'features', 'cta'])
+  })
+
+  it('new entry is enabled regardless of original enabled state', () => {
+    const result = duplicateInPageConfig(pageConfig, 'cta', 'cta--copy')
+    const copy = result.sections.find(s => s.key === 'cta--copy')!
+    expect(copy.enabled).toBe(true)
+  })
+
+  it('re-numbers order after insertion', () => {
+    const result = duplicateInPageConfig(pageConfig, 'hero', 'hero--copy')
+    result.sections.forEach((s, i) => expect(s.order).toBe(i))
+  })
+
+  it('preserves type field from original if present', () => {
+    const withType = {
+      sections: [
+        { key: 'hero--about', type: 'hero', enabled: true, order: 0 },
+      ],
+    }
+    const result = duplicateInPageConfig(withType, 'hero--about', 'hero--about--copy')
+    const copy = result.sections.find(s => s.key === 'hero--about--copy')!
+    expect((copy as any).type).toBe('hero')
+  })
+
+  it('does not mutate the original config', () => {
+    duplicateInPageConfig(pageConfig, 'hero', 'hero--copy')
+    expect(pageConfig.sections).toHaveLength(3)
+  })
+
+  it('returns config unchanged if original key does not exist', () => {
+    const result = duplicateInPageConfig(pageConfig, 'nonexistent', 'nonexistent--copy')
+    expect(result.sections).toHaveLength(3)
+  })
+})
+
+// ---------------------------------------------------------------------------
+// generateAddKey
+// ---------------------------------------------------------------------------
+
+describe('generateAddKey', () => {
+  it('returns type as key when no existing keys', () => {
+    expect(generateAddKey([], 'hero')).toBe('hero')
+  })
+
+  it('returns type as key when type key is not taken', () => {
+    expect(generateAddKey(['features', 'cta'], 'hero')).toBe('hero')
+  })
+
+  it('appends --2 when base key is taken', () => {
+    expect(generateAddKey(['hero'], 'hero')).toBe('hero--2')
+  })
+
+  it('appends --3 when hero and hero--2 are taken', () => {
+    expect(generateAddKey(['hero', 'hero--2'], 'hero')).toBe('hero--3')
+  })
+
+  it('does not conflict with unrelated keys', () => {
+    expect(generateAddKey(['hero-section', 'hero--about'], 'hero')).toBe('hero')
+  })
+})
+
+// ---------------------------------------------------------------------------
+// delete workflow integration (helpers combined)
+// ---------------------------------------------------------------------------
+
+describe('delete workflow', () => {
+  it('removes section and renumbers order', () => {
+    const after = removeFromPageConfig(pageConfig, 'features')
+    expect(after.sections.map(s => s.key)).toEqual(['hero', 'cta'])
+    expect(after.sections[0]!.order).toBe(0)
+    expect(after.sections[1]!.order).toBe(1)
+  })
+
+  it('removing the last section leaves empty array', () => {
+    let cfg = removeFromPageConfig(pageConfig, 'hero')
+    cfg = removeFromPageConfig(cfg, 'features')
+    cfg = removeFromPageConfig(cfg, 'cta')
+    expect(cfg.sections).toHaveLength(0)
+  })
+})
+
+// ---------------------------------------------------------------------------
+// duplicate workflow integration (helpers combined)
+// ---------------------------------------------------------------------------
+
+describe('duplicate workflow', () => {
+  it('generates key and inserts copy right after original', () => {
+    const existingKeys = pageConfig.sections.map(s => s.key)
+    const newKey = generateDuplicateKey(existingKeys, 'hero')
+    const after = duplicateInPageConfig(pageConfig, 'hero', newKey)
+    expect(newKey).toBe('hero--copy')
+    expect(after.sections.map(s => s.key)).toEqual(['hero', 'hero--copy', 'features', 'cta'])
+    after.sections.forEach((s, i) => expect(s.order).toBe(i))
+  })
+
+  it('handles second duplicate when --copy already exists', () => {
+    const withCopy = {
+      sections: [
+        { key: 'hero', enabled: true, order: 0 },
+        { key: 'hero--copy', enabled: true, order: 1 },
+      ],
+    }
+    const existingKeys = withCopy.sections.map(s => s.key)
+    const newKey = generateDuplicateKey(existingKeys, 'hero')
+    expect(newKey).toBe('hero--copy2')
+    const after = duplicateInPageConfig(withCopy, 'hero', newKey)
+    expect(after.sections.map(s => s.key)).toEqual(['hero', 'hero--copy2', 'hero--copy'])
+  })
+})
+
+// ---------------------------------------------------------------------------
+// addToPageConfig
+// ---------------------------------------------------------------------------
+
+describe('addToPageConfig', () => {
+  it('appends new entry at the end', () => {
+    const result = addToPageConfig(pageConfig, 'testimonials', 'testimonials')
+    expect(result.sections.map(s => s.key)).toEqual(['hero', 'features', 'cta', 'testimonials'])
+  })
+
+  it('new entry is enabled by default', () => {
+    const result = addToPageConfig(pageConfig, 'testimonials', 'testimonials')
+    const entry = result.sections.find(s => s.key === 'testimonials')!
+    expect(entry.enabled).toBe(true)
+  })
+
+  it('sets type field when key differs from type', () => {
+    const result = addToPageConfig(pageConfig, 'hero--2', 'hero')
+    const entry = result.sections.find(s => s.key === 'hero--2')!
+    expect((entry as any).type).toBe('hero')
+  })
+
+  it('omits type field when key equals type', () => {
+    const result = addToPageConfig(pageConfig, 'testimonials', 'testimonials')
+    const entry = result.sections.find(s => s.key === 'testimonials')!
+    expect((entry as any).type).toBeUndefined()
+  })
+
+  it('assigns correct order (after last existing)', () => {
+    const result = addToPageConfig(pageConfig, 'testimonials', 'testimonials')
+    const entry = result.sections.find(s => s.key === 'testimonials')!
+    expect(entry.order).toBe(3)
+  })
+
+  it('does not mutate the original config', () => {
+    addToPageConfig(pageConfig, 'testimonials', 'testimonials')
+    expect(pageConfig.sections).toHaveLength(3)
+  })
+})
+
+// ---------------------------------------------------------------------------
+// section-prepare: contract tests (key generation + config update, no commit)
+// These test the same helpers the prepare endpoint uses, documenting the
+// expected behavior of optimistic/deferred section addition.
+// ---------------------------------------------------------------------------
+
+describe('section-prepare contract', () => {
+  it('generates key and returns updated config without touching GitHub', () => {
+    const existingKeys = pageConfig.sections.map(s => s.key)
+    const newKey = generateAddKey(existingKeys, 'features')   // 'features' is taken
+    expect(newKey).toBe('features--2')
+    const updated = addToPageConfig(pageConfig, newKey, 'features')
+    expect(updated.sections).toHaveLength(4)
+    const entry = updated.sections.find(s => s.key === 'features--2')!
+    expect((entry as any).type).toBe('features')
+    expect(entry.enabled).toBe(true)
+  })
+
+  it('new section key is unique even after two pending adds of same type', () => {
+    let keys = pageConfig.sections.map(s => s.key)
+    const key1 = generateAddKey(keys, 'hero')     // hero is taken → hero--2
+    expect(key1).toBe('hero--2')
+    keys = [...keys, key1]
+    const key2 = generateAddKey(keys, 'hero')     // hero + hero--2 taken → hero--3
+    expect(key2).toBe('hero--3')
+  })
+
+  it('addToPageConfig preserves existing order entries', () => {
+    const updated = addToPageConfig(pageConfig, 'newSection', 'newSection')
+    expect(updated.sections[0]!.order).toBe(0)
+    expect(updated.sections[1]!.order).toBe(1)
+    expect(updated.sections[2]!.order).toBe(2)
+    expect(updated.sections[3]!.order).toBe(3) // new section gets next order
+  })
+})

package/src/api-routes/_storage-config.ts

@@ -0,0 +1,54 @@
+/**
+ * Resolve storage config from all available sources:
+ * 1. Request body (explicit override)
+ * 2. __SETZKASTEN_STORAGE__ (Vite define, embedded at build time — works everywhere)
+ * 3. globalThis.__SETZKASTEN_CONFIG__ (injectScript, only works for rendered pages)
+ */
+
+declare const __SETZKASTEN_STORAGE__: {
+  owner: string
+  repo: string
+  branch: string
+  contentPath: string
+  assetsPath: string
+  /** Monorepo prefix, e.g. 'apps/website'. Empty string for standalone projects. */
+  projectPrefix: string
+} | null
+
+export interface StorageConfig {
+  owner: string
+  repo: string
+  branch: string
+  /** Monorepo prefix to prepend to file paths, e.g. 'apps/website' */
+  projectPrefix: string
+}
+
+export function resolveStorageConfig(body?: {
+  owner?: string
+  repo?: string
+  branch?: string
+}): StorageConfig | null {
+  // Build-time constant (Vite define) — available in all modules including API routes
+  const buildConfig = typeof __SETZKASTEN_STORAGE__ !== 'undefined' ? __SETZKASTEN_STORAGE__ : null
+
+  // Runtime fallback (injectScript page-ssr — only for rendered pages)
+  const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+
+  const owner = body?.owner || buildConfig?.owner || serverConfig?.storage?.owner
+  const repo = body?.repo || buildConfig?.repo || serverConfig?.storage?.repo
+  const branch = body?.branch || buildConfig?.branch || serverConfig?.storage?.branch || 'main'
+  const projectPrefix = buildConfig?.projectPrefix ?? ''
+
+  if (!owner || !repo) return null
+
+  return { owner, repo, branch, projectPrefix }
+}
+
+/**
+ * Prefix a file path with the monorepo project prefix.
+ * e.g. prefixPath('src/pages/index.astro', 'apps/website') → 'apps/website/src/pages/index.astro'
+ */
+export function prefixPath(filePath: string, projectPrefix: string): string {
+  if (!projectPrefix) return filePath
+  return `${projectPrefix}/${filePath}`
+}

package/src/api-routes/asset-proxy.ts

@@ -0,0 +1,76 @@
+import type { APIRoute } from 'astro'
+
+/**
+ * Asset proxy – serves images from the private GitHub repo.
+ * Used by the admin UI to display image thumbnails without exposing the GitHub token.
+ *
+ * GET /api/setzkasten/asset/public/images/about/LP_Logo.png
+ * → fetches from GitHub API and returns the raw binary with correct Content-Type.
+ */
+export const GET: APIRoute = async ({ params, cookies }) => {
+  const session = cookies.get('setzkasten_session')?.value
+  if (!session) {
+    return new Response('Unauthorized', { status: 401 })
+  }
+
+  const assetPath = params.path
+  if (!assetPath) {
+    return new Response('Missing path', { status: 400 })
+  }
+
+  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
+  if (!githubToken) {
+    return new Response('GitHub token not configured', { status: 500 })
+  }
+
+  const config = (globalThis as any).__SETZKASTEN_CONFIG__
+  if (!config?.storage) {
+    return new Response('Storage not configured', { status: 500 })
+  }
+
+  const { owner, repo, branch } = config.storage
+  const githubUrl = `https://api.github.com/repos/${owner}/${repo}/contents/${assetPath}?ref=${branch}`
+
+  try {
+    const response = await fetch(githubUrl, {
+      headers: {
+        Authorization: `Bearer ${githubToken}`,
+        Accept: 'application/vnd.github.raw+json',
+        'X-GitHub-Api-Version': '2022-11-28',
+      },
+    })
+
+    if (!response.ok) {
+      return new Response('Asset not found', { status: response.status })
+    }
+
+    const contentType = guessMimeType(assetPath)
+    const body = await response.arrayBuffer()
+
+    return new Response(body, {
+      status: 200,
+      headers: {
+        'Content-Type': contentType,
+        'Cache-Control': 'private, max-age=300',
+      },
+    })
+  } catch (error) {
+    console.error('[setzkasten] Asset proxy error:', error)
+    return new Response('Failed to fetch asset', { status: 502 })
+  }
+}
+
+function guessMimeType(path: string): string {
+  const ext = path.split('.').pop()?.toLowerCase()
+  const types: Record<string, string> = {
+    jpg: 'image/jpeg',
+    jpeg: 'image/jpeg',
+    png: 'image/png',
+    gif: 'image/gif',
+    webp: 'image/webp',
+    avif: 'image/avif',
+    svg: 'image/svg+xml',
+    pdf: 'application/pdf',
+  }
+  return types[ext ?? ''] ?? 'application/octet-stream'
+}

package/src/api-routes/auth-callback.ts

@@ -0,0 +1,105 @@
+import type { APIRoute } from 'astro'
+import { createGitHubAuth } from '@setzkasten-cms/auth'
+import { createGoogleAuth } from '@setzkasten-cms/auth'
+
+/**
+ * OAuth callback handler.
+ * Receives the authorization code from GitHub/Google, exchanges it for a
+ * session via the auth adapter, and sets a signed session cookie.
+ */
+export const GET: APIRoute = async ({ request, url, cookies, redirect }) => {
+  const code = url.searchParams.get('code')
+  const state = url.searchParams.get('state')
+
+  if (!code) {
+    return new Response('Missing authorization code', { status: 400 })
+  }
+
+  // Parse stored state (may contain provider info)
+  const storedRaw = cookies.get('setzkasten_oauth_state')?.value
+  let storedState: string | undefined
+  let provider = 'github'
+  if (storedRaw) {
+    try {
+      const parsed = JSON.parse(storedRaw)
+      storedState = parsed.state
+      provider = parsed.provider ?? 'github'
+    } catch {
+      storedState = storedRaw
+    }
+  }
+
+  // CSRF: verify state matches stored state
+  if (state && storedState && state !== storedState) {
+    return new Response('Invalid state parameter', { status: 400 })
+  }
+
+  // Clear the state cookie
+  cookies.delete('setzkasten_oauth_state', { path: '/' })
+
+  const config = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
+    | { adminPath: string }
+    | undefined
+
+  const adminPath = config?.adminPath ?? '/admin'
+
+  // On Vercel, url.origin may resolve to localhost. Use the Host header instead.
+  const host = request.headers.get('x-forwarded-host') ?? request.headers.get('host') ?? url.host
+  const protocol = request.headers.get('x-forwarded-proto') ?? (url.protocol === 'https:' ? 'https' : 'http')
+  const origin = `${protocol}://${host}`
+  const redirectUri = `${origin}/api/setzkasten/auth/callback`
+
+  // Read allowed emails from env (comma-separated)
+  const allowedEmailsRaw = import.meta.env.SETZKASTEN_ALLOWED_EMAILS ?? process.env.SETZKASTEN_ALLOWED_EMAILS ?? ''
+  const allowedEmails = allowedEmailsRaw
+    ? allowedEmailsRaw.split(',').map((e: string) => e.trim())
+    : undefined
+
+  try {
+    let sessionResult
+
+    if (provider === 'google') {
+      const auth = createGoogleAuth({
+        clientId: import.meta.env.GOOGLE_CLIENT_ID ?? process.env.GOOGLE_CLIENT_ID ?? '',
+        clientSecret: import.meta.env.GOOGLE_CLIENT_SECRET ?? process.env.GOOGLE_CLIENT_SECRET ?? '',
+        redirectUri,
+        allowedEmails,
+      })
+      sessionResult = await auth.handleCallback(code, 'google')
+    } else {
+      const auth = createGitHubAuth({
+        clientId: import.meta.env.GITHUB_CLIENT_ID ?? process.env.GITHUB_CLIENT_ID ?? '',
+        clientSecret: import.meta.env.GITHUB_CLIENT_SECRET ?? process.env.GITHUB_CLIENT_SECRET ?? '',
+        redirectUri,
+        allowedEmails,
+      })
+      sessionResult = await auth.handleCallback(code, 'github')
+    }
+
+    if (!sessionResult.ok) {
+      console.error('[setzkasten] Auth failed:', sessionResult.error.message)
+      return new Response(`Authentication failed: ${sessionResult.error.message}`, { status: 403 })
+    }
+
+    const session = sessionResult.value
+
+    // Set session cookie with user info (HMAC-signed in production)
+    const sessionPayload = JSON.stringify({
+      user: session.user,
+      expiresAt: session.expiresAt,
+    })
+
+    cookies.set('setzkasten_session', sessionPayload, {
+      httpOnly: true,
+      secure: import.meta.env.PROD,
+      sameSite: 'lax',
+      path: '/',
+      maxAge: 60 * 60 * 24 * 7, // 7 days
+    })
+
+    return redirect(adminPath)
+  } catch (error) {
+    console.error('[setzkasten] Auth callback error:', error)
+    return new Response('Authentication failed', { status: 500 })
+  }
+}