@setzkasten-cms/astro-admin 0.8.0 → 1.1.0

package/src/api-routes/__tests__/migrate-to-multi.test.ts

@@ -0,0 +1,189 @@
+/**
+ * @vitest-environment node
+ */
+
+import { generateKeyPairSync } from 'node:crypto'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+
+const { privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+const PEM = privateKey.export({ type: 'pkcs8', format: 'pem' }) as string
+
+function makeCtx(body: unknown, sessionValue = 'valid', role: 'admin' | 'editor' = 'admin') {
+  const request = new Request('https://cms.example.com/api/setzkasten/migrate/to-multi', {
+    method: 'POST',
+    body: JSON.stringify(body),
+    headers: { 'content-type': 'application/json' },
+  })
+  const sessionPayload = sessionValue
+    ? JSON.stringify({ user: { email: 'a@b.com', role }, expiresAt: Date.now() + 60_000 })
+    : ''
+  return {
+    request,
+    cookies: {
+      get: vi.fn((name: string) =>
+        name === 'setzkasten_session' && sessionPayload ? { value: sessionPayload } : undefined,
+      ),
+    },
+  }
+}
+
+beforeEach(() => {
+  vi.unstubAllEnvs()
+  vi.stubEnv('GITHUB_APP_ID', '1')
+  vi.stubEnv('GITHUB_APP_INSTALLATION_ID', '111')
+  vi.stubEnv('GITHUB_APP_PRIVATE_KEY', PEM)
+  vi.stubEnv('SETZKASTEN_LICENSE_KEY', 'SK-PRO-AAAA-BBBB-CCCC')
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = {
+    storage: { kind: 'single', repo: 'acme/site', appId: '1', installationId: '111' },
+  }
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = {
+    owner: 'acme',
+    repo: 'site',
+    branch: 'main',
+    contentPath: 'content',
+    assetsPath: 'public/images',
+    projectPrefix: '',
+  }
+})
+
+afterEach(() => {
+  vi.restoreAllMocks()
+  vi.unstubAllEnvs()
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = undefined
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = undefined
+})
+
+describe('POST /api/setzkasten/migrate/to-multi', () => {
+  it('returns 401 without a session', async () => {
+    const { POST } = await import('../migrate-to-multi')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx({}, ''))
+
+    expect(res.status).toBe(401)
+  })
+
+  it('returns 403 for non-admin users', async () => {
+    const { POST } = await import('../migrate-to-multi')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx({}, 'valid', 'editor'))
+
+    expect(res.status).toBe(403)
+  })
+
+  it('returns 402 for free license tier', async () => {
+    vi.stubEnv('SETZKASTEN_LICENSE_KEY', '')
+    const { POST } = await import('../migrate-to-multi')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ configRepo: 'acme/cms-config', configInstallationId: '999' }),
+    )
+    const body = (await res.json()) as { error?: string }
+
+    expect(res.status).toBe(402)
+    expect(body.error).toMatch(/Pro.*Enterprise/i)
+  })
+
+  it('returns 400 when configRepo is missing', async () => {
+    const { POST } = await import('../migrate-to-multi')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ configInstallationId: '999' }),
+    )
+
+    expect(res.status).toBe(400)
+  })
+
+  it('returns 400 when configInstallationId is missing', async () => {
+    const { POST } = await import('../migrate-to-multi')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ configRepo: 'acme/cms-config' }),
+    )
+
+    expect(res.status).toBe(400)
+  })
+
+  it('returns 400 when current setup is already multi', async () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = {
+      storage: { kind: 'multi', configRepo: 'a/b', appId: '1', installationId: '1' },
+    }
+
+    const { POST } = await import('../migrate-to-multi')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ configRepo: 'acme/cms-config', configInstallationId: '999' }),
+    )
+
+    expect(res.status).toBe(400)
+  })
+
+  it('copies editors+global and writes a single-entry websites.json', async () => {
+    const calls: Array<{ url: string; method?: string; body?: unknown }> = []
+    const fetchMock = vi.fn(async (url: string, init?: RequestInit) => {
+      calls.push({ url, method: init?.method, body: init?.body })
+      if (url.includes('/access_tokens')) {
+        return {
+          ok: true,
+          json: async () => ({
+            token: 'gh_mock',
+            expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+          }),
+        } as Response
+      }
+      // Source reads (website-repo)
+      if (url.includes('/repos/acme/site/contents/content/_editors.json')) {
+        return {
+          ok: true,
+          json: async () => ({
+            content: Buffer.from(JSON.stringify([{ email: 'a@b.com' }])).toString('base64'),
+            sha: 'editors-sha',
+          }),
+        } as Response
+      }
+      if (url.includes('/repos/acme/site/contents/content/_global_config.json')) {
+        return {
+          ok: true,
+          json: async () => ({
+            content: Buffer.from(JSON.stringify({ theme: { brandName: 'X' } })).toString('base64'),
+            sha: 'gc-sha',
+          }),
+        } as Response
+      }
+      // Target writes (config-repo)
+      if (url.includes('/repos/acme/cms-config/contents/') && init?.method === 'PUT') {
+        return { ok: true, json: async () => ({ content: { sha: 'new' } }) } as Response
+      }
+      // Target reads (websites.json) — assume not yet present
+      if (
+        url.includes('/repos/acme/cms-config/contents/websites.json') &&
+        (init?.method ?? 'GET') === 'GET'
+      ) {
+        return new Response(null, { status: 404 })
+      }
+      throw new Error(`unexpected URL: ${url} method=${init?.method}`)
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { POST } = await import('../migrate-to-multi')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ configRepo: 'acme/cms-config', configInstallationId: '999' }),
+    )
+
+    expect(res.status).toBe(200)
+    const body = (await res.json()) as {
+      ok: boolean
+      committed: { editors: boolean; globalConfig: boolean; websites: boolean }
+    }
+    expect(body.ok).toBe(true)
+    expect(body.committed.editors).toBe(true)
+    expect(body.committed.globalConfig).toBe(true)
+    expect(body.committed.websites).toBe(true)
+
+    // Ensure the websites.json write contained the source-website snapshot
+    const websitesPut = calls.find(
+      (c) => c.method === 'PUT' && c.url.includes('/repos/acme/cms-config/contents/websites.json'),
+    )
+    expect(websitesPut).toBeDefined()
+    const websitesBody = JSON.parse(String(websitesPut!.body)) as { content: string }
+    const websitesPayload = JSON.parse(
+      Buffer.from(websitesBody.content, 'base64').toString('utf-8'),
+    )
+    expect(websitesPayload.websites).toHaveLength(1)
+    expect(websitesPayload.websites[0].repo).toBe('acme/site')
+    expect(websitesPayload.websites[0].githubApp.installationId).toBe('111')
+  })
+})

package/src/api-routes/__tests__/pages-meta-store.test.ts

@@ -0,0 +1,179 @@
+/**
+ * @vitest-environment node
+ */
+
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+
+const TARGET = {
+  owner: 'acme',
+  repo: 'site',
+  branch: 'main',
+  contentPath: 'content',
+  token: 'gh-token',
+}
+
+beforeEach(() => {
+  vi.unstubAllEnvs()
+})
+
+afterEach(() => {
+  vi.restoreAllMocks()
+  vi.unstubAllEnvs()
+})
+
+function fetchSequence(steps: Array<(url: string, init?: RequestInit) => Response | Promise<Response>>) {
+  let i = 0
+  const fetchMock = vi.fn(async (url: string, init?: RequestInit) => {
+    const handler = steps[Math.min(i++, steps.length - 1)]
+    if (!handler) throw new Error('fetchSequence: empty step list')
+    return handler(url, init)
+  })
+  vi.stubGlobal('fetch', fetchMock)
+  return fetchMock
+}
+
+describe('readPagesMeta', () => {
+  it('returns an empty meta when GitHub responds 404', async () => {
+    fetchSequence([() => new Response(null, { status: 404 })])
+
+    const { readPagesMeta } = await import('../_pages-meta-store')
+    const result = await readPagesMeta(TARGET)
+
+    expect(result.ok).toBe(true)
+    if (result.ok) {
+      expect(result.value.meta.pages).toEqual({})
+      expect(result.value.sha).toBeNull()
+    }
+  })
+
+  it('returns the parsed meta + sha when the file exists', async () => {
+    const meta = { version: 1, pages: { index: { lastModified: 5 } } }
+    fetchSequence([
+      () =>
+        new Response(
+          JSON.stringify({ content: Buffer.from(JSON.stringify(meta)).toString('base64'), sha: 'abc' }),
+          { status: 200, headers: { 'content-type': 'application/json' } },
+        ),
+    ])
+
+    const { readPagesMeta } = await import('../_pages-meta-store')
+    const result = await readPagesMeta(TARGET)
+
+    expect(result.ok).toBe(true)
+    if (result.ok) {
+      expect(result.value.meta.pages.index?.lastModified).toBe(5)
+      expect(result.value.sha).toBe('abc')
+    }
+  })
+
+  it('falls through to network error on non-404 failures', async () => {
+    fetchSequence([() => new Response('boom', { status: 500 })])
+
+    const { readPagesMeta } = await import('../_pages-meta-store')
+    const result = await readPagesMeta(TARGET)
+
+    expect(result.ok).toBe(false)
+  })
+})
+
+describe('recordPageEdit', () => {
+  it('reads, sets the timestamp, writes back — with the correct sha', async () => {
+    const calls: { url: string; method?: string; body?: unknown }[] = []
+    const existingMeta = { version: 1, pages: { index: { lastModified: 1 } } }
+    fetchSequence([
+      // 1) GET existing meta
+      (url, init) => {
+        calls.push({ url, method: init?.method, body: init?.body })
+        return new Response(
+          JSON.stringify({
+            content: Buffer.from(JSON.stringify(existingMeta)).toString('base64'),
+            sha: 'old-sha',
+          }),
+          { status: 200, headers: { 'content-type': 'application/json' } },
+        )
+      },
+      // 2) PUT updated meta
+      (url, init) => {
+        calls.push({ url, method: init?.method, body: init?.body })
+        return new Response(JSON.stringify({ content: { sha: 'new-sha' } }), {
+          status: 200,
+          headers: { 'content-type': 'application/json' },
+        })
+      },
+    ])
+
+    const { recordPageEdit } = await import('../_pages-meta-store')
+    const result = await recordPageEdit(TARGET, 'about', 99)
+
+    expect(result.ok).toBe(true)
+    expect(calls).toHaveLength(2)
+    expect(calls[1]?.method).toBe('PUT')
+    const writtenBody = JSON.parse(String(calls[1]?.body)) as { content: string; sha?: string }
+    expect(writtenBody.sha).toBe('old-sha')
+    const writtenMeta = JSON.parse(Buffer.from(writtenBody.content, 'base64').toString('utf-8'))
+    expect(writtenMeta.pages.index.lastModified).toBe(1)
+    expect(writtenMeta.pages.about.lastModified).toBe(99)
+  })
+
+  it('initialises the file when it does not exist (no sha sent)', async () => {
+    const calls: { url: string; method?: string; body?: unknown }[] = []
+    fetchSequence([
+      (url, init) => {
+        calls.push({ url, method: init?.method, body: init?.body })
+        return new Response(null, { status: 404 })
+      },
+      (url, init) => {
+        calls.push({ url, method: init?.method, body: init?.body })
+        return new Response(JSON.stringify({ content: { sha: 'first' } }), {
+          status: 200,
+          headers: { 'content-type': 'application/json' },
+        })
+      },
+    ])
+
+    const { recordPageEdit } = await import('../_pages-meta-store')
+    const result = await recordPageEdit(TARGET, 'about', 42)
+
+    expect(result.ok).toBe(true)
+    const putBody = JSON.parse(String(calls[1]?.body)) as { sha?: string }
+    expect(putBody.sha).toBeUndefined()
+  })
+
+  it('retries once on a 409 conflict, succeeds on the second write', async () => {
+    const empty = { version: 1, pages: {} }
+    fetchSequence([
+      () =>
+        new Response(
+          JSON.stringify({
+            content: Buffer.from(JSON.stringify(empty)).toString('base64'),
+            sha: 'first',
+          }),
+          { status: 200, headers: { 'content-type': 'application/json' } },
+        ),
+      // First PUT → 409
+      () => new Response('conflict', { status: 409 }),
+      // Re-read with newer sha
+      () =>
+        new Response(
+          JSON.stringify({
+            content: Buffer.from(JSON.stringify({ version: 1, pages: { x: { lastModified: 2 } } })).toString(
+              'base64',
+            ),
+            sha: 'second',
+          }),
+          { status: 200, headers: { 'content-type': 'application/json' } },
+        ),
+      // Second PUT → ok
+      () =>
+        new Response(JSON.stringify({ content: { sha: 'third' } }), {
+          status: 200,
+          headers: { 'content-type': 'application/json' },
+        }),
+    ])
+
+    const { recordPageEdit } = await import('../_pages-meta-store')
+    const result = await recordPageEdit(TARGET, 'about', 7)
+
+    expect(result.ok).toBe(true)
+  })
+})

package/src/api-routes/__tests__/route-registry.test.ts

@@ -0,0 +1,120 @@
+/**
+ * Route-Registry-Konsistenztest
+ *
+ * Jede öffentliche Route-Datei in packages/astro-admin/src/api-routes/
+ * muss an drei Stellen registriert sein:
+ *   1. Als Export in packages/astro-admin/package.json
+ *   2. Als injectRoute-Entrypoint in packages/astro/src/integration.ts
+ *
+ * Ausnahmen (kein Export, kein injectRoute nötig):
+ *   - Dateien mit `_`-Prefix  → interne Helpers
+ *   - Dateien mit `-helpers`  → interne Helpers
+ *   - Dateien mit `-management` → interne Helpers (nur von anderen Routes importiert)
+ *
+ * Dieser Test verhindert, dass neue Route-Dateien vergessen werden —
+ * ein Fehler, der erst beim Produktions-Build auffällt (ENOENT).
+ */
+
+import { describe, it, expect } from 'vitest'
+import { readdirSync, readFileSync } from 'node:fs'
+import { resolve, dirname } from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+const __dirname = dirname(fileURLToPath(import.meta.url))
+// Test sits at src/api-routes/__tests__, so go up three levels
+const ADMIN_ROOT = resolve(__dirname, '../../../')         // packages/astro-admin
+const ASTRO_ROOT = resolve(__dirname, '../../../../astro') // packages/astro
+
+// ---------------------------------------------------------------------------
+// Load sources
+// ---------------------------------------------------------------------------
+
+const routeFiles = readdirSync(resolve(ADMIN_ROOT, 'src/api-routes')).filter(
+  f => f.endsWith('.ts') && !f.endsWith('.test.ts'),
+)
+
+const packageJson = JSON.parse(
+  readFileSync(resolve(ADMIN_ROOT, 'package.json'), 'utf-8'),
+) as { exports: Record<string, string> }
+
+const integrationSrc = readFileSync(
+  resolve(ASTRO_ROOT, 'src/integration.ts'),
+  'utf-8',
+)
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/** Files that are internal — no export or injectRoute needed */
+function isInternal(filename: string): boolean {
+  const base = filename.replace(/\.ts$/, '')
+  return (
+    base.startsWith('_') ||
+    base.endsWith('-helpers') ||
+    base.endsWith('-management')
+  )
+}
+
+/** Export key as used in package.json, e.g. "catalog-list" → "./catalog" special-cased */
+function exportKey(filename: string): string {
+  const base = filename.replace(/\.ts$/, '')
+  // Special case: catalog-list is exported as "./catalog"
+  if (base === 'catalog-list') return './catalog'
+  return `./${base}`
+}
+
+function entrypoint(filename: string): string {
+  const base = filename.replace(/\.ts$/, '')
+  if (base === 'catalog-list') return '@setzkasten-cms/astro-admin/catalog'
+  return `@setzkasten-cms/astro-admin/${base}`
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+const publicRoutes = routeFiles.filter(f => !isInternal(f))
+
+describe('Route-Registry-Konsistenz', () => {
+  describe('package.json exports', () => {
+    for (const file of publicRoutes) {
+      it(`${file} ist in package.json exports registriert`, () => {
+        const key = exportKey(file)
+        expect(
+          packageJson.exports,
+          `Fehlender Export: "${key}" in packages/astro-admin/package.json`,
+        ).toHaveProperty(key)
+      })
+    }
+  })
+
+  describe('integration.ts injectRoute', () => {
+    for (const file of publicRoutes) {
+      it(`${file} ist als injectRoute-Entrypoint in integration.ts registriert`, () => {
+        const ep = entrypoint(file)
+        expect(
+          integrationSrc,
+          `Fehlender injectRoute-Eintrag für '${ep}' in packages/astro/src/integration.ts`,
+        ).toContain(`'${ep}'`)
+      })
+    }
+  })
+
+  describe('Keine verwaisten Exports', () => {
+    it('alle package.json-Exports (astro-admin routes) haben eine entsprechende Datei', () => {
+      const routeExports = Object.entries(packageJson.exports)
+        .filter(([, v]) => v.startsWith('./src/api-routes/'))
+        .map(([k]) => k)
+
+      const knownKeys = new Set(publicRoutes.map(exportKey))
+
+      for (const key of routeExports) {
+        expect(
+          knownKeys.has(key),
+          `Export "${key}" in package.json hat keine Route-Datei mehr`,
+        ).toBe(true)
+      }
+    })
+  })
+})

package/src/api-routes/__tests__/session-cookie.test.ts

@@ -0,0 +1,67 @@
+/**
+ * @vitest-environment node
+ */
+
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { sessionCookieOptions } from '../_session-cookie'
+
+beforeEach(() => {
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = undefined
+  vi.unstubAllEnvs()
+})
+
+afterEach(() => {
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = undefined
+  vi.unstubAllEnvs()
+})
+
+describe('sessionCookieOptions', () => {
+  it('returns secure defaults regardless of config', () => {
+    const opts = sessionCookieOptions(false)
+
+    expect(opts.httpOnly).toBe(true)
+    expect(opts.sameSite).toBe('lax')
+    expect(opts.path).toBe('/')
+    expect(opts.maxAge).toBe(60 * 60 * 24 * 7)
+  })
+
+  it('toggles secure with the prod flag', () => {
+    expect(sessionCookieOptions(false).secure).toBe(false)
+    expect(sessionCookieOptions(true).secure).toBe(true)
+  })
+
+  it('omits domain when no cookieDomain is configured (single-repo default)', () => {
+    expect(sessionCookieOptions(true).domain).toBeUndefined()
+  })
+
+  it('reads cookieDomain from __SETZKASTEN_FULL_CONFIG__.auth.cookieDomain', () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = {
+      auth: { cookieDomain: '.example.com' },
+    }
+
+    expect(sessionCookieOptions(true).domain).toBe('.example.com')
+  })
+
+  it('falls back to SETZKASTEN_COOKIE_DOMAIN env when full config has no value', () => {
+    vi.stubEnv('SETZKASTEN_COOKIE_DOMAIN', '.example.com')
+
+    expect(sessionCookieOptions(true).domain).toBe('.example.com')
+  })
+
+  it('config wins over env', () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = {
+      auth: { cookieDomain: '.config.example.com' },
+    }
+    vi.stubEnv('SETZKASTEN_COOKIE_DOMAIN', '.env.example.com')
+
+    expect(sessionCookieOptions(true).domain).toBe('.config.example.com')
+  })
+
+  it('treats empty cookieDomain as unset', () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = {
+      auth: { cookieDomain: '' },
+    }
+
+    expect(sessionCookieOptions(true).domain).toBeUndefined()
+  })
+})