@setzkasten-cms/astro-admin 0.8.0 → 1.1.0

package/src/api-routes/__tests__/setup-github-app-callback.test.ts

@@ -0,0 +1,145 @@
+/**
+ * Tests for setup-github-app-callback.ts
+ *
+ * Key regression: cookies.set() nach Response.redirect() wirft
+ * "TypeError: immutable" weil Response.redirect() eine frozen Response
+ * zurückgibt. Fix: manuelles new Response(null, { status: 302 }).
+ *
+ * @vitest-environment node
+ */
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+
+// ---------------------------------------------------------------------------
+// Minimal Astro context mock
+// ---------------------------------------------------------------------------
+
+function makeCookies() {
+  const jar: Record<string, string> = {}
+  return {
+    set: vi.fn((name: string, value: string) => { jar[name] = value }),
+    get: vi.fn((name: string) => jar[name] ? { value: jar[name] } : undefined),
+    _jar: jar,
+  }
+}
+
+function makeCtx(code: string | null, headers: Record<string, string> = {}) {
+  const search = code ? `?code=${code}` : ''
+  const url = new URL(`https://localhost/api/setzkasten/setup/github-app/callback${search}`)
+  const request = new Request(url, { headers: { 'x-forwarded-host': 'setzkasten.vercel.app', 'x-forwarded-proto': 'https', ...headers } })
+  return { url, request, cookies: makeCookies() }
+}
+
+const GITHUB_RESPONSE = {
+  id: 123456,
+  slug: 'meine-cms-app',
+  pem: '-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n',
+  client_id: 'Iv1.abc',
+  client_secret: 'secret',
+  webhook_secret: null,
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe('setup-github-app-callback', () => {
+  beforeEach(() => { vi.stubGlobal('fetch', vi.fn()) })
+  afterEach(() => { vi.restoreAllMocks(); vi.resetModules() })
+
+  it('setzt Cookie und leitet zum Standard-adminPath weiter bei erfolgreichem Code-Austausch', async () => {
+    vi.mocked(fetch).mockResolvedValueOnce({
+      ok: true,
+      json: async () => GITHUB_RESPONSE,
+    } as Response)
+
+    const { GET } = await import('../setup-github-app-callback')
+    const ctx = makeCtx('abc123')
+    const res = await (GET as Function)(ctx)
+
+    expect(res.status).toBe(302)
+    expect(res.headers.get('location')).toBe('https://setzkasten.vercel.app/admin')
+    expect(ctx.cookies.set).toHaveBeenCalledOnce()
+
+    const stored = ctx.cookies._jar['sk_app_setup']
+    expect(stored).toBeDefined()
+    const cookieValue = JSON.parse(stored as string)
+    expect(cookieValue.appId).toBe('123456')
+    expect(cookieValue.slug).toBe('meine-cms-app')
+    expect(cookieValue.privateKey).toContain('RSA PRIVATE KEY')
+  })
+
+  it('Response ist nicht immutable — Cookie-Header kann gesetzt werden', async () => {
+    vi.mocked(fetch).mockResolvedValueOnce({
+      ok: true,
+      json: async () => GITHUB_RESPONSE,
+    } as Response)
+
+    const { GET } = await import('../setup-github-app-callback')
+    const ctx = makeCtx('abc123')
+    const res = await (GET as Function)(ctx)
+
+    // Wenn Response.redirect() verwendet würde, wäre der Response immutable
+    // und das Setzen eines Headers würde "TypeError: immutable" werfen.
+    // Dieser Test schlägt fehl, wenn die falsche Implementierung verwendet wird.
+    expect(() => res.headers.set('X-Test', 'ok')).not.toThrow()
+  })
+
+  it('leitet mit github-app-error=missing_code weiter wenn kein Code', async () => {
+    const { GET } = await import('../setup-github-app-callback')
+    const ctx = makeCtx(null)
+    const res = await (GET as Function)(ctx)
+
+    expect(res.status).toBe(302)
+    expect(res.headers.get('location')).toContain('github-app-error=missing_code')
+    expect(ctx.cookies.set).not.toHaveBeenCalled()
+  })
+
+  it('leitet mit github-app-error=exchange_failed weiter wenn GitHub-API fehlschlägt', async () => {
+    vi.mocked(fetch).mockResolvedValueOnce({ ok: false, status: 422, json: async () => ({}) } as Response)
+
+    const { GET } = await import('../setup-github-app-callback')
+    const ctx = makeCtx('badcode')
+    const res = await (GET as Function)(ctx)
+
+    expect(res.status).toBe(302)
+    expect(res.headers.get('location')).toContain('github-app-error=exchange_failed')
+    expect(ctx.cookies.set).not.toHaveBeenCalled()
+  })
+
+  it('Redirect-URL enthält den echten Host aus x-forwarded-host', async () => {
+    vi.mocked(fetch).mockResolvedValueOnce({ ok: true, json: async () => GITHUB_RESPONSE } as Response)
+
+    const { GET } = await import('../setup-github-app-callback')
+    const ctx = makeCtx('abc123', { 'x-forwarded-host': 'meine-website.de', 'x-forwarded-proto': 'https' })
+    const res = await (GET as Function)(ctx)
+
+    expect(res.headers.get('location')).toBe('https://meine-website.de/admin')
+  })
+})
+
+describe('setup-github-app-callback – adminPath', () => {
+  beforeEach(() => { vi.stubGlobal('fetch', vi.fn()) })
+  afterEach(() => { vi.restoreAllMocks(); vi.resetModules() })
+
+  it('verwendet /admin als Standard-Redirect wenn kein adminPath konfiguriert', async () => {
+    vi.mocked(fetch).mockResolvedValueOnce({ ok: true, json: async () => GITHUB_RESPONSE } as Response)
+    ;(globalThis as any).__SETZKASTEN_CONFIG__ = undefined
+
+    const { GET } = await import('../setup-github-app-callback')
+    const res = await (GET as Function)(makeCtx('abc123'))
+
+    const location = new URL(res.headers.get('location') ?? '')
+    expect(location.pathname).toBe('/admin')
+  })
+
+  it('verwendet konfigurierten adminPath für den Redirect', async () => {
+    vi.mocked(fetch).mockResolvedValueOnce({ ok: true, json: async () => GITHUB_RESPONSE } as Response)
+    ;(globalThis as any).__SETZKASTEN_CONFIG__ = { adminPath: '/cms' }
+
+    const { GET } = await import('../setup-github-app-callback')
+    const res = await (GET as Function)(makeCtx('abc123'))
+
+    expect(res.headers.get('location')).toContain('/cms')
+  })
+})

package/src/api-routes/__tests__/setup-github-app-repos.test.ts

@@ -0,0 +1,192 @@
+/**
+ * Tests for setup-github-app-repos.ts and setup-github-app-branches.ts.
+ *
+ * Both routes are admin-only and read GITHUB_APP_ID + GITHUB_APP_PRIVATE_KEY
+ * from the env. We mock fetch to simulate GitHub responses.
+ *
+ * @vitest-environment node
+ */
+
+import { generateKeyPairSync } from 'node:crypto'
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+
+const { privateKey: KEY } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+const PRIVATE_KEY_PEM = KEY.export({ type: 'pkcs8', format: 'pem' }) as string
+
+// The setup endpoints are admin-gated, so the placeholder "tok" string the
+// tests used to pass would now be rejected before reaching the GitHub layer.
+// Replace it with a real serialized admin session and let callers opt out
+// via session: null when they want to exercise the unauthenticated branch.
+const ADMIN_SESSION = JSON.stringify({
+  user: {
+    id: 'u1',
+    email: 'admin@example.com',
+    role: 'admin',
+    provider: 'github',
+  },
+  expiresAt: Date.now() + 60 * 60 * 1000,
+})
+
+function makeCookies(session?: string) {
+  const jar: Record<string, string> = {}
+  // Treat the legacy "tok" placeholder as an admin session; explicit
+  // undefined keeps the cookie absent (401 path).
+  const resolved = session === 'tok' ? ADMIN_SESSION : session
+  if (resolved) jar.setzkasten_session = resolved
+  return {
+    get: vi.fn((name: string) => (jar[name] ? { value: jar[name] } : undefined)),
+    set: vi.fn(),
+  }
+}
+
+function makeCtx(opts: { session?: string; query?: string } = {}) {
+  const url = new URL(
+    `https://localhost/api/setzkasten/setup/github-app/repos${opts.query ?? ''}`,
+  )
+  return {
+    url,
+    cookies: makeCookies(opts.session),
+    request: new Request(url),
+  }
+}
+
+interface MockResponse {
+  status?: number
+  body: unknown
+}
+
+function mockFetchSequence(steps: Array<(url: string) => MockResponse>) {
+  let i = 0
+  vi.stubGlobal(
+    'fetch',
+    vi.fn(async (input: string | URL) => {
+      const url = typeof input === 'string' ? input : input.toString()
+      const step = steps[i] ?? steps.at(-1)!
+      i += 1
+      const response = step(url)
+      const status = response.status ?? 200
+      return {
+        ok: status >= 200 && status < 300,
+        status,
+        json: async () => response.body,
+      } as Response
+    }),
+  )
+}
+
+describe('setup-github-app-repos', () => {
+  beforeEach(() => {
+    process.env.GITHUB_APP_ID = '12345'
+    process.env.GITHUB_APP_PRIVATE_KEY = PRIVATE_KEY_PEM
+  })
+  afterEach(() => {
+    vi.restoreAllMocks()
+    vi.resetModules()
+    delete process.env.GITHUB_APP_ID
+    delete process.env.GITHUB_APP_PRIVATE_KEY
+  })
+
+  it('rejects unauthenticated requests with 401', async () => {
+    const { GET } = await import('../setup-github-app-repos')
+    // biome-ignore lint/suspicious/noExplicitAny: minimal Astro context shape
+    const res = await GET(makeCtx() as any)
+    expect(res.status).toBe(401)
+  })
+
+  it('returns 400 when the GitHub App env vars are missing', async () => {
+    delete process.env.GITHUB_APP_ID
+    const { GET } = await import('../setup-github-app-repos')
+    // biome-ignore lint/suspicious/noExplicitAny: minimal Astro context shape
+    const res = await GET(makeCtx({ session: 'tok' }) as any)
+    expect(res.status).toBe(400)
+  })
+
+  it('returns the flattened repo list across installations', async () => {
+    mockFetchSequence([
+      // List installations
+      () => ({
+        body: [{ id: 100, account: { login: 'acme' } }],
+      }),
+      // Installation token
+      () => ({
+        body: { token: 'tok', expires_at: new Date(Date.now() + 3600_000).toISOString() },
+      }),
+      // Repos
+      () => ({
+        body: {
+          repositories: [
+            {
+              full_name: 'acme/site',
+              name: 'site',
+              owner: { login: 'acme' },
+              default_branch: 'main',
+              private: false,
+            },
+          ],
+        },
+      }),
+    ])
+
+    const { GET } = await import('../setup-github-app-repos')
+    // biome-ignore lint/suspicious/noExplicitAny: minimal Astro context shape
+    const res = await GET(makeCtx({ session: 'tok' }) as any)
+    expect(res.status).toBe(200)
+    const body = (await res.json()) as { repos: Array<Record<string, unknown>> }
+    expect(body.repos).toHaveLength(1)
+    expect(body.repos[0]).toMatchObject({
+      installationId: '100',
+      fullName: 'acme/site',
+      defaultBranch: 'main',
+    })
+  })
+})
+
+describe('setup-github-app-branches', () => {
+  beforeEach(() => {
+    process.env.GITHUB_APP_ID = '12345'
+    process.env.GITHUB_APP_PRIVATE_KEY = PRIVATE_KEY_PEM
+  })
+  afterEach(() => {
+    vi.restoreAllMocks()
+    vi.resetModules()
+    delete process.env.GITHUB_APP_ID
+    delete process.env.GITHUB_APP_PRIVATE_KEY
+  })
+
+  it('returns 400 when ?repo or ?installation is missing', async () => {
+    const { GET } = await import('../setup-github-app-branches')
+    const url = new URL('https://localhost/api/setzkasten/setup/github-app/branches')
+    const ctx = {
+      url,
+      cookies: makeCookies('tok'),
+      request: new Request(url),
+    }
+    // biome-ignore lint/suspicious/noExplicitAny: minimal Astro context shape
+    const res = await GET(ctx as any)
+    expect(res.status).toBe(400)
+  })
+
+  it('returns the branch list for a repo', async () => {
+    mockFetchSequence([
+      () => ({
+        body: { token: 'tok', expires_at: new Date(Date.now() + 3600_000).toISOString() },
+      }),
+      () => ({ body: [{ name: 'main' }, { name: 'develop' }] }),
+    ])
+
+    const { GET } = await import('../setup-github-app-branches')
+    const url = new URL(
+      'https://localhost/api/setzkasten/setup/github-app/branches?installation=100&repo=acme/site',
+    )
+    const ctx = {
+      url,
+      cookies: makeCookies('tok'),
+      request: new Request(url),
+    }
+    // biome-ignore lint/suspicious/noExplicitAny: minimal Astro context shape
+    const res = await GET(ctx as any)
+    expect(res.status).toBe(200)
+    const body = (await res.json()) as { branches: string[] }
+    expect(body.branches).toEqual(['develop', 'main'])
+  })
+})

package/src/api-routes/__tests__/setup-github-app.test.ts

@@ -0,0 +1,107 @@
+/**
+ * Tests for setup-github-app.ts API route.
+ *
+ * Covers:
+ *   GET 1. Nicht konfiguriert → { configured: false }
+ *   GET 2. Konfiguriert (GITHUB_APP_* Vars gesetzt) → { configured: true, appId }
+ *   POST 3. Gültige Credentials → { ok: true }
+ *   POST 4. Fehlende installationId → 400
+ *   POST 5. Ungültige Credentials (Token-Fetch schlägt fehl) → { ok: false, error }
+ */
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+import { generateKeyPairSync } from 'node:crypto'
+
+const { privateKey: TEST_KEY } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+const TEST_PEM = TEST_KEY.export({ type: 'pkcs8', format: 'pem' }) as string
+
+type MockRequest = { json: () => Promise<unknown> }
+type MockContext = { request: MockRequest }
+
+function makeCtx(body: unknown): MockContext {
+  return { request: { json: async () => body } }
+}
+
+function setEnv(vars: Record<string, string | undefined>) {
+  for (const [k, v] of Object.entries(vars))
+    v === undefined ? delete process.env[k] : (process.env[k] = v)
+}
+
+describe('setup-github-app GET', () => {
+  afterEach(() => {
+    setEnv({ GITHUB_APP_ID: undefined, GITHUB_APP_PRIVATE_KEY: undefined, GITHUB_APP_INSTALLATION_ID: undefined })
+    vi.resetModules()
+  })
+
+  it('gibt configured: false zurück wenn App nicht konfiguriert', async () => {
+    const { GET } = await import('../setup-github-app')
+    const res = await (GET as Function)({})
+    const body = await res.json()
+    expect(res.status).toBe(200)
+    expect(body.configured).toBe(false)
+  })
+
+  it('gibt configured: true + appId zurück wenn alle Vars gesetzt sind', async () => {
+    setEnv({ GITHUB_APP_ID: '99999', GITHUB_APP_PRIVATE_KEY: TEST_PEM, GITHUB_APP_INSTALLATION_ID: '11111' })
+    vi.resetModules()
+    const { GET } = await import('../setup-github-app')
+    const res = await (GET as Function)({})
+    const body = await res.json()
+    expect(res.status).toBe(200)
+    expect(body.configured).toBe(true)
+    expect(body.appId).toBe('99999')
+  })
+})
+
+describe('setup-github-app POST', () => {
+  beforeEach(() => {
+    vi.stubGlobal('fetch', vi.fn())
+    vi.resetModules()
+  })
+
+  afterEach(() => {
+    vi.restoreAllMocks()
+    vi.resetModules()
+  })
+
+  it('gibt ok: true zurück wenn Verbindungstest erfolgreich', async () => {
+    vi.mocked(fetch).mockResolvedValueOnce({
+      ok: true,
+      json: async () => ({
+        token: 'ghs_test',
+        expires_at: new Date(Date.now() + 3600_000).toISOString(),
+      }),
+    } as Response)
+
+    const { POST } = await import('../setup-github-app')
+    const ctx = makeCtx({ appId: '123', privateKey: TEST_PEM, installationId: '456' })
+    const res = await (POST as Function)(ctx)
+    const body = await res.json()
+
+    expect(res.status).toBe(200)
+    expect(body.ok).toBe(true)
+  })
+
+  it('gibt 400 zurück wenn installationId fehlt', async () => {
+    const { POST } = await import('../setup-github-app')
+    const ctx = makeCtx({ appId: '123', privateKey: TEST_PEM })
+    const res = await (POST as Function)(ctx)
+    expect(res.status).toBe(400)
+  })
+
+  it('gibt ok: false zurück wenn GitHub-API-Aufruf fehlschlägt', async () => {
+    vi.mocked(fetch).mockResolvedValueOnce({
+      ok: false,
+      json: async () => ({ message: 'Bad credentials' }),
+    } as Response)
+
+    const { POST } = await import('../setup-github-app')
+    const ctx = makeCtx({ appId: '123', privateKey: TEST_PEM, installationId: '456' })
+    const res = await (POST as Function)(ctx)
+    const body = await res.json()
+
+    expect(res.status).toBe(400)
+    expect(body.ok).toBe(false)
+    expect(body.error).toBeTruthy()
+  })
+})

package/src/api-routes/__tests__/storage-config-for-request.test.ts

@@ -0,0 +1,78 @@
+/**
+ * @vitest-environment node
+ */
+
+import { type Result, type WebsiteEntry, ok } from '@setzkasten-cms/core'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { resolveStorageConfigForRequest } from '../_storage-config'
+import { __resetWebsiteResolverForTests } from '../_website-resolver'
+
+const ENTRY: WebsiteEntry = {
+  id: 'site-a',
+  name: 'Site A',
+  repo: 'acme/site-a',
+  branch: 'develop',
+  previewOrigin: 'https://a.example.com',
+  githubApp: { appId: '11', installationId: '101' },
+}
+
+function makeRegistry(entries: readonly WebsiteEntry[]) {
+  return {
+    list: vi.fn(async (): Promise<Result<readonly WebsiteEntry[]>> => ok(entries)),
+    get: vi.fn(async (id: string): Promise<Result<WebsiteEntry | null>> => {
+      return ok(entries.find((e) => e.id === id) ?? null)
+    }),
+  }
+}
+
+beforeEach(() => {
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = undefined
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = undefined
+})
+
+afterEach(() => __resetWebsiteResolverForTests(null))
+
+describe('resolveStorageConfigForRequest', () => {
+  it('derives owner/repo/branch from the resolved website entry', async () => {
+    __resetWebsiteResolverForTests({ mode: 'multi', registry: makeRegistry([ENTRY]) })
+    const req = new Request('https://cms.example.com/x', {
+      headers: { 'x-sk-website': 'site-a' },
+    })
+
+    const result = await resolveStorageConfigForRequest(req)
+
+    expect(result).not.toBeNull()
+    expect(result?.owner).toBe('acme')
+    expect(result?.repo).toBe('site-a')
+    expect(result?.branch).toBe('develop')
+    expect(result?.projectPrefix).toBe('')
+  })
+
+  it('returns null when no website matches and no body override is given', async () => {
+    __resetWebsiteResolverForTests({ mode: 'multi', registry: makeRegistry([ENTRY]) })
+    const req = new Request('https://cms.example.com/x', {
+      headers: { 'x-sk-website': 'unknown' },
+    })
+
+    const result = await resolveStorageConfigForRequest(req)
+
+    expect(result).toBeNull()
+  })
+
+  it('honours an explicit body override even when resolver yields a website', async () => {
+    __resetWebsiteResolverForTests({ mode: 'multi', registry: makeRegistry([ENTRY]) })
+    const req = new Request('https://cms.example.com/x', {
+      headers: { 'x-sk-website': 'site-a' },
+    })
+
+    const result = await resolveStorageConfigForRequest(req, {
+      owner: 'override',
+      repo: 'forced',
+      branch: 'main',
+    })
+
+    expect(result?.owner).toBe('override')
+    expect(result?.repo).toBe('forced')
+    expect(result?.branch).toBe('main')
+  })
+})

package/src/api-routes/__tests__/website-resolver-bootstrap-standalone.test.ts

@@ -0,0 +1,85 @@
+/**
+ * @vitest-environment node
+ */
+
+import { generateKeyPairSync } from 'node:crypto'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import {
+  __resetWebsiteResolverForTests,
+  bootstrapResolverFromGlobals,
+  listAllWebsites,
+} from '../_website-resolver'
+
+const { privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+const PEM = privateKey.export({ type: 'pkcs8', format: 'pem' }) as string
+
+const REGISTRY = {
+  websites: [
+    {
+      id: 'a',
+      name: 'A',
+      repo: 'acme/a',
+      branch: 'main',
+      previewOrigin: 'https://a.example.com',
+      githubApp: { appId: '1', installationId: '101' },
+    },
+  ],
+}
+
+beforeEach(() => {
+  __resetWebsiteResolverForTests(null)
+  vi.unstubAllEnvs()
+  vi.stubEnv('GITHUB_APP_ID', '1')
+  vi.stubEnv('GITHUB_APP_INSTALLATION_ID', '111')
+  vi.stubEnv('GITHUB_APP_PRIVATE_KEY', PEM)
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = {
+    storage: {
+      kind: 'standalone',
+      configRepo: 'acme/cms-config',
+      configBranch: 'main',
+      appId: '1',
+      installationId: '111',
+    },
+  }
+})
+
+afterEach(() => {
+  __resetWebsiteResolverForTests(null)
+  vi.unstubAllEnvs()
+  vi.restoreAllMocks()
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = undefined
+})
+
+describe('bootstrapResolverFromGlobals – standalone activation', () => {
+  it('returns the registry list from the config repo', async () => {
+    const fetchMock = vi.fn(async (url: string) => {
+      if (url.includes('/access_tokens')) {
+        return new Response(
+          JSON.stringify({
+            token: 'gh_mock',
+            expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+          }),
+          { status: 200, headers: { 'content-type': 'application/json' } },
+        )
+      }
+      if (url.includes('/contents/websites.json')) {
+        return new Response(
+          JSON.stringify({
+            type: 'file',
+            content: Buffer.from(JSON.stringify(REGISTRY)).toString('base64'),
+            sha: 'abc',
+          }),
+          { status: 200, headers: { 'content-type': 'application/json' } },
+        )
+      }
+      throw new Error(`unexpected URL: ${url}`)
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    bootstrapResolverFromGlobals()
+
+    const result = await listAllWebsites()
+    expect(result.ok).toBe(true)
+    if (result.ok) expect(result.value.map((w) => w.id)).toEqual(['a'])
+  })
+})