@setzkasten-cms/astro-admin 0.8.0 → 1.3.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@setzkasten-cms/astro-admin",
-  "version": "0.8.0",
+  "version": "1.3.0",
   "description": "Setzkasten Admin-UI, Init-Wizard und Adoptions-Pipeline für Astro",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE",
@@ -40,6 +40,12 @@
     "./catalog": "./src/api-routes/catalog-list.ts",
     "./catalog-add": "./src/api-routes/catalog-add.ts",
     "./catalog-export": "./src/api-routes/catalog-export.ts",
+    "./history": "./src/api-routes/history.ts",
+    "./history-version": "./src/api-routes/history-version.ts",
+    "./history-rollback": "./src/api-routes/history-rollback.ts",
+    "./webhooks": "./src/api-routes/webhooks.ts",
+    "./webhooks-test": "./src/api-routes/webhooks-test.ts",
+    "./webhooks-status": "./src/api-routes/webhooks-status.ts",
     "./section-add": "./src/api-routes/section-add.ts",
     "./section-prepare": "./src/api-routes/section-prepare.ts",
     "./section-prepare-copy": "./src/api-routes/section-prepare-copy.ts",
@@ -51,6 +57,16 @@
     "./updater-transfer": "./src/api-routes/updater-transfer.ts",
     "./updater-unbind": "./src/api-routes/updater-unbind.ts",
     "./editors": "./src/api-routes/editors.ts",
+    "./setup-github-app": "./src/api-routes/setup-github-app.ts",
+    "./setup-github-app-callback": "./src/api-routes/setup-github-app-callback.ts",
+    "./setup-github-app-installed": "./src/api-routes/setup-github-app-installed.ts",
+    "./setup-github-app-bounce": "./src/api-routes/setup-github-app-bounce.ts",
+    "./setup-github-app-repos": "./src/api-routes/setup-github-app-repos.ts",
+    "./setup-github-app-branches": "./src/api-routes/setup-github-app-branches.ts",
+    "./websites-list": "./src/api-routes/websites-list.ts",
+    "./websites-add": "./src/api-routes/websites-add.ts",
+    "./websites-remove": "./src/api-routes/websites-remove.ts",
+    "./migrate-to-multi": "./src/api-routes/migrate-to-multi.ts",
     "./admin-page": "./src/admin-page.astro"
   },
   "devDependencies": {
@@ -58,11 +74,11 @@
   },
   "dependencies": {
     "@astrojs/compiler": "^3.0.0",
-    "@setzkasten-cms/auth": "0.8.0",
-    "@setzkasten-cms/catalog": "0.8.0",
-    "@setzkasten-cms/core": "0.8.0",
-    "@setzkasten-cms/github-adapter": "0.8.0",
-    "@setzkasten-cms/ui": "0.8.0"
+    "@setzkasten-cms/catalog": "1.3.0",
+    "@setzkasten-cms/auth": "1.3.0",
+    "@setzkasten-cms/core": "1.3.0",
+    "@setzkasten-cms/github-adapter": "1.3.0",
+    "@setzkasten-cms/ui": "1.3.0"
   },
   "peerDependencies": {
     "astro": "^5.0.0",

package/src/admin-page.astro

@@ -81,7 +81,7 @@
           // providers is always derived from injected flags (license-aware),
           // so we override auth.providers regardless of what userConfig says.
           const skConfig = {
-            storage: { kind: 'github' as const },
+            storage: { kind: 'local' as const },
             theme: {},
             products: {},
             collections: {},

package/src/api-routes/__tests__/auth-guard.test.ts

@@ -0,0 +1,134 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import { parseSession, guardPageAccess } from '../_auth-guard'
+import type { AuthSession, SetzKastenConfig } from '@setzkasten-cms/core'
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function adminSession(): AuthSession {
+  return { user: { id: '1', email: 'admin@example.com', provider: 'github', role: 'admin' }, expiresAt: Date.now() + 86400_000 }
+}
+
+function editorSession(email = 'editor@example.com'): AuthSession {
+  return { user: { id: '2', email, provider: 'google', role: 'editor' }, expiresAt: Date.now() + 86400_000 }
+}
+
+const baseConfig: SetzKastenConfig = {
+  storage: { kind: 'local' as const },
+  auth: { providers: ['github'] },
+  products: {},
+}
+
+// ---------------------------------------------------------------------------
+// parseSession
+// ---------------------------------------------------------------------------
+
+describe('parseSession', () => {
+  it('returns null for undefined input', () => {
+    expect(parseSession(undefined)).toBeNull()
+  })
+
+  it('returns null for invalid JSON', () => {
+    expect(parseSession('not-json')).toBeNull()
+  })
+
+  it('parses a valid session cookie', () => {
+    const session = adminSession()
+    expect(parseSession(JSON.stringify(session))).toEqual(session)
+  })
+})
+
+// ---------------------------------------------------------------------------
+// guardPageAccess – dynamic editors
+// ---------------------------------------------------------------------------
+
+vi.mock('../editors', () => ({
+  readEditorsFileStatus: vi.fn(),
+}))
+
+vi.mock('../_storage-config', () => ({
+  resolveStorageConfig: vi.fn(() => ({ owner: 'test', repo: 'test', branch: 'main' })),
+}))
+
+vi.mock('../_github-token', () => ({
+  resolveConfigRepoToken: vi.fn(async () => ({ ok: true, value: 'ghs_mock' })),
+}))
+
+const { readEditorsFileStatus } = await import('../editors')
+
+beforeEach(() => {
+  vi.mocked(readEditorsFileStatus).mockReset()
+})
+
+describe('guardPageAccess – no session', () => {
+  it('returns 401 for missing session', async () => {
+    const res = await guardPageAccess(null, 'home', baseConfig)
+    expect(res?.status).toBe(401)
+  })
+})
+
+describe('guardPageAccess – admin', () => {
+  it('always passes for admin regardless of editors', async () => {
+    vi.mocked(readEditorsFileStatus).mockResolvedValue({
+      kind: 'present',
+      editors: [{ email: 'other@example.com' }],
+    })
+    const res = await guardPageAccess(adminSession(), 'home', baseConfig)
+    expect(res).toBeNull()
+  })
+})
+
+describe('guardPageAccess – dynamic editors', () => {
+  it('allows editor access when listed in _editors.json', async () => {
+    vi.mocked(readEditorsFileStatus).mockResolvedValue({
+      kind: 'present',
+      editors: [{ email: 'editor@example.com', pages: ['home', 'about'] }],
+    })
+    const res = await guardPageAccess(editorSession('editor@example.com'), 'home', baseConfig)
+    expect(res).toBeNull()
+  })
+
+  it('denies editor access when page not listed in _editors.json', async () => {
+    vi.mocked(readEditorsFileStatus).mockResolvedValue({
+      kind: 'present',
+      editors: [{ email: 'editor@example.com', pages: ['about'] }],
+    })
+    const res = await guardPageAccess(editorSession('editor@example.com'), 'home', baseConfig)
+    expect(res?.status).toBe(403)
+  })
+
+  it('allows all pages when editor has no page restriction', async () => {
+    vi.mocked(readEditorsFileStatus).mockResolvedValue({
+      kind: 'present',
+      editors: [{ email: 'editor@example.com' }],
+    })
+    const res = await guardPageAccess(editorSession('editor@example.com'), 'secret-page', baseConfig)
+    expect(res).toBeNull()
+  })
+
+  it('allows access when _editors.json is genuinely absent (404)', async () => {
+    vi.mocked(readEditorsFileStatus).mockResolvedValue({ kind: 'absent' })
+    const res = await guardPageAccess(editorSession(), 'home', baseConfig)
+    expect(res).toBeNull()
+  })
+
+  it('returns 503 when the editors fetch errors out (fail-closed)', async () => {
+    vi.mocked(readEditorsFileStatus).mockResolvedValue({
+      kind: 'error',
+      message: 'GitHub returned 500',
+    })
+    const res = await guardPageAccess(editorSession(), 'home', baseConfig)
+    expect(res?.status).toBe(503)
+  })
+
+  it('denies when dynamic editors list is empty, regardless of config', async () => {
+    vi.mocked(readEditorsFileStatus).mockResolvedValue({
+      kind: 'present',
+      editors: [],
+    })
+    // Dynamic list is empty → denied
+    const res = await guardPageAccess(editorSession('editor@example.com'), 'home', baseConfig)
+    expect(res?.status).toBe(403)
+  })
+})

package/src/api-routes/__tests__/feature-gate.test.ts

@@ -0,0 +1,60 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest'
+import { gateFeature } from '../_feature-gate'
+
+const ORIGINAL_KEY = process.env.SETZKASTEN_LICENSE_KEY
+
+afterEach(() => {
+  if (ORIGINAL_KEY === undefined) delete process.env.SETZKASTEN_LICENSE_KEY
+  else process.env.SETZKASTEN_LICENSE_KEY = ORIGINAL_KEY
+})
+
+describe('gateFeature', () => {
+  beforeEach(() => {
+    delete process.env.SETZKASTEN_LICENSE_KEY
+  })
+
+  it('returns null (allow) for an unknown feature key at any tier', () => {
+    expect(gateFeature('something-not-yet-declared')).toBeNull()
+    process.env.SETZKASTEN_LICENSE_KEY = 'SK-PRO-AAAA-BBBB-CCCC'
+    expect(gateFeature('something-not-yet-declared')).toBeNull()
+  })
+
+  it('blocks editors at free tier with 403 + JSON body', async () => {
+    const res = gateFeature('editors')
+    expect(res).not.toBeNull()
+    expect(res!.status).toBe(403)
+    expect(res!.headers.get('Content-Type')).toContain('application/json')
+    const body = await res!.json()
+    expect(body).toMatchObject({
+      code: 'feature-locked',
+      feature: 'editors',
+      requiredTier: 'pro',
+      currentTier: 'free',
+    })
+    expect(body.error).toBeTruthy()
+  })
+
+  it('allows editors at pro tier (returns null)', () => {
+    process.env.SETZKASTEN_LICENSE_KEY = 'SK-PRO-AAAA-BBBB-CCCC'
+    expect(gateFeature('editors')).toBeNull()
+  })
+
+  it('allows editors at enterprise tier (returns null)', () => {
+    process.env.SETZKASTEN_LICENSE_KEY = 'SK-ENT-AAAA-BBBB-CCCC'
+    expect(gateFeature('editors')).toBeNull()
+  })
+
+  it('blocks google-auth at free tier', async () => {
+    const res = gateFeature('google-auth')
+    expect(res).not.toBeNull()
+    expect(res!.status).toBe(403)
+    const body = await res!.json()
+    expect(body.feature).toBe('google-auth')
+  })
+
+  it('blocks webhooks at free tier (reserved key)', async () => {
+    const res = gateFeature('webhooks')
+    expect(res).not.toBeNull()
+    expect(res!.status).toBe(403)
+  })
+})

package/src/api-routes/__tests__/github-token-for-request.test.ts

@@ -0,0 +1,112 @@
+/**
+ * @vitest-environment node
+ */
+
+import { generateKeyPairSync } from 'node:crypto'
+import { type Result, type WebsiteEntry, ok } from '@setzkasten-cms/core'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { resolveGitHubTokenForRequest } from '../_github-token'
+import { __resetWebsiteResolverForTests } from '../_website-resolver'
+
+const { privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+const PEM = privateKey.export({ type: 'pkcs8', format: 'pem' }) as string
+
+const ENTRY_A: WebsiteEntry = {
+  id: 'a',
+  name: 'A',
+  repo: 'acme/a',
+  branch: 'main',
+  previewOrigin: 'https://a.example.com',
+  githubApp: { appId: '11', installationId: '101' },
+}
+
+const ENTRY_B: WebsiteEntry = {
+  id: 'b',
+  name: 'B',
+  repo: 'acme/b',
+  branch: 'main',
+  previewOrigin: 'https://b.example.com',
+  githubApp: { appId: '11', installationId: '202' },
+}
+
+function makeRegistry(entries: readonly WebsiteEntry[]) {
+  return {
+    list: vi.fn(async (): Promise<Result<readonly WebsiteEntry[]>> => ok(entries)),
+    get: vi.fn(async (id: string): Promise<Result<WebsiteEntry | null>> => {
+      return ok(entries.find((e) => e.id === id) ?? null)
+    }),
+  }
+}
+
+beforeEach(() => {
+  vi.unstubAllEnvs()
+  vi.stubEnv('GITHUB_APP_PRIVATE_KEY', PEM)
+})
+
+afterEach(() => {
+  __resetWebsiteResolverForTests(null)
+  vi.restoreAllMocks()
+  vi.unstubAllEnvs()
+})
+
+describe('resolveGitHubTokenForRequest', () => {
+  it('uses the resolved website installation id when calling GitHub', async () => {
+    __resetWebsiteResolverForTests({
+      mode: 'multi',
+      registry: makeRegistry([ENTRY_A, ENTRY_B]),
+    })
+
+    const fetchMock = vi.fn(async (_url: string, _init?: RequestInit) => ({
+      ok: true,
+      json: async () => ({
+        token: 'ghs_token_for_b',
+        expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+      }),
+    }))
+    vi.stubGlobal('fetch', fetchMock)
+
+    const req = new Request('https://cms.example.com/x', {
+      headers: { 'x-sk-website': 'b' },
+    })
+
+    const result = await resolveGitHubTokenForRequest(req)
+
+    expect(result.ok).toBe(true)
+    if (result.ok) expect(result.value).toBe('ghs_token_for_b')
+
+    const calledUrl = fetchMock.mock.calls[0]?.[0]
+    expect(calledUrl ?? '').toContain('/app/installations/202/access_tokens')
+  })
+
+  it('returns auth-error when resolver fails', async () => {
+    __resetWebsiteResolverForTests({
+      mode: 'multi',
+      registry: makeRegistry([ENTRY_A]),
+    })
+
+    const req = new Request('https://cms.example.com/x', {
+      headers: { 'x-sk-website': 'unknown' },
+    })
+
+    const result = await resolveGitHubTokenForRequest(req)
+
+    expect(result.ok).toBe(false)
+  })
+
+  it('returns auth-error when GITHUB_APP_PRIVATE_KEY is missing', async () => {
+    __resetWebsiteResolverForTests({
+      mode: 'multi',
+      registry: makeRegistry([ENTRY_A]),
+    })
+    vi.unstubAllEnvs()
+
+    const req = new Request('https://cms.example.com/x', {
+      headers: { 'x-sk-website': 'a' },
+    })
+
+    const result = await resolveGitHubTokenForRequest(req)
+
+    expect(result.ok).toBe(false)
+    if (!result.ok) expect(result.error.type).toBe('auth')
+  })
+})

package/src/api-routes/__tests__/github-token.test.ts

@@ -0,0 +1,78 @@
+/**
+ * Tests for _github-token.ts
+ *
+ * Covers:
+ *   1. GitHub App vars gesetzt → gibt Installation Access Token zurück
+ *   2. Nicht alle Vars gesetzt → auth error Result
+ */
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+import { generateKeyPairSync } from 'node:crypto'
+
+const { privateKey: TEST_KEY } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+const TEST_PRIVATE_KEY_PEM = TEST_KEY.export({ type: 'pkcs8', format: 'pem' }) as string
+
+function setEnv(vars: Record<string, string | undefined>) {
+  for (const [key, value] of Object.entries(vars)) {
+    if (value === undefined) {
+      delete process.env[key]
+    } else {
+      process.env[key] = value
+    }
+  }
+}
+
+function clearAppEnv() {
+  setEnv({
+    GITHUB_APP_ID: undefined,
+    GITHUB_APP_PRIVATE_KEY: undefined,
+    GITHUB_APP_INSTALLATION_ID: undefined,
+  })
+}
+
+describe('resolveConfigRepoToken', () => {
+  beforeEach(() => {
+    clearAppEnv()
+    vi.stubGlobal('fetch', vi.fn())
+  })
+
+  afterEach(() => {
+    clearAppEnv()
+    vi.restoreAllMocks()
+  })
+
+  it('gibt Installation-Token zurück wenn alle GITHUB_APP_*-Vars gesetzt sind', async () => {
+    setEnv({
+      GITHUB_APP_ID: '123456',
+      GITHUB_APP_PRIVATE_KEY: TEST_PRIVATE_KEY_PEM,
+      GITHUB_APP_INSTALLATION_ID: '42000000',
+    })
+
+    vi.mocked(fetch).mockResolvedValueOnce({
+      ok: true,
+      json: async () => ({
+        token: 'ghs_installation_token',
+        expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+      }),
+    } as Response)
+
+    const { resolveConfigRepoToken } = await import('../_github-token')
+    const result = await resolveConfigRepoToken()
+
+    expect(result.ok).toBe(true)
+    if (result.ok) expect(result.value).toBe('ghs_installation_token')
+    expect(vi.mocked(fetch)).toHaveBeenCalledWith(
+      expect.stringContaining('/app/installations/42000000/access_tokens'),
+      expect.objectContaining({ method: 'POST' }),
+    )
+  })
+
+  it('gibt auth error zurück wenn GITHUB_APP_*-Vars fehlen', async () => {
+    const { resolveConfigRepoToken } = await import('../_github-token')
+    const result = await resolveConfigRepoToken()
+
+    expect(result.ok).toBe(false)
+    if (!result.ok) expect(result.error.type).toBe('auth')
+    expect(vi.mocked(fetch)).not.toHaveBeenCalled()
+  })
+})

package/src/api-routes/__tests__/global-config-theme.test.ts

@@ -0,0 +1,71 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('../_storage-config', () => ({
+  resolveStorageConfig: vi.fn(() => ({ owner: 'o', repo: 'r', branch: 'main' })),
+}))
+
+vi.stubGlobal('__SETZKASTEN_CONFIG__', { storage: { contentPath: 'content' } })
+
+describe('GlobalConfig – theme field', () => {
+  it('GlobalConfig type accepts a theme object', async () => {
+    const { } = await import('../global-config')
+    // Type-level check: if this compiles the type is correct
+    const cfg = {
+      theme: { primaryColor: '#ff0000', brandName: 'Acme', logo: '/logo.png' },
+    }
+    expect(cfg.theme.primaryColor).toBe('#ff0000')
+    expect(cfg.theme.brandName).toBe('Acme')
+  })
+
+  it('GlobalConfig theme fields are all optional', async () => {
+    const cfg = { theme: {} }
+    expect(cfg.theme).toBeDefined()
+  })
+})
+
+describe('config.ts – theme merge', () => {
+  beforeEach(() => {
+    vi.resetModules()
+  })
+
+  it('merges global theme over static config theme', async () => {
+    vi.doMock('../global-config', () => ({
+      readGlobalConfig: vi.fn(async () => ({
+        theme: { primaryColor: '#abc123', brandName: 'Dynamic Brand' },
+      })),
+    }))
+
+    vi.stubGlobal('__SETZKASTEN_FULL_CONFIG__', {
+      theme: { primaryColor: '#ffffff', brandName: 'Static Brand', logo: '/logo.png' },
+      auth: { providers: ['github'] },
+      products: {},
+    })
+
+    const { GET } = await import('../config')
+    const res = await GET({} as any)
+    const body = await res.json() as any
+
+    expect(body.theme.primaryColor).toBe('#abc123')
+    expect(body.theme.brandName).toBe('Dynamic Brand')
+    expect(body.theme.logo).toBe('/logo.png') // static fallback preserved
+  })
+
+  it('uses static theme when global config has no theme', async () => {
+    vi.doMock('../global-config', () => ({
+      readGlobalConfig: vi.fn(async () => ({ firebaseConfig: null })),
+    }))
+
+    vi.stubGlobal('__SETZKASTEN_FULL_CONFIG__', {
+      theme: { primaryColor: '#ffffff', brandName: 'Static Brand' },
+      auth: { providers: ['github'] },
+      products: {},
+    })
+
+    const { GET } = await import('../config')
+    const res = await GET({} as any)
+    const body = await res.json() as any
+
+    expect(body.theme.primaryColor).toBe('#ffffff')
+    expect(body.theme.brandName).toBe('Static Brand')
+  })
+})