@setzkasten-cms/astro-admin 1.1.0 → 1.3.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@setzkasten-cms/astro-admin",
-  "version": "1.1.0",
+  "version": "1.3.0",
   "description": "Setzkasten Admin-UI, Init-Wizard und Adoptions-Pipeline für Astro",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE",
@@ -40,6 +40,12 @@
     "./catalog": "./src/api-routes/catalog-list.ts",
     "./catalog-add": "./src/api-routes/catalog-add.ts",
     "./catalog-export": "./src/api-routes/catalog-export.ts",
+    "./history": "./src/api-routes/history.ts",
+    "./history-version": "./src/api-routes/history-version.ts",
+    "./history-rollback": "./src/api-routes/history-rollback.ts",
+    "./webhooks": "./src/api-routes/webhooks.ts",
+    "./webhooks-test": "./src/api-routes/webhooks-test.ts",
+    "./webhooks-status": "./src/api-routes/webhooks-status.ts",
     "./section-add": "./src/api-routes/section-add.ts",
     "./section-prepare": "./src/api-routes/section-prepare.ts",
     "./section-prepare-copy": "./src/api-routes/section-prepare-copy.ts",
@@ -68,11 +74,11 @@
   },
   "dependencies": {
     "@astrojs/compiler": "^3.0.0",
-    "@setzkasten-cms/auth": "1.1.0",
-    "@setzkasten-cms/catalog": "1.1.0",
-    "@setzkasten-cms/github-adapter": "1.1.0",
-    "@setzkasten-cms/core": "1.1.0",
-    "@setzkasten-cms/ui": "1.1.0"
+    "@setzkasten-cms/catalog": "1.3.0",
+    "@setzkasten-cms/auth": "1.3.0",
+    "@setzkasten-cms/core": "1.3.0",
+    "@setzkasten-cms/github-adapter": "1.3.0",
+    "@setzkasten-cms/ui": "1.3.0"
   },
   "peerDependencies": {
     "astro": "^5.0.0",

package/src/api-routes/__tests__/feature-gate.test.ts

@@ -0,0 +1,60 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest'
+import { gateFeature } from '../_feature-gate'
+
+const ORIGINAL_KEY = process.env.SETZKASTEN_LICENSE_KEY
+
+afterEach(() => {
+  if (ORIGINAL_KEY === undefined) delete process.env.SETZKASTEN_LICENSE_KEY
+  else process.env.SETZKASTEN_LICENSE_KEY = ORIGINAL_KEY
+})
+
+describe('gateFeature', () => {
+  beforeEach(() => {
+    delete process.env.SETZKASTEN_LICENSE_KEY
+  })
+
+  it('returns null (allow) for an unknown feature key at any tier', () => {
+    expect(gateFeature('something-not-yet-declared')).toBeNull()
+    process.env.SETZKASTEN_LICENSE_KEY = 'SK-PRO-AAAA-BBBB-CCCC'
+    expect(gateFeature('something-not-yet-declared')).toBeNull()
+  })
+
+  it('blocks editors at free tier with 403 + JSON body', async () => {
+    const res = gateFeature('editors')
+    expect(res).not.toBeNull()
+    expect(res!.status).toBe(403)
+    expect(res!.headers.get('Content-Type')).toContain('application/json')
+    const body = await res!.json()
+    expect(body).toMatchObject({
+      code: 'feature-locked',
+      feature: 'editors',
+      requiredTier: 'pro',
+      currentTier: 'free',
+    })
+    expect(body.error).toBeTruthy()
+  })
+
+  it('allows editors at pro tier (returns null)', () => {
+    process.env.SETZKASTEN_LICENSE_KEY = 'SK-PRO-AAAA-BBBB-CCCC'
+    expect(gateFeature('editors')).toBeNull()
+  })
+
+  it('allows editors at enterprise tier (returns null)', () => {
+    process.env.SETZKASTEN_LICENSE_KEY = 'SK-ENT-AAAA-BBBB-CCCC'
+    expect(gateFeature('editors')).toBeNull()
+  })
+
+  it('blocks google-auth at free tier', async () => {
+    const res = gateFeature('google-auth')
+    expect(res).not.toBeNull()
+    expect(res!.status).toBe(403)
+    const body = await res!.json()
+    expect(body.feature).toBe('google-auth')
+  })
+
+  it('blocks webhooks at free tier (reserved key)', async () => {
+    const res = gateFeature('webhooks')
+    expect(res).not.toBeNull()
+    expect(res!.status).toBe(403)
+  })
+})

package/src/api-routes/__tests__/history-rollback.test.ts

@@ -0,0 +1,196 @@
+/**
+ * @vitest-environment node
+ */
+
+import { generateKeyPairSync } from 'node:crypto'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+
+const { privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+const PEM = privateKey.export({ type: 'pkcs8', format: 'pem' }) as string
+
+const ADMIN_SESSION = JSON.stringify({
+  user: { id: 'u1', email: 'admin@example.com', role: 'admin', provider: 'github' },
+  expiresAt: Date.now() + 60 * 60 * 1000,
+})
+
+const EDITOR_SESSION = JSON.stringify({
+  user: { id: 'u2', email: 'editor@example.com', role: 'editor', provider: 'google' },
+  expiresAt: Date.now() + 60 * 60 * 1000,
+})
+
+function makeCtx(body: unknown, sessionValue: string | null = ADMIN_SESSION) {
+  const request = new Request('https://cms.example.com/api/setzkasten/history/rollback', {
+    method: 'POST',
+    body: JSON.stringify(body),
+    headers: { 'content-type': 'application/json' },
+  })
+  return {
+    request,
+    cookies: {
+      get: vi.fn((name: string) =>
+        name === 'setzkasten_session' && sessionValue ? { value: sessionValue } : undefined,
+      ),
+    },
+  }
+}
+
+beforeEach(() => {
+  vi.unstubAllEnvs()
+  vi.stubEnv('GITHUB_APP_ID', '1')
+  vi.stubEnv('GITHUB_APP_INSTALLATION_ID', '111')
+  vi.stubEnv('GITHUB_APP_PRIVATE_KEY', PEM)
+  vi.stubEnv('SETZKASTEN_LICENSE_KEY', 'SK-PRO-AAAAAAAA-BBBBBBBB-CCCCCCCC')
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = {
+    kind: 'github-app',
+    repo: 'acme/site',
+    branch: 'main',
+    appId: '1',
+    installationId: '111',
+  }
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = {
+    storage: {
+      kind: 'github-app',
+      repo: 'acme/site',
+      branch: 'main',
+      appId: '1',
+      installationId: '111',
+    },
+  }
+})
+
+afterEach(() => {
+  vi.restoreAllMocks()
+  vi.unstubAllEnvs()
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = undefined
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = undefined
+})
+
+const ROLLBACK_PATH = 'content/sections/hero.json'
+const TARGET_SHA = 'b'.repeat(40)
+const HEAD_SHA_FILE = 'c'.repeat(40)
+
+describe('POST /api/setzkasten/history/rollback', () => {
+  it('returns 401 without a session', async () => {
+    const { POST } = await import('../history-rollback')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ path: ROLLBACK_PATH, sha: TARGET_SHA }, null),
+    )
+    expect(res.status).toBe(401)
+  })
+
+  it('returns 403 for editor session', async () => {
+    const { POST } = await import('../history-rollback')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ path: ROLLBACK_PATH, sha: TARGET_SHA }, EDITOR_SESSION),
+    )
+    expect(res.status).toBe(403)
+  })
+
+  it('returns 400 when path or sha missing', async () => {
+    const { POST } = await import('../history-rollback')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx({ path: ROLLBACK_PATH }))
+    expect(res.status).toBe(400)
+  })
+
+  it('writes a new commit with the historical content', async () => {
+    const calls: string[] = []
+    const fetchMock = vi.fn(async (url: string | URL, init?: RequestInit) => {
+      const u = url instanceof URL ? url : new URL(url)
+      calls.push(`${init?.method ?? 'GET'} ${u.pathname}${u.search}`)
+      if (u.pathname.endsWith('/access_tokens')) {
+        return {
+          ok: true,
+          json: async () => ({
+            token: 'gh_mock',
+            expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+          }),
+        } as Response
+      }
+      // Read at target sha
+      if (u.search.includes(`ref=${TARGET_SHA}`)) {
+        return {
+          ok: true,
+          status: 200,
+          json: async () => ({
+            content: Buffer.from('{"heading":"old"}').toString('base64'),
+            encoding: 'base64',
+            sha: 'old-blob',
+          }),
+        } as Response
+      }
+      // Read HEAD blob sha
+      if (u.search.includes('ref=main') && (init?.method ?? 'GET') === 'GET') {
+        return {
+          ok: true,
+          status: 200,
+          json: async () => ({ sha: HEAD_SHA_FILE }),
+        } as Response
+      }
+      // PUT new commit
+      if (init?.method === 'PUT' && u.pathname.includes('/contents/')) {
+        return {
+          ok: true,
+          status: 200,
+          json: async () => ({ commit: { sha: 'd'.repeat(40) } }),
+        } as Response
+      }
+      throw new Error(`unexpected URL: ${u.toString()}`)
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { POST } = await import('../history-rollback')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ path: ROLLBACK_PATH, sha: TARGET_SHA }),
+    )
+    expect(res.status).toBe(200)
+    const body = await res.json()
+    expect(body.ok).toBe(true)
+    expect(body.commitSha).toBe('d'.repeat(40))
+    expect(calls.some((c) => c.startsWith('PUT'))).toBe(true)
+  })
+
+  it('returns 409 when expectedHeadSha does not match current HEAD', async () => {
+    const fetchMock = vi.fn(async (url: string | URL) => {
+      const u = url instanceof URL ? url : new URL(url)
+      if (u.pathname.endsWith('/access_tokens')) {
+        return {
+          ok: true,
+          json: async () => ({
+            token: 'gh_mock',
+            expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+          }),
+        } as Response
+      }
+      if (u.search.includes(`ref=${TARGET_SHA}`)) {
+        return {
+          ok: true,
+          status: 200,
+          json: async () => ({
+            content: Buffer.from('{"heading":"old"}').toString('base64'),
+            encoding: 'base64',
+            sha: 'old-blob',
+          }),
+        } as Response
+      }
+      // HEAD has SHA "moved-on" but client expected "expected"
+      return {
+        ok: true,
+        status: 200,
+        json: async () => ({ sha: 'moved-on-since-page-load' }),
+      } as Response
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { POST } = await import('../history-rollback')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({
+        path: ROLLBACK_PATH,
+        sha: TARGET_SHA,
+        expectedHeadSha: 'something-else-entirely',
+      }),
+    )
+    expect(res.status).toBe(409)
+    const body = await res.json()
+    expect(body.code).toBe('head-moved')
+  })
+})

package/src/api-routes/__tests__/history.test.ts

@@ -0,0 +1,168 @@
+/**
+ * @vitest-environment node
+ */
+
+import { generateKeyPairSync } from 'node:crypto'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+
+const { privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+const PEM = privateKey.export({ type: 'pkcs8', format: 'pem' }) as string
+
+const ADMIN_SESSION = JSON.stringify({
+  user: { id: 'u1', email: 'admin@example.com', role: 'admin', provider: 'github' },
+  expiresAt: Date.now() + 60 * 60 * 1000,
+})
+
+const EDITOR_SESSION = JSON.stringify({
+  user: { id: 'u2', email: 'editor@example.com', role: 'editor', provider: 'google' },
+  expiresAt: Date.now() + 60 * 60 * 1000,
+})
+
+function makeCtx(searchParams: Record<string, string>, sessionValue: string | null = ADMIN_SESSION) {
+  const url = new URL('https://cms.example.com/api/setzkasten/history')
+  for (const [k, v] of Object.entries(searchParams)) url.searchParams.set(k, v)
+  const request = new Request(url, { method: 'GET' })
+  return {
+    request,
+    url,
+    cookies: {
+      get: vi.fn((name: string) =>
+        name === 'setzkasten_session' && sessionValue ? { value: sessionValue } : undefined,
+      ),
+    },
+  }
+}
+
+beforeEach(() => {
+  vi.unstubAllEnvs()
+  vi.stubEnv('GITHUB_APP_ID', '1')
+  vi.stubEnv('GITHUB_APP_INSTALLATION_ID', '111')
+  vi.stubEnv('GITHUB_APP_PRIVATE_KEY', PEM)
+  vi.stubEnv('SETZKASTEN_LICENSE_KEY', 'SK-PRO-AAAAAAAA-BBBBBBBB-CCCCCCCC')
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = {
+    kind: 'github-app',
+    repo: 'acme/site',
+    branch: 'main',
+    appId: '1',
+    installationId: '111',
+  }
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = {
+    storage: {
+      kind: 'github-app',
+      repo: 'acme/site',
+      branch: 'main',
+      appId: '1',
+      installationId: '111',
+    },
+  }
+  // Reset history cache between tests so cachedFetch doesn't pollute state.
+  return import('../_github-cache').then((m) => {
+    // We don't know the keys, but the cache is keyed by route+args; tests
+    // pick fresh paths, so old entries simply expire. No reset API exposed.
+    void m
+  })
+})
+
+afterEach(() => {
+  vi.restoreAllMocks()
+  vi.unstubAllEnvs()
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = undefined
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = undefined
+})
+
+const SAMPLE_COMMIT = {
+  sha: 'a'.repeat(40),
+  commit: {
+    author: { name: 'Maria', email: 'maria@example.com', date: '2026-05-01T12:00:00Z' },
+    message: `Update hero\n\nCo-authored-by: Editor <editor@example.com>`,
+  },
+  author: { avatar_url: 'https://avatars.example.com/maria.png' },
+}
+
+describe('GET /api/setzkasten/history', () => {
+  it('returns 401 without a session', async () => {
+    const { GET } = await import('../history')
+    const res = await (GET as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ path: 'content/sections/hero.json' }, null),
+    )
+    expect(res.status).toBe(401)
+  })
+
+  it('returns 403 for editor (admin-only)', async () => {
+    const { GET } = await import('../history')
+    const res = await (GET as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ path: 'content/sections/hero.json' }, EDITOR_SESSION),
+    )
+    expect(res.status).toBe(403)
+  })
+
+  it('returns 400 when path is missing', async () => {
+    const { GET } = await import('../history')
+    const res = await (GET as (ctx: unknown) => Promise<Response>)(makeCtx({}))
+    expect(res.status).toBe(400)
+  })
+
+  it('returns parsed commits with co-authors and short sha', async () => {
+    const fetchMock = vi.fn(async (url: string | URL) => {
+      const u = url instanceof URL ? url : new URL(url)
+      if (u.pathname.endsWith('/access_tokens')) {
+        return {
+          ok: true,
+          json: async () => ({
+            token: 'gh_mock',
+            expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+          }),
+        } as Response
+      }
+      if (u.pathname.endsWith('/commits')) {
+        return { ok: true, status: 200, json: async () => [SAMPLE_COMMIT] } as Response
+      }
+      throw new Error(`unexpected URL: ${u.toString()}`)
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { GET } = await import('../history')
+    // Use a fresh path each time to avoid cache hits from earlier tests
+    const res = await (GET as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ path: 'content/sections/hero-' + Date.now() + '.json' }),
+    )
+    expect(res.status).toBe(200)
+    const body = await res.json()
+    expect(body.commits).toHaveLength(1)
+    expect(body.commits[0]).toMatchObject({
+      sha: 'a'.repeat(40),
+      shortSha: 'aaaaaaa',
+      authorName: 'Maria',
+      authorEmail: 'maria@example.com',
+      message: 'Update hero',
+    })
+    expect(body.commits[0].coAuthors).toEqual([
+      { name: 'Editor', email: 'editor@example.com' },
+    ])
+  })
+
+  it('returns empty list when GitHub returns 404 for the path', async () => {
+    const fetchMock = vi.fn(async (url: string | URL) => {
+      const u = url instanceof URL ? url : new URL(url)
+      if (u.pathname.endsWith('/access_tokens')) {
+        return {
+          ok: true,
+          json: async () => ({
+            token: 'gh_mock',
+            expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+          }),
+        } as Response
+      }
+      return { ok: false, status: 404, json: async () => ({}) } as Response
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { GET } = await import('../history')
+    const res = await (GET as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ path: 'content/sections/missing-' + Date.now() + '.json' }),
+    )
+    expect(res.status).toBe(200)
+    const body = await res.json()
+    expect(body.commits).toEqual([])
+  })
+})

package/src/api-routes/__tests__/setup-github-app-callback.test.ts

@@ -67,6 +67,13 @@ describe('setup-github-app-callback', () => {
     expect(cookieValue.appId).toBe('123456')
     expect(cookieValue.slug).toBe('meine-cms-app')
     expect(cookieValue.privateKey).toContain('RSA PRIVATE KEY')
+    // v1.2: GitHub-App also serves as the OAuth provider for admin
+    // login. The Manifest exchange returns client_id + client_secret
+    // alongside the App credentials; we capture both so the wizard
+    // can surface them as env vars and the CLI doesn't need to ask
+    // for OAuth credentials separately.
+    expect(cookieValue.clientId).toBe('Iv1.abc')
+    expect(cookieValue.clientSecret).toBe('secret')
   })
 
   it('Response ist nicht immutable — Cookie-Header kann gesetzt werden', async () => {

package/src/api-routes/__tests__/webhook-signing.test.ts

@@ -0,0 +1,39 @@
+/**
+ * @vitest-environment node
+ */
+
+import { describe, it, expect } from 'vitest'
+import { signPayload } from '../_webhook-signing'
+
+describe('signPayload', () => {
+  it('produces deterministic output for same input', () => {
+    const a = signPayload('{"hello":"world"}', 'secret')
+    const b = signPayload('{"hello":"world"}', 'secret')
+    expect(a).toBe(b)
+  })
+
+  it('produces different output for different bodies', () => {
+    const a = signPayload('{"hello":"world"}', 'secret')
+    const b = signPayload('{"hello":"there"}', 'secret')
+    expect(a).not.toBe(b)
+  })
+
+  it('produces different output for different secrets', () => {
+    const a = signPayload('{"hello":"world"}', 'secret-a')
+    const b = signPayload('{"hello":"world"}', 'secret-b')
+    expect(a).not.toBe(b)
+  })
+
+  it('matches a known HMAC-SHA256 reference value', () => {
+    // Reference: `echo -n "test" | openssl dgst -sha256 -hmac "key"`
+    // → 02afb56304902c656fcb737cdd03de6205bb6d401da2812efd9b2d36a08af159
+    expect(signPayload('test', 'key')).toBe(
+      '02afb56304902c656fcb737cdd03de6205bb6d401da2812efd9b2d36a08af159',
+    )
+  })
+
+  it('returns a 64-char hex string', () => {
+    const sig = signPayload('any body', 'any secret')
+    expect(sig).toMatch(/^[0-9a-f]{64}$/)
+  })
+})