@setzkasten-cms/astro-admin 1.4.0 → 1.4.1

package/dist/api-routes/webhooks.js

@@ -0,0 +1,148 @@
+import {
+  parseSession,
+  requireAdmin
+} from "../chunk-INIWFKQ3.js";
+import {
+  resolveStorageConfigForRequest
+} from "../chunk-6UIKVKED.js";
+import {
+  gateFeature
+} from "../chunk-5PIMDP4N.js";
+import {
+  cachedFetch,
+  invalidateCache
+} from "../chunk-45ARVNT3.js";
+import {
+  resolveGitHubTokenForRequest
+} from "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import {
+  withTrailers
+} from "../chunk-KH22FJO5.js";
+
+// src/api-routes/webhooks.ts
+import {
+  parseWebhooksFile,
+  validateWebhookConfig
+} from "@setzkasten-cms/core";
+var WEBHOOKS_FILE = (contentPath) => `${contentPath}/_webhooks.json`;
+var GET = async ({ request, cookies }) => {
+  const denied = requireAdmin(cookies.get("setzkasten_session")?.value);
+  if (denied) return denied;
+  const tokenResult = await resolveGitHubTokenForRequest(request);
+  if (!tokenResult.ok) return new Response(tokenResult.error.message, { status: 500 });
+  const storage = await resolveStorageConfigForRequest(request);
+  if (!storage) {
+    return Response.json({ error: "Could not resolve owner/repo" }, { status: 400 });
+  }
+  const { owner, repo, branch } = storage;
+  const contentPath = resolveContentPath();
+  const cacheKey = `webhooks:${owner}/${repo}:${branch}`;
+  const webhooks = await cachedFetch(cacheKey, 6e4, async () => {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${WEBHOOKS_FILE(contentPath)}?ref=${branch}`,
+      {
+        headers: {
+          Authorization: `Bearer ${tokenResult.value}`,
+          Accept: "application/vnd.github+json",
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      }
+    );
+    if (res.status === 404) return [];
+    if (!res.ok) return null;
+    const data = await res.json();
+    const raw = data.encoding === "base64" ? Buffer.from(data.content, "base64").toString("utf-8") : data.content;
+    const parsed = parseWebhooksFile(raw);
+    return parsed.ok ? parsed.value.webhooks : null;
+  });
+  if (webhooks === null) {
+    return Response.json({ error: "Could not read webhooks file" }, { status: 502 });
+  }
+  return Response.json({ webhooks });
+};
+var PUT = async ({ request, cookies }) => {
+  const denied = requireAdmin(cookies.get("setzkasten_session")?.value);
+  if (denied) return denied;
+  const gate = gateFeature("webhooks");
+  if (gate) return gate;
+  const session = parseSession(cookies.get("setzkasten_session")?.value);
+  if (!session) return new Response("Unauthorized", { status: 401 });
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    return Response.json({ error: "Invalid JSON" }, { status: 400 });
+  }
+  if (!Array.isArray(body.webhooks)) {
+    return Response.json({ error: "webhooks must be an array" }, { status: 400 });
+  }
+  const validated = [];
+  const seenIds = /* @__PURE__ */ new Set();
+  for (let i = 0; i < body.webhooks.length; i++) {
+    const result = validateWebhookConfig(body.webhooks[i]);
+    if (!result.ok) {
+      return Response.json(
+        { error: result.error.message, index: i },
+        { status: 400 }
+      );
+    }
+    if (seenIds.has(result.value.id)) {
+      return Response.json(
+        { error: `Duplicate webhook id: ${result.value.id}`, index: i },
+        { status: 400 }
+      );
+    }
+    seenIds.add(result.value.id);
+    validated.push(result.value);
+  }
+  const tokenResult = await resolveGitHubTokenForRequest(request);
+  if (!tokenResult.ok) return new Response(tokenResult.error.message, { status: 500 });
+  const storage = await resolveStorageConfigForRequest(request);
+  if (!storage) {
+    return Response.json({ error: "Could not resolve owner/repo" }, { status: 400 });
+  }
+  const { owner, repo, branch } = storage;
+  const contentPath = resolveContentPath();
+  const filePath = WEBHOOKS_FILE(contentPath);
+  const headers = {
+    Authorization: `Bearer ${tokenResult.value}`,
+    Accept: "application/vnd.github+json",
+    "X-GitHub-Api-Version": "2022-11-28",
+    "Content-Type": "application/json"
+  };
+  let currentSha = null;
+  const existingRes = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}?ref=${branch}`,
+    { headers }
+  );
+  if (existingRes.ok) {
+    const data = await existingRes.json();
+    currentSha = data.sha;
+  }
+  const fileBody = JSON.stringify({ version: 1, webhooks: validated }, null, 2);
+  const putBody = {
+    message: withTrailers("chore(webhooks): update webhook configuration", session.user.email),
+    content: Buffer.from(fileBody).toString("base64"),
+    branch
+  };
+  if (currentSha) putBody.sha = currentSha;
+  const putRes = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}`,
+    { method: "PUT", headers, body: JSON.stringify(putBody) }
+  );
+  if (!putRes.ok) {
+    const text = await putRes.text();
+    return Response.json({ error: `Webhook write failed: ${text}` }, { status: 502 });
+  }
+  invalidateCache(`webhooks:${owner}/${repo}:${branch}`);
+  return Response.json({ ok: true, webhooks: validated });
+};
+function resolveContentPath() {
+  const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
+  return serverConfig?.storage?.contentPath ?? "content";
+}
+export {
+  GET,
+  PUT
+};

package/dist/api-routes/websites-add.d.ts

@@ -0,0 +1,15 @@
+import { APIRoute } from 'astro';
+
+/**
+ * POST /api/setzkasten/websites/add
+ *
+ * Body: { entry: WebsiteEntry }
+ *
+ * Reads the current websites.json from the config-repo, adds the entry
+ * (validated via parseWebsitesRegistry to share one truth on what makes
+ * a valid WebsiteEntry), and commits the new file back via the GitHub
+ * Contents API.
+ */
+declare const POST: APIRoute;
+
+export { POST };

package/dist/api-routes/websites-add.js

@@ -0,0 +1,92 @@
+import {
+  readWebsitesRegistryFromGitHub,
+  resolveConfigRepoTargetFromGlobals,
+  writeWebsitesRegistryToGitHub
+} from "../chunk-35S35OIV.js";
+import {
+  requireAdmin
+} from "../chunk-INIWFKQ3.js";
+import "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import {
+  resolveConfigRepoToken
+} from "../chunk-NKDATSPA.js";
+import {
+  resolveLicenseTier
+} from "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+
+// src/api-routes/websites-add.ts
+import {
+  addWebsiteToRegistry,
+  canAddWebsite,
+  parseWebsitesRegistry
+} from "@setzkasten-cms/core";
+var POST = async ({ request, cookies }) => {
+  const denied = requireAdmin(cookies.get("setzkasten_session")?.value);
+  if (denied) return denied;
+  let parsed = {};
+  try {
+    parsed = await request.json();
+  } catch {
+    return new Response(JSON.stringify({ error: "Invalid JSON body" }), { status: 400 });
+  }
+  if (!parsed.entry || typeof parsed.entry !== "object") {
+    return new Response(JSON.stringify({ error: 'Missing "entry" in body' }), { status: 400 });
+  }
+  const entry = parsed.entry;
+  if (entry.githubApp && !entry.githubApp.appId) {
+    const envAppId = process.env.GITHUB_APP_ID;
+    if (envAppId) entry.githubApp.appId = envAppId;
+  }
+  const validation = parseWebsitesRegistry(JSON.stringify({ websites: [parsed.entry] }));
+  if (!validation.ok) {
+    return new Response(JSON.stringify({ error: validation.error.message }), { status: 400 });
+  }
+  const tokenResult = await resolveConfigRepoToken();
+  if (!tokenResult.ok) {
+    return new Response(JSON.stringify({ error: tokenResult.error.message }), { status: 500 });
+  }
+  const target = resolveConfigRepoTargetFromGlobals(tokenResult.value);
+  if (!target) {
+    return new Response(
+      JSON.stringify({
+        error: 'Multi-mode storage not configured (storage.kind must be "multi").'
+      }),
+      { status: 400 }
+    );
+  }
+  const current = await readWebsitesRegistryFromGitHub(target);
+  if (!current.ok) {
+    return new Response(JSON.stringify({ error: current.error.message }), { status: 502 });
+  }
+  const tier = resolveLicenseTier();
+  const allowed = canAddWebsite(tier, current.value.registry.websites.length);
+  if (!allowed.ok) {
+    return new Response(
+      JSON.stringify({ error: allowed.reason, tier: allowed.tier, limit: allowed.limit }),
+      { status: 402, headers: { "Content-Type": "application/json" } }
+    );
+  }
+  const merged = addWebsiteToRegistry(current.value.registry, parsed.entry);
+  if (!merged.ok) {
+    return new Response(JSON.stringify({ error: merged.error.message }), { status: 409 });
+  }
+  const written = await writeWebsitesRegistryToGitHub(
+    target,
+    merged.value,
+    current.value.sha,
+    `feat(websites): add "${parsed.entry.id}" to registry`
+  );
+  if (!written.ok) {
+    return new Response(JSON.stringify({ error: written.error.message }), { status: 502 });
+  }
+  return new Response(JSON.stringify({ ok: true, websites: merged.value.websites }), {
+    status: 200,
+    headers: { "Content-Type": "application/json" }
+  });
+};
+export {
+  POST
+};

package/dist/api-routes/websites-list.d.ts

@@ -0,0 +1,12 @@
+import { APIRoute } from 'astro';
+
+/**
+ * GET /api/setzkasten/websites
+ *
+ * Returns the list of managed websites visible to the admin SPA.
+ * Strips private fields (`githubApp` installation refs, `allowedEmails`)
+ * — the client only needs ids/names/repos for the switcher.
+ */
+declare const GET: APIRoute;
+
+export { GET };

package/dist/api-routes/websites-list.js

@@ -0,0 +1,35 @@
+import {
+  listAllWebsites
+} from "../chunk-V6IMPVF3.js";
+
+// src/api-routes/websites-list.ts
+var GET = async ({ cookies }) => {
+  const session = cookies.get("setzkasten_session")?.value;
+  if (!session) {
+    return new Response(JSON.stringify({ authenticated: false }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  const result = await listAllWebsites();
+  if (!result.ok) {
+    return new Response(JSON.stringify({ error: result.error.message }), {
+      status: 500,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  const websites = result.value.map((entry) => ({
+    id: entry.id,
+    name: entry.name,
+    repo: entry.repo,
+    branch: entry.branch,
+    previewOrigin: entry.previewOrigin
+  }));
+  return new Response(JSON.stringify({ websites }), {
+    status: 200,
+    headers: { "Content-Type": "application/json" }
+  });
+};
+export {
+  GET
+};

package/dist/api-routes/websites-remove.d.ts

@@ -0,0 +1,15 @@
+import { APIRoute } from 'astro';
+
+/**
+ * POST /api/setzkasten/websites/remove
+ *
+ * Body: { id: string }
+ *
+ * Drops the matching entry from websites.json and commits the new file.
+ * Admin-only — editors must not be able to detach websites from the
+ * registry. Returns 404 when the id is not present, 502 when GitHub I/O
+ * fails.
+ */
+declare const POST: APIRoute;
+
+export { POST };

package/dist/api-routes/websites-remove.js

@@ -0,0 +1,69 @@
+import {
+  readWebsitesRegistryFromGitHub,
+  resolveConfigRepoTargetFromGlobals,
+  writeWebsitesRegistryToGitHub
+} from "../chunk-35S35OIV.js";
+import {
+  requireAdmin
+} from "../chunk-INIWFKQ3.js";
+import "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import {
+  resolveConfigRepoToken
+} from "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+
+// src/api-routes/websites-remove.ts
+import { removeWebsiteFromRegistry } from "@setzkasten-cms/core";
+var POST = async ({ request, cookies }) => {
+  const denied = requireAdmin(cookies.get("setzkasten_session")?.value);
+  if (denied) return denied;
+  let body = {};
+  try {
+    body = await request.json();
+  } catch {
+    return new Response(JSON.stringify({ error: "Invalid JSON body" }), { status: 400 });
+  }
+  if (!body.id || typeof body.id !== "string") {
+    return new Response(JSON.stringify({ error: 'Missing "id" in body' }), { status: 400 });
+  }
+  const tokenResult = await resolveConfigRepoToken();
+  if (!tokenResult.ok) {
+    return new Response(JSON.stringify({ error: tokenResult.error.message }), { status: 500 });
+  }
+  const target = resolveConfigRepoTargetFromGlobals(tokenResult.value);
+  if (!target) {
+    return new Response(
+      JSON.stringify({
+        error: 'Multi-mode storage not configured (storage.kind must be "multi").'
+      }),
+      { status: 400 }
+    );
+  }
+  const current = await readWebsitesRegistryFromGitHub(target);
+  if (!current.ok) {
+    return new Response(JSON.stringify({ error: current.error.message }), { status: 502 });
+  }
+  const next = removeWebsiteFromRegistry(current.value.registry, body.id);
+  if (!next.ok) {
+    return new Response(JSON.stringify({ error: next.error.message }), { status: 404 });
+  }
+  const written = await writeWebsitesRegistryToGitHub(
+    target,
+    next.value,
+    current.value.sha,
+    `chore(websites): remove "${body.id}" from registry`
+  );
+  if (!written.ok) {
+    return new Response(JSON.stringify({ error: written.error.message }), { status: 502 });
+  }
+  return new Response(JSON.stringify({ ok: true, websites: next.value.websites }), {
+    status: 200,
+    headers: { "Content-Type": "application/json" }
+  });
+};
+export {
+  POST
+};

package/dist/chunk-35S35OIV.js

@@ -0,0 +1,80 @@
+import {
+  withTrailers
+} from "./chunk-KH22FJO5.js";
+
+// src/api-routes/_websites-store.ts
+import {
+  err,
+  networkError,
+  ok,
+  parseWebsitesRegistry
+} from "@setzkasten-cms/core";
+var githubHeaders = (token) => ({
+  Authorization: `Bearer ${token}`,
+  Accept: "application/vnd.github+json",
+  "X-GitHub-Api-Version": "2022-11-28",
+  "Content-Type": "application/json"
+});
+async function readWebsitesRegistryFromGitHub(target) {
+  try {
+    const url = `https://api.github.com/repos/${target.owner}/${target.repo}/contents/${target.path}?ref=${target.branch}`;
+    const response = await fetch(url, { headers: githubHeaders(target.token) });
+    if (response.status === 404) {
+      return ok({ registry: { websites: [] }, sha: null });
+    }
+    if (!response.ok) {
+      return err(networkError(`GitHub returned ${response.status} reading ${target.path}`));
+    }
+    const data = await response.json();
+    const decoded = Buffer.from(data.content, "base64").toString("utf-8");
+    const parsed = parseWebsitesRegistry(decoded);
+    if (!parsed.ok) return parsed;
+    return ok({ registry: parsed.value, sha: data.sha });
+  } catch (cause) {
+    const message = cause instanceof Error ? cause.message : "Unknown error";
+    return err(networkError(`Failed to read ${target.path}: ${message}`, cause));
+  }
+}
+async function writeWebsitesRegistryToGitHub(target, registry, previousSha, commitMessage) {
+  const body = {
+    message: withTrailers(commitMessage),
+    content: Buffer.from(JSON.stringify(registry, null, 2)).toString("base64"),
+    branch: target.branch
+  };
+  if (previousSha) body.sha = previousSha;
+  try {
+    const response = await fetch(
+      `https://api.github.com/repos/${target.owner}/${target.repo}/contents/${target.path}`,
+      { method: "PUT", headers: githubHeaders(target.token), body: JSON.stringify(body) }
+    );
+    if (!response.ok) {
+      const text = await response.text();
+      return err(networkError(`GitHub PUT failed: ${response.status} ${text}`));
+    }
+    return ok(void 0);
+  } catch (cause) {
+    const message = cause instanceof Error ? cause.message : "Unknown error";
+    return err(networkError(`Failed to write ${target.path}: ${message}`, cause));
+  }
+}
+function resolveConfigRepoTargetFromGlobals(token) {
+  const fullConfig = globalThis.__SETZKASTEN_FULL_CONFIG__;
+  const storage = fullConfig?.storage;
+  if (!storage || storage.kind !== "multi" && storage.kind !== "standalone") return null;
+  if (!storage.configRepo) return null;
+  const [owner, repo] = storage.configRepo.split("/");
+  if (!owner || !repo) return null;
+  return {
+    owner,
+    repo,
+    branch: storage.configBranch ?? "main",
+    path: "websites.json",
+    token
+  };
+}
+
+export {
+  readWebsitesRegistryFromGitHub,
+  writeWebsitesRegistryToGitHub,
+  resolveConfigRepoTargetFromGlobals
+};

package/dist/chunk-45ARVNT3.js

@@ -0,0 +1,25 @@
+// src/api-routes/_github-cache.ts
+var cache = /* @__PURE__ */ new Map();
+async function cachedFetch(key, ttlMs, fetcher) {
+  const entry = cache.get(key);
+  const now = Date.now();
+  if (entry !== void 0 && now - entry.fetchedAt < ttlMs) {
+    return entry.value;
+  }
+  try {
+    const value = await fetcher();
+    cache.set(key, { value, fetchedAt: now });
+    return value;
+  } catch (err) {
+    if (entry !== void 0) return entry.value;
+    throw err;
+  }
+}
+function invalidateCache(key) {
+  cache.delete(key);
+}
+
+export {
+  cachedFetch,
+  invalidateCache
+};

package/dist/chunk-5PIMDP4N.js

@@ -0,0 +1,25 @@
+import {
+  resolveLicenseTier
+} from "./chunk-TJNJKPUL.js";
+
+// src/api-routes/_feature-gate.ts
+import { checkFeature } from "@setzkasten-cms/core";
+function gateFeature(feature) {
+  const tier = resolveLicenseTier();
+  const result = checkFeature(feature, tier);
+  if (result.ok) return null;
+  return new Response(
+    JSON.stringify({
+      error: result.reason,
+      code: "feature-locked",
+      feature: result.feature,
+      requiredTier: result.requiredTier,
+      currentTier: tier
+    }),
+    { status: 403, headers: { "Content-Type": "application/json" } }
+  );
+}
+
+export {
+  gateFeature
+};

package/dist/chunk-5ZFTG4BW.js

@@ -0,0 +1,10 @@
+// src/api-routes/_vercel-origin.ts
+function getPublicOrigin(request) {
+  const host = request.headers.get("x-forwarded-host") ?? request.headers.get("host") ?? "localhost";
+  const proto = request.headers.get("x-forwarded-proto")?.split(",")[0]?.trim() ?? "https";
+  return `${proto}://${host}`;
+}
+
+export {
+  getPublicOrigin
+};

package/dist/chunk-6UIKVKED.js

@@ -0,0 +1,51 @@
+// src/api-routes/_storage-config.ts
+function resolveStorageConfig(body) {
+  const buildConfig = typeof __SETZKASTEN_STORAGE__ !== "undefined" ? __SETZKASTEN_STORAGE__ : null;
+  const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
+  const owner = body?.owner || buildConfig?.owner || serverConfig?.storage?.owner;
+  const repo = body?.repo || buildConfig?.repo || serverConfig?.storage?.repo;
+  const branch = body?.branch || buildConfig?.branch || serverConfig?.storage?.branch || "main";
+  const projectPrefix = buildConfig?.projectPrefix ?? "";
+  if (!owner || !repo) return null;
+  return { owner, repo, branch, projectPrefix };
+}
+function prefixPath(filePath, projectPrefix) {
+  if (!projectPrefix) return filePath;
+  return `${projectPrefix}/${filePath}`;
+}
+async function resolveStorageConfigForRequest(request, body) {
+  const buildConfig = typeof __SETZKASTEN_STORAGE__ !== "undefined" ? __SETZKASTEN_STORAGE__ : null;
+  const inheritPrefix = (owner, repo) => {
+    if (!buildConfig?.projectPrefix) return "";
+    if (buildConfig.owner === owner && buildConfig.repo === repo) return buildConfig.projectPrefix;
+    return "";
+  };
+  if (body?.owner && body.repo) {
+    return {
+      owner: body.owner,
+      repo: body.repo,
+      branch: body.branch ?? "main",
+      projectPrefix: inheritPrefix(body.owner, body.repo)
+    };
+  }
+  const { resolveCurrentWebsite } = await import("./api-routes/_website-resolver.js");
+  const resolved = await resolveCurrentWebsite(request);
+  if (resolved.ok) {
+    const [owner, repo] = resolved.value.repo.split("/");
+    if (owner && repo) {
+      return {
+        owner,
+        repo,
+        branch: resolved.value.branch,
+        projectPrefix: inheritPrefix(owner, repo)
+      };
+    }
+  }
+  return resolveStorageConfig(body);
+}
+
+export {
+  resolveStorageConfig,
+  prefixPath,
+  resolveStorageConfigForRequest
+};

package/dist/chunk-737TIZRU.js

@@ -0,0 +1,9 @@
+// src/api-routes/_webhook-signing.ts
+import { createHmac } from "crypto";
+function signPayload(body, secret) {
+  return createHmac("sha256", secret).update(body, "utf8").digest("hex");
+}
+
+export {
+  signPayload
+};