@setzkasten-cms/astro-admin 1.4.0 → 1.4.1

package/dist/chunk-AM4DZXXM.js

@@ -0,0 +1,120 @@
+import {
+  parseSession
+} from "./chunk-INIWFKQ3.js";
+import {
+  resolveStorageConfig
+} from "./chunk-6UIKVKED.js";
+import {
+  cachedFetch,
+  invalidateCache
+} from "./chunk-45ARVNT3.js";
+import {
+  resolveConfigRepoToken
+} from "./chunk-NKDATSPA.js";
+import {
+  withTrailers
+} from "./chunk-KH22FJO5.js";
+
+// src/api-routes/global-config.ts
+var GLOBAL_CONFIG_FILE = (contentPath) => `${contentPath}/_global_config.json`;
+var GET = async ({ cookies }) => {
+  const session = parseSession(cookies.get("setzkasten_session")?.value);
+  if (!session) return new Response("Unauthorized", { status: 401 });
+  const cfg = await readGlobalConfig();
+  return Response.json(cfg ?? {});
+};
+var PUT = async ({ request, cookies }) => {
+  const session = parseSession(cookies.get("setzkasten_session")?.value);
+  if (!session) return new Response("Unauthorized", { status: 401 });
+  if (session.user.role !== "admin") return new Response("Forbidden", { status: 403 });
+  let patch;
+  try {
+    patch = await request.json();
+  } catch {
+    return Response.json({ error: "Invalid request body" }, { status: 400 });
+  }
+  const current = await readGlobalConfig() ?? {};
+  const next = { ...current };
+  for (const [k, v] of Object.entries(patch)) {
+    if (v === null) delete next[k];
+    else next[k] = v;
+  }
+  await writeGlobalConfig(next);
+  return Response.json({ ok: true });
+};
+async function getStorageParams() {
+  const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
+  const storage = resolveStorageConfig();
+  if (!storage) return null;
+  const tokenResult = await resolveConfigRepoToken();
+  if (!tokenResult.ok) return null;
+  return {
+    owner: storage.owner,
+    repo: storage.repo,
+    branch: storage.branch,
+    contentPath: serverConfig?.storage?.contentPath ?? "content",
+    token: tokenResult.value
+  };
+}
+async function readGlobalConfig() {
+  const params = await getStorageParams();
+  if (!params) return null;
+  const { owner, repo, branch, contentPath, token } = params;
+  const key = `global-config:${owner}/${repo}:${branch}`;
+  return cachedFetch(key, 5 * 6e4, async () => {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${GLOBAL_CONFIG_FILE(contentPath)}?ref=${branch}`,
+      { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28" } }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    const raw = data.encoding === "base64" ? Buffer.from(data.content, "base64").toString("utf-8") : data.content;
+    return JSON.parse(raw);
+  });
+}
+async function writeGlobalConfig(config) {
+  const params = await getStorageParams();
+  if (!params) throw new Error("Storage not configured");
+  const { owner, repo, branch, contentPath, token } = params;
+  invalidateCache(`global-config:${owner}/${repo}:${branch}`);
+  const filePath = GLOBAL_CONFIG_FILE(contentPath);
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    Accept: "application/vnd.github+json",
+    "X-GitHub-Api-Version": "2022-11-28",
+    "Content-Type": "application/json"
+  };
+  let sha;
+  try {
+    const existing = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}?ref=${branch}`,
+      { headers }
+    );
+    if (existing.ok) {
+      const data = await existing.json();
+      sha = data.sha;
+    }
+  } catch {
+  }
+  const body = {
+    message: withTrailers("chore(config): update global config"),
+    content: Buffer.from(JSON.stringify(config, null, 2)).toString("base64"),
+    branch
+  };
+  if (sha) body.sha = sha;
+  const res = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}`,
+    { method: "PUT", headers, body: JSON.stringify(body) }
+  );
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`GitHub write failed: ${text}`);
+  }
+}
+
+export {
+  GET,
+  PUT,
+  readGlobalConfig,
+  writeGlobalConfig
+};

package/dist/chunk-FXNOTESI.js

@@ -0,0 +1,87 @@
+import {
+  withTrailers
+} from "./chunk-KH22FJO5.js";
+
+// src/api-routes/_pages-meta-store.ts
+import {
+  emptyPagesMeta,
+  err,
+  networkError,
+  ok,
+  parsePagesMeta,
+  setPageLastModified
+} from "@setzkasten-cms/core";
+var RELATIVE_PATH = "_pages-meta.json";
+var MAX_RETRIES = 3;
+function metaFilePath(contentPath) {
+  return `${contentPath}/${RELATIVE_PATH}`;
+}
+function ghHeaders(token) {
+  return {
+    Authorization: `Bearer ${token}`,
+    Accept: "application/vnd.github+json",
+    "X-GitHub-Api-Version": "2022-11-28",
+    "Content-Type": "application/json"
+  };
+}
+function ghContentsUrl(target) {
+  return `https://api.github.com/repos/${target.owner}/${target.repo}/contents/${metaFilePath(target.contentPath)}`;
+}
+async function readPagesMeta(target) {
+  try {
+    const res = await fetch(`${ghContentsUrl(target)}?ref=${target.branch}`, {
+      headers: ghHeaders(target.token)
+    });
+    if (res.status === 404) {
+      return ok({ meta: emptyPagesMeta(), sha: null });
+    }
+    if (!res.ok) {
+      return err(networkError(`GitHub returned ${res.status} reading ${RELATIVE_PATH}`));
+    }
+    const data = await res.json();
+    const decoded = Buffer.from(data.content, "base64").toString("utf-8");
+    const parsed = parsePagesMeta(decoded);
+    if (!parsed.ok) return parsed;
+    return ok({ meta: parsed.value, sha: data.sha });
+  } catch (cause) {
+    const message = cause instanceof Error ? cause.message : "Unknown error";
+    return err(networkError(`Failed to read ${RELATIVE_PATH}: ${message}`, cause));
+  }
+}
+async function writePagesMeta(target, next, previousSha) {
+  const body = {
+    message: withTrailers("chore(meta): update _pages-meta.json"),
+    content: Buffer.from(JSON.stringify(next, null, 2)).toString("base64"),
+    branch: target.branch
+  };
+  if (previousSha) body.sha = previousSha;
+  return fetch(ghContentsUrl(target), {
+    method: "PUT",
+    headers: ghHeaders(target.token),
+    body: JSON.stringify(body)
+  });
+}
+async function recordPageEdit(target, pageKey, timestamp = Date.now()) {
+  for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
+    const current = await readPagesMeta(target);
+    if (!current.ok) return current;
+    const next = setPageLastModified(current.value.meta, pageKey, timestamp);
+    let response;
+    try {
+      response = await writePagesMeta(target, next, current.value.sha);
+    } catch (cause) {
+      const message = cause instanceof Error ? cause.message : "Unknown error";
+      return err(networkError(`Failed to write ${RELATIVE_PATH}: ${message}`, cause));
+    }
+    if (response.ok) return ok(void 0);
+    if (response.status === 409 && attempt < MAX_RETRIES - 1) continue;
+    const text = await response.text().catch(() => "");
+    return err(networkError(`GitHub PUT failed: ${response.status} ${text}`));
+  }
+  return err(networkError(`recordPageEdit: exhausted ${MAX_RETRIES} retries`));
+}
+
+export {
+  readPagesMeta,
+  recordPageEdit
+};

package/dist/chunk-GHNK2GFE.js

@@ -0,0 +1,48 @@
+// src/api-routes/section-management.ts
+function removeFromPageConfig(config, sectionKey) {
+  const sections = config.sections.filter((s) => s.key !== sectionKey).map((s, i) => ({ ...s, order: i }));
+  return { ...config, sections };
+}
+function generateDuplicateKey(existingKeys, originalKey) {
+  const base = `${originalKey}--copy`;
+  if (!existingKeys.includes(base)) return base;
+  let n = 2;
+  while (existingKeys.includes(`${base}${n}`)) n++;
+  return `${base}${n}`;
+}
+function generateAddKey(existingKeys, type) {
+  if (!existingKeys.includes(type)) return type;
+  let n = 2;
+  while (existingKeys.includes(`${type}--${n}`)) n++;
+  return `${type}--${n}`;
+}
+function addToPageConfig(config, key, type) {
+  const entry = {
+    key,
+    enabled: true,
+    order: config.sections.length,
+    ...key !== type ? { type } : {}
+  };
+  return { ...config, sections: [...config.sections, entry] };
+}
+function duplicateInPageConfig(config, originalKey, newKey) {
+  const original = config.sections.find((s) => s.key === originalKey);
+  if (!original) return config;
+  const resolvedType = original.type ?? originalKey;
+  const copy = { ...original, key: newKey, enabled: true, type: resolvedType };
+  const insertAfter = config.sections.indexOf(original);
+  const sections = [
+    ...config.sections.slice(0, insertAfter + 1),
+    copy,
+    ...config.sections.slice(insertAfter + 1)
+  ].map((s, i) => ({ ...s, order: i }));
+  return { ...config, sections };
+}
+
+export {
+  removeFromPageConfig,
+  generateDuplicateKey,
+  generateAddKey,
+  addToPageConfig,
+  duplicateInPageConfig
+};

package/dist/chunk-GRG3LNKH.js

@@ -0,0 +1,37 @@
+import {
+  prefixPath
+} from "./chunk-6UIKVKED.js";
+
+// src/api-routes/catalog-helpers.ts
+import { registry } from "@setzkasten-cms/catalog";
+function buildCatalogResponse() {
+  return registry.list();
+}
+function validateCatalogAddBody(body) {
+  if (!body.templateName || typeof body.templateName !== "string") {
+    throw new Error("templateName is required");
+  }
+  if (!body.pageKey || typeof body.pageKey !== "string") {
+    throw new Error("pageKey is required");
+  }
+  registry.get(body.templateName);
+  return {
+    templateName: body.templateName,
+    pageKey: body.pageKey,
+    sectionKey: typeof body.sectionKey === "string" ? body.sectionKey : void 0
+  };
+}
+function buildCatalogAddCommit(opts) {
+  const sectionJsonPath = prefixPath(
+    `${opts.contentPath}/_sections/${opts.sectionKey}.json`,
+    opts.projectPrefix
+  );
+  const pageConfigPath = prefixPath(opts.pageConfigPath, opts.projectPrefix);
+  return { sectionJsonPath, pageConfigPath };
+}
+
+export {
+  buildCatalogResponse,
+  validateCatalogAddBody,
+  buildCatalogAddCommit
+};

package/dist/chunk-INIWFKQ3.js

@@ -0,0 +1,236 @@
+import {
+  resolveStorageConfig
+} from "./chunk-6UIKVKED.js";
+import {
+  gateFeature
+} from "./chunk-5PIMDP4N.js";
+import {
+  cachedFetch,
+  invalidateCache
+} from "./chunk-45ARVNT3.js";
+import {
+  resolveConfigRepoToken
+} from "./chunk-NKDATSPA.js";
+import {
+  withTrailers
+} from "./chunk-KH22FJO5.js";
+
+// src/api-routes/_auth-guard.ts
+import { canEditPage } from "@setzkasten-cms/auth";
+function parseSession(raw) {
+  if (!raw) return null;
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function requireAdmin(rawSession) {
+  const session = parseSession(rawSession);
+  if (!session) {
+    return new Response(JSON.stringify({ error: "Unauthorized" }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  if (session.user.role !== "admin") {
+    return new Response(JSON.stringify({ error: "Forbidden: admin role required" }), {
+      status: 403,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  return null;
+}
+async function guardPageAccess(session, pageKey, fullConfig, request) {
+  if (!session) return new Response("Unauthorized", { status: 401 });
+  const editorsLookup = await resolveDynamicEditors();
+  if (!editorsLookup.ok) {
+    return new Response(
+      `Forbidden: editor permissions unavailable (${editorsLookup.error})`,
+      { status: 503 }
+    );
+  }
+  if (!canEditPage(session, pageKey, editorsLookup.editors)) {
+    return new Response("Forbidden: you do not have access to this page", { status: 403 });
+  }
+  if (request) {
+    const denied = await guardWebsiteAccess(session, request);
+    if (denied) return denied;
+  }
+  return null;
+}
+async function guardWebsiteAccess(session, request) {
+  if (session.user.role === "admin") return null;
+  const { resolveCurrentWebsite } = await import("./api-routes/_website-resolver.js");
+  const website = await resolveCurrentWebsite(request);
+  if (!website.ok) return null;
+  const allowed = website.value.allowedEmails;
+  if (!allowed || allowed.length === 0) return null;
+  if (!allowed.includes(session.user.email)) {
+    return new Response(
+      `Forbidden: not allowed on website "${website.value.id}"`,
+      { status: 403 }
+    );
+  }
+  return null;
+}
+async function resolveDynamicEditors() {
+  const storage = resolveStorageConfig();
+  if (!storage) return { ok: true, editors: void 0 };
+  const tokenResult = await resolveConfigRepoToken();
+  if (!tokenResult.ok) {
+    return { ok: false, error: `token: ${tokenResult.error.message}` };
+  }
+  const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
+  const contentPath = serverConfig?.storage?.contentPath ?? "content";
+  const status = await readEditorsFileStatus(
+    storage.owner,
+    storage.repo,
+    storage.branch,
+    contentPath,
+    tokenResult.value
+  );
+  if (status.kind === "absent") return { ok: true, editors: void 0 };
+  if (status.kind === "present") return { ok: true, editors: status.editors };
+  return { ok: false, error: status.message };
+}
+
+// src/api-routes/editors.ts
+import { validateEditorsUpdate } from "@setzkasten-cms/core";
+var EDITORS_FILE = (contentPath) => `${contentPath}/_editors.json`;
+function configRepoStorage() {
+  const storage = resolveStorageConfig();
+  if (!storage) return null;
+  return { owner: storage.owner, repo: storage.repo, branch: storage.branch };
+}
+var GET = async ({ cookies }) => {
+  const session = parseSession(cookies.get("setzkasten_session")?.value);
+  if (!session) return new Response("Unauthorized", { status: 401 });
+  const tokenResult = await resolveConfigRepoToken();
+  if (!tokenResult.ok) return new Response("GitHub token not configured", { status: 500 });
+  const storage = configRepoStorage();
+  if (!storage) return Response.json({ error: "Could not resolve storage config" }, { status: 400 });
+  const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
+  const contentPath = serverConfig?.storage?.contentPath ?? "content";
+  const { owner, repo, branch } = storage;
+  const raw = await readEditorsFile(owner, repo, branch, contentPath, tokenResult.value);
+  return Response.json(raw ?? []);
+};
+var PUT = async ({ request, cookies }) => {
+  const session = parseSession(cookies.get("setzkasten_session")?.value);
+  if (!session) return new Response("Unauthorized", { status: 401 });
+  if (session.user.role !== "admin") return new Response("Forbidden", { status: 403 });
+  const gate = gateFeature("editors");
+  if (gate) return gate;
+  const tokenResult = await resolveConfigRepoToken();
+  if (!tokenResult.ok) return new Response("GitHub token not configured", { status: 500 });
+  const storage = configRepoStorage();
+  if (!storage) return Response.json({ error: "Could not resolve storage config" }, { status: 400 });
+  const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
+  const contentPath = serverConfig?.storage?.contentPath ?? "content";
+  const { owner, repo, branch } = storage;
+  let editors;
+  try {
+    editors = await request.json();
+    if (!Array.isArray(editors)) throw new Error("Expected array");
+  } catch {
+    return Response.json({ error: "Invalid request body" }, { status: 400 });
+  }
+  const validation = validateEditorsUpdate(editors, session.user.email);
+  if (!validation.ok) {
+    return Response.json(
+      { error: validation.message, code: validation.code },
+      { status: 400 }
+    );
+  }
+  const filePath = EDITORS_FILE(contentPath);
+  const fileContent = JSON.stringify(editors, null, 2);
+  const headers = {
+    Authorization: `Bearer ${tokenResult.value}`,
+    Accept: "application/vnd.github+json",
+    "X-GitHub-Api-Version": "2022-11-28",
+    "Content-Type": "application/json"
+  };
+  const existing = await fetchFileSha(owner, repo, branch, filePath, headers);
+  const body = {
+    message: withTrailers("chore(editors): update content editor permissions"),
+    content: Buffer.from(fileContent).toString("base64"),
+    branch
+  };
+  if (existing) body.sha = existing;
+  const res = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}`,
+    { method: "PUT", headers, body: JSON.stringify(body) }
+  );
+  if (!res.ok) {
+    const text = await res.text();
+    return Response.json({ error: `GitHub write failed: ${text}` }, { status: 502 });
+  }
+  invalidateCache(`editors:${owner}/${repo}:${branch}`);
+  return Response.json({ ok: true });
+};
+async function fetchFileSha(owner, repo, branch, path, headers) {
+  try {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
+      { headers }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return data.sha ?? null;
+  } catch {
+    return null;
+  }
+}
+async function readEditorsFile(owner, repo, branch, contentPath, token) {
+  const key = `editors:${owner}/${repo}:${branch}`;
+  return cachedFetch(key, 2 * 6e4, async () => {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${EDITORS_FILE(contentPath)}?ref=${branch}`,
+      { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28" } }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    const raw = data.encoding === "base64" ? Buffer.from(data.content, "base64").toString("utf-8") : data.content;
+    return JSON.parse(raw);
+  });
+}
+async function readEditorsFileStatus(owner, repo, branch, contentPath, token) {
+  let res;
+  try {
+    res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${EDITORS_FILE(contentPath)}?ref=${branch}`,
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: "application/vnd.github+json",
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      }
+    );
+  } catch (err) {
+    return { kind: "error", message: err instanceof Error ? err.message : "network error" };
+  }
+  if (res.status === 404) return { kind: "absent" };
+  if (!res.ok) {
+    return { kind: "error", message: `GitHub returned ${res.status}` };
+  }
+  try {
+    const data = await res.json();
+    const raw = data.encoding === "base64" ? Buffer.from(data.content, "base64").toString("utf-8") : data.content;
+    return { kind: "present", editors: JSON.parse(raw) };
+  } catch (err) {
+    return { kind: "error", message: err instanceof Error ? err.message : "parse error" };
+  }
+}
+
+export {
+  GET,
+  PUT,
+  readEditorsFile,
+  readEditorsFileStatus,
+  parseSession,
+  requireAdmin,
+  guardPageAccess,
+  guardWebsiteAccess
+};

package/dist/chunk-JHY6XTLL.js

@@ -0,0 +1,24 @@
+// src/api-routes/_session-cookie.ts
+var SESSION_MAX_AGE_SECONDS = 60 * 60 * 24 * 7;
+function sessionCookieOptions(secure) {
+  return {
+    httpOnly: true,
+    secure,
+    sameSite: "lax",
+    path: "/",
+    maxAge: SESSION_MAX_AGE_SECONDS,
+    ...resolveCookieDomain() ? { domain: resolveCookieDomain() } : {}
+  };
+}
+function resolveCookieDomain() {
+  const fullConfig = globalThis.__SETZKASTEN_FULL_CONFIG__;
+  const fromConfig = fullConfig?.auth?.cookieDomain;
+  if (typeof fromConfig === "string" && fromConfig) return fromConfig;
+  const fromEnv = process.env.SETZKASTEN_COOKIE_DOMAIN;
+  if (typeof fromEnv === "string" && fromEnv) return fromEnv;
+  return void 0;
+}
+
+export {
+  sessionCookieOptions
+};