@setzkasten-cms/astro-admin 1.4.0 → 1.4.1

package/dist/api-routes/setup-github-app-installed.js

@@ -0,0 +1,33 @@
+import {
+  getPublicOrigin
+} from "../chunk-5ZFTG4BW.js";
+
+// src/api-routes/setup-github-app-installed.ts
+var COOKIE_NAME = "sk_app_setup";
+var COOKIE_MAX_AGE = 600;
+var GET = async ({ url, request, cookies }) => {
+  const config = globalThis.__SETZKASTEN_CONFIG__;
+  const adminPath = config?.adminPath ?? "/admin";
+  const adminUrl = new URL(adminPath, getPublicOrigin(request));
+  const installationId = url.searchParams.get("installation_id");
+  const existing = cookies.get(COOKIE_NAME)?.value;
+  if (!installationId || !existing) {
+    adminUrl.searchParams.set("github-app-error", "missing_installation");
+    return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } });
+  }
+  try {
+    const data = JSON.parse(existing);
+    cookies.set(
+      COOKIE_NAME,
+      JSON.stringify({ ...data, installationId }),
+      { httpOnly: false, sameSite: "lax", maxAge: COOKIE_MAX_AGE, path: "/" }
+    );
+  } catch {
+    adminUrl.searchParams.set("github-app-error", "invalid_session");
+    return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } });
+  }
+  return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } });
+};
+export {
+  GET
+};

package/dist/api-routes/setup-github-app-repos.d.ts

@@ -0,0 +1,17 @@
+import { APIRoute } from 'astro';
+
+/**
+ * GET /api/setzkasten/setup/github-app/repos
+ *
+ * Returns every repository the configured GitHub App can access, flattened
+ * across all installations. Each entry includes the installationId so the
+ * "Neue Website hinzufügen" form can record which installation owns the
+ * repo without a follow-up lookup.
+ *
+ * Admin-only — editors must not be able to enumerate repos across the
+ * organization. The endpoint uses the global App credentials from the env
+ * (GITHUB_APP_ID, GITHUB_APP_PRIVATE_KEY) so the user never has to type them.
+ */
+declare const GET: APIRoute;
+
+export { GET };

package/dist/api-routes/setup-github-app-repos.js

@@ -0,0 +1,41 @@
+import {
+  requireAdmin
+} from "../chunk-INIWFKQ3.js";
+import "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+
+// src/api-routes/setup-github-app-repos.ts
+import { listAccessibleRepos } from "@setzkasten-cms/github-adapter";
+var GET = async ({ cookies }) => {
+  const denied = requireAdmin(cookies.get("setzkasten_session")?.value);
+  if (denied) return denied;
+  const appId = process.env.GITHUB_APP_ID;
+  const privateKey = process.env.GITHUB_APP_PRIVATE_KEY;
+  if (!appId || !privateKey) {
+    return new Response(
+      JSON.stringify({
+        error: "GitHub App not configured. Set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY."
+      }),
+      { status: 400, headers: { "Content-Type": "application/json" } }
+    );
+  }
+  const result = await listAccessibleRepos({ appId, privateKey });
+  if (!result.ok) {
+    const status = result.error.type === "auth" ? 401 : 502;
+    return new Response(JSON.stringify({ error: result.error.message }), {
+      status,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  return new Response(JSON.stringify({ repos: result.value }), {
+    status: 200,
+    headers: { "Content-Type": "application/json" }
+  });
+};
+export {
+  GET
+};

package/dist/api-routes/setup-github-app.d.ts

@@ -0,0 +1,15 @@
+import { APIRoute } from 'astro';
+
+/**
+ * Setup-Wizard: GitHub App Integration
+ *
+ * GET  /api/setzkasten/setup/github-app  – Status abfragen
+ * POST /api/setzkasten/setup/github-app  – Verbindung testen
+ *
+ * Credentials werden NICHT persistiert – der Nutzer setzt die env vars manuell.
+ * Der POST-Endpunkt validiert die Verbindung durch einen echten Token-Request.
+ */
+declare const GET: APIRoute;
+declare const POST: APIRoute;
+
+export { GET, POST };

package/dist/api-routes/setup-github-app.js

@@ -0,0 +1,41 @@
+// src/api-routes/setup-github-app.ts
+import { GitHubAppClient } from "@setzkasten-cms/github-adapter";
+var GET = async () => {
+  const appId = process.env.GITHUB_APP_ID;
+  const privateKey = process.env.GITHUB_APP_PRIVATE_KEY;
+  const installationId = process.env.GITHUB_APP_INSTALLATION_ID;
+  const configured = Boolean(appId && privateKey && installationId);
+  return Response.json({ configured, ...configured ? { appId } : {} });
+};
+var POST = async ({ request }) => {
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    return Response.json({ error: "Invalid JSON body" }, { status: 400 });
+  }
+  const { appId, privateKey, installationId } = body ?? {};
+  if (!appId || !privateKey || !installationId) {
+    return Response.json(
+      { error: "appId, privateKey and installationId are required" },
+      { status: 400 }
+    );
+  }
+  const client = new GitHubAppClient(
+    {
+      appId: String(appId),
+      privateKey: String(privateKey),
+      installationId: String(installationId)
+    },
+    { owner: "", repo: "", branch: "" }
+  );
+  const result = await client.getInstallationToken();
+  if (!result.ok) {
+    return Response.json({ ok: false, error: result.error.message }, { status: 400 });
+  }
+  return Response.json({ ok: true });
+};
+export {
+  GET,
+  POST
+};

package/dist/api-routes/updater-check.d.ts

@@ -0,0 +1,10 @@
+import { APIRoute } from 'astro';
+
+/**
+ * Lightweight update check without re-registration.
+ *
+ * GET /api/setzkasten/updater/check?instanceId=X
+ */
+declare const GET: APIRoute;
+
+export { GET };

package/dist/api-routes/updater-check.js

@@ -0,0 +1,37 @@
+// src/api-routes/updater-check.ts
+var GET = async ({ cookies, url }) => {
+  const session = cookies.get("setzkasten_session")?.value;
+  if (!session) {
+    return new Response("Unauthorized", { status: 401 });
+  }
+  const config = globalThis.__SETZKASTEN_CONFIG__;
+  const updaterUrl = config?.updaterUrl;
+  if (!updaterUrl) {
+    return Response.json({
+      updateAvailable: false,
+      latestVersion: config?.version ?? "unknown",
+      releaseNotesUrl: ""
+    });
+  }
+  const instanceId = url.searchParams.get("instanceId") ?? "";
+  try {
+    const response = await fetch(
+      `${updaterUrl}/api/check-update?instanceId=${encodeURIComponent(instanceId)}`,
+      { signal: AbortSignal.timeout(5e3) }
+    );
+    if (!response.ok) {
+      throw new Error(`HTTP ${response.status}`);
+    }
+    const data = await response.json();
+    return Response.json(data);
+  } catch {
+    return Response.json({
+      updateAvailable: false,
+      latestVersion: config?.version ?? "unknown",
+      releaseNotesUrl: ""
+    });
+  }
+};
+export {
+  GET
+};

package/dist/api-routes/updater-register.d.ts

@@ -0,0 +1,14 @@
+import { APIRoute } from 'astro';
+
+/**
+ * Registers this Setzkasten instance with the central updater backend.
+ * Called on every Dashboard load. Returns update status and license tier.
+ *
+ * POST /api/setzkasten/updater/register
+ *
+ * Body (optional — for UI activation flow):
+ *   { licenseEmail: string, licenseKey: string }
+ */
+declare const POST: APIRoute;
+
+export { POST };

package/dist/api-routes/updater-register.js

@@ -0,0 +1,71 @@
+// src/api-routes/updater-register.ts
+var POST = async ({ cookies, request }) => {
+  const session = cookies.get("setzkasten_session")?.value;
+  if (!session) {
+    return new Response("Unauthorized", { status: 401 });
+  }
+  const buildConfig = typeof __SETZKASTEN_BUILD_CONFIG__ !== "undefined" ? __SETZKASTEN_BUILD_CONFIG__ : null;
+  const runtimeConfig = globalThis.__SETZKASTEN_CONFIG__;
+  const config = runtimeConfig ?? buildConfig;
+  const currentVersion = config?.version ?? "0.0.0";
+  const updaterUrl = config?.updaterUrl;
+  if (!updaterUrl) {
+    return Response.json({
+      instanceId: null,
+      updateAvailable: false,
+      currentVersion,
+      latestVersion: null,
+      releaseNotesUrl: "",
+      licenseTier: "free",
+      licenseValid: false
+    });
+  }
+  const owner = config?.storage?.owner ?? "";
+  const repo = config?.storage?.repo ?? "";
+  const repoUrl = owner && repo ? `${owner}/${repo}` : "";
+  const websiteUrl = config?.websiteUrl ?? "";
+  let licenseEmail;
+  let licenseKey;
+  try {
+    if (request.headers.get("content-type")?.includes("application/json")) {
+      const parsed = await request.json();
+      licenseEmail = parsed.licenseEmail?.trim() || void 0;
+      licenseKey = parsed.licenseKey?.trim() || void 0;
+    }
+  } catch {
+  }
+  try {
+    const response = await fetch(`${updaterUrl}/api/register`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        repoUrl,
+        websiteUrl,
+        currentVersion,
+        licenseEmail,
+        licenseKey,
+        telemetryEnabled: true,
+        managedWebsites: []
+      }),
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (!response.ok) {
+      throw new Error(`HTTP ${response.status}`);
+    }
+    const data = await response.json();
+    return Response.json({ ...data, currentVersion, _firebaseConfig: data.firebaseConfig ?? null });
+  } catch {
+    return Response.json({
+      instanceId: null,
+      updateAvailable: false,
+      currentVersion,
+      latestVersion: null,
+      releaseNotesUrl: "",
+      licenseTier: "free",
+      licenseValid: false
+    });
+  }
+};
+export {
+  POST
+};

package/dist/api-routes/updater-transfer.d.ts

@@ -0,0 +1,11 @@
+import { APIRoute } from 'astro';
+
+/**
+ * Transfer a license to the current Setzkasten instance.
+ * The backend identifies the license by instanceId (computed from repoUrl + websiteUrl).
+ *
+ * POST /api/setzkasten/updater/transfer
+ */
+declare const POST: APIRoute;
+
+export { POST };

package/dist/api-routes/updater-transfer.js

@@ -0,0 +1,37 @@
+// src/api-routes/updater-transfer.ts
+import { createHash } from "crypto";
+var POST = async ({ cookies }) => {
+  const session = cookies.get("setzkasten_session")?.value;
+  if (!session) {
+    return new Response("Unauthorized", { status: 401 });
+  }
+  const config = globalThis.__SETZKASTEN_CONFIG__;
+  const updaterUrl = config?.updaterUrl;
+  if (!updaterUrl) {
+    return Response.json({ error: "Updater not configured" }, { status: 400 });
+  }
+  const owner = config?.storage?.owner ?? "";
+  const repo = config?.storage?.repo ?? "";
+  const repoUrl = owner && repo ? `${owner}/${repo}` : "";
+  const websiteUrl = config?.websiteUrl ?? "";
+  const raw = (repoUrl || "unknown") + "|" + (websiteUrl || "unknown");
+  const instanceId = createHash("sha256").update(raw).digest("hex").slice(0, 32);
+  try {
+    const response = await fetch(`${updaterUrl}/api/transfer`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        toInstanceId: instanceId,
+        toWebsiteUrl: websiteUrl
+      }),
+      signal: AbortSignal.timeout(5e3)
+    });
+    const data = await response.json();
+    return Response.json(data, { status: response.status });
+  } catch {
+    return Response.json({ error: "Transfer failed" }, { status: 500 });
+  }
+};
+export {
+  POST
+};

package/dist/api-routes/updater-unbind.d.ts

@@ -0,0 +1,17 @@
+import { APIRoute } from 'astro';
+
+/**
+ * Release the license binding for this Setzkasten instance.
+ *
+ * POST /api/setzkasten/updater/unbind
+ *
+ * Reads license credentials from either:
+ *   1. `setzkasten.config.ts` → license.{email,key}
+ *   2. Request body (UI removal flow): { licenseEmail, licenseKey }
+ *
+ * On success, Firebase clears `instance.licenseKey` and removes this
+ * instance from `license.boundTo` / `license.boundInstances`.
+ */
+declare const POST: APIRoute;
+
+export { POST };

package/dist/api-routes/updater-unbind.js

@@ -0,0 +1,35 @@
+// src/api-routes/updater-unbind.ts
+import { createHash } from "crypto";
+var POST = async ({ cookies, request }) => {
+  const session = cookies.get("setzkasten_session")?.value;
+  if (!session) {
+    return new Response("Unauthorized", { status: 401 });
+  }
+  const config = globalThis.__SETZKASTEN_CONFIG__;
+  const fullConfig = globalThis.__SETZKASTEN_FULL_CONFIG__;
+  const updaterUrl = config?.updaterUrl;
+  if (!updaterUrl) {
+    return Response.json({ error: "Updater not configured" }, { status: 400 });
+  }
+  const owner = config?.storage?.owner ?? "";
+  const repo = config?.storage?.repo ?? "";
+  const repoUrl = owner && repo ? `${owner}/${repo}` : "";
+  const websiteUrl = config?.websiteUrl ?? "";
+  const raw = (repoUrl || "unknown") + "|" + (websiteUrl || "unknown");
+  const instanceId = createHash("sha256").update(raw).digest("hex").slice(0, 32);
+  try {
+    const response = await fetch(`${updaterUrl}/api/unbind`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ instanceId }),
+      signal: AbortSignal.timeout(5e3)
+    });
+    const data = await response.json();
+    return Response.json(data, { status: response.status });
+  } catch {
+    return Response.json({ error: "Unbind failed" }, { status: 500 });
+  }
+};
+export {
+  POST
+};

package/dist/api-routes/webhooks-status.d.ts

@@ -0,0 +1,12 @@
+import { APIRoute } from 'astro';
+
+/**
+ * GET /api/setzkasten/webhooks/status
+ *
+ * Returns the in-memory status map (lastFiredAt + lastStatus per webhook
+ * id). Empty for cold-started instances; the UI handles that gracefully
+ * with "noch nie gefeuert".
+ */
+declare const GET: APIRoute;
+
+export { GET };

package/dist/api-routes/webhooks-status.js

@@ -0,0 +1,22 @@
+import {
+  getWebhookStatus
+} from "../chunk-W3QHY5GW.js";
+import {
+  requireAdmin
+} from "../chunk-INIWFKQ3.js";
+import "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+
+// src/api-routes/webhooks-status.ts
+var GET = async ({ cookies }) => {
+  const denied = requireAdmin(cookies.get("setzkasten_session")?.value);
+  if (denied) return denied;
+  return Response.json({ status: getWebhookStatus() });
+};
+export {
+  GET
+};

package/dist/api-routes/webhooks-test.d.ts

@@ -0,0 +1,13 @@
+import { APIRoute } from 'astro';
+
+/**
+ * POST /api/setzkasten/webhooks/test
+ * Body: { id: string }
+ *
+ * Fires a synthetic test payload at the configured URL and returns
+ * { ok, status, latencyMs }. Admin-only, Pro-gated. Used by the UI
+ * "Test-Fire"-Button to verify a webhook config end-to-end.
+ */
+declare const POST: APIRoute;
+
+export { POST };

package/dist/api-routes/webhooks-test.js

@@ -0,0 +1,124 @@
+import {
+  signPayload
+} from "../chunk-737TIZRU.js";
+import {
+  recordWebhookFire
+} from "../chunk-W3QHY5GW.js";
+import {
+  parseSession,
+  requireAdmin
+} from "../chunk-INIWFKQ3.js";
+import {
+  resolveStorageConfigForRequest
+} from "../chunk-6UIKVKED.js";
+import {
+  gateFeature
+} from "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import {
+  resolveGitHubTokenForRequest
+} from "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+
+// src/api-routes/webhooks-test.ts
+import {
+  parseWebhooksFile
+} from "@setzkasten-cms/core";
+var WEBHOOKS_FILE = (contentPath) => `${contentPath}/_webhooks.json`;
+var TEST_TIMEOUT_MS = 1e4;
+var POST = async ({ request, cookies }) => {
+  const denied = requireAdmin(cookies.get("setzkasten_session")?.value);
+  if (denied) return denied;
+  const gate = gateFeature("webhooks");
+  if (gate) return gate;
+  const session = parseSession(cookies.get("setzkasten_session")?.value);
+  if (!session) return new Response("Unauthorized", { status: 401 });
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    return Response.json({ error: "Invalid JSON" }, { status: 400 });
+  }
+  if (!body.id) {
+    return Response.json({ error: "id is required" }, { status: 400 });
+  }
+  const tokenResult = await resolveGitHubTokenForRequest(request);
+  if (!tokenResult.ok) return new Response(tokenResult.error.message, { status: 500 });
+  const storage = await resolveStorageConfigForRequest(request);
+  if (!storage) {
+    return Response.json({ error: "Could not resolve owner/repo" }, { status: 400 });
+  }
+  const { owner, repo, branch } = storage;
+  const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
+  const contentPath = serverConfig?.storage?.contentPath ?? "content";
+  const fileRes = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${WEBHOOKS_FILE(contentPath)}?ref=${branch}`,
+    {
+      headers: {
+        Authorization: `Bearer ${tokenResult.value}`,
+        Accept: "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28"
+      }
+    }
+  );
+  if (fileRes.status === 404) {
+    return Response.json({ error: "No webhooks configured" }, { status: 404 });
+  }
+  if (!fileRes.ok) {
+    return Response.json({ error: "Could not read webhooks file" }, { status: 502 });
+  }
+  const data = await fileRes.json();
+  const raw = data.encoding === "base64" ? Buffer.from(data.content, "base64").toString("utf-8") : data.content;
+  const parsed = parseWebhooksFile(raw);
+  if (!parsed.ok) {
+    return Response.json({ error: "Webhooks file is malformed" }, { status: 502 });
+  }
+  const target = parsed.value.webhooks.find((w) => w.id === body.id);
+  if (!target) {
+    return Response.json({ error: `Webhook "${body.id}" not found` }, { status: 404 });
+  }
+  const payload = {
+    event: "content.save",
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    website: { id: owner, repo: `${owner}/${repo}`, branch },
+    user: { email: session.user.email, name: session.user.name },
+    commit: { sha: "0".repeat(40), message: "test webhook fire" },
+    files: [],
+    test: true
+  };
+  const payloadBody = JSON.stringify(payload);
+  const headers = {
+    "Content-Type": "application/json",
+    "X-Setzkasten-Event": "content.save",
+    "X-Setzkasten-Delivery": crypto.randomUUID(),
+    "X-Setzkasten-Test": "true"
+  };
+  if (target.secret) {
+    headers["X-Setzkasten-Signature"] = `sha256=${signPayload(payloadBody, target.secret)}`;
+  }
+  const startedAt = Date.now();
+  try {
+    const res = await fetch(target.url, {
+      method: "POST",
+      headers,
+      body: payloadBody,
+      signal: AbortSignal.timeout(TEST_TIMEOUT_MS)
+    });
+    const latencyMs = Date.now() - startedAt;
+    recordWebhookFire(target.id, res.status);
+    return Response.json({ ok: res.ok, status: res.status, latencyMs });
+  } catch (err) {
+    const latencyMs = Date.now() - startedAt;
+    recordWebhookFire(target.id, "error");
+    return Response.json({
+      ok: false,
+      status: "error",
+      latencyMs,
+      error: err instanceof Error ? err.message : "Unknown error"
+    });
+  }
+};
+export {
+  POST
+};

package/dist/api-routes/webhooks.d.ts

@@ -0,0 +1,6 @@
+import { APIRoute } from 'astro';
+
+declare const GET: APIRoute;
+declare const PUT: APIRoute;
+
+export { GET, PUT };