@setzkasten-cms/astro-admin 1.4.0 → 1.4.2

package/dist/api-routes/catalog-helpers.js

@@ -0,0 +1,11 @@
+import {
+  buildCatalogAddCommit,
+  buildCatalogResponse,
+  validateCatalogAddBody
+} from "../chunk-GRG3LNKH.js";
+import "../chunk-6UIKVKED.js";
+export {
+  buildCatalogAddCommit,
+  buildCatalogResponse,
+  validateCatalogAddBody
+};

package/dist/api-routes/catalog-list.d.ts

@@ -0,0 +1,11 @@
+import { APIRoute } from 'astro';
+
+/**
+ * GET /api/setzkasten/catalog
+ *
+ * Returns all available catalog templates (built-in registry).
+ * No authentication required — catalog is read-only metadata.
+ */
+declare const GET: APIRoute;
+
+export { GET };

package/dist/api-routes/catalog-list.js

@@ -0,0 +1,12 @@
+import {
+  buildCatalogResponse
+} from "../chunk-GRG3LNKH.js";
+import "../chunk-6UIKVKED.js";
+
+// src/api-routes/catalog-list.ts
+var GET = async () => {
+  return Response.json({ templates: buildCatalogResponse() });
+};
+export {
+  GET
+};

package/dist/api-routes/config.d.ts

@@ -0,0 +1,12 @@
+import { APIRoute } from 'astro';
+
+/**
+ * GET /api/setzkasten/config
+ *
+ * Returns the full SetzKastenConfig as JSON. Fields from GlobalConfig
+ * (stored in _global_config.json) are merged over the static config so
+ * admins can change theme and Firebase settings without a code deployment.
+ */
+declare const GET: APIRoute;
+
+export { GET };

package/dist/api-routes/config.js

@@ -0,0 +1,43 @@
+import {
+  readGlobalConfig
+} from "../chunk-AM4DZXXM.js";
+import "../chunk-INIWFKQ3.js";
+import "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+
+// src/api-routes/config.ts
+var GET = async () => {
+  const config = globalThis.__SETZKASTEN_FULL_CONFIG__ ?? {};
+  const ssrConfig = globalThis.__SETZKASTEN_CONFIG__;
+  const globalCfg = await readGlobalConfig().catch(() => null);
+  const staticTheme = config.theme ?? {};
+  const globalTheme = globalCfg?.theme ?? {};
+  const result = {
+    // Default fallback when no config is injected at build time. Real
+    // values are spread from `config` below.
+    storage: { kind: "local" },
+    auth: { providers: ["github"] },
+    products: {},
+    collections: {},
+    ...config,
+    // Global config theme overrides static config theme field by field
+    theme: { ...staticTheme, ...globalTheme },
+    // Include storage params so the client can create ProxyContentRepository
+    _storage: ssrConfig?.storage ?? void 0,
+    _hasGitHub: ssrConfig?.hasGitHub ?? false,
+    _hasGoogle: ssrConfig?.hasGoogle ?? false,
+    // SetzKastenLogin Firebase config (present only when license is valid)
+    _firebaseConfig: globalCfg?.firebaseConfig ?? null
+  };
+  return new Response(JSON.stringify(result), {
+    status: 200,
+    headers: { "Content-Type": "application/json" }
+  });
+};
+export {
+  GET
+};

package/dist/api-routes/deploy-hook.d.ts

@@ -0,0 +1,14 @@
+import { APIRoute } from 'astro';
+
+/**
+ * Triggers the configured deploy hook URL after a content commit.
+ * Called by the CMS UI after every successful GitHub commit.
+ *
+ * The deploy hook URL is set via:
+ *   setzkasten({ deployHook: { url: 'https://api.vercel.com/v1/integrations/deploy/...' } })
+ *
+ * Compatible with Vercel, Netlify, Cloudflare Pages and any URL that accepts a POST.
+ */
+declare const POST: APIRoute;
+
+export { POST };

package/dist/api-routes/deploy-hook.js

@@ -0,0 +1,52 @@
+// src/api-routes/deploy-hook.ts
+var POST = async ({ cookies }) => {
+  const session = cookies.get("setzkasten_session")?.value;
+  if (!session) {
+    return new Response("Unauthorized", { status: 401 });
+  }
+  const config = globalThis.__SETZKASTEN_CONFIG__;
+  if (!config?.deployHook?.url) {
+    return new Response(JSON.stringify({ skipped: true, reason: "Kein deployHook konfiguriert" }), {
+      status: 200,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  const { url, secret } = config.deployHook;
+  try {
+    const headers = {
+      "Content-Type": "application/json",
+      "User-Agent": "setzkasten-cms"
+    };
+    if (secret) {
+      headers["X-Setzkasten-Secret"] = secret;
+    }
+    const response = await fetch(url, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        event: "content.commit",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      })
+    });
+    if (!response.ok) {
+      console.warn(`[setzkasten] Deploy hook antwortete mit ${response.status}: ${url}`);
+      return new Response(
+        JSON.stringify({ ok: false, status: response.status }),
+        { status: 200, headers: { "Content-Type": "application/json" } }
+      );
+    }
+    return new Response(JSON.stringify({ ok: true }), {
+      status: 200,
+      headers: { "Content-Type": "application/json" }
+    });
+  } catch (error) {
+    console.error("[setzkasten] Deploy hook fehlgeschlagen:", error);
+    return new Response(
+      JSON.stringify({ ok: false, error: String(error) }),
+      { status: 200, headers: { "Content-Type": "application/json" } }
+    );
+  }
+};
+export {
+  POST
+};

package/dist/api-routes/editors.d.ts

@@ -0,0 +1,29 @@
+import { APIRoute } from 'astro';
+import { ContentEditorConfig } from '@setzkasten-cms/core';
+
+declare const GET: APIRoute;
+declare const PUT: APIRoute;
+declare function readEditorsFile(owner: string, repo: string, branch: string, contentPath: string, token: string): Promise<ContentEditorConfig[] | null>;
+/**
+ * Discriminated result for the editors-file fetch. Lets callers decide the
+ * fail-mode policy: the auth-guard wants to ALLOW when the file is genuinely
+ * absent (no restrictions configured) but DENY when the fetch errors out.
+ * The basic readEditorsFile() above returns null for both cases, which is
+ * unsafe for authorization checks.
+ *
+ * Caller is responsible for caching — this function never reads from or
+ * writes to the shared cache, because caching an "error" state would
+ * silently extend privilege-escalation windows.
+ */
+type EditorsStatus = {
+    kind: 'absent';
+} | {
+    kind: 'present';
+    editors: ContentEditorConfig[];
+} | {
+    kind: 'error';
+    message: string;
+};
+declare function readEditorsFileStatus(owner: string, repo: string, branch: string, contentPath: string, token: string): Promise<EditorsStatus>;
+
+export { type EditorsStatus, GET, PUT, readEditorsFile, readEditorsFileStatus };

package/dist/api-routes/editors.js

@@ -0,0 +1,18 @@
+import {
+  GET,
+  PUT,
+  readEditorsFile,
+  readEditorsFileStatus
+} from "../chunk-INIWFKQ3.js";
+import "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+export {
+  GET,
+  PUT,
+  readEditorsFile,
+  readEditorsFileStatus
+};

package/dist/api-routes/github-proxy.d.ts

@@ -0,0 +1,12 @@
+import { APIRoute } from 'astro';
+
+/**
+ * Server-side proxy for GitHub API calls.
+ * The GitHub App token stays server-side (never exposed to browser).
+ *
+ * Client calls: POST /api/setzkasten/github/repos/{owner}/{repo}/...
+ * Proxy forwards to: https://api.github.com/repos/{owner}/{repo}/...
+ */
+declare const ALL: APIRoute;
+
+export { ALL };

package/dist/api-routes/github-proxy.js

@@ -0,0 +1,82 @@
+import {
+  resolveGitHubTokenForRequest
+} from "../chunk-NKDATSPA.js";
+
+// src/api-routes/github-proxy.ts
+import { writeFile } from "fs/promises";
+import { join } from "path";
+var ALL = async ({ params, request, cookies }) => {
+  const session = cookies.get("setzkasten_session")?.value;
+  if (!session) {
+    return new Response("Unauthorized", { status: 401 });
+  }
+  const githubPath = params.path;
+  if (!githubPath) {
+    return new Response("Missing path", { status: 400 });
+  }
+  const tokenResult = await resolveGitHubTokenForRequest(request);
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 });
+  }
+  const githubToken = tokenResult.value;
+  const githubUrl = `https://api.github.com/${githubPath}`;
+  try {
+    const headers = {
+      Authorization: `Bearer ${githubToken}`,
+      Accept: "application/vnd.github+json",
+      "X-GitHub-Api-Version": "2022-11-28"
+    };
+    const contentType = request.headers.get("content-type");
+    if (contentType) {
+      headers["Content-Type"] = contentType;
+    }
+    const body = request.method !== "GET" && request.method !== "HEAD" ? await request.text() : void 0;
+    const response = await fetch(githubUrl, {
+      method: request.method,
+      headers,
+      body
+    });
+    const responseHeaders = new Headers();
+    responseHeaders.set("Content-Type", response.headers.get("content-type") ?? "application/json");
+    const rateLimitHeaders = [
+      "x-ratelimit-limit",
+      "x-ratelimit-remaining",
+      "x-ratelimit-reset"
+    ];
+    for (const header of rateLimitHeaders) {
+      const value = response.headers.get(header);
+      if (value) responseHeaders.set(header, value);
+    }
+    const etag = response.headers.get("etag");
+    if (etag) responseHeaders.set("etag", etag);
+    const responseText = await response.text();
+    if (request.method === "PUT" && response.ok && body) {
+      try {
+        const repoRoot = globalThis.__SETZKASTEN_CONFIG__?.repoRoot;
+        if (repoRoot) {
+          const contentsMatch = githubPath.match(/^repos\/[^/]+\/[^/]+\/contents\/(.+)$/);
+          if (contentsMatch) {
+            const filePath = contentsMatch[1];
+            const parsed = JSON.parse(body);
+            if (parsed.content) {
+              const decoded = Buffer.from(parsed.content.replace(/\s/g, ""), "base64").toString("utf-8");
+              await writeFile(join(repoRoot, filePath), decoded, "utf-8").catch(() => {
+              });
+            }
+          }
+        }
+      } catch {
+      }
+    }
+    return new Response(responseText, {
+      status: response.status,
+      headers: responseHeaders
+    });
+  } catch (error) {
+    console.error("[setzkasten] GitHub proxy error:", error);
+    return new Response("GitHub API request failed", { status: 502 });
+  }
+};
+export {
+  ALL
+};

package/dist/api-routes/global-config.d.ts

@@ -0,0 +1,20 @@
+import { APIRoute } from 'astro';
+
+interface GlobalConfig {
+    firebaseConfig?: {
+        apiKey: string;
+        authDomain: string;
+        projectId: string;
+    };
+    theme?: {
+        primaryColor?: string;
+        brandName?: string;
+        logo?: string;
+    };
+}
+declare const GET: APIRoute;
+declare const PUT: APIRoute;
+declare function readGlobalConfig(): Promise<GlobalConfig | null>;
+declare function writeGlobalConfig(config: GlobalConfig): Promise<void>;
+
+export { GET, type GlobalConfig, PUT, readGlobalConfig, writeGlobalConfig };

package/dist/api-routes/global-config.js

@@ -0,0 +1,19 @@
+import {
+  GET,
+  PUT,
+  readGlobalConfig,
+  writeGlobalConfig
+} from "../chunk-AM4DZXXM.js";
+import "../chunk-INIWFKQ3.js";
+import "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+export {
+  GET,
+  PUT,
+  readGlobalConfig,
+  writeGlobalConfig
+};

package/dist/api-routes/history-rollback.d.ts

@@ -0,0 +1,22 @@
+import { APIRoute } from 'astro';
+
+/**
+ * POST /api/setzkasten/history/rollback
+ *
+ * Body: { path, sha, expectedHeadSha? }
+ *
+ * Restores `path` to the contents from `sha` by writing a new commit
+ * (no `git revert` — JSON content is set wholesale). The original SHA
+ * stays in history so users can roll forward again.
+ *
+ * Conflict semantics: the client passes the SHA they currently render in
+ * the file picker. If the file's HEAD has moved between page-load and the
+ * rollback click, we return 409 with `code: 'head-moved'` so the UI can
+ * tell the user to refresh.
+ *
+ * Admin-only — editors can edit, but rollback is destructive enough to
+ * warrant the audit-log control.
+ */
+declare const POST: APIRoute;
+
+export { POST };

package/dist/api-routes/history-rollback.js

@@ -0,0 +1,111 @@
+import {
+  parseSession,
+  requireAdmin
+} from "../chunk-INIWFKQ3.js";
+import {
+  resolveStorageConfigForRequest
+} from "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import {
+  invalidateCache
+} from "../chunk-45ARVNT3.js";
+import {
+  resolveGitHubTokenForRequest
+} from "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import {
+  withTrailers
+} from "../chunk-KH22FJO5.js";
+
+// src/api-routes/history-rollback.ts
+var POST = async ({ request, cookies }) => {
+  const denied = requireAdmin(cookies.get("setzkasten_session")?.value);
+  if (denied) return denied;
+  const session = parseSession(cookies.get("setzkasten_session")?.value);
+  if (!session) return new Response("Unauthorized", { status: 401 });
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    return Response.json({ error: "Invalid JSON body" }, { status: 400 });
+  }
+  const { path, sha, expectedHeadSha } = body;
+  if (!path || !sha) {
+    return Response.json({ error: "path and sha are required" }, { status: 400 });
+  }
+  const tokenResult = await resolveGitHubTokenForRequest(request);
+  if (!tokenResult.ok) return new Response(tokenResult.error.message, { status: 500 });
+  const storage = await resolveStorageConfigForRequest(request);
+  if (!storage) {
+    return Response.json({ error: "Could not resolve owner/repo" }, { status: 400 });
+  }
+  const { owner, repo, branch } = storage;
+  const headers = {
+    Authorization: `Bearer ${tokenResult.value}`,
+    Accept: "application/vnd.github+json",
+    "X-GitHub-Api-Version": "2022-11-28",
+    "Content-Type": "application/json"
+  };
+  const versionRes = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${sha}`,
+    { headers }
+  );
+  if (versionRes.status === 404) {
+    return Response.json(
+      { error: "File did not exist at the requested sha", code: "version-not-found" },
+      { status: 404 }
+    );
+  }
+  if (!versionRes.ok) {
+    return Response.json(
+      { error: `Failed to read version: ${versionRes.status}` },
+      { status: 502 }
+    );
+  }
+  const versionData = await versionRes.json();
+  const targetContent = versionData.encoding === "base64" ? Buffer.from(versionData.content, "base64").toString("utf-8") : versionData.content;
+  const headRes = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
+    { headers }
+  );
+  let currentSha = null;
+  if (headRes.ok) {
+    const data = await headRes.json();
+    currentSha = data.sha;
+  }
+  if (expectedHeadSha && currentSha && expectedHeadSha !== currentSha) {
+    return Response.json(
+      {
+        error: "Datei wurde inzwischen ge\xE4ndert. Bitte den Verlauf neu laden.",
+        code: "head-moved"
+      },
+      { status: 409 }
+    );
+  }
+  const shortSha = sha.slice(0, 7);
+  const fileName = path.split("/").pop() ?? path;
+  const message = withTrailers(
+    `revert(${fileName}): rollback to ${shortSha}`,
+    session.user.email
+  );
+  const putBody = {
+    message,
+    content: Buffer.from(targetContent).toString("base64"),
+    branch
+  };
+  if (currentSha) putBody.sha = currentSha;
+  const putRes = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${path}`,
+    { method: "PUT", headers, body: JSON.stringify(putBody) }
+  );
+  if (!putRes.ok) {
+    const text = await putRes.text();
+    return Response.json({ error: `Rollback write failed: ${text}` }, { status: 502 });
+  }
+  invalidateCache(`history:${owner}/${repo}:${branch}:${path}:head`);
+  const putData = await putRes.json();
+  return Response.json({ ok: true, commitSha: putData.commit.sha });
+};
+export {
+  POST
+};

package/dist/api-routes/history-version.d.ts

@@ -0,0 +1,11 @@
+import { APIRoute } from 'astro';
+
+/**
+ * GET /api/setzkasten/history/version?path=<file>&sha=<commit-sha>
+ *
+ * Returns the file content at a specific commit (for diff rendering).
+ * Cached per (path, sha) for 5 minutes — historical content is immutable.
+ */
+declare const GET: APIRoute;
+
+export { GET };

package/dist/api-routes/history-version.js

@@ -0,0 +1,57 @@
+import {
+  requireAdmin
+} from "../chunk-INIWFKQ3.js";
+import {
+  resolveStorageConfigForRequest
+} from "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import {
+  cachedFetch
+} from "../chunk-45ARVNT3.js";
+import {
+  resolveGitHubTokenForRequest
+} from "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+
+// src/api-routes/history-version.ts
+var GET = async ({ request, url, cookies }) => {
+  const denied = requireAdmin(cookies.get("setzkasten_session")?.value);
+  if (denied) return denied;
+  const path = url.searchParams.get("path");
+  const sha = url.searchParams.get("sha");
+  if (!path || !sha) {
+    return Response.json({ error: "Missing required `path` or `sha`." }, { status: 400 });
+  }
+  const tokenResult = await resolveGitHubTokenForRequest(request);
+  if (!tokenResult.ok) return new Response(tokenResult.error.message, { status: 500 });
+  const storage = await resolveStorageConfigForRequest(request);
+  if (!storage) {
+    return Response.json({ error: "Could not resolve owner/repo" }, { status: 400 });
+  }
+  const { owner, repo } = storage;
+  const cacheKey = `history-version:${owner}/${repo}:${path}:${sha}`;
+  const result = await cachedFetch(cacheKey, 5 * 6e4, async () => {
+    const u = new URL(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${path}`
+    );
+    u.searchParams.set("ref", sha);
+    const res = await fetch(u, {
+      headers: {
+        Authorization: `Bearer ${tokenResult.value}`,
+        Accept: "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28"
+      }
+    });
+    if (res.status === 404) return { ok: false, status: 404, error: "File not found at given sha" };
+    if (!res.ok) return { ok: false, status: 502, error: `GitHub returned ${res.status}` };
+    const data = await res.json();
+    const raw = data.encoding === "base64" ? Buffer.from(data.content, "base64").toString("utf-8") : data.content;
+    return { ok: true, value: { content: raw, sha: data.sha } };
+  });
+  if (!result.ok) return Response.json({ error: result.error }, { status: result.status });
+  return Response.json(result.value);
+};
+export {
+  GET
+};

package/dist/api-routes/history.d.ts

@@ -0,0 +1,13 @@
+import { APIRoute } from 'astro';
+
+/**
+ * GET /api/setzkasten/history?path=<contentPath>&before=<sha>
+ *
+ * Returns up to 5 most recent commits affecting the given file. Pagination
+ * via `before=<sha>` returns 10 more older commits — clients call this on
+ * "Mehr laden". Admin-only — editors can read content but not the audit
+ * trail (and certainly not roll back).
+ */
+declare const GET: APIRoute;
+
+export { GET };

package/dist/api-routes/history.js

@@ -0,0 +1,85 @@
+import {
+  requireAdmin
+} from "../chunk-INIWFKQ3.js";
+import {
+  resolveStorageConfigForRequest
+} from "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import {
+  cachedFetch
+} from "../chunk-45ARVNT3.js";
+import {
+  resolveGitHubTokenForRequest
+} from "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+
+// src/api-routes/history.ts
+import { parseCoAuthorTrailers } from "@setzkasten-cms/core";
+var GET = async ({ request, url, cookies }) => {
+  const denied = requireAdmin(cookies.get("setzkasten_session")?.value);
+  if (denied) return denied;
+  const path = url.searchParams.get("path");
+  const before = url.searchParams.get("before");
+  if (!path) {
+    return Response.json({ error: "Missing required `path` parameter." }, { status: 400 });
+  }
+  const tokenResult = await resolveGitHubTokenForRequest(request);
+  if (!tokenResult.ok) return new Response(tokenResult.error.message, { status: 500 });
+  const storage = await resolveStorageConfigForRequest(request);
+  if (!storage) {
+    return Response.json({ error: "Could not resolve owner/repo" }, { status: 400 });
+  }
+  const { owner, repo, branch } = storage;
+  const perPage = before ? 10 : 5;
+  const cacheKey = `history:${owner}/${repo}:${branch}:${path}:${before ?? "head"}`;
+  const commits = await cachedFetch(
+    cacheKey,
+    6e4,
+    () => fetchCommits(owner, repo, branch, path, perPage, before, tokenResult.value)
+  );
+  if (!commits.ok) {
+    return Response.json({ error: commits.error }, { status: commits.status });
+  }
+  return Response.json({ commits: commits.value });
+};
+async function fetchCommits(owner, repo, branch, path, perPage, before, token) {
+  const sha = before ?? branch;
+  const u = new URL(`https://api.github.com/repos/${owner}/${repo}/commits`);
+  u.searchParams.set("path", path);
+  u.searchParams.set("sha", sha);
+  u.searchParams.set("per_page", String(before ? perPage + 1 : perPage));
+  const res = await fetch(u, {
+    headers: {
+      Authorization: `Bearer ${token}`,
+      Accept: "application/vnd.github+json",
+      "X-GitHub-Api-Version": "2022-11-28"
+    }
+  });
+  if (res.status === 404) return { ok: true, value: [] };
+  if (!res.ok) {
+    return { ok: false, status: 502, error: `GitHub returned ${res.status}` };
+  }
+  const data = await res.json();
+  const start = before ? 1 : 0;
+  const slice = data.slice(start, start + perPage);
+  const commits = slice.map((c) => {
+    const [firstLine, ...rest] = c.commit.message.split("\n");
+    const body = rest.join("\n");
+    return {
+      sha: c.sha,
+      shortSha: c.sha.slice(0, 7),
+      authoredAt: c.commit.author.date,
+      authorName: c.commit.author.name,
+      authorEmail: c.commit.author.email,
+      authorAvatarUrl: c.author?.avatar_url,
+      coAuthors: parseCoAuthorTrailers(body),
+      message: firstLine ?? "",
+      body
+    };
+  });
+  return { ok: true, value: commits };
+}
+export {
+  GET
+};