@setzkasten-cms/astro-admin 1.4.6 → 1.5.0

package/dist/api-routes/_auth-guard.d.ts

@@ -1,5 +1,14 @@
 import { AuthSession, SetzKastenConfig } from '@setzkasten-cms/core';
 
+/**
+ * Returns the verified session iff the cookie's HMAC signature matches
+ * the server secret AND `expiresAt` is in the future. Pre-C1 this used
+ * to do `JSON.parse` on whatever the client sent — any unauthenticated
+ * attacker could forge an admin session in 30 seconds.
+ *
+ * Single source of truth: every guard (`requireAdmin`, `guardPageAccess`)
+ * runs through this. No code path reads the cookie directly anymore.
+ */
 declare function parseSession(raw: string | undefined): AuthSession | null;
 /**
  * Returns 401 if the request has no valid session, 403 if the user is not
@@ -38,9 +47,24 @@ declare function guardPageAccess(session: AuthSession | null, pageKey: string, f
  * X-SK-Website header resolves to. Admins always pass; single-mode
  * skips this check entirely (no website context).
  *
- * Returns 403 on deny, null on allow. Resolver failures are
- * considered "no per-website restriction" — the global guard above
- * already covers fail-closed for editors-file errors.
+ * Default-deny semantics (post-C5): in multi-mode, an editor with no
+ * explicit `allowedEmails` entry on the target website is denied.
+ *
+ *   Pre-fix: an editor on website A could send `X-SK-Website: B` and
+ *   inherit access transitively from the global editors file, because
+ *   "no allowedEmails on B" was treated as "no restriction". That made
+ *   the global file the only effective gate — an editor for project A
+ *   could mutate project B by spoofing one HTTP header.
+ *
+ *   Now: empty / missing `allowedEmails` means "no editors allowed on
+ *   this website" — only admins pass. Set `allowedEmails: [editor@…]`
+ *   explicitly to grant access. Existing single-website-per-editor
+ *   setups need to add the email to the website entry; the migration
+ *   note in `docs/migration-single-to-multi.md` documents this.
+ *
+ * Returns 403 on deny, null on allow. Resolver failures (no website
+ * context) are still treated as "no check applies" so single-mode
+ * routes work unchanged.
  */
 declare function guardWebsiteAccess(session: AuthSession, request: Request): Promise<Response | null>;
 

package/dist/api-routes/_auth-guard.js

@@ -3,11 +3,14 @@ import {
   guardWebsiteAccess,
   parseSession,
   requireAdmin
-} from "../chunk-INIWFKQ3.js";
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
 import "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
 import "../chunk-5PIMDP4N.js";
 import "../chunk-45ARVNT3.js";
-import "../chunk-NKDATSPA.js";
+import "../chunk-DP6RTINQ.js";
 import "../chunk-TJNJKPUL.js";
 import "../chunk-KH22FJO5.js";
 export {

package/dist/api-routes/_dev-session-secret.d.ts

@@ -0,0 +1,8 @@
+declare function ensureDevSessionSecret(): string;
+/**
+ * Test-only escape hatch: lets a test helper set the secret without
+ * touching the filesystem. Production code never calls this.
+ */
+declare function __setDevSessionSecretForTests(secret: string | null): void;
+
+export { __setDevSessionSecretForTests, ensureDevSessionSecret };

package/dist/api-routes/_dev-session-secret.js

@@ -0,0 +1,8 @@
+import {
+  __setDevSessionSecretForTests,
+  ensureDevSessionSecret
+} from "../chunk-ONP6BRZO.js";
+export {
+  __setDevSessionSecretForTests,
+  ensureDevSessionSecret
+};

package/dist/api-routes/_github-token.js

@@ -1,7 +1,7 @@
 import {
   resolveConfigRepoToken,
   resolveGitHubTokenForRequest
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
 export {
   resolveConfigRepoToken,
   resolveGitHubTokenForRequest

package/dist/api-routes/_role-resolver.js

@@ -1,11 +1,14 @@
 import {
   makeRoleResolver
-} from "../chunk-ZQDGGWJP.js";
-import "../chunk-INIWFKQ3.js";
+} from "../chunk-5KMGSFCZ.js";
+import "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
 import "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
 import "../chunk-5PIMDP4N.js";
 import "../chunk-45ARVNT3.js";
-import "../chunk-NKDATSPA.js";
+import "../chunk-DP6RTINQ.js";
 import "../chunk-TJNJKPUL.js";
 import "../chunk-KH22FJO5.js";
 export {

package/dist/api-routes/_session-secret.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Resolves the HMAC secret used to sign session cookies.
+ *
+ * Priority:
+ *   1. `SETZKASTEN_SESSION_SECRET` env var (production requirement)
+ *   2. `__SETZKASTEN_BUILD_CONFIG__.sessionSecret` (build-time injection)
+ *   3. **Dev-only:** persistent per-machine random secret in
+ *      `.setzkasten/dev-secret` (gitignored). Generated on first run,
+ *      reused thereafter. Never the same string across machines, never
+ *      checked into the repo.
+ *
+ * Pre-C1 there was no signing at all. Pre-this-fix the dev fallback was
+ * a hardcoded string in source — anyone reading the code could mint
+ * admin cookies against any deployment that accidentally ran without
+ * NODE_ENV=production. The fallback is now random per-machine.
+ */
+declare function resolveSessionSecret(): string;
+
+export { resolveSessionSecret };

package/dist/api-routes/_session-secret.js

@@ -0,0 +1,7 @@
+import {
+  resolveSessionSecret
+} from "../chunk-QVCW6EF3.js";
+import "../chunk-ONP6BRZO.js";
+export {
+  resolveSessionSecret
+};

package/dist/api-routes/_session-signing.d.ts

@@ -0,0 +1,45 @@
+import { AuthSession } from '@setzkasten-cms/core';
+
+/**
+ * Signed session cookies.
+ *
+ * Pre-C1 the session cookie was `JSON.stringify(session)` — readable and
+ * forgeable. An unauthenticated attacker could craft any role for any
+ * email and walk in. This module replaces that with HMAC-SHA256 over a
+ * canonical JSON payload, and refuses cookies whose signature doesn't
+ * match a known secret.
+ *
+ * Wire format:
+ *
+ *     <base64url(JSON.stringify(payload))>.<base64url(HMAC-SHA256(payload))>
+ *
+ * Two segments separated by a literal `.`. Both segments are base64url
+ * (no padding). Anything that doesn't decode to that shape is rejected.
+ *
+ * The secret is supplied per-call so this module stays pure and keeps
+ * the secret-resolution policy (env var, cookie domain, fail-closed in
+ * prod) at the integration layer.
+ */
+
+/**
+ * Produces the cookie value for a verified session. Throws on missing
+ * secret — the caller (always server-side) must have one resolved.
+ */
+declare function signSession(session: AuthSession, secret: string): string;
+type VerifyResult = {
+    readonly ok: true;
+    readonly value: AuthSession;
+} | {
+    readonly ok: false;
+    readonly reason: VerifyFailureReason;
+};
+type VerifyFailureReason = 'malformed' | 'bad-signature' | 'invalid-payload' | 'expired' | 'missing-expiry';
+/**
+ * Returns the parsed session iff the signature matches AND the payload
+ * has a numeric `expiresAt` in the future. Rejects everything else.
+ *
+ * @param now Override timestamp for tests. Defaults to `Date.now()`.
+ */
+declare function verifySessionCookie(raw: string, secret: string, now?: number): VerifyResult;
+
+export { type VerifyFailureReason, type VerifyResult, signSession, verifySessionCookie };

package/dist/api-routes/_session-signing.js

@@ -0,0 +1,8 @@
+import {
+  signSession,
+  verifySessionCookie
+} from "../chunk-KENFINT4.js";
+export {
+  signSession,
+  verifySessionCookie
+};

package/dist/api-routes/_webhook-dispatcher.js

@@ -1,9 +1,9 @@
-import {
-  signPayload
-} from "../chunk-737TIZRU.js";
 import {
   recordWebhookFire
 } from "../chunk-W3QHY5GW.js";
+import {
+  signPayload
+} from "../chunk-737TIZRU.js";
 import {
   resolveStorageConfigForRequest
 } from "../chunk-6UIKVKED.js";
@@ -12,7 +12,7 @@ import {
 } from "../chunk-45ARVNT3.js";
 import {
   resolveGitHubTokenForRequest
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
 
 // src/api-routes/_webhook-dispatcher.ts
 import {

package/dist/api-routes/asset-proxy.js

@@ -1,6 +1,6 @@
 import {
   resolveGitHubTokenForRequest
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
 
 // src/api-routes/asset-proxy.ts
 var GET = async ({ params, request, cookies }) => {

package/dist/api-routes/auth-callback.js

@@ -1,14 +1,21 @@
+import {
+  makeRoleResolver
+} from "../chunk-5KMGSFCZ.js";
 import {
   sessionCookieOptions
 } from "../chunk-JHY6XTLL.js";
+import "../chunk-Q5HV47DW.js";
 import {
-  makeRoleResolver
-} from "../chunk-ZQDGGWJP.js";
-import "../chunk-INIWFKQ3.js";
+  resolveSessionSecret
+} from "../chunk-QVCW6EF3.js";
+import {
+  signSession
+} from "../chunk-KENFINT4.js";
 import "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
 import "../chunk-5PIMDP4N.js";
 import "../chunk-45ARVNT3.js";
-import "../chunk-NKDATSPA.js";
+import "../chunk-DP6RTINQ.js";
 import "../chunk-TJNJKPUL.js";
 import "../chunk-KH22FJO5.js";
 
@@ -55,7 +62,7 @@ var GET = async ({ request, url, cookies, redirect }) => {
     const session = sessionResult.value;
     cookies.set(
       "setzkasten_session",
-      JSON.stringify({ user: session.user, expiresAt: session.expiresAt }),
+      signSession({ user: session.user, expiresAt: session.expiresAt }, resolveSessionSecret()),
       sessionCookieOptions(import.meta.env.PROD)
     );
     return redirect(adminPath);

package/dist/api-routes/auth-logout.d.ts

@@ -1,10 +1,10 @@
 import { APIRoute } from 'astro';
 
+declare const POST: APIRoute;
 /**
- * Logout – clears the session cookie and redirects to home.
- * Mirrors the same `domain` attribute used when the cookie was set so the
- * browser actually deletes it on subdomains in standalone-admin setups.
+ * Backwards-compat: a few existing UI links still hit GET. We keep the
+ * handler but log a deprecation warning so the SPA can be migrated.
  */
 declare const GET: APIRoute;
 
-export { GET };
+export { GET, POST };

package/dist/api-routes/auth-logout.js

@@ -3,11 +3,17 @@ import {
 } from "../chunk-JHY6XTLL.js";
 
 // src/api-routes/auth-logout.ts
-var GET = async ({ cookies, redirect }) => {
+async function handleLogout({ cookies, redirect }) {
   const opts = sessionCookieOptions(false);
   cookies.delete("setzkasten_session", { path: "/", domain: opts.domain });
   return redirect("/");
+}
+var POST = handleLogout;
+var GET = async (ctx) => {
+  console.warn("[setzkasten] GET /api/setzkasten/logout is deprecated \u2014 use POST");
+  return handleLogout(ctx);
 };
 export {
-  GET
+  GET,
+  POST
 };

package/dist/api-routes/auth-session.d.ts

@@ -3,6 +3,12 @@ import { APIRoute } from 'astro';
 /**
  * Session check – returns current user info or 401.
  * Used by the admin SPA to check if the user is logged in.
+ *
+ * Goes through `parseSession` so signature verification + expiry are
+ * enforced in exactly one place. Pre-C1 this route did its own
+ * `JSON.parse` — the only one that ever checked `expiresAt`, while
+ * `_auth-guard.parseSession` ignored it. Now both run through the
+ * same verifier.
  */
 declare const GET: APIRoute;
 

package/dist/api-routes/auth-session.js

@@ -1,30 +1,30 @@
+import {
+  parseSession
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
+import "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import "../chunk-DP6RTINQ.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+
 // src/api-routes/auth-session.ts
 var GET = async ({ cookies }) => {
-  const session = cookies.get("setzkasten_session")?.value;
+  const raw = cookies.get("setzkasten_session")?.value;
+  const session = parseSession(raw);
   if (!session) {
+    if (raw) cookies.delete("setzkasten_session", { path: "/" });
     return new Response(JSON.stringify({ authenticated: false }), {
       status: 401,
       headers: { "Content-Type": "application/json" }
     });
   }
-  try {
-    const parsed = JSON.parse(session);
-    if (parsed.expiresAt < Date.now()) {
-      cookies.delete("setzkasten_session", { path: "/" });
-      return new Response(JSON.stringify({ authenticated: false, reason: "expired" }), {
-        status: 401,
-        headers: { "Content-Type": "application/json" }
-      });
-    }
-    return new Response(JSON.stringify({ authenticated: true, user: parsed.user }), {
-      headers: { "Content-Type": "application/json" }
-    });
-  } catch {
-    return new Response(JSON.stringify({ authenticated: false }), {
-      status: 401,
-      headers: { "Content-Type": "application/json" }
-    });
-  }
+  return new Response(JSON.stringify({ authenticated: true, user: session.user }), {
+    headers: { "Content-Type": "application/json" }
+  });
 };
 export {
   GET

package/dist/api-routes/auth-setzkasten-login.js

@@ -1,25 +1,32 @@
 import {
   readGlobalConfig
-} from "../chunk-AM4DZXXM.js";
+} from "../chunk-UJAFZEX2.js";
+import {
+  makeRoleResolver
+} from "../chunk-5KMGSFCZ.js";
 import {
   sessionCookieOptions
 } from "../chunk-JHY6XTLL.js";
-import {
-  makeRoleResolver
-} from "../chunk-ZQDGGWJP.js";
 import {
   readEditorsFile
-} from "../chunk-INIWFKQ3.js";
+} from "../chunk-Q5HV47DW.js";
+import {
+  resolveSessionSecret
+} from "../chunk-QVCW6EF3.js";
+import {
+  signSession
+} from "../chunk-KENFINT4.js";
 import {
   resolveStorageConfig
 } from "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
 import {
   gateFeature
 } from "../chunk-5PIMDP4N.js";
 import "../chunk-45ARVNT3.js";
 import {
   resolveConfigRepoToken
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
 import "../chunk-TJNJKPUL.js";
 import "../chunk-KH22FJO5.js";
 
@@ -64,7 +71,7 @@ var POST = async ({ request, cookies }) => {
   const session = result.value;
   cookies.set(
     "setzkasten_session",
-    JSON.stringify({ user: session.user, expiresAt: session.expiresAt }),
+    signSession({ user: session.user, expiresAt: session.expiresAt }, resolveSessionSecret()),
     sessionCookieOptions(import.meta.env.PROD)
   );
   return Response.json({ ok: true });

package/dist/api-routes/catalog-add.js

@@ -9,16 +9,19 @@ import {
 import {
   guardPageAccess,
   parseSession
-} from "../chunk-INIWFKQ3.js";
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
 import {
   prefixPath,
   resolveStorageConfigForRequest
 } from "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
 import "../chunk-5PIMDP4N.js";
 import "../chunk-45ARVNT3.js";
 import {
   resolveGitHubTokenForRequest
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
 import "../chunk-TJNJKPUL.js";
 import {
   withTrailers
@@ -40,7 +43,10 @@ var POST = async ({ request, cookies }) => {
     try {
       validated = validateCatalogAddBody(body);
     } catch (e) {
-      return Response.json({ error: e instanceof Error ? e.message : "Invalid request" }, { status: 400 });
+      return Response.json(
+        { error: e instanceof Error ? e.message : "Invalid request" },
+        { status: 400 }
+      );
     }
     const { templateName, pageKey } = validated;
     const storage = await resolveStorageConfigForRequest(request, body);
@@ -49,7 +55,12 @@ var POST = async ({ request, cookies }) => {
     const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
     const fullConfig = globalThis.__SETZKASTEN_FULL_CONFIG__;
     const contentPath = body.contentPath || serverConfig?.storage?.contentPath || "content";
-    const denied = await guardPageAccess(parseSession(cookies.get("setzkasten_session")?.value), pageKey, fullConfig, request);
+    const denied = await guardPageAccess(
+      parseSession(cookies.get("setzkasten_session")?.value),
+      pageKey,
+      fullConfig,
+      request
+    );
     if (denied) return denied;
     const headers = {
       Authorization: `Bearer ${githubToken}`,
@@ -66,7 +77,10 @@ var POST = async ({ request, cookies }) => {
     const existingKeys = (pageConfig.sections ?? []).map((s) => s.key);
     const sectionKey = validated.sectionKey ?? generateAddKey(existingKeys, templateName);
     if (existingKeys.includes(sectionKey)) {
-      return Response.json({ error: `Key "${sectionKey}" already exists on this page` }, { status: 409 });
+      return Response.json(
+        { error: `Key "${sectionKey}" already exists on this page` },
+        { status: 409 }
+      );
     }
     const template = registry.get(templateName);
     const { sectionJsonPath } = buildCatalogAddCommit({
@@ -106,7 +120,13 @@ async function fetchFileContent(owner, repo, branch, path, token) {
   try {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28" } }
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: "application/vnd.github+json",
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      }
     );
     if (!res.ok) return null;
     const data = await res.json();
@@ -117,16 +137,34 @@ async function fetchFileContent(owner, repo, branch, path, token) {
 }
 async function batchCommit(owner, repo, branch, files, message, headers) {
   try {
-    const refRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, { headers });
+    const refRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      { headers }
+    );
     if (!refRes.ok) return { ok: false, error: `Failed to get HEAD: ${refRes.status}` };
-    const { object: { sha: headSha } } = await refRes.json();
-    const commitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`, { headers });
+    const {
+      object: { sha: headSha }
+    } = await refRes.json();
+    const commitRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`,
+      { headers }
+    );
     if (!commitRes.ok) return { ok: false, error: `Failed to get commit: ${commitRes.status}` };
-    const { tree: { sha: baseSha } } = await commitRes.json();
+    const {
+      tree: { sha: baseSha }
+    } = await commitRes.json();
     const treeRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/trees`, {
       method: "POST",
       headers,
-      body: JSON.stringify({ base_tree: baseSha, tree: files.map((f) => ({ path: f.path, mode: "100644", type: "blob", content: f.content })) })
+      body: JSON.stringify({
+        base_tree: baseSha,
+        tree: files.map((f) => ({
+          path: f.path,
+          mode: "100644",
+          type: "blob",
+          content: f.content
+        }))
+      })
     });
     if (!treeRes.ok) return { ok: false, error: `Failed to create tree: ${treeRes.status}` };
     const { sha: treeSha } = await treeRes.json();
@@ -135,13 +173,17 @@ async function batchCommit(owner, repo, branch, files, message, headers) {
       headers,
       body: JSON.stringify({ tree: treeSha, parents: [headSha], message })
     });
-    if (!newCommitRes.ok) return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` };
+    if (!newCommitRes.ok)
+      return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` };
     const { sha: newSha } = await newCommitRes.json();
-    const updateRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, {
-      method: "PATCH",
-      headers,
-      body: JSON.stringify({ sha: newSha })
-    });
+    const updateRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      {
+        method: "PATCH",
+        headers,
+        body: JSON.stringify({ sha: newSha })
+      }
+    );
     if (!updateRes.ok) return { ok: false, error: `Failed to update ref: ${updateRes.status}` };
     return { ok: true, sha: newSha };
   } catch (error) {

package/dist/api-routes/catalog-export.js

@@ -4,7 +4,7 @@ import {
 } from "../chunk-6UIKVKED.js";
 import {
   resolveGitHubTokenForRequest
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
 
 // src/api-routes/catalog-export.ts
 import { exportTemplate } from "@setzkasten-cms/catalog";
@@ -30,11 +30,15 @@ var POST = async ({ request, cookies }) => {
     const { sectionKey } = body;
     const sectionJsonPath = prefixPath(`${contentPath}/_sections/${sectionKey}.json`, projectPrefix);
     const contentRaw = await fetchFileContent(owner, repo, branch, sectionJsonPath, githubToken);
-    if (!contentRaw) return Response.json({ error: `Section content not found: ${sectionKey}` }, { status: 404 });
+    if (!contentRaw)
+      return Response.json({ error: `Section content not found: ${sectionKey}` }, { status: 404 });
     const content = JSON.parse(contentRaw);
     const sectionDef = findSectionDef(fullConfig, sectionKey);
     if (!sectionDef) {
-      return Response.json({ error: `Section definition not found for key: ${sectionKey}` }, { status: 404 });
+      return Response.json(
+        { error: `Section definition not found for key: ${sectionKey}` },
+        { status: 404 }
+      );
     }
     const templateJson = exportTemplate(sectionKey, sectionDef, content);
     return Response.json({ success: true, template: templateJson });
@@ -57,7 +61,13 @@ async function fetchFileContent(owner, repo, branch, path, token) {
   try {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28" } }
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: "application/vnd.github+json",
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      }
     );
     if (!res.ok) return null;
     const data = await res.json();

package/dist/api-routes/config.d.ts

@@ -3,9 +3,16 @@ import { APIRoute } from 'astro';
 /**
  * GET /api/setzkasten/config
  *
- * Returns the full SetzKastenConfig as JSON. Fields from GlobalConfig
- * (stored in _global_config.json) are merged over the static config so
- * admins can change theme and Firebase settings without a code deployment.
+ * Returns the SetzKastenConfig as JSON. The login screen (pre-session)
+ * needs to know which auth providers are enabled and Firebase project
+ * id, so a *minimal public subset* is exposed unauthenticated. The full
+ * config (storage params, products, page schema, etc.) is only served
+ * to authenticated users — pre-fix anyone could harvest the deployment
+ * blueprint.
+ *
+ * Fields from GlobalConfig (`_global_config.json`) are merged over the
+ * static config so admins can change theme and Firebase settings
+ * without a code deployment.
  */
 declare const GET: APIRoute;
 

package/dist/api-routes/config.js

@@ -1,21 +1,43 @@
 import {
   readGlobalConfig
-} from "../chunk-AM4DZXXM.js";
-import "../chunk-INIWFKQ3.js";
+} from "../chunk-UJAFZEX2.js";
+import {
+  parseSession
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
 import "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
 import "../chunk-5PIMDP4N.js";
 import "../chunk-45ARVNT3.js";
-import "../chunk-NKDATSPA.js";
+import "../chunk-DP6RTINQ.js";
 import "../chunk-TJNJKPUL.js";
 import "../chunk-KH22FJO5.js";
 
 // src/api-routes/config.ts
-var GET = async () => {
+var GET = async ({ cookies }) => {
   const config = globalThis.__SETZKASTEN_FULL_CONFIG__ ?? {};
   const ssrConfig = globalThis.__SETZKASTEN_CONFIG__;
   const globalCfg = await readGlobalConfig().catch(() => null);
   const staticTheme = config.theme ?? {};
   const globalTheme = globalCfg?.theme ?? {};
+  const session = parseSession(cookies?.get("setzkasten_session")?.value);
+  if (!session) {
+    return new Response(
+      JSON.stringify({
+        auth: config.auth ?? { providers: ["github"] },
+        theme: { ...staticTheme, ...globalTheme },
+        adminPath: ssrConfig?.adminPath ?? "/admin",
+        _firebaseConfig: globalCfg?.firebaseConfig ?? null,
+        _hasGitHub: ssrConfig?.hasGitHub ?? false,
+        _hasGoogle: ssrConfig?.hasGoogle ?? false
+      }),
+      {
+        status: 200,
+        headers: { "Content-Type": "application/json" }
+      }
+    );
+  }
   const result = {
     // Default fallback when no config is injected at build time. Real
     // values are spread from `config` below.