@setzkasten-cms/astro-admin 1.4.6 → 1.5.0

package/src/api-routes/__tests__/section-management.test.ts

@@ -8,13 +8,13 @@
  *   3. duplicateInPageConfig: adds duplicate entry after the original
  */
 
-import { describe, it, expect } from 'vitest'
+import { describe, expect, it } from 'vitest'
 import {
-  removeFromPageConfig,
-  generateDuplicateKey,
+  addToPageConfig,
   duplicateInPageConfig,
   generateAddKey,
-  addToPageConfig,
+  generateDuplicateKey,
+  removeFromPageConfig,
 } from '../section-management'
 
 // ---------------------------------------------------------------------------
@@ -36,7 +36,7 @@ const pageConfig = {
 describe('removeFromPageConfig', () => {
   it('removes the matching section entry', () => {
     const result = removeFromPageConfig(pageConfig, 'features')
-    expect(result.sections.map(s => s.key)).toEqual(['hero', 'cta'])
+    expect(result.sections.map((s) => s.key)).toEqual(['hero', 'cta'])
   })
 
   it('re-numbers order after removal', () => {
@@ -84,7 +84,9 @@ describe('generateDuplicateKey', () => {
   })
 
   it('does not conflict with unrelated keys containing copy', () => {
-    expect(generateDuplicateKey(['features', 'features--copycat'], 'features')).toBe('features--copy')
+    expect(generateDuplicateKey(['features', 'features--copycat'], 'features')).toBe(
+      'features--copy',
+    )
   })
 })
 
@@ -95,13 +97,13 @@ describe('generateDuplicateKey', () => {
 describe('duplicateInPageConfig', () => {
   it('inserts duplicate entry immediately after the original', () => {
     const result = duplicateInPageConfig(pageConfig, 'hero', 'hero--copy')
-    const keys = result.sections.map(s => s.key)
+    const keys = result.sections.map((s) => s.key)
     expect(keys).toEqual(['hero', 'hero--copy', 'features', 'cta'])
   })
 
   it('new entry is enabled regardless of original enabled state', () => {
     const result = duplicateInPageConfig(pageConfig, 'cta', 'cta--copy')
-    const copy = result.sections.find(s => s.key === 'cta--copy')!
+    const copy = result.sections.find((s) => s.key === 'cta--copy')!
     expect(copy.enabled).toBe(true)
   })
 
@@ -112,12 +114,10 @@ describe('duplicateInPageConfig', () => {
 
   it('preserves type field from original if present', () => {
     const withType = {
-      sections: [
-        { key: 'hero--about', type: 'hero', enabled: true, order: 0 },
-      ],
+      sections: [{ key: 'hero--about', type: 'hero', enabled: true, order: 0 }],
     }
     const result = duplicateInPageConfig(withType, 'hero--about', 'hero--about--copy')
-    const copy = result.sections.find(s => s.key === 'hero--about--copy')!
+    const copy = result.sections.find((s) => s.key === 'hero--about--copy')!
     expect((copy as any).type).toBe('hero')
   })
 
@@ -165,7 +165,7 @@ describe('generateAddKey', () => {
 describe('delete workflow', () => {
   it('removes section and renumbers order', () => {
     const after = removeFromPageConfig(pageConfig, 'features')
-    expect(after.sections.map(s => s.key)).toEqual(['hero', 'cta'])
+    expect(after.sections.map((s) => s.key)).toEqual(['hero', 'cta'])
     expect(after.sections[0]!.order).toBe(0)
     expect(after.sections[1]!.order).toBe(1)
   })
@@ -184,11 +184,11 @@ describe('delete workflow', () => {
 
 describe('duplicate workflow', () => {
   it('generates key and inserts copy right after original', () => {
-    const existingKeys = pageConfig.sections.map(s => s.key)
+    const existingKeys = pageConfig.sections.map((s) => s.key)
     const newKey = generateDuplicateKey(existingKeys, 'hero')
     const after = duplicateInPageConfig(pageConfig, 'hero', newKey)
     expect(newKey).toBe('hero--copy')
-    expect(after.sections.map(s => s.key)).toEqual(['hero', 'hero--copy', 'features', 'cta'])
+    expect(after.sections.map((s) => s.key)).toEqual(['hero', 'hero--copy', 'features', 'cta'])
     after.sections.forEach((s, i) => expect(s.order).toBe(i))
   })
 
@@ -199,11 +199,11 @@ describe('duplicate workflow', () => {
         { key: 'hero--copy', enabled: true, order: 1 },
       ],
     }
-    const existingKeys = withCopy.sections.map(s => s.key)
+    const existingKeys = withCopy.sections.map((s) => s.key)
     const newKey = generateDuplicateKey(existingKeys, 'hero')
     expect(newKey).toBe('hero--copy2')
     const after = duplicateInPageConfig(withCopy, 'hero', newKey)
-    expect(after.sections.map(s => s.key)).toEqual(['hero', 'hero--copy2', 'hero--copy'])
+    expect(after.sections.map((s) => s.key)).toEqual(['hero', 'hero--copy2', 'hero--copy'])
   })
 })
 
@@ -214,30 +214,30 @@ describe('duplicate workflow', () => {
 describe('addToPageConfig', () => {
   it('appends new entry at the end', () => {
     const result = addToPageConfig(pageConfig, 'testimonials', 'testimonials')
-    expect(result.sections.map(s => s.key)).toEqual(['hero', 'features', 'cta', 'testimonials'])
+    expect(result.sections.map((s) => s.key)).toEqual(['hero', 'features', 'cta', 'testimonials'])
   })
 
   it('new entry is enabled by default', () => {
     const result = addToPageConfig(pageConfig, 'testimonials', 'testimonials')
-    const entry = result.sections.find(s => s.key === 'testimonials')!
+    const entry = result.sections.find((s) => s.key === 'testimonials')!
     expect(entry.enabled).toBe(true)
   })
 
   it('sets type field when key differs from type', () => {
     const result = addToPageConfig(pageConfig, 'hero--2', 'hero')
-    const entry = result.sections.find(s => s.key === 'hero--2')!
+    const entry = result.sections.find((s) => s.key === 'hero--2')!
     expect((entry as any).type).toBe('hero')
   })
 
   it('omits type field when key equals type', () => {
     const result = addToPageConfig(pageConfig, 'testimonials', 'testimonials')
-    const entry = result.sections.find(s => s.key === 'testimonials')!
+    const entry = result.sections.find((s) => s.key === 'testimonials')!
     expect((entry as any).type).toBeUndefined()
   })
 
   it('assigns correct order (after last existing)', () => {
     const result = addToPageConfig(pageConfig, 'testimonials', 'testimonials')
-    const entry = result.sections.find(s => s.key === 'testimonials')!
+    const entry = result.sections.find((s) => s.key === 'testimonials')!
     expect(entry.order).toBe(3)
   })
 
@@ -255,22 +255,22 @@ describe('addToPageConfig', () => {
 
 describe('section-prepare contract', () => {
   it('generates key and returns updated config without touching GitHub', () => {
-    const existingKeys = pageConfig.sections.map(s => s.key)
-    const newKey = generateAddKey(existingKeys, 'features')   // 'features' is taken
+    const existingKeys = pageConfig.sections.map((s) => s.key)
+    const newKey = generateAddKey(existingKeys, 'features') // 'features' is taken
     expect(newKey).toBe('features--2')
     const updated = addToPageConfig(pageConfig, newKey, 'features')
     expect(updated.sections).toHaveLength(4)
-    const entry = updated.sections.find(s => s.key === 'features--2')!
+    const entry = updated.sections.find((s) => s.key === 'features--2')!
     expect((entry as any).type).toBe('features')
     expect(entry.enabled).toBe(true)
   })
 
   it('new section key is unique even after two pending adds of same type', () => {
-    let keys = pageConfig.sections.map(s => s.key)
-    const key1 = generateAddKey(keys, 'hero')     // hero is taken → hero--2
+    let keys = pageConfig.sections.map((s) => s.key)
+    const key1 = generateAddKey(keys, 'hero') // hero is taken → hero--2
     expect(key1).toBe('hero--2')
     keys = [...keys, key1]
-    const key2 = generateAddKey(keys, 'hero')     // hero + hero--2 taken → hero--3
+    const key2 = generateAddKey(keys, 'hero') // hero + hero--2 taken → hero--3
     expect(key2).toBe('hero--3')
   })
 

package/src/api-routes/__tests__/setup-github-app-callback.test.ts

@@ -8,17 +8,25 @@
  * @vitest-environment node
  */
 
-import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { makeTestSessionCookie } from './_session-test-helper'
 
 // ---------------------------------------------------------------------------
 // Minimal Astro context mock
 // ---------------------------------------------------------------------------
 
-function makeCookies() {
-  const jar: Record<string, string> = {}
+const ADMIN_SESSION = makeTestSessionCookie({
+  user: { id: 'admin-1', email: 'admin@example.com', role: 'admin', provider: 'github' },
+  expiresAt: Date.now() + 60 * 60 * 1000,
+})
+
+function makeCookies(seed: Record<string, string> = {}) {
+  const jar: Record<string, string> = { ...seed }
   return {
-    set: vi.fn((name: string, value: string) => { jar[name] = value }),
-    get: vi.fn((name: string) => jar[name] ? { value: jar[name] } : undefined),
+    set: vi.fn((name: string, value: string) => {
+      jar[name] = value
+    }),
+    get: vi.fn((name: string) => (jar[name] ? { value: jar[name] } : undefined)),
     _jar: jar,
   }
 }
@@ -26,8 +34,16 @@ function makeCookies() {
 function makeCtx(code: string | null, headers: Record<string, string> = {}) {
   const search = code ? `?code=${code}` : ''
   const url = new URL(`https://localhost/api/setzkasten/setup/github-app/callback${search}`)
-  const request = new Request(url, { headers: { 'x-forwarded-host': 'setzkasten.vercel.app', 'x-forwarded-proto': 'https', ...headers } })
-  return { url, request, cookies: makeCookies() }
+  const request = new Request(url, {
+    headers: {
+      'x-forwarded-host': 'setzkasten.vercel.app',
+      'x-forwarded-proto': 'https',
+      ...headers,
+    },
+  })
+  // Tests need an admin session — the route refuses unauthenticated
+  // requests post-H1 (was an unauthenticated endpoint before).
+  return { url, request, cookies: makeCookies({ setzkasten_session: ADMIN_SESSION }) }
 }
 
 const GITHUB_RESPONSE = {
@@ -44,8 +60,13 @@ const GITHUB_RESPONSE = {
 // ---------------------------------------------------------------------------
 
 describe('setup-github-app-callback', () => {
-  beforeEach(() => { vi.stubGlobal('fetch', vi.fn()) })
-  afterEach(() => { vi.restoreAllMocks(); vi.resetModules() })
+  beforeEach(() => {
+    vi.stubGlobal('fetch', vi.fn())
+  })
+  afterEach(() => {
+    vi.restoreAllMocks()
+    vi.resetModules()
+  })
 
   it('setzt Cookie und leitet zum Standard-adminPath weiter bei erfolgreichem Code-Austausch', async () => {
     vi.mocked(fetch).mockResolvedValueOnce({
@@ -103,7 +124,11 @@ describe('setup-github-app-callback', () => {
   })
 
   it('leitet mit github-app-error=exchange_failed weiter wenn GitHub-API fehlschlägt', async () => {
-    vi.mocked(fetch).mockResolvedValueOnce({ ok: false, status: 422, json: async () => ({}) } as Response)
+    vi.mocked(fetch).mockResolvedValueOnce({
+      ok: false,
+      status: 422,
+      json: async () => ({}),
+    } as Response)
 
     const { GET } = await import('../setup-github-app-callback')
     const ctx = makeCtx('badcode')
@@ -115,10 +140,16 @@ describe('setup-github-app-callback', () => {
   })
 
   it('Redirect-URL enthält den echten Host aus x-forwarded-host', async () => {
-    vi.mocked(fetch).mockResolvedValueOnce({ ok: true, json: async () => GITHUB_RESPONSE } as Response)
+    vi.mocked(fetch).mockResolvedValueOnce({
+      ok: true,
+      json: async () => GITHUB_RESPONSE,
+    } as Response)
 
     const { GET } = await import('../setup-github-app-callback')
-    const ctx = makeCtx('abc123', { 'x-forwarded-host': 'meine-website.de', 'x-forwarded-proto': 'https' })
+    const ctx = makeCtx('abc123', {
+      'x-forwarded-host': 'meine-website.de',
+      'x-forwarded-proto': 'https',
+    })
     const res = await (GET as Function)(ctx)
 
     expect(res.headers.get('location')).toBe('https://meine-website.de/admin')
@@ -126,11 +157,19 @@ describe('setup-github-app-callback', () => {
 })
 
 describe('setup-github-app-callback – adminPath', () => {
-  beforeEach(() => { vi.stubGlobal('fetch', vi.fn()) })
-  afterEach(() => { vi.restoreAllMocks(); vi.resetModules() })
+  beforeEach(() => {
+    vi.stubGlobal('fetch', vi.fn())
+  })
+  afterEach(() => {
+    vi.restoreAllMocks()
+    vi.resetModules()
+  })
 
   it('verwendet /admin als Standard-Redirect wenn kein adminPath konfiguriert', async () => {
-    vi.mocked(fetch).mockResolvedValueOnce({ ok: true, json: async () => GITHUB_RESPONSE } as Response)
+    vi.mocked(fetch).mockResolvedValueOnce({
+      ok: true,
+      json: async () => GITHUB_RESPONSE,
+    } as Response)
     ;(globalThis as any).__SETZKASTEN_CONFIG__ = undefined
 
     const { GET } = await import('../setup-github-app-callback')
@@ -141,7 +180,10 @@ describe('setup-github-app-callback – adminPath', () => {
   })
 
   it('verwendet konfigurierten adminPath für den Redirect', async () => {
-    vi.mocked(fetch).mockResolvedValueOnce({ ok: true, json: async () => GITHUB_RESPONSE } as Response)
+    vi.mocked(fetch).mockResolvedValueOnce({
+      ok: true,
+      json: async () => GITHUB_RESPONSE,
+    } as Response)
     ;(globalThis as any).__SETZKASTEN_CONFIG__ = { adminPath: '/cms' }
 
     const { GET } = await import('../setup-github-app-callback')

package/src/api-routes/__tests__/setup-github-app-repos.test.ts

@@ -8,7 +8,8 @@
  */
 
 import { generateKeyPairSync } from 'node:crypto'
-import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { makeTestSessionCookie } from './_session-test-helper'
 
 const { privateKey: KEY } = generateKeyPairSync('rsa', { modulusLength: 2048 })
 const PRIVATE_KEY_PEM = KEY.export({ type: 'pkcs8', format: 'pem' }) as string
@@ -17,7 +18,7 @@ const PRIVATE_KEY_PEM = KEY.export({ type: 'pkcs8', format: 'pem' }) as string
 // tests used to pass would now be rejected before reaching the GitHub layer.
 // Replace it with a real serialized admin session and let callers opt out
 // via session: null when they want to exercise the unauthenticated branch.
-const ADMIN_SESSION = JSON.stringify({
+const ADMIN_SESSION = makeTestSessionCookie({
   user: {
     id: 'u1',
     email: 'admin@example.com',
@@ -40,9 +41,7 @@ function makeCookies(session?: string) {
 }
 
 function makeCtx(opts: { session?: string; query?: string } = {}) {
-  const url = new URL(
-    `https://localhost/api/setzkasten/setup/github-app/repos${opts.query ?? ''}`,
-  )
+  const url = new URL(`https://localhost/api/setzkasten/setup/github-app/repos${opts.query ?? ''}`)
   return {
     url,
     cookies: makeCookies(opts.session),

package/src/api-routes/__tests__/setup-github-app.test.ts

@@ -9,17 +9,29 @@
  *   POST 5. Ungültige Credentials (Token-Fetch schlägt fehl) → { ok: false, error }
  */
 
-import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
 import { generateKeyPairSync } from 'node:crypto'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { makeTestSessionCookie } from './_session-test-helper'
 
 const { privateKey: TEST_KEY } = generateKeyPairSync('rsa', { modulusLength: 2048 })
 const TEST_PEM = TEST_KEY.export({ type: 'pkcs8', format: 'pem' }) as string
 
+const ADMIN_SESSION = makeTestSessionCookie({
+  user: { id: 'a', email: 'admin@example.com', role: 'admin', provider: 'github' },
+  expiresAt: Date.now() + 60_000,
+})
+
+function makeCookies() {
+  return {
+    get: (name: string) => (name === 'setzkasten_session' ? { value: ADMIN_SESSION } : undefined),
+  }
+}
+
 type MockRequest = { json: () => Promise<unknown> }
-type MockContext = { request: MockRequest }
+type MockContext = { request: MockRequest; cookies: ReturnType<typeof makeCookies> }
 
 function makeCtx(body: unknown): MockContext {
-  return { request: { json: async () => body } }
+  return { request: { json: async () => body }, cookies: makeCookies() }
 }
 
 function setEnv(vars: Record<string, string | undefined>) {
@@ -29,23 +41,31 @@ function setEnv(vars: Record<string, string | undefined>) {
 
 describe('setup-github-app GET', () => {
   afterEach(() => {
-    setEnv({ GITHUB_APP_ID: undefined, GITHUB_APP_PRIVATE_KEY: undefined, GITHUB_APP_INSTALLATION_ID: undefined })
+    setEnv({
+      GITHUB_APP_ID: undefined,
+      GITHUB_APP_PRIVATE_KEY: undefined,
+      GITHUB_APP_INSTALLATION_ID: undefined,
+    })
     vi.resetModules()
   })
 
   it('gibt configured: false zurück wenn App nicht konfiguriert', async () => {
     const { GET } = await import('../setup-github-app')
-    const res = await (GET as Function)({})
+    const res = await (GET as Function)({ cookies: makeCookies() })
     const body = await res.json()
     expect(res.status).toBe(200)
     expect(body.configured).toBe(false)
   })
 
   it('gibt configured: true + appId zurück wenn alle Vars gesetzt sind', async () => {
-    setEnv({ GITHUB_APP_ID: '99999', GITHUB_APP_PRIVATE_KEY: TEST_PEM, GITHUB_APP_INSTALLATION_ID: '11111' })
+    setEnv({
+      GITHUB_APP_ID: '99999',
+      GITHUB_APP_PRIVATE_KEY: TEST_PEM,
+      GITHUB_APP_INSTALLATION_ID: '11111',
+    })
     vi.resetModules()
     const { GET } = await import('../setup-github-app')
-    const res = await (GET as Function)({})
+    const res = await (GET as Function)({ cookies: makeCookies() })
     const body = await res.json()
     expect(res.status).toBe(200)
     expect(body.configured).toBe(true)

package/src/api-routes/__tests__/storage-config-for-request.test.ts

@@ -75,4 +75,87 @@ describe('resolveStorageConfigForRequest', () => {
     expect(result?.repo).toBe('forced')
     expect(result?.branch).toBe('main')
   })
+
+  // ---------------------------------------------------------------------
+  // projectPrefix inheritance (security regression — section template
+  // patcher used to fail silently because resolver hardcoded prefix='').
+  // ---------------------------------------------------------------------
+
+  it('inherits the build-time projectPrefix when body owner/repo match the build target', async () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = {
+      owner: 'acme',
+      repo: 'site-a',
+      branch: 'main',
+      contentPath: 'content',
+      assetsPath: 'public/images',
+      projectPrefix: 'apps/website',
+    }
+    __resetWebsiteResolverForTests(null)
+    const req = new Request('https://cms.example.com/x')
+
+    const result = await resolveStorageConfigForRequest(req, {
+      owner: 'acme',
+      repo: 'site-a',
+    })
+
+    expect(result?.projectPrefix).toBe('apps/website')
+  })
+
+  it('does NOT leak the build-time prefix to a body override targeting a different repo', async () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = {
+      owner: 'acme',
+      repo: 'site-a',
+      branch: 'main',
+      contentPath: 'content',
+      assetsPath: 'public/images',
+      projectPrefix: 'apps/website',
+    }
+    __resetWebsiteResolverForTests(null)
+    const req = new Request('https://cms.example.com/x')
+
+    const result = await resolveStorageConfigForRequest(req, {
+      owner: 'attacker',
+      repo: 'evil-fork',
+      branch: 'main',
+    })
+
+    // Attacker repo gets an empty prefix — refusing to compose
+    // `apps/website/...` paths against an unrelated repo.
+    expect(result?.owner).toBe('attacker')
+    expect(result?.projectPrefix).toBe('')
+  })
+
+  it('inherits the prefix only when the resolved-website owner/repo match the build target', async () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = {
+      owner: 'acme',
+      repo: 'site-a',
+      branch: 'main',
+      contentPath: 'content',
+      assetsPath: 'public/images',
+      projectPrefix: 'apps/website',
+    }
+    __resetWebsiteResolverForTests({
+      mode: 'multi',
+      registry: makeRegistry([
+        ENTRY,
+        {
+          ...ENTRY,
+          id: 'site-b',
+          repo: 'acme/site-b',
+        },
+      ]),
+    })
+
+    const reqMatch = new Request('https://cms.example.com/x', {
+      headers: { 'x-sk-website': 'site-a' },
+    })
+    const resMatch = await resolveStorageConfigForRequest(reqMatch)
+    expect(resMatch?.projectPrefix).toBe('apps/website')
+
+    const reqOther = new Request('https://cms.example.com/x', {
+      headers: { 'x-sk-website': 'site-b' },
+    })
+    const resOther = await resolveStorageConfigForRequest(reqOther)
+    expect(resOther?.projectPrefix).toBe('')
+  })
 })