@setzkasten-cms/astro-admin 1.4.6 → 1.5.0

package/src/api-routes/init-migrate.ts

@@ -1,9 +1,10 @@
-import type { APIRoute } from 'astro'
 import type { SetzKastenConfig } from '@setzkasten-cms/core'
-import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
+import type { APIRoute } from 'astro'
 import { patchTemplateForFields } from '../init/template-patcher-v2'
+import { requireAdmin } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
 import { resolveGitHubTokenForRequest } from './_github-token'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 
 /**
  * POST /api/setzkasten/init/migrate
@@ -17,10 +18,8 @@ import { resolveGitHubTokenForRequest } from './_github-token'
  * Returns: { commitSha, patchedSource, originalSource }
  */
 export const POST: APIRoute = async ({ request, cookies }) => {
-  const session = cookies.get('setzkasten_session')?.value
-  if (!session) {
-    return new Response('Unauthorized', { status: 401 })
-  }
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
 
   const tokenResult = await resolveGitHubTokenForRequest(request)
   if (!tokenResult.ok) {
@@ -29,7 +28,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const githubToken = tokenResult.value
 
   try {
-    const body = await request.json() as {
+    const body = (await request.json()) as {
       owner?: string
       repo?: string
       branch?: string
@@ -39,7 +38,12 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
     const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) {
-      return Response.json({ error: 'Could not resolve owner/repo. Set SETZKASTEN_OWNER and SETZKASTEN_REPO env vars.' }, { status: 400 })
+      return Response.json(
+        {
+          error: 'Could not resolve owner/repo. Set SETZKASTEN_OWNER and SETZKASTEN_REPO env vars.',
+        },
+        { status: 400 },
+      )
     }
     const { owner, repo, branch, projectPrefix } = storage
     const { sectionKey } = body
@@ -73,14 +77,20 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     const sectionJsonPath = `${contentPath}/_sections/${sectionKey}.json`
     const sectionJson = await fetchFileContent(owner, repo, branch, sectionJsonPath, githubToken)
 
-    const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__ as SetzKastenConfig | undefined
+    const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__ as
+      | SetzKastenConfig
+      | undefined
     const fieldDefs = getFieldDefs(fullConfig, sectionKey)
 
     // Build fields: combine config field types with content JSON values
     const fields: Array<{ key: string; type: string; defaultValue?: unknown }> = []
     let contentData: Record<string, unknown> = {}
     if (sectionJson) {
-      try { contentData = JSON.parse(sectionJson) } catch { /* ignore */ }
+      try {
+        contentData = JSON.parse(sectionJson)
+      } catch {
+        /* ignore */
+      }
     }
 
     // Add fields from config definitions
@@ -155,10 +165,11 @@ function getFieldDefs(
 }
 
 function deriveComponentPath(sectionKey: string): string {
-  const componentName = sectionKey
-    .split('-')
-    .map(s => s.charAt(0).toUpperCase() + s.slice(1))
-    .join('') + 'Section'
+  const componentName =
+    sectionKey
+      .split('-')
+      .map((s) => s.charAt(0).toUpperCase() + s.slice(1))
+      .join('') + 'Section'
   return `src/components/sections/${componentName}.astro`
 }
 
@@ -181,7 +192,7 @@ async function fetchFileContent(
       },
     )
     if (!response.ok) return null
-    const data = await response.json() as { content: string; encoding: string }
+    const data = (await response.json()) as { content: string; encoding: string }
     return data.encoding === 'base64'
       ? Buffer.from(data.content, 'base64').toString('utf-8')
       : data.content
@@ -204,7 +215,7 @@ async function batchCommit(
       { headers },
     )
     if (!refRes.ok) return { ok: false, error: `Failed to get HEAD: ${refRes.status}` }
-    const refData = await refRes.json() as { object: { sha: string } }
+    const refData = (await refRes.json()) as { object: { sha: string } }
     const headSha = refData.object.sha
 
     const commitRes = await fetch(
@@ -212,41 +223,36 @@ async function batchCommit(
       { headers },
     )
     if (!commitRes.ok) return { ok: false, error: `Failed to get commit: ${commitRes.status}` }
-    const commitData = await commitRes.json() as { tree: { sha: string } }
+    const commitData = (await commitRes.json()) as { tree: { sha: string } }
 
-    const treeRes = await fetch(
-      `https://api.github.com/repos/${owner}/${repo}/git/trees`,
-      {
-        method: 'POST',
-        headers,
-        body: JSON.stringify({
-          base_tree: commitData.tree.sha,
-          tree: files.map((f) => ({
-            path: f.path,
-            mode: '100644',
-            type: 'blob',
-            content: f.content,
-          })),
-        }),
-      },
-    )
+    const treeRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/trees`, {
+      method: 'POST',
+      headers,
+      body: JSON.stringify({
+        base_tree: commitData.tree.sha,
+        tree: files.map((f) => ({
+          path: f.path,
+          mode: '100644',
+          type: 'blob',
+          content: f.content,
+        })),
+      }),
+    })
     if (!treeRes.ok) return { ok: false, error: `Failed to create tree: ${treeRes.status}` }
-    const treeData = await treeRes.json() as { sha: string }
+    const treeData = (await treeRes.json()) as { sha: string }
 
-    const newCommitRes = await fetch(
-      `https://api.github.com/repos/${owner}/${repo}/git/commits`,
-      {
-        method: 'POST',
-        headers,
-        body: JSON.stringify({
-          tree: treeData.sha,
-          parents: [headSha],
-          message,
-        }),
-      },
-    )
-    if (!newCommitRes.ok) return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` }
-    const newCommitData = await newCommitRes.json() as { sha: string }
+    const newCommitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits`, {
+      method: 'POST',
+      headers,
+      body: JSON.stringify({
+        tree: treeData.sha,
+        parents: [headSha],
+        message,
+      }),
+    })
+    if (!newCommitRes.ok)
+      return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` }
+    const newCommitData = (await newCommitRes.json()) as { sha: string }
 
     const updateRes = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,

package/src/api-routes/init-scan-page.ts

@@ -1,10 +1,11 @@
-import type { APIRoute } from 'astro'
 import type { SetzKastenConfig } from '@setzkasten-cms/core'
-import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
-import { extractSectionImports, extractLayoutImport } from '../init/astro-detector'
-import { analyzeAstroSection } from '../init/astro-section-analyzer-v2'
 import type { RepoFile } from '@setzkasten-cms/core/init'
+import type { APIRoute } from 'astro'
+import { extractLayoutImport, extractSectionImports } from '../init/astro-detector'
+import { analyzeAstroSection } from '../init/astro-section-analyzer-v2'
+import { requireAdmin } from './_auth-guard'
 import { resolveGitHubTokenForRequest } from './_github-token'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 
 // Build-time constant injected by the Vite define plugin — always available in
 // compiled API routes (unlike page-ssr injectScript which only runs for SSR pages).
@@ -20,8 +21,11 @@ declare const __SETZKASTEN_FULL_CONFIG__: SetzKastenConfig | null | undefined
  * (including _layout_header / _layout_footer) for re-adoption.
  */
 export function resolveFullConfig(): SetzKastenConfig | undefined {
-  const buildConfig = typeof __SETZKASTEN_FULL_CONFIG__ !== 'undefined' ? __SETZKASTEN_FULL_CONFIG__ : null
-  return (buildConfig ?? (globalThis as any).__SETZKASTEN_FULL_CONFIG__) as SetzKastenConfig | undefined
+  const buildConfig =
+    typeof __SETZKASTEN_FULL_CONFIG__ !== 'undefined' ? __SETZKASTEN_FULL_CONFIG__ : null
+  return (buildConfig ?? (globalThis as any).__SETZKASTEN_FULL_CONFIG__) as
+    | SetzKastenConfig
+    | undefined
 }
 
 /**
@@ -35,10 +39,8 @@ export function resolveFullConfig(): SetzKastenConfig | undefined {
  * Returns: { unmanagedSections: InferredSection[], managedUpdates: ManagedUpdate[] }
  */
 export const POST: APIRoute = async ({ request, cookies }) => {
-  const session = cookies.get('setzkasten_session')?.value
-  if (!session) {
-    return new Response('Unauthorized', { status: 401 })
-  }
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
 
   const tokenResult = await resolveGitHubTokenForRequest(request)
   if (!tokenResult.ok) {
@@ -47,7 +49,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const githubToken = tokenResult.value
 
   try {
-    const body = await request.json() as {
+    const body = (await request.json()) as {
       owner?: string
       repo?: string
       branch?: string
@@ -57,7 +59,12 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
     const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) {
-      return Response.json({ error: 'Could not resolve owner/repo. Set SETZKASTEN_OWNER and SETZKASTEN_REPO env vars.' }, { status: 400 })
+      return Response.json(
+        {
+          error: 'Could not resolve owner/repo. Set SETZKASTEN_OWNER and SETZKASTEN_REPO env vars.',
+        },
+        { status: 400 },
+      )
     }
     const { owner, repo, branch, projectPrefix } = storage
     const { pagePath } = body
@@ -89,7 +96,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       )
     }
 
-    const treeData = await treeResponse.json() as {
+    const treeData = (await treeResponse.json()) as {
       tree: Array<{ path: string; type: string }>
     }
     const files: RepoFile[] = treeData.tree.map((item) => ({
@@ -108,7 +115,10 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       pageSource = await fetchFileContent(owner, repo, branch, fullPagePath, githubToken)
     }
     if (!pageSource) {
-      return Response.json({ error: `Could not read page source: ${fullPagePath}` }, { status: 404 })
+      return Response.json(
+        { error: `Could not read page source: ${fullPagePath}` },
+        { status: 404 },
+      )
     }
 
     // Extract section imports
@@ -131,7 +141,13 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
       if (!managedSections.has(imp.sectionKey)) {
         // Unmanaged section — full analysis
-        const sectionSource = await fetchFileContent(owner, repo, branch, imp.resolvedPath, githubToken)
+        const sectionSource = await fetchFileContent(
+          owner,
+          repo,
+          branch,
+          imp.resolvedPath,
+          githubToken,
+        )
         if (!sectionSource) continue
 
         const section = await analyzeAstroSection(
@@ -144,7 +160,13 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       } else {
         // Managed section — check for missing fields
         const existingFieldKeys = managedSections.get(imp.sectionKey)!
-        const sectionSource = await fetchFileContent(owner, repo, branch, imp.resolvedPath, githubToken)
+        const sectionSource = await fetchFileContent(
+          owner,
+          repo,
+          branch,
+          imp.resolvedPath,
+          githubToken,
+        )
         if (!sectionSource) continue
 
         const inferred = await analyzeAstroSection(
@@ -157,7 +179,13 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         // Load existing content to filter out fields whose value already exists
         // (e.g. template has ctaText="GitHub öffnen" but schema has buttonText with same value)
         const sectionJsonPath = `${contentPath}/_sections/${imp.sectionKey}.json`
-        const sectionJson = await fetchFileContent(owner, repo, branch, sectionJsonPath, githubToken)
+        const sectionJson = await fetchFileContent(
+          owner,
+          repo,
+          branch,
+          sectionJsonPath,
+          githubToken,
+        )
         const existingValues = new Set<string>()
         if (sectionJson) {
           try {
@@ -165,11 +193,13 @@ export const POST: APIRoute = async ({ request, cookies }) => {
             for (const val of Object.values(data)) {
               if (typeof val === 'string' && val.length >= 2) existingValues.add(val)
             }
-          } catch { /* ignore parse errors */ }
+          } catch {
+            /* ignore parse errors */
+          }
         }
 
         // Find fields that aren't in the schema AND whose value isn't already stored
-        const missingFields = inferred.fields.filter(f => {
+        const missingFields = inferred.fields.filter((f) => {
           if (existingFieldKeys.has(f.key)) return false
           if (typeof f.defaultValue === 'string' && existingValues.has(f.defaultValue)) return false
           return true
@@ -189,10 +219,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     // Always analyze page-level inline content (in addition to imported sections).
     // A page can have imported sections AND inline content (headings, text, arrays).
     {
-      const pageKeyNorm = pagePath
-        .replace(/^src\/pages\//, '')
-        .replace(/\/(index)?\.astro$/, '')
-        .replace(/\.astro$/, '') || 'index'
+      const pageKeyNorm =
+        pagePath
+          .replace(/^src\/pages\//, '')
+          .replace(/\/(index)?\.astro$/, '')
+          .replace(/\.astro$/, '') || 'index'
       const sectionKey = '_page_' + pageKeyNorm.replace(/\//g, '_')
 
       const pageSection = await analyzeAstroSection(
@@ -213,7 +244,13 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         // Already in config — check for new unbound fields
         const existingFieldKeys = managedSections.get(sectionKey)!
         const sectionJsonPath = `${contentPath}/_sections/${sectionKey}.json`
-        const sectionJson = await fetchFileContent(owner, repo, branch, sectionJsonPath, githubToken)
+        const sectionJson = await fetchFileContent(
+          owner,
+          repo,
+          branch,
+          sectionJsonPath,
+          githubToken,
+        )
         const existingValues = new Set<string>()
         if (sectionJson) {
           try {
@@ -221,9 +258,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
             for (const val of Object.values(data)) {
               if (typeof val === 'string' && val.length >= 2) existingValues.add(val)
             }
-          } catch { /* ignore */ }
+          } catch {
+            /* ignore */
+          }
         }
-        const missingFields = pageSection.fields.filter(f => {
+        const missingFields = pageSection.fields.filter((f) => {
           if (existingFieldKeys.has(f.key)) return false
           if (typeof f.defaultValue === 'string' && existingValues.has(f.defaultValue)) return false
           return true
@@ -246,7 +285,13 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     {
       const layoutImport = extractLayoutImport(pageSource, fullPagePath, files, projectPrefix)
       if (layoutImport?.resolvedPath) {
-        const layoutSource = await fetchFileContent(owner, repo, branch, layoutImport.resolvedPath, githubToken)
+        const layoutSource = await fetchFileContent(
+          owner,
+          repo,
+          branch,
+          layoutImport.resolvedPath,
+          githubToken,
+        )
         if (layoutSource) {
           for (const region of extractLayoutRegions(layoutSource)) {
             const sectionKey = `_layout_${region.name}`
@@ -255,8 +300,10 @@ export const POST: APIRoute = async ({ request, cookies }) => {
             // Wrap the region in a minimal Astro file for the analyzer
             const regionSource = `---\n---\n\n${region.html}`
             const section = await analyzeAstroSection(
-              regionSource, sectionKey,
-              region.name, layoutImport.resolvedPath,
+              regionSource,
+              sectionKey,
+              region.name,
+              layoutImport.resolvedPath,
               { mode: 'page' },
             )
             ;(section as any).isPageLevel = true
@@ -346,7 +393,7 @@ async function fetchFileContent(
       token,
     )
     if (!response.ok) return null
-    const data = await response.json() as { content: string; encoding: string }
+    const data = (await response.json()) as { content: string; encoding: string }
     return data.encoding === 'base64'
       ? Buffer.from(data.content, 'base64').toString('utf-8')
       : data.content

package/src/api-routes/init-scan.ts

@@ -1,7 +1,8 @@
+import { type RepoFile, analyzeProject } from '@setzkasten-cms/core/init'
 import type { APIRoute } from 'astro'
-import { analyzeProject, type RepoFile } from '@setzkasten-cms/core/init'
-import { findAstroPages, extractSectionImports } from '../init/astro-detector'
+import { extractSectionImports, findAstroPages } from '../init/astro-detector'
 import { analyzeAstroSection } from '../init/astro-section-analyzer-v2'
+import { requireAdmin } from './_auth-guard'
 import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
@@ -11,11 +12,12 @@ import { resolveGitHubTokenForRequest } from './_github-token'
  * Body: { owner: string, repo: string, branch?: string }
  */
 export const POST: APIRoute = async ({ request, cookies }) => {
-  // Verify session
-  const session = cookies.get('setzkasten_session')?.value
-  if (!session) {
-    return new Response('Unauthorized', { status: 401 })
-  }
+  // Init wizard is admin-only — editors don't run it, and the route mints
+  // App-installation tokens against arbitrary repos from the body. Cookie-
+  // presence check used to be the only gate, which let any editor (or any
+  // forger pre-C1) probe / scan installations.
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
 
   const tokenResult = await resolveGitHubTokenForRequest(request)
   if (!tokenResult.ok) {
@@ -24,7 +26,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const githubToken = tokenResult.value
 
   try {
-    const body = await request.json() as { owner: string; repo: string; branch?: string }
+    const body = (await request.json()) as { owner: string; repo: string; branch?: string }
     const { owner, repo, branch = 'main' } = body
 
     if (!owner || !repo) {
@@ -44,7 +46,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       )
     }
 
-    const treeData = await treeResponse.json() as {
+    const treeData = (await treeResponse.json()) as {
       tree: Array<{ path: string; type: string; sha: string }>
     }
 
@@ -88,7 +90,13 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         if (allSections.has(imp.sectionKey)) continue
         if (!imp.resolvedPath) continue
 
-        const sectionSource = await fetchFileContent(owner, repo, branch, imp.resolvedPath, githubToken)
+        const sectionSource = await fetchFileContent(
+          owner,
+          repo,
+          branch,
+          imp.resolvedPath,
+          githubToken,
+        )
         if (!sectionSource) continue
 
         const section = await analyzeAstroSection(
@@ -153,7 +161,7 @@ async function fetchFileContent(
     )
     if (!response.ok) return null
 
-    const data = await response.json() as { content: string; encoding: string }
+    const data = (await response.json()) as { content: string; encoding: string }
     if (data.encoding === 'base64') {
       return Buffer.from(data.content, 'base64').toString('utf-8')
     }

package/src/api-routes/pages.ts

@@ -1,8 +1,9 @@
 import type { APIRoute } from 'astro'
+import { parseSession } from './_auth-guard'
+import { cachedFetch } from './_github-cache'
 import { resolveGitHubTokenForRequest } from './_github-token'
-import { readPagesMeta, type PagesMetaTarget } from './_pages-meta-store'
+import { type PagesMetaTarget, readPagesMeta } from './_pages-meta-store'
 import { resolveStorageConfigForRequest } from './_storage-config'
-import { cachedFetch } from './_github-cache'
 
 interface PageInfo {
   path: string
@@ -29,7 +30,9 @@ declare const __SETZKASTEN_PAGES__: PageInfo[] | undefined
  */
 export function resolvePages(): PageInfo[] {
   const buildPages = typeof __SETZKASTEN_PAGES__ !== 'undefined' ? __SETZKASTEN_PAGES__ : null
-  return buildPages ?? (globalThis as Record<string, unknown>).__SETZKASTEN_PAGES__ as PageInfo[] ?? []
+  return (
+    buildPages ?? ((globalThis as Record<string, unknown>).__SETZKASTEN_PAGES__ as PageInfo[]) ?? []
+  )
 }
 
 /**
@@ -47,11 +50,16 @@ export function resolvePages(): PageInfo[] {
  * would see the admin's own page list — typically a single "index"
  * stub — instead of its real pages.
  */
-export const GET: APIRoute = async ({ request }) => {
+export const GET: APIRoute = async ({ request, cookies }) => {
+  // Authenticated users only — pre-fix this was an unauthenticated
+  // reconnaissance endpoint that also minted an installation token to
+  // crawl `src/pages/` of any website the App could reach.
+  if (!parseSession(cookies.get('setzkasten_session')?.value)) {
+    return new Response('Unauthorized', { status: 401 })
+  }
+
   const isMulti = request.headers.get('x-sk-website') !== null
-  const pages = isMulti
-    ? await fetchPagesFromGitHub(request).catch(() => [])
-    : resolvePages()
+  const pages = isMulti ? await fetchPagesFromGitHub(request).catch(() => []) : resolvePages()
 
   const enriched = await enrichWithLastModified(pages, request).catch(() => pages)
 
@@ -116,10 +124,7 @@ async function fetchPagesFromGitHub(request: Request): Promise<PageInfo[]> {
   })
 }
 
-async function enrichWithLastModified(
-  pages: PageInfo[],
-  request: Request,
-): Promise<PageInfo[]> {
+async function enrichWithLastModified(pages: PageInfo[], request: Request): Promise<PageInfo[]> {
   if (pages.length === 0) return pages
 
   const storage = await resolveStorageConfigForRequest(request)