@setzkasten-cms/astro-admin 1.4.6 → 1.5.0

package/src/api-routes/section-duplicate.ts

@@ -1,9 +1,10 @@
+import { isSafeKey } from '@setzkasten-cms/core'
 import type { APIRoute } from 'astro'
-import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
-import { generateDuplicateKey, duplicateInPageConfig } from './section-management'
-import { parseSession, guardPageAccess } from './_auth-guard'
+import { guardPageAccess, parseSession } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
 import { resolveGitHubTokenForRequest } from './_github-token'
+import { resolveStorageConfigForRequest } from './_storage-config'
+import { duplicateInPageConfig, generateDuplicateKey } from './section-management'
 
 /**
  * POST /api/setzkasten/sections/duplicate
@@ -26,7 +27,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const githubToken = tokenResult.value
 
   try {
-    const body = await request.json() as {
+    const body = (await request.json()) as {
       pageKey: string
       sectionKey: string
       owner?: string
@@ -47,8 +48,19 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     if (!pageKey || !sectionKey) {
       return Response.json({ error: 'pageKey and sectionKey are required' }, { status: 400 })
     }
+    if (!isSafeKey(pageKey)) {
+      return Response.json({ error: 'invalid pageKey' }, { status: 400 })
+    }
+    if (!isSafeKey(sectionKey)) {
+      return Response.json({ error: 'invalid sectionKey' }, { status: 400 })
+    }
 
-    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
+    const denied = await guardPageAccess(
+      parseSession(cookies.get('setzkasten_session')?.value),
+      pageKey,
+      fullConfig,
+      request,
+    )
     if (denied) return denied
 
     const headers = {
@@ -73,7 +85,13 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
     // 3. Read original section content
     const originalJsonPath = `${contentPath}/_sections/${sectionKey}.json`
-    const originalContent = await fetchFileContent(owner, repo, branch, originalJsonPath, githubToken)
+    const originalContent = await fetchFileContent(
+      owner,
+      repo,
+      branch,
+      originalJsonPath,
+      githubToken,
+    )
 
     // 4. Build commit
     const updatedConfig = duplicateInPageConfig(pageConfig, sectionKey, newKey)
@@ -86,12 +104,17 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       filesToCommit.push({ path: copyPath, content: originalContent })
     }
 
-    const commitResult = await batchCommit(owner, repo, branch, filesToCommit,
+    const commitResult = await batchCommit(
+      owner,
+      repo,
+      branch,
+      filesToCommit,
       withTrailers(
         `content: duplicate ${sectionKey} → ${newKey} on ${pageKey}`,
         parseSession(cookies.get('setzkasten_session')?.value)?.user?.email,
       ),
-      headers)
+      headers,
+    )
 
     if (!commitResult.ok) return Response.json({ error: commitResult.error }, { status: 500 })
 
@@ -111,50 +134,94 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   }
 }
 
-async function fetchFileContent(owner: string, repo: string, branch: string, path: string, token: string): Promise<string | null> {
+async function fetchFileContent(
+  owner: string,
+  repo: string,
+  branch: string,
+  path: string,
+  token: string,
+): Promise<string | null> {
   try {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json', 'X-GitHub-Api-Version': '2022-11-28' } },
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: 'application/vnd.github+json',
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      },
     )
     if (!res.ok) return null
-    const data = await res.json() as { content: string; encoding: string }
-    return data.encoding === 'base64' ? Buffer.from(data.content, 'base64').toString('utf-8') : data.content
-  } catch { return null }
+    const data = (await res.json()) as { content: string; encoding: string }
+    return data.encoding === 'base64'
+      ? Buffer.from(data.content, 'base64').toString('utf-8')
+      : data.content
+  } catch {
+    return null
+  }
 }
 
 async function batchCommit(
-  owner: string, repo: string, branch: string,
+  owner: string,
+  repo: string,
+  branch: string,
   files: Array<{ path: string; content: string }>,
   message: string,
   headers: Record<string, string>,
 ): Promise<{ ok: true; sha: string } | { ok: false; error: string }> {
   try {
-    const refRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, { headers })
+    const refRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      { headers },
+    )
     if (!refRes.ok) return { ok: false, error: `Failed to get HEAD: ${refRes.status}` }
-    const { object: { sha: headSha } } = await refRes.json() as { object: { sha: string } }
+    const {
+      object: { sha: headSha },
+    } = (await refRes.json()) as { object: { sha: string } }
 
-    const commitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`, { headers })
+    const commitRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`,
+      { headers },
+    )
     if (!commitRes.ok) return { ok: false, error: `Failed to get commit: ${commitRes.status}` }
-    const { tree: { sha: baseSha } } = await commitRes.json() as { tree: { sha: string } }
+    const {
+      tree: { sha: baseSha },
+    } = (await commitRes.json()) as { tree: { sha: string } }
 
     const treeRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/trees`, {
-      method: 'POST', headers,
-      body: JSON.stringify({ base_tree: baseSha, tree: files.map(f => ({ path: f.path, mode: '100644', type: 'blob', content: f.content })) }),
+      method: 'POST',
+      headers,
+      body: JSON.stringify({
+        base_tree: baseSha,
+        tree: files.map((f) => ({
+          path: f.path,
+          mode: '100644',
+          type: 'blob',
+          content: f.content,
+        })),
+      }),
     })
     if (!treeRes.ok) return { ok: false, error: `Failed to create tree: ${treeRes.status}` }
-    const { sha: treeSha } = await treeRes.json() as { sha: string }
+    const { sha: treeSha } = (await treeRes.json()) as { sha: string }
 
     const newCommitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits`, {
-      method: 'POST', headers,
+      method: 'POST',
+      headers,
       body: JSON.stringify({ tree: treeSha, parents: [headSha], message }),
     })
-    if (!newCommitRes.ok) return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` }
-    const { sha: newSha } = await newCommitRes.json() as { sha: string }
-
-    const updateRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, {
-      method: 'PATCH', headers, body: JSON.stringify({ sha: newSha }),
-    })
+    if (!newCommitRes.ok)
+      return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` }
+    const { sha: newSha } = (await newCommitRes.json()) as { sha: string }
+
+    const updateRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      {
+        method: 'PATCH',
+        headers,
+        body: JSON.stringify({ sha: newSha }),
+      },
+    )
     if (!updateRes.ok) return { ok: false, error: `Failed to update ref: ${updateRes.status}` }
 
     return { ok: true, sha: newSha }

package/src/api-routes/section-management.ts

@@ -21,7 +21,7 @@ interface PageConfig {
  */
 export function removeFromPageConfig(config: PageConfig, sectionKey: string): PageConfig {
   const sections = config.sections
-    .filter(s => s.key !== sectionKey)
+    .filter((s) => s.key !== sectionKey)
     .map((s, i) => ({ ...s, order: i }))
   return { ...config, sections }
 }
@@ -53,11 +53,7 @@ export function generateAddKey(existingKeys: string[], type: string): string {
  * Appends a new section entry at the end of the page config.
  * Sets `type` only when key differs from type (multi-instance case).
  */
-export function addToPageConfig(
-  config: PageConfig,
-  key: string,
-  type: string,
-): PageConfig {
+export function addToPageConfig(config: PageConfig, key: string, type: string): PageConfig {
   const entry: SectionEntry = {
     key,
     enabled: true,
@@ -76,7 +72,7 @@ export function duplicateInPageConfig(
   originalKey: string,
   newKey: string,
 ): PageConfig {
-  const original = config.sections.find(s => s.key === originalKey)
+  const original = config.sections.find((s) => s.key === originalKey)
   if (!original) return config
 
   // Always set type explicitly: copy key differs from type (e.g. 'testPricing--copy'),

package/src/api-routes/section-prepare-copy.ts

@@ -1,7 +1,8 @@
+import { isSafeKey } from '@setzkasten-cms/core'
 import type { APIRoute } from 'astro'
-import { resolveStorageConfigForRequest } from './_storage-config'
-import { generateDuplicateKey, duplicateInPageConfig } from './section-management'
 import { resolveGitHubTokenForRequest } from './_github-token'
+import { resolveStorageConfigForRequest } from './_storage-config'
+import { duplicateInPageConfig, generateDuplicateKey } from './section-management'
 
 /**
  * POST /api/setzkasten/sections/prepare-copy
@@ -34,7 +35,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const githubToken = tokenResult.value
 
   try {
-    const body = await request.json() as {
+    const body = (await request.json()) as {
       pageKey: string
       sectionKey: string
       owner?: string
@@ -54,6 +55,12 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     if (!pageKey || !sectionKey) {
       return Response.json({ error: 'pageKey and sectionKey are required' }, { status: 400 })
     }
+    if (!isSafeKey(pageKey)) {
+      return Response.json({ error: 'invalid pageKey' }, { status: 400 })
+    }
+    if (!isSafeKey(sectionKey)) {
+      return Response.json({ error: 'invalid sectionKey' }, { status: 400 })
+    }
 
     // 1. Read current page config
     const configKey = '_' + pageKey.replace(/\//g, '_')
@@ -90,15 +97,29 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 }
 
 async function fetchFileContent(
-  owner: string, repo: string, branch: string, path: string, token: string,
+  owner: string,
+  repo: string,
+  branch: string,
+  path: string,
+  token: string,
 ): Promise<string | null> {
   try {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json', 'X-GitHub-Api-Version': '2022-11-28' } },
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: 'application/vnd.github+json',
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      },
     )
     if (!res.ok) return null
-    const data = await res.json() as { content: string; encoding: string }
-    return data.encoding === 'base64' ? Buffer.from(data.content, 'base64').toString('utf-8') : data.content
-  } catch { return null }
+    const data = (await res.json()) as { content: string; encoding: string }
+    return data.encoding === 'base64'
+      ? Buffer.from(data.content, 'base64').toString('utf-8')
+      : data.content
+  } catch {
+    return null
+  }
 }

package/src/api-routes/section-prepare.ts

@@ -1,8 +1,9 @@
+import { isSafeKey } from '@setzkasten-cms/core'
 import type { APIRoute } from 'astro'
-import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
-import { generateAddKey } from './section-management'
-import { parseSession, guardPageAccess } from './_auth-guard'
+import { guardPageAccess, parseSession } from './_auth-guard'
 import { resolveGitHubTokenForRequest } from './_github-token'
+import { resolveStorageConfigForRequest } from './_storage-config'
+import { generateAddKey } from './section-management'
 
 /**
  * POST /api/setzkasten/sections/prepare
@@ -28,7 +29,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const githubToken = tokenResult.value
 
   try {
-    const body = await request.json() as {
+    const body = (await request.json()) as {
       pageKey: string
       sectionType: string
       owner?: string
@@ -49,8 +50,19 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     if (!pageKey || !sectionType) {
       return Response.json({ error: 'pageKey and sectionType are required' }, { status: 400 })
     }
+    if (!isSafeKey(pageKey)) {
+      return Response.json({ error: 'invalid pageKey' }, { status: 400 })
+    }
+    if (!isSafeKey(sectionType)) {
+      return Response.json({ error: 'invalid sectionType' }, { status: 400 })
+    }
 
-    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
+    const denied = await guardPageAccess(
+      parseSession(cookies.get('setzkasten_session')?.value),
+      pageKey,
+      fullConfig,
+      request,
+    )
     if (denied) return denied
 
     // 1. Read current page config from GitHub to determine existing keys
@@ -116,14 +128,30 @@ function buildDefaultContent(fields: Record<string, any>): Record<string, unknow
   return result
 }
 
-async function fetchFileContent(owner: string, repo: string, branch: string, path: string, token: string): Promise<string | null> {
+async function fetchFileContent(
+  owner: string,
+  repo: string,
+  branch: string,
+  path: string,
+  token: string,
+): Promise<string | null> {
   try {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json', 'X-GitHub-Api-Version': '2022-11-28' } },
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: 'application/vnd.github+json',
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      },
     )
     if (!res.ok) return null
-    const data = await res.json() as { content: string; encoding: string }
-    return data.encoding === 'base64' ? Buffer.from(data.content, 'base64').toString('utf-8') : data.content
-  } catch { return null }
+    const data = (await res.json()) as { content: string; encoding: string }
+    return data.encoding === 'base64'
+      ? Buffer.from(data.content, 'base64').toString('utf-8')
+      : data.content
+  } catch {
+    return null
+  }
 }

package/src/api-routes/setup-github-app-bounce.ts

@@ -1,4 +1,5 @@
 import type { APIRoute } from 'astro'
+import { requireAdmin } from './_auth-guard'
 import { getPublicOrigin } from './_vercel-origin.js'
 
 /**
@@ -9,7 +10,12 @@ import { getPublicOrigin } from './_vercel-origin.js'
  * Generates the GitHub App manifest JSON using the server-known origin,
  * then returns a minimal HTML page that auto-submits a form to GitHub.
  */
-export const GET: APIRoute = async ({ url, request }) => {
+export const GET: APIRoute = async ({ url, request, cookies }) => {
+  // Admin-only — pre-fix any unauthenticated visitor could trigger the
+  // manifest redirect and probe the deployment's origin / setup state.
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
   const name = url.searchParams.get('name')?.trim() || 'Setzkasten CMS'
   const origin = getPublicOrigin(request)
 

package/src/api-routes/setup-github-app-branches.ts

@@ -1,5 +1,5 @@
-import type { APIRoute } from 'astro'
 import { listRepoBranches } from '@setzkasten-cms/github-adapter'
+import type { APIRoute } from 'astro'
 import { requireAdmin } from './_auth-guard'
 
 /**
@@ -20,8 +20,7 @@ export const GET: APIRoute = async ({ cookies, url }) => {
   if (!appId || !privateKey) {
     return new Response(
       JSON.stringify({
-        error:
-          'GitHub App not configured. Set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY.',
+        error: 'GitHub App not configured. Set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY.',
       }),
       { status: 400, headers: { 'Content-Type': 'application/json' } },
     )
@@ -38,10 +37,10 @@ export const GET: APIRoute = async ({ cookies, url }) => {
 
   const slash = repoFull.indexOf('/')
   if (slash <= 0 || slash === repoFull.length - 1) {
-    return new Response(
-      JSON.stringify({ error: '?repo must be in "owner/name" format.' }),
-      { status: 400, headers: { 'Content-Type': 'application/json' } },
-    )
+    return new Response(JSON.stringify({ error: '?repo must be in "owner/name" format.' }), {
+      status: 400,
+      headers: { 'Content-Type': 'application/json' },
+    })
   }
   const owner = repoFull.slice(0, slash)
   const repo = repoFull.slice(slash + 1)

package/src/api-routes/setup-github-app-callback.ts

@@ -1,4 +1,5 @@
 import type { APIRoute } from 'astro'
+import { requireAdmin } from './_auth-guard'
 import { getPublicOrigin } from './_vercel-origin.js'
 
 const COOKIE_NAME = 'sk_app_setup'
@@ -15,6 +16,13 @@ const COOKIE_MAX_AGE = 600 // 10 minutes
  * the Set-Cookie header (TypeError: immutable).
  */
 export const GET: APIRoute = async ({ url, request, cookies }) => {
+  // GitHub redirects the admin's browser back here after the Manifest
+  // flow — the original session cookie travels with the top-level
+  // navigation. Without this gate, anyone could replay an older `?code`
+  // and force a re-write of the setup cookie. Admin-only.
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
   const config = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
     | { adminPath?: string }
     | undefined
@@ -64,7 +72,16 @@ export const GET: APIRoute = async ({ url, request, cookies }) => {
       clientId: data!.client_id,
       clientSecret: data!.client_secret,
     }),
-    { httpOnly: false, sameSite: 'lax', maxAge: COOKIE_MAX_AGE, path: '/' },
+    // httpOnly:true — pre-fix this was readable to any JS on origin (XSS,
+    // extensions). The SPA now reads via /api/setzkasten/setup/github-app/
+    // credentials (server reads the cookie, returns values).
+    {
+      httpOnly: true,
+      secure: import.meta.env.PROD,
+      sameSite: 'lax',
+      maxAge: COOKIE_MAX_AGE,
+      path: '/',
+    },
   )
 
   return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } })

package/src/api-routes/setup-github-app-credentials.ts

@@ -0,0 +1,55 @@
+import type { APIRoute } from 'astro'
+import { requireAdmin } from './_auth-guard'
+
+const COOKIE_NAME = 'sk_app_setup'
+
+/**
+ * GET /api/setzkasten/setup/github-app/credentials
+ *
+ * Returns the freshly-minted GitHub App credentials so the admin SPA can
+ * display them (env-var copy step of the wizard). Pre-C6 the SPA read
+ * these directly from `document.cookie`, which required the cookie to
+ * be `httpOnly: false` — exposing the App private key to any JS on the
+ * origin (XSS, extensions, embedded widgets). Now the cookie is
+ * httpOnly and only this admin-gated endpoint can read it.
+ *
+ * The cookie itself stays for the wizard's full lifetime (10 min); this
+ * endpoint just makes the contents available without exposing them via
+ * the document.
+ */
+export const GET: APIRoute = async ({ cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  const raw = cookies.get(COOKIE_NAME)?.value
+  if (!raw) {
+    return Response.json({ available: false }, { status: 404 })
+  }
+
+  let parsed: unknown
+  try {
+    parsed = JSON.parse(raw)
+  } catch {
+    return Response.json({ available: false, error: 'malformed' }, { status: 500 })
+  }
+
+  if (!parsed || typeof parsed !== 'object') {
+    return Response.json({ available: false }, { status: 404 })
+  }
+
+  return Response.json({ available: true, credentials: parsed })
+}
+
+/**
+ * DELETE /api/setzkasten/setup/github-app/credentials
+ *
+ * Clears the setup cookie once the admin has copied the env vars and
+ * confirmed the deploy. Removes the credentials from the wire as soon
+ * as they're no longer needed.
+ */
+export const DELETE: APIRoute = async ({ cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+  cookies.delete(COOKIE_NAME, { path: '/' })
+  return Response.json({ ok: true })
+}

package/src/api-routes/setup-github-app-installed.ts

@@ -1,4 +1,5 @@
 import type { APIRoute } from 'astro'
+import { requireAdmin } from './_auth-guard'
 import { getPublicOrigin } from './_vercel-origin.js'
 
 const COOKIE_NAME = 'sk_app_setup'
@@ -15,6 +16,9 @@ const COOKIE_MAX_AGE = 600
  * the Set-Cookie header (TypeError: immutable).
  */
 export const GET: APIRoute = async ({ url, request, cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
   const config = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
     | { adminPath?: string }
     | undefined
@@ -33,7 +37,14 @@ export const GET: APIRoute = async ({ url, request, cookies }) => {
     cookies.set(
       COOKIE_NAME,
       JSON.stringify({ ...data, installationId }),
-      { httpOnly: false, sameSite: 'lax', maxAge: COOKIE_MAX_AGE, path: '/' },
+      // C6: same httpOnly hardening as the callback route.
+      {
+        httpOnly: true,
+        secure: import.meta.env.PROD,
+        sameSite: 'lax',
+        maxAge: COOKIE_MAX_AGE,
+        path: '/',
+      },
     )
   } catch {
     adminUrl.searchParams.set('github-app-error', 'invalid_session')

package/src/api-routes/setup-github-app-repos.ts

@@ -1,5 +1,5 @@
-import type { APIRoute } from 'astro'
 import { listAccessibleRepos } from '@setzkasten-cms/github-adapter'
+import type { APIRoute } from 'astro'
 import { requireAdmin } from './_auth-guard'
 
 /**
@@ -23,8 +23,7 @@ export const GET: APIRoute = async ({ cookies }) => {
   if (!appId || !privateKey) {
     return new Response(
       JSON.stringify({
-        error:
-          'GitHub App not configured. Set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY.',
+        error: 'GitHub App not configured. Set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY.',
       }),
       { status: 400, headers: { 'Content-Type': 'application/json' } },
     )

package/src/api-routes/setup-github-app.ts

@@ -1,5 +1,6 @@
-import type { APIRoute } from 'astro'
 import { GitHubAppClient } from '@setzkasten-cms/github-adapter'
+import type { APIRoute } from 'astro'
+import { requireAdmin } from './_auth-guard'
 
 /**
  * Setup-Wizard: GitHub App Integration
@@ -9,9 +10,16 @@ import { GitHubAppClient } from '@setzkasten-cms/github-adapter'
  *
  * Credentials werden NICHT persistiert – der Nutzer setzt die env vars manuell.
  * Der POST-Endpunkt validiert die Verbindung durch einen echten Token-Request.
+ *
+ * Both methods are admin-only. Pre-fix the GET let any unauthenticated
+ * visitor probe whether a deployment was configured (reconnaissance for
+ * targeting half-set-up instances).
  */
 
-export const GET: APIRoute = async () => {
+export const GET: APIRoute = async ({ cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
   const appId = process.env.GITHUB_APP_ID
   const privateKey = process.env.GITHUB_APP_PRIVATE_KEY
   const installationId = process.env.GITHUB_APP_INSTALLATION_ID
@@ -21,7 +29,9 @@ export const GET: APIRoute = async () => {
   return Response.json({ configured, ...(configured ? { appId } : {}) })
 }
 
-export const POST: APIRoute = async ({ request }) => {
+export const POST: APIRoute = async ({ request, cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
   let body: unknown
   try {
     body = await request.json()
@@ -29,8 +39,7 @@ export const POST: APIRoute = async ({ request }) => {
     return Response.json({ error: 'Invalid JSON body' }, { status: 400 })
   }
 
-  const { appId, privateKey, installationId } =
-    (body as Record<string, unknown>) ?? {}
+  const { appId, privateKey, installationId } = (body as Record<string, unknown>) ?? {}
 
   if (!appId || !privateKey || !installationId) {
     return Response.json(

package/src/api-routes/updater-check.ts

@@ -11,10 +11,12 @@ export const GET: APIRoute = async ({ cookies, url }) => {
     return new Response('Unauthorized', { status: 401 })
   }
 
-  const config = (globalThis as any).__SETZKASTEN_CONFIG__ as {
-    updaterUrl?: string
-    version?: string
-  } | undefined
+  const config = (globalThis as any).__SETZKASTEN_CONFIG__ as
+    | {
+        updaterUrl?: string
+        version?: string
+      }
+    | undefined
 
   const updaterUrl = config?.updaterUrl
   if (!updaterUrl) {