@setzkasten-cms/astro-admin 1.4.6 → 1.5.0

package/dist/api-routes/section-commit-pending.js

@@ -1,23 +1,26 @@
 import {
   convertToSetHtml
-} from "../chunk-Q3N336KR.js";
-import {
-  readPagesMeta
-} from "../chunk-FXNOTESI.js";
+} from "../chunk-CDXCYYQR.js";
 import {
   guardPageAccess,
   parseSession
-} from "../chunk-INIWFKQ3.js";
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
 import {
   prefixPath,
   resolveStorageConfigForRequest
 } from "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
 import "../chunk-5PIMDP4N.js";
 import "../chunk-45ARVNT3.js";
 import {
   resolveGitHubTokenForRequest
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
 import "../chunk-TJNJKPUL.js";
+import {
+  readPagesMeta
+} from "../chunk-FXNOTESI.js";
 import {
   withTrailers
 } from "../chunk-KH22FJO5.js";
@@ -25,7 +28,7 @@ import {
 // src/api-routes/section-commit-pending.ts
 import { writeFile } from "fs/promises";
 import { join } from "path";
-import { setPageLastModified } from "@setzkasten-cms/core";
+import { isSafeKey, setPageLastModified } from "@setzkasten-cms/core";
 var POST = async ({ request, cookies }) => {
   const session = cookies.get("setzkasten_session")?.value;
   if (!session) return new Response("Unauthorized", { status: 401 });
@@ -44,9 +47,30 @@ var POST = async ({ request, cookies }) => {
     const contentPath = body.contentPath || serverConfig?.storage?.contentPath || "content";
     const { pageKey, pageConfig, sections, edits = [] } = body;
     if (!pageKey || !pageConfig || !Array.isArray(sections)) {
-      return Response.json({ error: "pageKey, pageConfig, and sections are required" }, { status: 400 });
+      return Response.json(
+        { error: "pageKey, pageConfig, and sections are required" },
+        { status: 400 }
+      );
+    }
+    if (!isSafeKey(pageKey)) {
+      return Response.json({ error: "invalid pageKey" }, { status: 400 });
+    }
+    for (const s of sections) {
+      if (!isSafeKey(s?.key)) {
+        return Response.json({ error: `invalid section key: ${s?.key}` }, { status: 400 });
+      }
+    }
+    for (const e of edits) {
+      if (!isSafeKey(e?.key)) {
+        return Response.json({ error: `invalid edit key: ${e?.key}` }, { status: 400 });
+      }
     }
-    const denied = await guardPageAccess(parseSession(cookies.get("setzkasten_session")?.value), pageKey, fullConfig, request);
+    const denied = await guardPageAccess(
+      parseSession(cookies.get("setzkasten_session")?.value),
+      pageKey,
+      fullConfig,
+      request
+    );
     if (denied) return denied;
     const headers = {
       Authorization: `Bearer ${githubToken}`,
@@ -111,8 +135,10 @@ var POST = async ({ request, cookies }) => {
     const repoRoot = serverConfig?.repoRoot;
     if (repoRoot) {
       await Promise.all(
-        files.map((f) => writeFile(join(repoRoot, f.path), f.content, "utf-8").catch(() => {
-        }))
+        files.map(
+          (f) => writeFile(join(repoRoot, f.path), f.content, "utf-8").catch(() => {
+          })
+        )
       );
     }
     const { fireWebhooks } = await import("./_webhook-dispatcher.js");
@@ -171,16 +197,34 @@ async function fetchFileContent(owner, repo, branch, path, token) {
 }
 async function batchCommit(owner, repo, branch, files, message, headers) {
   try {
-    const refRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, { headers });
+    const refRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      { headers }
+    );
     if (!refRes.ok) return { ok: false, error: `Failed to get HEAD: ${refRes.status}` };
-    const { object: { sha: headSha } } = await refRes.json();
-    const commitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`, { headers });
+    const {
+      object: { sha: headSha }
+    } = await refRes.json();
+    const commitRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`,
+      { headers }
+    );
     if (!commitRes.ok) return { ok: false, error: `Failed to get commit: ${commitRes.status}` };
-    const { tree: { sha: baseSha } } = await commitRes.json();
+    const {
+      tree: { sha: baseSha }
+    } = await commitRes.json();
     const treeRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/trees`, {
       method: "POST",
       headers,
-      body: JSON.stringify({ base_tree: baseSha, tree: files.map((f) => ({ path: f.path, mode: "100644", type: "blob", content: f.content })) })
+      body: JSON.stringify({
+        base_tree: baseSha,
+        tree: files.map((f) => ({
+          path: f.path,
+          mode: "100644",
+          type: "blob",
+          content: f.content
+        }))
+      })
     });
     if (!treeRes.ok) return { ok: false, error: `Failed to create tree: ${treeRes.status}` };
     const { sha: treeSha } = await treeRes.json();
@@ -189,13 +233,17 @@ async function batchCommit(owner, repo, branch, files, message, headers) {
       headers,
       body: JSON.stringify({ tree: treeSha, parents: [headSha], message })
     });
-    if (!newCommitRes.ok) return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` };
+    if (!newCommitRes.ok)
+      return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` };
     const { sha: newSha } = await newCommitRes.json();
-    const updateRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, {
-      method: "PATCH",
-      headers,
-      body: JSON.stringify({ sha: newSha })
-    });
+    const updateRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      {
+        method: "PATCH",
+        headers,
+        body: JSON.stringify({ sha: newSha })
+      }
+    );
     if (!updateRes.ok) return { ok: false, error: `Failed to update ref: ${updateRes.status}` };
     return { ok: true, sha: newSha };
   } catch (error) {

package/dist/api-routes/section-delete.js

@@ -4,21 +4,25 @@ import {
 import {
   guardPageAccess,
   parseSession
-} from "../chunk-INIWFKQ3.js";
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
 import {
   resolveStorageConfigForRequest
 } from "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
 import "../chunk-5PIMDP4N.js";
 import "../chunk-45ARVNT3.js";
 import {
   resolveGitHubTokenForRequest
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
 import "../chunk-TJNJKPUL.js";
 import {
   withTrailers
 } from "../chunk-KH22FJO5.js";
 
 // src/api-routes/section-delete.ts
+import { isSafeKey } from "@setzkasten-cms/core";
 var DELETE = async ({ request, cookies }) => {
   const session = cookies.get("setzkasten_session")?.value;
   if (!session) return new Response("Unauthorized", { status: 401 });
@@ -39,7 +43,18 @@ var DELETE = async ({ request, cookies }) => {
     if (!pageKey || !sectionKey) {
       return Response.json({ error: "pageKey and sectionKey are required" }, { status: 400 });
     }
-    const denied = await guardPageAccess(parseSession(cookies.get("setzkasten_session")?.value), pageKey, fullConfig, request);
+    if (!isSafeKey(pageKey)) {
+      return Response.json({ error: "invalid pageKey" }, { status: 400 });
+    }
+    if (!isSafeKey(sectionKey)) {
+      return Response.json({ error: "invalid sectionKey" }, { status: 400 });
+    }
+    const denied = await guardPageAccess(
+      parseSession(cookies.get("setzkasten_session")?.value),
+      pageKey,
+      fullConfig,
+      request
+    );
     if (denied) return denied;
     const headers = {
       Authorization: `Bearer ${githubToken}`,
@@ -98,7 +113,13 @@ async function fetchFileContent(owner, repo, branch, path, token) {
   try {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28" } }
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: "application/vnd.github+json",
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      }
     );
     if (!res.ok) return null;
     const data = await res.json();
@@ -109,12 +130,22 @@ async function fetchFileContent(owner, repo, branch, path, token) {
 }
 async function batchCommitWithDeletions(owner, repo, branch, upserts, deletions, message, headers) {
   try {
-    const refRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, { headers });
+    const refRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      { headers }
+    );
     if (!refRes.ok) return { ok: false, error: `Failed to get HEAD: ${refRes.status}` };
-    const { object: { sha: headSha } } = await refRes.json();
-    const commitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`, { headers });
+    const {
+      object: { sha: headSha }
+    } = await refRes.json();
+    const commitRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`,
+      { headers }
+    );
     if (!commitRes.ok) return { ok: false, error: `Failed to get commit: ${commitRes.status}` };
-    const { tree: { sha: baseSha } } = await commitRes.json();
+    const {
+      tree: { sha: baseSha }
+    } = await commitRes.json();
     const tree = [
       ...upserts.map((f) => ({ path: f.path, mode: "100644", type: "blob", content: f.content })),
       ...deletions.map((path) => ({ path, mode: "100644", type: "blob", sha: null }))
@@ -131,13 +162,17 @@ async function batchCommitWithDeletions(owner, repo, branch, upserts, deletions,
       headers,
       body: JSON.stringify({ tree: treeSha, parents: [headSha], message })
     });
-    if (!newCommitRes.ok) return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` };
+    if (!newCommitRes.ok)
+      return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` };
     const { sha: newSha } = await newCommitRes.json();
-    const updateRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, {
-      method: "PATCH",
-      headers,
-      body: JSON.stringify({ sha: newSha })
-    });
+    const updateRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      {
+        method: "PATCH",
+        headers,
+        body: JSON.stringify({ sha: newSha })
+      }
+    );
     if (!updateRes.ok) return { ok: false, error: `Failed to update ref: ${updateRes.status}` };
     return { ok: true, sha: newSha };
   } catch (error) {

package/dist/api-routes/section-duplicate.js

@@ -5,21 +5,25 @@ import {
 import {
   guardPageAccess,
   parseSession
-} from "../chunk-INIWFKQ3.js";
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
 import {
   resolveStorageConfigForRequest
 } from "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
 import "../chunk-5PIMDP4N.js";
 import "../chunk-45ARVNT3.js";
 import {
   resolveGitHubTokenForRequest
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
 import "../chunk-TJNJKPUL.js";
 import {
   withTrailers
 } from "../chunk-KH22FJO5.js";
 
 // src/api-routes/section-duplicate.ts
+import { isSafeKey } from "@setzkasten-cms/core";
 var POST = async ({ request, cookies }) => {
   const session = cookies.get("setzkasten_session")?.value;
   if (!session) return new Response("Unauthorized", { status: 401 });
@@ -40,7 +44,18 @@ var POST = async ({ request, cookies }) => {
     if (!pageKey || !sectionKey) {
       return Response.json({ error: "pageKey and sectionKey are required" }, { status: 400 });
     }
-    const denied = await guardPageAccess(parseSession(cookies.get("setzkasten_session")?.value), pageKey, fullConfig, request);
+    if (!isSafeKey(pageKey)) {
+      return Response.json({ error: "invalid pageKey" }, { status: 400 });
+    }
+    if (!isSafeKey(sectionKey)) {
+      return Response.json({ error: "invalid sectionKey" }, { status: 400 });
+    }
+    const denied = await guardPageAccess(
+      parseSession(cookies.get("setzkasten_session")?.value),
+      pageKey,
+      fullConfig,
+      request
+    );
     if (denied) return denied;
     const headers = {
       Authorization: `Bearer ${githubToken}`,
@@ -56,7 +71,13 @@ var POST = async ({ request, cookies }) => {
     const existingKeys = (pageConfig.sections ?? []).map((s) => s.key);
     const newKey = generateDuplicateKey(existingKeys, sectionKey);
     const originalJsonPath = `${contentPath}/_sections/${sectionKey}.json`;
-    const originalContent = await fetchFileContent(owner, repo, branch, originalJsonPath, githubToken);
+    const originalContent = await fetchFileContent(
+      owner,
+      repo,
+      branch,
+      originalJsonPath,
+      githubToken
+    );
     const updatedConfig = duplicateInPageConfig(pageConfig, sectionKey, newKey);
     const filesToCommit = [
       { path: pageConfigPath, content: JSON.stringify(updatedConfig, null, 2) }
@@ -96,7 +117,13 @@ async function fetchFileContent(owner, repo, branch, path, token) {
   try {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28" } }
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: "application/vnd.github+json",
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      }
     );
     if (!res.ok) return null;
     const data = await res.json();
@@ -107,16 +134,34 @@ async function fetchFileContent(owner, repo, branch, path, token) {
 }
 async function batchCommit(owner, repo, branch, files, message, headers) {
   try {
-    const refRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, { headers });
+    const refRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      { headers }
+    );
     if (!refRes.ok) return { ok: false, error: `Failed to get HEAD: ${refRes.status}` };
-    const { object: { sha: headSha } } = await refRes.json();
-    const commitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`, { headers });
+    const {
+      object: { sha: headSha }
+    } = await refRes.json();
+    const commitRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`,
+      { headers }
+    );
     if (!commitRes.ok) return { ok: false, error: `Failed to get commit: ${commitRes.status}` };
-    const { tree: { sha: baseSha } } = await commitRes.json();
+    const {
+      tree: { sha: baseSha }
+    } = await commitRes.json();
     const treeRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/trees`, {
       method: "POST",
       headers,
-      body: JSON.stringify({ base_tree: baseSha, tree: files.map((f) => ({ path: f.path, mode: "100644", type: "blob", content: f.content })) })
+      body: JSON.stringify({
+        base_tree: baseSha,
+        tree: files.map((f) => ({
+          path: f.path,
+          mode: "100644",
+          type: "blob",
+          content: f.content
+        }))
+      })
     });
     if (!treeRes.ok) return { ok: false, error: `Failed to create tree: ${treeRes.status}` };
     const { sha: treeSha } = await treeRes.json();
@@ -125,13 +170,17 @@ async function batchCommit(owner, repo, branch, files, message, headers) {
       headers,
       body: JSON.stringify({ tree: treeSha, parents: [headSha], message })
     });
-    if (!newCommitRes.ok) return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` };
+    if (!newCommitRes.ok)
+      return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` };
     const { sha: newSha } = await newCommitRes.json();
-    const updateRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, {
-      method: "PATCH",
-      headers,
-      body: JSON.stringify({ sha: newSha })
-    });
+    const updateRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      {
+        method: "PATCH",
+        headers,
+        body: JSON.stringify({ sha: newSha })
+      }
+    );
     if (!updateRes.ok) return { ok: false, error: `Failed to update ref: ${updateRes.status}` };
     return { ok: true, sha: newSha };
   } catch (error) {

package/dist/api-routes/section-prepare-copy.js

@@ -7,9 +7,10 @@ import {
 } from "../chunk-6UIKVKED.js";
 import {
   resolveGitHubTokenForRequest
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
 
 // src/api-routes/section-prepare-copy.ts
+import { isSafeKey } from "@setzkasten-cms/core";
 var POST = async ({ request, cookies }) => {
   const session = cookies.get("setzkasten_session")?.value;
   if (!session) return new Response("Unauthorized", { status: 401 });
@@ -29,6 +30,12 @@ var POST = async ({ request, cookies }) => {
     if (!pageKey || !sectionKey) {
       return Response.json({ error: "pageKey and sectionKey are required" }, { status: 400 });
     }
+    if (!isSafeKey(pageKey)) {
+      return Response.json({ error: "invalid pageKey" }, { status: 400 });
+    }
+    if (!isSafeKey(sectionKey)) {
+      return Response.json({ error: "invalid sectionKey" }, { status: 400 });
+    }
     const configKey = "_" + pageKey.replace(/\//g, "_");
     const pageConfigPath = `${contentPath}/pages/${configKey}.json`;
     const pageConfigRaw = await fetchFileContent(owner, repo, branch, pageConfigPath, githubToken);
@@ -55,7 +62,13 @@ async function fetchFileContent(owner, repo, branch, path, token) {
   try {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28" } }
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: "application/vnd.github+json",
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      }
     );
     if (!res.ok) return null;
     const data = await res.json();

package/dist/api-routes/section-prepare.js

@@ -4,19 +4,23 @@ import {
 import {
   guardPageAccess,
   parseSession
-} from "../chunk-INIWFKQ3.js";
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
 import {
   resolveStorageConfigForRequest
 } from "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
 import "../chunk-5PIMDP4N.js";
 import "../chunk-45ARVNT3.js";
 import {
   resolveGitHubTokenForRequest
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
 import "../chunk-TJNJKPUL.js";
 import "../chunk-KH22FJO5.js";
 
 // src/api-routes/section-prepare.ts
+import { isSafeKey } from "@setzkasten-cms/core";
 var POST = async ({ request, cookies }) => {
   const session = cookies.get("setzkasten_session")?.value;
   if (!session) return new Response("Unauthorized", { status: 401 });
@@ -37,7 +41,18 @@ var POST = async ({ request, cookies }) => {
     if (!pageKey || !sectionType) {
       return Response.json({ error: "pageKey and sectionType are required" }, { status: 400 });
     }
-    const denied = await guardPageAccess(parseSession(cookies.get("setzkasten_session")?.value), pageKey, fullConfig, request);
+    if (!isSafeKey(pageKey)) {
+      return Response.json({ error: "invalid pageKey" }, { status: 400 });
+    }
+    if (!isSafeKey(sectionType)) {
+      return Response.json({ error: "invalid sectionType" }, { status: 400 });
+    }
+    const denied = await guardPageAccess(
+      parseSession(cookies.get("setzkasten_session")?.value),
+      pageKey,
+      fullConfig,
+      request
+    );
     if (denied) return denied;
     const configKey = "_" + pageKey.replace(/\//g, "_");
     const pageConfigPath = `${contentPath}/pages/${configKey}.json`;
@@ -90,7 +105,13 @@ async function fetchFileContent(owner, repo, branch, path, token) {
   try {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28" } }
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: "application/vnd.github+json",
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      }
     );
     if (!res.ok) return null;
     const data = await res.json();

package/dist/api-routes/setup-github-app-bounce.js

@@ -1,9 +1,23 @@
 import {
   getPublicOrigin
 } from "../chunk-5ZFTG4BW.js";
+import {
+  requireAdmin
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
+import "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import "../chunk-DP6RTINQ.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
 
 // src/api-routes/setup-github-app-bounce.ts
-var GET = async ({ url, request }) => {
+var GET = async ({ url, request, cookies }) => {
+  const denied = requireAdmin(cookies.get("setzkasten_session")?.value);
+  if (denied) return denied;
   const name = url.searchParams.get("name")?.trim() || "Setzkasten CMS";
   const origin = getPublicOrigin(request);
   const manifest = JSON.stringify({

package/dist/api-routes/setup-github-app-branches.js

@@ -1,10 +1,13 @@
 import {
   requireAdmin
-} from "../chunk-INIWFKQ3.js";
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
 import "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
 import "../chunk-5PIMDP4N.js";
 import "../chunk-45ARVNT3.js";
-import "../chunk-NKDATSPA.js";
+import "../chunk-DP6RTINQ.js";
 import "../chunk-TJNJKPUL.js";
 import "../chunk-KH22FJO5.js";
 
@@ -33,10 +36,10 @@ var GET = async ({ cookies, url }) => {
   }
   const slash = repoFull.indexOf("/");
   if (slash <= 0 || slash === repoFull.length - 1) {
-    return new Response(
-      JSON.stringify({ error: '?repo must be in "owner/name" format.' }),
-      { status: 400, headers: { "Content-Type": "application/json" } }
-    );
+    return new Response(JSON.stringify({ error: '?repo must be in "owner/name" format.' }), {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    });
   }
   const owner = repoFull.slice(0, slash);
   const repo = repoFull.slice(slash + 1);

package/dist/api-routes/setup-github-app-callback.js

@@ -1,11 +1,25 @@
 import {
   getPublicOrigin
 } from "../chunk-5ZFTG4BW.js";
+import {
+  requireAdmin
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
+import "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import "../chunk-DP6RTINQ.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
 
 // src/api-routes/setup-github-app-callback.ts
 var COOKIE_NAME = "sk_app_setup";
 var COOKIE_MAX_AGE = 600;
 var GET = async ({ url, request, cookies }) => {
+  const denied = requireAdmin(cookies.get("setzkasten_session")?.value);
+  if (denied) return denied;
   const config = globalThis.__SETZKASTEN_CONFIG__;
   const adminPath = config?.adminPath ?? "/admin";
   const adminUrl = new URL(adminPath, getPublicOrigin(request));
@@ -36,7 +50,16 @@ var GET = async ({ url, request, cookies }) => {
       clientId: data.client_id,
       clientSecret: data.client_secret
     }),
-    { httpOnly: false, sameSite: "lax", maxAge: COOKIE_MAX_AGE, path: "/" }
+    // httpOnly:true — pre-fix this was readable to any JS on origin (XSS,
+    // extensions). The SPA now reads via /api/setzkasten/setup/github-app/
+    // credentials (server reads the cookie, returns values).
+    {
+      httpOnly: true,
+      secure: import.meta.env.PROD,
+      sameSite: "lax",
+      maxAge: COOKIE_MAX_AGE,
+      path: "/"
+    }
   );
   return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } });
 };

package/dist/api-routes/setup-github-app-credentials.d.ts

@@ -0,0 +1,27 @@
+import { APIRoute } from 'astro';
+
+/**
+ * GET /api/setzkasten/setup/github-app/credentials
+ *
+ * Returns the freshly-minted GitHub App credentials so the admin SPA can
+ * display them (env-var copy step of the wizard). Pre-C6 the SPA read
+ * these directly from `document.cookie`, which required the cookie to
+ * be `httpOnly: false` — exposing the App private key to any JS on the
+ * origin (XSS, extensions, embedded widgets). Now the cookie is
+ * httpOnly and only this admin-gated endpoint can read it.
+ *
+ * The cookie itself stays for the wizard's full lifetime (10 min); this
+ * endpoint just makes the contents available without exposing them via
+ * the document.
+ */
+declare const GET: APIRoute;
+/**
+ * DELETE /api/setzkasten/setup/github-app/credentials
+ *
+ * Clears the setup cookie once the admin has copied the env vars and
+ * confirmed the deploy. Removes the credentials from the wire as soon
+ * as they're no longer needed.
+ */
+declare const DELETE: APIRoute;
+
+export { DELETE, GET };