@setzkasten-cms/astro 0.4.2

package/LICENSE

@@ -0,0 +1,37 @@
+Setzkasten Community License
+
+Copyright (c) 2026 Lilapixel
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to use,
+copy, modify, merge, publish, and distribute the Software, subject to the
+following conditions:
+
+1. The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+2. The Software may not be used for commercial purposes without a separate
+   commercial license from the copyright holder. "Commercial purposes" means
+   any use of the Software that is primarily intended for or directed toward
+   commercial advantage or monetary compensation. This includes, but is not
+   limited to:
+   - Using the Software to manage content for a commercial website or product
+   - Offering the Software as part of a paid service
+   - Using the Software within a for-profit organization
+
+3. Non-commercial use is permitted without restriction. This includes:
+   - Personal projects
+   - Open source projects
+   - Educational and academic use
+   - Non-profit organizations
+
+4. A commercial license ("Enterprise License") may be obtained by contacting
+   Lilapixel at hello@lilapixel.de.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "@setzkasten-cms/astro",
+  "version": "0.4.2",
+  "type": "module",
+  "exports": {
+    ".": "./src/index.ts",
+    "./auth-login": "./src/api-routes/auth-login.ts",
+    "./auth-callback": "./src/api-routes/auth-callback.ts",
+    "./auth-logout": "./src/api-routes/auth-logout.ts",
+    "./auth-session": "./src/api-routes/auth-session.ts",
+    "./github-proxy": "./src/api-routes/github-proxy.ts",
+    "./asset-proxy": "./src/api-routes/asset-proxy.ts",
+    "./draft": "./src/api-routes/draft.ts",
+    "./preview-middleware": "./src/preview-middleware.ts",
+    "./config": "./src/api-routes/config.ts",
+    "./pages": "./src/api-routes/pages.ts",
+    "./admin-page": "./src/admin-page.astro"
+  },
+  "dependencies": {
+    "@setzkasten-cms/core": "0.4.2",
+    "@setzkasten-cms/ui": "0.4.2",
+    "@setzkasten-cms/github-adapter": "0.4.2",
+    "@setzkasten-cms/auth": "0.4.2"
+  },
+  "peerDependencies": {
+    "astro": "^5.0.0",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0"
+  },
+  "scripts": {
+    "typecheck": "tsc --noEmit"
+  }
+}

package/src/admin-page.astro

@@ -0,0 +1,146 @@
+---
+/**
+ * Admin SPA shell – served at /admin/[...path]
+ * Mounts the React-based AdminApp as a client-side SPA.
+ */
+---
+
+<!doctype html>
+<html lang="de">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="robots" content="noindex, nofollow" />
+    <title>Setzkasten Admin</title>
+    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
+    <link rel="preconnect" href="https://fonts.googleapis.com" />
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
+    <link href="https://fonts.googleapis.com/css2?family=DM+Sans:ital,opsz,wght@0,9..40,400;0,9..40,500;0,9..40,600;0,9..40,700;0,9..40,800;1,9..40,400&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet" />
+    <style>
+      * { box-sizing: border-box; margin: 0; padding: 0; }
+      body {
+        font-family: 'DM Sans', system-ui, sans-serif;
+        color: #1a1a2e;
+        background: #faf9f7;
+        -webkit-font-smoothing: antialiased;
+      }
+      .sk-boot-loading {
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        min-height: 100vh;
+        flex-direction: column;
+        gap: 16px;
+      }
+      .sk-boot-spinner {
+        width: 32px;
+        height: 32px;
+        border: 3px solid #e2ddd7;
+        border-top-color: #c45d3e;
+        border-radius: 50%;
+        animation: sk-boot-spin 0.8s linear infinite;
+      }
+      @keyframes sk-boot-spin {
+        to { transform: rotate(360deg); }
+      }
+    </style>
+  </head>
+
+  <body>
+    <div id="setzkasten-admin">
+      <div class="sk-boot-loading">
+        <div class="sk-boot-spinner"></div>
+        <div style="font-size: 14px; color: #64748b;">Lade Setzkasten...</div>
+      </div>
+    </div>
+
+    <script>
+      import { createElement } from 'react'
+      import { createRoot } from 'react-dom/client'
+      import { SetzKastenProvider, AdminApp, ProxyContentRepository, ProxyAssetStore } from '@setzkasten-cms/ui'
+      import '@setzkasten-cms/ui/styles/admin.css'
+
+      async function boot() {
+        const root = document.getElementById('setzkasten-admin')
+        if (!root) return
+
+        try {
+          const injected = (globalThis as any).__SETZKASTEN_CONFIG__ ?? {}
+
+          const providers: Array<'github' | 'google'> = []
+          if (injected.hasGitHub) providers.push('github')
+          if (injected.hasGoogle) providers.push('google')
+          if (providers.length === 0) providers.push('github')
+
+          // Fetch the full user config from server
+          let userConfig: any = null
+          try {
+            const res = await fetch('/api/setzkasten/config')
+            if (res.ok) userConfig = await res.json()
+          } catch {}
+
+          const skConfig = userConfig ?? {
+            storage: { kind: 'github' as const },
+            auth: { providers },
+            theme: {},
+            products: {},
+            collections: {},
+          }
+
+          // Storage params come from the config API (server-injected via SSR)
+          const storage = userConfig?._storage ?? injected.storage ?? {}
+          const owner = storage.owner ?? ''
+          const repo = storage.repo ?? ''
+          const branch = storage.branch ?? 'main'
+          const contentPath = storage.contentPath ?? 'content'
+
+          const repository = new ProxyContentRepository({
+            proxyBaseUrl: '/api/setzkasten/github',
+            owner,
+            repo,
+            branch,
+            contentPath,
+          })
+
+          const assetsPath = storage.assetsPath ?? 'public/images'
+          const assets = new ProxyAssetStore({
+            proxyBaseUrl: '/api/setzkasten/github',
+            owner,
+            repo,
+            branch,
+            assetsPath,
+            publicUrlPrefix: '/images',
+          })
+
+          const auth = {
+            async login() { window.location.href = '/api/setzkasten/auth/login?provider=github' },
+            async logout() { window.location.href = '/api/setzkasten/auth/logout' },
+            async getSession() {
+              const res = await fetch('/api/setzkasten/auth/session')
+              return res.json()
+            },
+          }
+
+          const reactRoot = createRoot(root)
+          reactRoot.render(
+            createElement(
+              SetzKastenProvider,
+              { config: skConfig, repository, auth, assets },
+              createElement(AdminApp)
+            )
+          )
+        } catch (error) {
+          console.error('[setzkasten] Boot failed:', error)
+          root.innerHTML = `
+            <div style="display:flex;align-items:center;justify-content:center;min-height:100vh;flex-direction:column;gap:16px;">
+              <p style="color:#ef4444;font-size:14px;">Fehler beim Laden des Admin-Panels.</p>
+              <a href="/" style="color:#64748b;font-size:13px;">Zur Startseite</a>
+            </div>
+          `
+        }
+      }
+
+      boot()
+    </script>
+  </body>
+</html>

package/src/api-routes/asset-proxy.ts

@@ -0,0 +1,76 @@
+import type { APIRoute } from 'astro'
+
+/**
+ * Asset proxy – serves images from the private GitHub repo.
+ * Used by the admin UI to display image thumbnails without exposing the GitHub token.
+ *
+ * GET /api/setzkasten/asset/public/images/about/LP_Logo.png
+ * → fetches from GitHub API and returns the raw binary with correct Content-Type.
+ */
+export const GET: APIRoute = async ({ params, cookies }) => {
+  const session = cookies.get('setzkasten_session')?.value
+  if (!session) {
+    return new Response('Unauthorized', { status: 401 })
+  }
+
+  const assetPath = params.path
+  if (!assetPath) {
+    return new Response('Missing path', { status: 400 })
+  }
+
+  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
+  if (!githubToken) {
+    return new Response('GitHub token not configured', { status: 500 })
+  }
+
+  const config = (globalThis as any).__SETZKASTEN_CONFIG__
+  if (!config?.storage) {
+    return new Response('Storage not configured', { status: 500 })
+  }
+
+  const { owner, repo, branch } = config.storage
+  const githubUrl = `https://api.github.com/repos/${owner}/${repo}/contents/${assetPath}?ref=${branch}`
+
+  try {
+    const response = await fetch(githubUrl, {
+      headers: {
+        Authorization: `Bearer ${githubToken}`,
+        Accept: 'application/vnd.github.raw+json',
+        'X-GitHub-Api-Version': '2022-11-28',
+      },
+    })
+
+    if (!response.ok) {
+      return new Response('Asset not found', { status: response.status })
+    }
+
+    const contentType = guessMimeType(assetPath)
+    const body = await response.arrayBuffer()
+
+    return new Response(body, {
+      status: 200,
+      headers: {
+        'Content-Type': contentType,
+        'Cache-Control': 'private, max-age=300',
+      },
+    })
+  } catch (error) {
+    console.error('[setzkasten] Asset proxy error:', error)
+    return new Response('Failed to fetch asset', { status: 502 })
+  }
+}
+
+function guessMimeType(path: string): string {
+  const ext = path.split('.').pop()?.toLowerCase()
+  const types: Record<string, string> = {
+    jpg: 'image/jpeg',
+    jpeg: 'image/jpeg',
+    png: 'image/png',
+    gif: 'image/gif',
+    webp: 'image/webp',
+    avif: 'image/avif',
+    svg: 'image/svg+xml',
+    pdf: 'application/pdf',
+  }
+  return types[ext ?? ''] ?? 'application/octet-stream'
+}

package/src/api-routes/auth-callback.ts

@@ -0,0 +1,105 @@
+import type { APIRoute } from 'astro'
+import { createGitHubAuth } from '@setzkasten-cms/auth'
+import { createGoogleAuth } from '@setzkasten-cms/auth'
+
+/**
+ * OAuth callback handler.
+ * Receives the authorization code from GitHub/Google, exchanges it for a
+ * session via the auth adapter, and sets a signed session cookie.
+ */
+export const GET: APIRoute = async ({ request, url, cookies, redirect }) => {
+  const code = url.searchParams.get('code')
+  const state = url.searchParams.get('state')
+
+  if (!code) {
+    return new Response('Missing authorization code', { status: 400 })
+  }
+
+  // Parse stored state (may contain provider info)
+  const storedRaw = cookies.get('setzkasten_oauth_state')?.value
+  let storedState: string | undefined
+  let provider = 'github'
+  if (storedRaw) {
+    try {
+      const parsed = JSON.parse(storedRaw)
+      storedState = parsed.state
+      provider = parsed.provider ?? 'github'
+    } catch {
+      storedState = storedRaw
+    }
+  }
+
+  // CSRF: verify state matches stored state
+  if (state && storedState && state !== storedState) {
+    return new Response('Invalid state parameter', { status: 400 })
+  }
+
+  // Clear the state cookie
+  cookies.delete('setzkasten_oauth_state', { path: '/' })
+
+  const config = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
+    | { adminPath: string }
+    | undefined
+
+  const adminPath = config?.adminPath ?? '/admin'
+
+  // On Vercel, url.origin may resolve to localhost. Use the Host header instead.
+  const host = request.headers.get('x-forwarded-host') ?? request.headers.get('host') ?? url.host
+  const protocol = request.headers.get('x-forwarded-proto') ?? (url.protocol === 'https:' ? 'https' : 'http')
+  const origin = `${protocol}://${host}`
+  const redirectUri = `${origin}/api/setzkasten/auth/callback`
+
+  // Read allowed emails from env (comma-separated)
+  const allowedEmailsRaw = import.meta.env.SETZKASTEN_ALLOWED_EMAILS ?? process.env.SETZKASTEN_ALLOWED_EMAILS ?? ''
+  const allowedEmails = allowedEmailsRaw
+    ? allowedEmailsRaw.split(',').map((e: string) => e.trim())
+    : undefined
+
+  try {
+    let sessionResult
+
+    if (provider === 'google') {
+      const auth = createGoogleAuth({
+        clientId: import.meta.env.GOOGLE_CLIENT_ID ?? process.env.GOOGLE_CLIENT_ID ?? '',
+        clientSecret: import.meta.env.GOOGLE_CLIENT_SECRET ?? process.env.GOOGLE_CLIENT_SECRET ?? '',
+        redirectUri,
+        allowedEmails,
+      })
+      sessionResult = await auth.handleCallback(code, 'google')
+    } else {
+      const auth = createGitHubAuth({
+        clientId: import.meta.env.GITHUB_CLIENT_ID ?? process.env.GITHUB_CLIENT_ID ?? '',
+        clientSecret: import.meta.env.GITHUB_CLIENT_SECRET ?? process.env.GITHUB_CLIENT_SECRET ?? '',
+        redirectUri,
+        allowedEmails,
+      })
+      sessionResult = await auth.handleCallback(code, 'github')
+    }
+
+    if (!sessionResult.ok) {
+      console.error('[setzkasten] Auth failed:', sessionResult.error.message)
+      return new Response(`Authentication failed: ${sessionResult.error.message}`, { status: 403 })
+    }
+
+    const session = sessionResult.value
+
+    // Set session cookie with user info (HMAC-signed in production)
+    const sessionPayload = JSON.stringify({
+      user: session.user,
+      expiresAt: session.expiresAt,
+    })
+
+    cookies.set('setzkasten_session', sessionPayload, {
+      httpOnly: true,
+      secure: import.meta.env.PROD,
+      sameSite: 'lax',
+      path: '/',
+      maxAge: 60 * 60 * 24 * 7, // 7 days
+    })
+
+    return redirect(adminPath)
+  } catch (error) {
+    console.error('[setzkasten] Auth callback error:', error)
+    return new Response('Authentication failed', { status: 500 })
+  }
+}

package/src/api-routes/auth-login.ts

@@ -0,0 +1,87 @@
+import type { APIRoute } from 'astro'
+import { createGitHubAuth } from '@setzkasten-cms/auth'
+import { createGoogleAuth } from '@setzkasten-cms/auth'
+
+/**
+ * Login initiation – redirects the user to the chosen OAuth provider.
+ *
+ * GET /api/setzkasten/auth/login?provider=github|google
+ */
+export const GET: APIRoute = async ({ request, url, cookies, redirect }) => {
+  const provider = url.searchParams.get('provider') ?? 'github'
+
+  const config = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
+    | { adminPath: string; hasGitHub: boolean; hasGoogle: boolean }
+    | undefined
+
+  const adminPath = config?.adminPath ?? '/admin'
+
+  // On Vercel, url.origin may resolve to localhost. Use the Host header instead.
+  const host = request.headers.get('x-forwarded-host') ?? request.headers.get('host') ?? url.host
+  const protocol = request.headers.get('x-forwarded-proto') ?? (url.protocol === 'https:' ? 'https' : 'http')
+  const origin = `${protocol}://${host}`
+  const redirectUri = `${origin}/api/setzkasten/auth/callback`
+
+  let loginUrl: string
+
+  if (provider === 'google') {
+    const googleClientId = import.meta.env.GOOGLE_CLIENT_ID ?? process.env.GOOGLE_CLIENT_ID ?? ''
+    const googleClientSecret = import.meta.env.GOOGLE_CLIENT_SECRET ?? process.env.GOOGLE_CLIENT_SECRET ?? ''
+
+    if (!googleClientId || !googleClientSecret) {
+      return new Response('Google OAuth not configured', { status: 500 })
+    }
+
+    const auth = createGoogleAuth({
+      clientId: googleClientId,
+      clientSecret: googleClientSecret,
+      redirectUri,
+    })
+
+    loginUrl = auth.getLoginUrl('google')
+
+    // Store the PKCE code verifier in a cookie for the callback
+    // Arctic generates it internally – we extract it from the URL
+    const urlObj = new URL(loginUrl)
+    const state = urlObj.searchParams.get('state')
+    if (state) {
+      cookies.set('setzkasten_oauth_state', JSON.stringify({ state, provider: 'google' }), {
+        httpOnly: true,
+        secure: true,
+        sameSite: 'lax',
+        path: '/',
+        maxAge: 600, // 10 min
+      })
+    }
+  } else {
+    // Default: GitHub
+    const ghClientId = import.meta.env.GITHUB_CLIENT_ID ?? process.env.GITHUB_CLIENT_ID ?? ''
+    const ghClientSecret = import.meta.env.GITHUB_CLIENT_SECRET ?? process.env.GITHUB_CLIENT_SECRET ?? ''
+
+    if (!ghClientId || !ghClientSecret) {
+      return new Response('GitHub OAuth not configured', { status: 500 })
+    }
+
+    const auth = createGitHubAuth({
+      clientId: ghClientId,
+      clientSecret: ghClientSecret,
+      redirectUri,
+    })
+
+    loginUrl = auth.getLoginUrl('github')
+
+    const urlObj = new URL(loginUrl)
+    const state = urlObj.searchParams.get('state')
+    if (state) {
+      cookies.set('setzkasten_oauth_state', JSON.stringify({ state, provider: 'github' }), {
+        httpOnly: true,
+        secure: true,
+        sameSite: 'lax',
+        path: '/',
+        maxAge: 600,
+      })
+    }
+  }
+
+  return redirect(loginUrl)
+}

package/src/api-routes/auth-logout.ts

@@ -0,0 +1,9 @@
+import type { APIRoute } from 'astro'
+
+/**
+ * Logout – clears the session cookie and redirects to home.
+ */
+export const GET: APIRoute = async ({ cookies, redirect }) => {
+  cookies.delete('setzkasten_session', { path: '/' })
+  return redirect('/')
+}

package/src/api-routes/auth-session.ts

@@ -0,0 +1,36 @@
+import type { APIRoute } from 'astro'
+
+/**
+ * Session check – returns current user info or 401.
+ * Used by the admin SPA to check if the user is logged in.
+ */
+export const GET: APIRoute = async ({ cookies }) => {
+  const session = cookies.get('setzkasten_session')?.value
+  if (!session) {
+    return new Response(JSON.stringify({ authenticated: false }), {
+      status: 401,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  }
+
+  try {
+    const parsed = JSON.parse(session) as { user: unknown; expiresAt: number }
+
+    if (parsed.expiresAt < Date.now()) {
+      cookies.delete('setzkasten_session', { path: '/' })
+      return new Response(JSON.stringify({ authenticated: false, reason: 'expired' }), {
+        status: 401,
+        headers: { 'Content-Type': 'application/json' },
+      })
+    }
+
+    return new Response(JSON.stringify({ authenticated: true, user: parsed.user }), {
+      headers: { 'Content-Type': 'application/json' },
+    })
+  } catch {
+    return new Response(JSON.stringify({ authenticated: false }), {
+      status: 401,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  }
+}

package/src/api-routes/config.ts

@@ -0,0 +1,30 @@
+import type { APIRoute } from 'astro'
+
+/**
+ * Returns the full SetzKastenConfig as JSON.
+ * The config is injected into globalThis by the integration at build time.
+ *
+ * GET /api/setzkasten/config
+ */
+export const GET: APIRoute = async () => {
+  const config = (globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ ?? {}
+  const ssrConfig = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as Record<string, unknown> | undefined
+
+  const result = {
+    storage: { kind: 'github' },
+    auth: { providers: ['github'] },
+    theme: {},
+    products: {},
+    collections: {},
+    ...config,
+    // Include storage params so the client can create ProxyContentRepository
+    _storage: ssrConfig?.storage ?? undefined,
+    _hasGitHub: ssrConfig?.hasGitHub ?? false,
+    _hasGoogle: ssrConfig?.hasGoogle ?? false,
+  }
+
+  return new Response(JSON.stringify(result), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' },
+  })
+}

package/src/api-routes/draft.ts

@@ -0,0 +1,61 @@
+import type { APIRoute } from 'astro'
+import { setDraft, clearDraft } from '../draft-store'
+
+/**
+ * Draft content API for Live SSR Preview.
+ *
+ * POST /api/setzkasten/draft
+ *   Body: { section: string, values: Record<string, unknown> }
+ *   Stores draft section content for the current session.
+ *
+ * DELETE /api/setzkasten/draft
+ *   Body: { section?: string }
+ *   Clears draft(s) for the current session.
+ */
+export const POST: APIRoute = async ({ request, cookies }) => {
+  const session = cookies.get('setzkasten_session')?.value
+  if (!session) {
+    return new Response('Unauthorized', { status: 401 })
+  }
+
+  try {
+    const body = (await request.json()) as {
+      section: string
+      values: Record<string, unknown>
+    }
+
+    if (!body.section || typeof body.values !== 'object') {
+      return new Response('Bad Request: section and values required', { status: 400 })
+    }
+
+    setDraft(session, body.section, body.values)
+
+    return new Response(JSON.stringify({ ok: true }), {
+      status: 200,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  } catch (error) {
+    console.error('[setzkasten] Draft API error:', error)
+    return new Response('Internal error', { status: 500 })
+  }
+}
+
+export const DELETE: APIRoute = async ({ request, cookies }) => {
+  const session = cookies.get('setzkasten_session')?.value
+  if (!session) {
+    return new Response('Unauthorized', { status: 401 })
+  }
+
+  try {
+    const body = (await request.json().catch(() => ({}))) as { section?: string }
+    clearDraft(session, body.section)
+
+    return new Response(JSON.stringify({ ok: true }), {
+      status: 200,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  } catch (error) {
+    console.error('[setzkasten] Draft clear error:', error)
+    return new Response('Internal error', { status: 500 })
+  }
+}