@structcms/api 0.1.0 → 0.1.1

package/dist/index.js

@@ -215,6 +215,12 @@ var SANITIZE_OPTIONS = {
 function sanitizeString(value) {
   return sanitizeHtml(value, SANITIZE_OPTIONS);
 }
+function stripTags(value) {
+  return sanitizeHtml(value, {
+    allowedTags: [],
+    allowedAttributes: {}
+  });
+}
 function sanitizeValue(value) {
   if (typeof value === "string") {
     return sanitizeString(value);
@@ -281,10 +287,11 @@ var StorageValidationError = class extends Error {
   }
 };
 async function handleCreatePage(adapter, input) {
-  if (!input.title.trim()) {
+  const sanitizedTitle = stripTags(input.title).trim();
+  if (!sanitizedTitle) {
     throw new StorageValidationError("Page title must not be empty", "EMPTY_TITLE");
   }
-  const slug = input.slug?.trim() || generateSlug(input.title);
+  const slug = input.slug?.trim() || generateSlug(sanitizedTitle);
   if (!slug) {
     throw new StorageValidationError(
       "Could not generate a valid slug from the provided title",
@@ -297,6 +304,7 @@ async function handleCreatePage(adapter, input) {
   const sanitizedSections = input.sections ? sanitizeSectionData(input.sections) : void 0;
   return adapter.createPage({
     ...input,
+    title: sanitizedTitle,
     slug: uniqueSlug,
     sections: sanitizedSections
   });
@@ -305,8 +313,12 @@ async function handleUpdatePage(adapter, input) {
   if (!input.id.trim()) {
     throw new StorageValidationError("Page ID must not be empty", "EMPTY_ID");
   }
-  if (input.title !== void 0 && !input.title.trim()) {
-    throw new StorageValidationError("Page title must not be empty", "EMPTY_TITLE");
+  let sanitizedTitle;
+  if (input.title !== void 0) {
+    sanitizedTitle = stripTags(input.title).trim();
+    if (!sanitizedTitle) {
+      throw new StorageValidationError("Page title must not be empty", "EMPTY_TITLE");
+    }
   }
   if (input.slug !== void 0) {
     const slug = input.slug.trim();
@@ -319,7 +331,11 @@ async function handleUpdatePage(adapter, input) {
       throw new StorageValidationError(`Slug "${slug}" is already in use`, "DUPLICATE_SLUG");
     }
   }
-  const sanitizedInput = input.sections ? { ...input, sections: sanitizeSectionData(input.sections) } : input;
+  const sanitizedInput = {
+    ...input,
+    ...sanitizedTitle !== void 0 && { title: sanitizedTitle },
+    ...input.sections && { sections: sanitizeSectionData(input.sections) }
+  };
   return adapter.updatePage(sanitizedInput);
 }
 async function handleDeletePage(adapter, id) {
@@ -329,38 +345,46 @@ async function handleDeletePage(adapter, id) {
   return adapter.deletePage(id);
 }
 async function handleCreateNavigation(adapter, input) {
-  if (!input.name.trim()) {
+  const sanitizedName = stripTags(input.name).trim();
+  if (!sanitizedName) {
     throw new StorageValidationError("Navigation name must not be empty", "EMPTY_NAME");
   }
   const existingNavigations = await adapter.listNavigations();
   const existingNames = existingNavigations.map((n) => n.name);
-  if (existingNames.includes(input.name.trim())) {
+  if (existingNames.includes(sanitizedName)) {
     throw new StorageValidationError(
-      `Navigation name "${input.name.trim()}" is already in use`,
+      `Navigation name "${sanitizedName}" is already in use`,
       "DUPLICATE_NAME"
     );
   }
-  return adapter.createNavigation(input);
+  return adapter.createNavigation({
+    ...input,
+    name: sanitizedName
+  });
 }
 async function handleUpdateNavigation(adapter, input) {
   if (!input.id.trim()) {
     throw new StorageValidationError("Navigation ID must not be empty", "EMPTY_ID");
   }
+  let sanitizedName;
   if (input.name !== void 0) {
-    const name = input.name.trim();
-    if (!name) {
+    sanitizedName = stripTags(input.name).trim();
+    if (!sanitizedName) {
       throw new StorageValidationError("Navigation name must not be empty", "EMPTY_NAME");
     }
     const existingNavigations = await adapter.listNavigations();
     const existingNames = existingNavigations.filter((n) => n.id !== input.id).map((n) => n.name);
-    if (existingNames.includes(name)) {
+    if (existingNames.includes(sanitizedName)) {
       throw new StorageValidationError(
-        `Navigation name "${name}" is already in use`,
+        `Navigation name "${sanitizedName}" is already in use`,
         "DUPLICATE_NAME"
       );
     }
   }
-  return adapter.updateNavigation(input);
+  return adapter.updateNavigation({
+    ...input,
+    ...sanitizedName !== void 0 && { name: sanitizedName }
+  });
 }
 async function handleDeleteNavigation(adapter, id) {
   if (!id.trim()) {
@@ -369,12 +393,61 @@ async function handleDeleteNavigation(adapter, id) {
   return adapter.deleteNavigation(id);
 }
 
+// src/validation/schemas.ts
+import { z } from "zod";
+var MAX_FILE_SIZE = 50 * 1024 * 1024;
+var PageSectionSchema = z.object({
+  id: z.string().optional(),
+  type: z.string(),
+  data: z.record(z.unknown())
+});
+var CreatePageSchema = z.object({
+  title: z.string().max(200, "Title must not exceed 200 characters"),
+  pageType: z.string(),
+  slug: z.string().max(200, "Slug must not exceed 200 characters").optional(),
+  sections: z.array(PageSectionSchema).optional()
+});
+var UpdatePageSchema = CreatePageSchema.partial();
+var NavigationItemSchema = z.lazy(
+  () => z.object({
+    label: z.string(),
+    href: z.string(),
+    children: z.array(NavigationItemSchema).optional()
+  })
+);
+var CreateNavigationSchema = z.object({
+  name: z.string().max(100, "Name must not exceed 100 characters"),
+  items: z.array(NavigationItemSchema)
+});
+var UpdateNavigationSchema = CreateNavigationSchema.partial();
+var SignInSchema = z.object({
+  email: z.string().email("Invalid email address"),
+  password: z.string().min(1, "Password is required")
+});
+var MediaUploadSchema = z.object({
+  filename: z.string().max(255, "Filename must not exceed 255 characters"),
+  mimeType: z.string(),
+  size: z.number().max(MAX_FILE_SIZE, `File size must not exceed ${MAX_FILE_SIZE / 1024 / 1024}MB`),
+  data: z.instanceof(ArrayBuffer)
+});
+
 // src/media/resolve.ts
 var UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-var MEDIA_FIELD_SUFFIXES = ["_image", "_media", "_photo", "_thumbnail", "_avatar", "_icon"];
+var MEDIA_FIELD_SUFFIXES = [
+  "_image",
+  "_media",
+  "_photo",
+  "_thumbnail",
+  "_avatar",
+  "_icon",
+  "_file",
+  "_document",
+  "_attachment",
+  "_download"
+];
 function isMediaField(fieldName) {
   const lower = fieldName.toLowerCase();
-  if (lower === "image" || lower === "media" || lower === "photo" || lower === "thumbnail" || lower === "avatar" || lower === "icon") {
+  if (lower === "image" || lower === "media" || lower === "photo" || lower === "thumbnail" || lower === "avatar" || lower === "icon" || lower === "file" || lower === "document" || lower === "attachment" || lower === "download") {
     return true;
   }
   return MEDIA_FIELD_SUFFIXES.some((suffix) => lower.endsWith(suffix));
@@ -462,6 +535,7 @@ async function handleGetNavigation(adapter, name) {
 }
 
 // src/media/types.ts
+var MAX_FILE_SIZE2 = 50 * 1024 * 1024;
 var ALLOWED_MIME_TYPES = [
   "image/jpeg",
   "image/png",
@@ -469,8 +543,29 @@ var ALLOWED_MIME_TYPES = [
   "image/webp",
   "image/svg+xml"
 ];
+var ALLOWED_DOCUMENT_MIME_TYPES = [
+  "application/pdf",
+  "application/msword",
+  "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+  "application/vnd.ms-excel",
+  "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+  "application/vnd.ms-powerpoint",
+  "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+  "text/plain",
+  "text/csv",
+  "application/zip",
+  "application/gzip"
+];
+var ALL_ALLOWED_MIME_TYPES = [
+  ...ALLOWED_MIME_TYPES,
+  ...ALLOWED_DOCUMENT_MIME_TYPES
+];
 
 // src/media/supabase-adapter.ts
+function deriveCategory(mimeType) {
+  const imageMimes = ALLOWED_MIME_TYPES;
+  return imageMimes.includes(mimeType) ? "image" : "document";
+}
 var MediaError = class extends Error {
   constructor(message, code, details) {
     super(message);
@@ -512,6 +607,7 @@ var SupabaseMediaAdapter = class {
       url: this.getPublicUrl(row.storage_path),
       mimeType: row.mime_type,
       size: row.size,
+      category: row.category,
       createdAt: new Date(row.created_at)
     };
   }
@@ -532,7 +628,8 @@ var SupabaseMediaAdapter = class {
       filename: input.filename,
       storage_path: storagePath,
       mime_type: input.mimeType,
-      size: input.size
+      size: input.size,
+      category: deriveCategory(input.mimeType)
     }).select().single();
     if (dbError) {
       await this.client.storage.from(this.bucketName).remove([storagePath]);
@@ -559,6 +656,9 @@ var SupabaseMediaAdapter = class {
     if (filter?.mimeType) {
       query = query.eq("mime_type", filter.mimeType);
     }
+    if (filter?.category) {
+      query = query.eq("category", filter.category);
+    }
     query = query.order("created_at", { ascending: false });
     if (filter?.limit) {
       query = query.limit(filter.limit);
@@ -608,16 +708,25 @@ var MediaValidationError = class extends Error {
   }
 };
 function validateMimeType(mimeType) {
-  const allowed = ALLOWED_MIME_TYPES;
+  const allowed = ALL_ALLOWED_MIME_TYPES;
   if (!allowed.includes(mimeType)) {
     throw new MediaValidationError(
-      `Invalid file type: ${mimeType}. Allowed types: ${ALLOWED_MIME_TYPES.join(", ")}`,
+      `Invalid file type: ${mimeType}. Allowed types: ${ALL_ALLOWED_MIME_TYPES.join(", ")}`,
       "INVALID_MIME_TYPE"
     );
   }
 }
+function validateFileSize(size) {
+  if (size > MAX_FILE_SIZE2) {
+    throw new MediaValidationError(
+      `File size exceeds maximum allowed size of ${MAX_FILE_SIZE2 / 1024 / 1024}MB`,
+      "FILE_TOO_LARGE"
+    );
+  }
+}
 async function handleUploadMedia(adapter, input) {
   validateMimeType(input.mimeType);
+  validateFileSize(input.size);
   return adapter.upload(input);
 }
 async function handleGetMedia(adapter, id) {
@@ -871,6 +980,82 @@ function createAuthMiddleware(config) {
   };
 }
 
+// src/auth/csrf.ts
+function generateCsrfToken() {
+  const bytes = new Uint8Array(32);
+  crypto.getRandomValues(bytes);
+  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+function validateCsrfToken(cookieToken, headerToken) {
+  if (!cookieToken || !headerToken) {
+    return false;
+  }
+  if (cookieToken.trim() === "" || headerToken.trim() === "") {
+    return false;
+  }
+  return cookieToken === headerToken;
+}
+
+// src/auth/rate-limiter.ts
+function createRateLimiter(config) {
+  const { windowMs, maxRequests } = config;
+  const entries = /* @__PURE__ */ new Map();
+  function cleanupEntry(entry, now) {
+    const windowStart = now - windowMs;
+    entry.timestamps = entry.timestamps.filter((ts) => ts > windowStart);
+  }
+  function scheduleCleanup(key) {
+    const entry = entries.get(key);
+    if (!entry) return;
+    if (entry.timeoutId) {
+      clearTimeout(entry.timeoutId);
+    }
+    entry.timeoutId = setTimeout(() => {
+      const currentEntry = entries.get(key);
+      if (currentEntry) {
+        cleanupEntry(currentEntry, Date.now());
+        if (currentEntry.timestamps.length === 0) {
+          entries.delete(key);
+        } else {
+          scheduleCleanup(key);
+        }
+      }
+    }, windowMs);
+  }
+  return {
+    check(key) {
+      const now = Date.now();
+      let entry = entries.get(key);
+      if (!entry) {
+        entry = { timestamps: [] };
+        entries.set(key, entry);
+      }
+      cleanupEntry(entry, now);
+      if (entry.timestamps.length >= maxRequests) {
+        const oldestTimestamp = entry.timestamps[0] ?? now;
+        const retryAfterMs = oldestTimestamp + windowMs - now;
+        const retryAfterSeconds = Math.ceil(retryAfterMs / 1e3);
+        return {
+          allowed: false,
+          retryAfter: retryAfterSeconds
+        };
+      }
+      entry.timestamps.push(now);
+      scheduleCleanup(key);
+      return {
+        allowed: true
+      };
+    },
+    reset(key) {
+      const entry = entries.get(key);
+      if (entry?.timeoutId) {
+        clearTimeout(entry.timeoutId);
+      }
+      entries.delete(key);
+    }
+  };
+}
+
 // src/supabase/factory.ts
 function readEnv(name) {
   const processLike = globalThis.process;
@@ -1001,23 +1186,65 @@ async function handleExportSite(storageAdapter, mediaAdapter) {
     contentDisposition: contentDisposition("site-export.json")
   };
 }
+
+// src/audit/logger.ts
+var defaultSink = (entry) => {
+  const output = JSON.stringify(entry, null, 2);
+  globalThis.console?.log?.(output);
+};
+function createAuditLogger(sink = defaultSink) {
+  return {
+    log: async (entry) => {
+      await sink({
+        ...entry,
+        timestamp: /* @__PURE__ */ new Date()
+      });
+    }
+  };
+}
+function withAuditLog(handler, options, sink) {
+  const logger = createAuditLogger(sink);
+  return (async (...args) => {
+    const result = await handler(...args);
+    await logger.log({
+      action: options.action,
+      entity: options.entity,
+      entityId: options.extractEntityId(args),
+      userId: options.extractUserId?.(args),
+      metadata: options.metadata?.(args)
+    });
+    return result;
+  });
+}
 export {
+  ALLOWED_DOCUMENT_MIME_TYPES,
   ALLOWED_MIME_TYPES,
+  ALL_ALLOWED_MIME_TYPES,
   AuthError,
   AuthValidationError,
+  CreateNavigationSchema,
+  CreatePageSchema,
+  MAX_FILE_SIZE2 as MAX_FILE_SIZE,
   MediaError,
+  MediaUploadSchema,
   MediaValidationError,
+  SignInSchema,
   StorageError,
   StorageValidationError,
   SupabaseAuthAdapter,
   SupabaseMediaAdapter,
   SupabaseStorageAdapter,
+  UpdateNavigationSchema,
+  UpdatePageSchema,
+  createAuditLogger,
   createAuthAdapter,
   createAuthMiddleware,
   createMediaAdapter,
+  createRateLimiter,
   createStorageAdapter,
   createSupabaseAdapters,
   ensureUniqueSlug,
+  generateCsrfToken,
   generateSlug,
   handleCreateNavigation,
   handleCreatePage,
@@ -1042,6 +1269,9 @@ export {
   handleUpdatePage,
   handleUploadMedia,
   handleVerifySession,
-  resolveMediaReferences
+  resolveMediaReferences,
+  stripTags,
+  validateCsrfToken,
+  withAuditLog
 };
 //# sourceMappingURL=index.js.map