dineway 0.1.3 → 0.1.4

package/src/astro/routes/api/content/[collection]/[id].ts

@@ -0,0 +1,137 @@
+/**
+ * Single content item endpoints - injected by Dineway integration
+ *
+ * GET    /_dineway/api/content/{collection}/{id} - Get content
+ * PUT    /_dineway/api/content/{collection}/{id} - Update content
+ * DELETE /_dineway/api/content/{collection}/{id} - Delete content
+ */
+
+import { hasPermission, type Permission } from "@dineway-ai/auth";
+import type { APIRoute } from "astro";
+
+import { requirePerm, requireOwnerPerm } from "#api/authorize.js";
+import { apiError, mapErrorStatus, unwrapResult } from "#api/error.js";
+import { parseBody, isParseError } from "#api/parse.js";
+import { contentUpdateBody } from "#api/schemas.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ params, url, locals }) => {
+	const { dineway, user } = locals;
+	const denied = requirePerm(user, "content:read");
+	if (denied) return denied;
+	const collection = params.collection!;
+	const id = params.id!;
+	const locale = url.searchParams.get("locale") || undefined;
+
+	if (!dineway?.handleContentGet) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	const result = await dineway.handleContentGet(collection, id, locale);
+
+	return unwrapResult(result);
+};
+
+export const PUT: APIRoute = async ({ params, request, locals, cache }) => {
+	const { dineway, user } = locals;
+	const collection = params.collection!;
+	const id = params.id!;
+	const body = await parseBody(request, contentUpdateBody);
+	if (isParseError(body)) return body;
+
+	if (!dineway?.handleContentUpdate || !dineway?.handleContentGet) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Fetch item to check ownership
+	const existing = await dineway.handleContentGet(collection, id);
+	if (!existing.success) {
+		return apiError(
+			existing.error?.code ?? "UNKNOWN_ERROR",
+			existing.error?.message ?? "Unknown error",
+			mapErrorStatus(existing.error?.code),
+		);
+	}
+
+	const existingData =
+		existing.data && typeof existing.data === "object"
+			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+				(existing.data as Record<string, unknown>)
+			: undefined;
+	// Handler returns { item, _rev } — extract the item for ownership and ID resolution
+	const existingItem =
+		existingData?.item && typeof existingData.item === "object"
+			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+				(existingData.item as Record<string, unknown>)
+			: existingData;
+	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";
+	const editDenied = requireOwnerPerm(user, authorId, "content:edit_own", "content:edit_any");
+	if (editDenied) return editDenied;
+
+	// Use the resolved ID (handles slug → ID resolution)
+	const resolvedId = typeof existingItem?.id === "string" ? existingItem.id : id;
+
+	// Only allow authorId changes if user has content:edit_any permission (editor+)
+	const canChangeAuthor =
+		body.authorId !== undefined && user && hasPermission(user, "content:edit_any" as Permission);
+	const updateBody = canChangeAuthor ? body : { ...body, authorId: undefined };
+
+	// Pass _rev through for optimistic concurrency validation
+	const result = await dineway.handleContentUpdate(collection, resolvedId, {
+		...updateBody,
+		_rev: body._rev,
+	});
+
+	if (!result.success) return unwrapResult(result);
+
+	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
+
+	return unwrapResult(result);
+};
+
+export const DELETE: APIRoute = async ({ params, locals, cache }) => {
+	const { dineway, user } = locals;
+	const collection = params.collection!;
+	const id = params.id!;
+
+	if (!dineway?.handleContentDelete || !dineway?.handleContentGet) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Fetch item to check ownership
+	const existing = await dineway.handleContentGet(collection, id);
+	if (!existing.success) {
+		return apiError(
+			existing.error?.code ?? "UNKNOWN_ERROR",
+			existing.error?.message ?? "Unknown error",
+			mapErrorStatus(existing.error?.code),
+		);
+	}
+
+	const deleteData =
+		existing.data && typeof existing.data === "object"
+			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+				(existing.data as Record<string, unknown>)
+			: undefined;
+	// Handler returns { item, _rev } — extract the item for ownership and ID resolution
+	const deleteItem =
+		deleteData?.item && typeof deleteData.item === "object"
+			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+				(deleteData.item as Record<string, unknown>)
+			: deleteData;
+	const authorId = typeof deleteItem?.authorId === "string" ? deleteItem.authorId : "";
+	const deleteDenied = requireOwnerPerm(user, authorId, "content:delete_own", "content:delete_any");
+	if (deleteDenied) return deleteDenied;
+
+	// Use the resolved ID (handles slug → ID resolution)
+	const resolvedId = typeof deleteItem?.id === "string" ? deleteItem.id : id;
+
+	const result = await dineway.handleContentDelete(collection, resolvedId);
+
+	if (!result.success) return unwrapResult(result);
+
+	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
+
+	return unwrapResult(result);
+};

package/src/astro/routes/api/content/[collection]/index.ts

@@ -0,0 +1,59 @@
+/**
+ * Content list and create endpoints - injected by Dineway integration
+ *
+ * GET  /_dineway/api/content/{collection} - List content
+ * POST /_dineway/api/content/{collection} - Create content
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, unwrapResult } from "#api/error.js";
+import { parseBody, parseQuery, isParseError } from "#api/parse.js";
+import { contentListQuery, contentCreateBody } from "#api/schemas.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ params, url, locals }) => {
+	const { dineway, user } = locals;
+	const denied = requirePerm(user, "content:read");
+	if (denied) return denied;
+	const collection = params.collection!;
+	const query = parseQuery(url, contentListQuery);
+	if (isParseError(query)) return query;
+
+	if (!dineway?.handleContentList) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	const result = await dineway.handleContentList(collection, query);
+
+	return unwrapResult(result);
+};
+
+export const POST: APIRoute = async ({ params, request, locals, cache }) => {
+	const { dineway, user } = locals;
+	const denied = requirePerm(user, "content:create");
+	if (denied) return denied;
+	const collection = params.collection!;
+	const body = await parseBody(request, contentCreateBody);
+	if (isParseError(body)) return body;
+
+	if (!dineway?.handleContentCreate) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Auto-set authorId to current user when creating content
+	const result = await dineway.handleContentCreate(collection, {
+		...body,
+		authorId: user?.id,
+		locale: body.locale,
+		translationOf: body.translationOf,
+	});
+
+	if (!result.success) return unwrapResult(result);
+
+	if (cache.enabled) await cache.invalidate({ tags: [collection] });
+
+	return unwrapResult(result, 201);
+};

package/src/astro/routes/api/content/[collection]/trash.ts

@@ -0,0 +1,33 @@
+/**
+ * Trash endpoints for content collection - injected by Dineway integration
+ *
+ * GET /_dineway/api/content/{collection}/trash - List trashed items
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, unwrapResult } from "#api/error.js";
+import { parseQuery, isParseError } from "#api/parse.js";
+import { contentTrashQuery } from "#api/schemas.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ params, url, locals }) => {
+	const { dineway, user } = locals;
+	const collection = params.collection!;
+
+	const denied = requirePerm(user, "content:read");
+	if (denied) return denied;
+
+	if (!dineway?.handleContentListTrashed) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	const query = parseQuery(url, contentTrashQuery);
+	if (isParseError(query)) return query;
+
+	const result = await dineway.handleContentListTrashed(collection, query);
+
+	return unwrapResult(result);
+};

package/src/astro/routes/api/dashboard.ts

@@ -0,0 +1,32 @@
+/**
+ * Dashboard stats endpoint
+ *
+ * GET /_dineway/api/dashboard - Collection counts, media/user counts, recent items
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, handleError, unwrapResult } from "#api/error.js";
+import { handleDashboardStats } from "#api/handlers/dashboard.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ locals }) => {
+	const { dineway, user } = locals;
+
+	const denied = requirePerm(user, "content:read");
+	if (denied) return denied;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		const result = await handleDashboardStats(dineway.db);
+
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to load dashboard", "DASHBOARD_ERROR");
+	}
+};

package/src/astro/routes/api/dev/emails.ts

@@ -0,0 +1,36 @@
+/**
+ * GET /_dineway/api/dev/emails
+ * DELETE /_dineway/api/dev/emails
+ *
+ * Development-only endpoint to view and clear emails captured by
+ * the dev console email provider.
+ *
+ * ONLY available when import.meta.env.DEV is true.
+ *
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { apiError, apiSuccess } from "#api/error.js";
+
+import { clearDevEmails, getDevEmails } from "../../../../plugins/email-console.js";
+
+export const GET: APIRoute = async () => {
+	if (!import.meta.env.DEV) {
+		return apiError("FORBIDDEN", "Dev emails endpoint is only available in development mode", 403);
+	}
+
+	const emails = getDevEmails();
+	return apiSuccess({ items: emails });
+};
+
+export const DELETE: APIRoute = async () => {
+	if (!import.meta.env.DEV) {
+		return apiError("FORBIDDEN", "Dev emails endpoint is only available in development mode", 403);
+	}
+
+	clearDevEmails();
+	return apiSuccess({ success: true });
+};

package/src/astro/routes/api/import/probe.ts

@@ -0,0 +1,47 @@
+/**
+ * URL probe endpoint
+ *
+ * POST /_dineway/api/import/probe
+ *
+ * Probes a URL to detect what import source can handle it.
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { importProbeBody } from "#api/schemas.js";
+import { probeUrl, type ProbeResult } from "#import/index.js";
+import { SsrfError } from "#import/ssrf.js";
+
+export const prerender = false;
+
+export interface ProbeResponse {
+	success: boolean;
+	result?: ProbeResult;
+	error?: { message: string };
+}
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { user } = locals;
+	const denied = requirePerm(user, "import:execute");
+	if (denied) return denied;
+
+	try {
+		const body = await parseBody(request, importProbeBody);
+		if (isParseError(body)) return body;
+
+		const result = await probeUrl(body.url);
+
+		return apiSuccess({
+			success: true,
+			result,
+		});
+	} catch (error) {
+		if (error instanceof SsrfError) {
+			return apiError("SSRF_BLOCKED", error.message, 400);
+		}
+		return handleError(error, "Failed to probe URL", "PROBE_ERROR");
+	}
+};