domma-cms 0.1.0 → 0.2.1

package/scripts/setup.js

@@ -11,14 +11,14 @@
  *   3. Set site title and tagline
  *   4. Pick a theme
  */
-import { createInterface } from 'node:readline/promises';
-import { randomBytes }     from 'node:crypto';
-import { readFile, writeFile, readdir, mkdir } from 'node:fs/promises';
-import { existsSync }      from 'node:fs';
-import path                from 'node:path';
-import { fileURLToPath }   from 'node:url';
-import bcrypt              from 'bcryptjs';
-import { v4 as uuidv4 }   from 'uuid';
+import {createInterface} from 'node:readline/promises';
+import {randomBytes} from 'node:crypto';
+import {mkdir, readdir, readFile, writeFile} from 'node:fs/promises';
+import {existsSync} from 'node:fs';
+import path from 'node:path';
+import {fileURLToPath} from 'node:url';
+import bcrypt from 'bcryptjs';
+import {v4 as uuidv4} from 'uuid';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const ROOT      = path.resolve(__dirname, '..');
@@ -38,7 +38,10 @@ const THEMES = [
     'royal-dark',     'royal-light',
     'lemon-dark',     'lemon-light',
     'silver-dark',    'silver-light',
-    'grayve',
+  'grayve-dark', 'grayve-light',
+  'christmas-dark', 'christmas-light',
+  'unicorn-dark', 'unicorn-light',
+  'dreamy-dark', 'dreamy-light',
 ];
 
 // ---------------------------------------------------------------------------

package/server/routes/api/collections.js

@@ -0,0 +1,301 @@
+/**
+ * Collections API
+ *
+ * Admin endpoints (authenticated + collections role):
+ * GET    /collections                    - List all collections
+ * POST   /collections                    - Create collection
+ * GET    /collections/:slug              - Get schema
+ * PUT    /collections/:slug              - Update schema
+ * DELETE /collections/:slug              - Delete collection + data
+ * GET    /collections/:slug/entries      - List entries (paginated, searchable)
+ * GET    /collections/:slug/entries/:id  - Get single entry
+ * POST   /collections/:slug/entries      - Create entry
+ * PUT    /collections/:slug/entries/:id  - Update entry
+ * DELETE /collections/:slug/entries/:id  - Delete entry
+ * DELETE /collections/:slug/entries      - Clear all entries
+ * GET    /collections/:slug/export       - Export (?format=json|csv)
+ * POST   /collections/:slug/import       - Import (JSON body)
+ *
+ * Public endpoints (access controlled per collection api config):
+ * GET    /collections/:slug/public       - Read entries (if api.read enabled)
+ * GET    /collections/:slug/public/:id   - Read single entry
+ * POST   /collections/:slug/public       - Create entry (if api.create enabled)
+ * PUT    /collections/:slug/public/:id   - Update entry (if api.update enabled)
+ * DELETE /collections/:slug/public/:id   - Delete entry (if api.delete enabled)
+ */
+import {
+    listCollections, getCollection, createCollection, updateCollection, deleteCollection,
+    listEntries, getEntry, createEntry, updateEntry, deleteEntry, clearEntries,
+    exportEntries, importEntries
+} from '../../services/collections.js';
+import { authenticate, requireRole } from '../../middleware/auth.js';
+import { config } from '../../config.js';
+
+/**
+ * Resolve the role level number for a named role.
+ *
+ * @param {string} roleName
+ * @returns {number}
+ */
+function roleLevel(roleName) {
+    return config.auth.roles[roleName]?.level ?? 99;
+}
+
+/**
+ * Check public collection API access.
+ * Returns an error reply if access is denied, otherwise resolves (returns undefined).
+ *
+ * @param {object} schema
+ * @param {'create'|'read'|'update'|'delete'} operation
+ * @param {object} request - Fastify request
+ * @param {object} reply   - Fastify reply
+ * @returns {Promise<object|undefined>}
+ */
+async function checkPublicAccess(schema, operation, request, reply) {
+    const access = schema.api?.[operation];
+    if (!access?.enabled) {
+        return reply.status(403).send({ error: `Public ${operation} is disabled for this collection` });
+    }
+
+    if (access.access === 'public') return; // No auth needed
+
+    // Auth required — try to verify JWT
+    try {
+        await request.jwtVerify();
+    } catch {
+        return reply.status(401).send({ error: 'Unauthorised' });
+    }
+
+    const user = request.user;
+    const requiredLevel = roleLevel(access.access);
+    const userLevel     = roleLevel(user?.role);
+
+    if (userLevel > requiredLevel) {
+        return reply.status(403).send({ error: 'Insufficient permissions' });
+    }
+}
+
+export async function collectionsRoutes(fastify) {
+    const guard = { preHandler: [authenticate, requireRole(config.auth.permissions.collections)] };
+
+    // -------------------------------------------------------------------------
+    // Collection CRUD (schema management)
+    // -------------------------------------------------------------------------
+
+    fastify.get('/collections', guard, async () => {
+        return listCollections();
+    });
+
+    fastify.post('/collections', guard, async (request, reply) => {
+        const { title, slug, description, fields, api } = request.body || {};
+        if (!title) return reply.status(400).send({ error: 'title is required' });
+        try {
+            const schema = await createCollection({ title, slug, description, fields, api });
+            return reply.status(201).send(schema);
+        } catch (err) {
+            return reply.status(409).send({ error: err.message });
+        }
+    });
+
+    fastify.get('/collections/:slug', guard, async (request, reply) => {
+        const schema = await getCollection(request.params.slug);
+        if (!schema) return reply.status(404).send({ error: 'Collection not found' });
+        return schema;
+    });
+
+    fastify.put('/collections/:slug', guard, async (request, reply) => {
+        try {
+            return await updateCollection(request.params.slug, request.body || {});
+        } catch (err) {
+            return reply.status(404).send({ error: err.message });
+        }
+    });
+
+    fastify.delete('/collections/:slug', guard, async (request, reply) => {
+        try {
+            await deleteCollection(request.params.slug);
+            return { success: true };
+        } catch (err) {
+            return reply.status(404).send({ error: err.message });
+        }
+    });
+
+    // -------------------------------------------------------------------------
+    // Entry CRUD
+    // -------------------------------------------------------------------------
+
+    fastify.get('/collections/:slug/entries', guard, async (request, reply) => {
+        const schema = await getCollection(request.params.slug);
+        if (!schema) return reply.status(404).send({ error: 'Collection not found' });
+        const { page, limit, sort, order, search } = request.query;
+        return listEntries(request.params.slug, {
+            page:   parseInt(page, 10)  || 1,
+            limit:  parseInt(limit, 10) || 50,
+            sort:   sort   || 'createdAt',
+            order:  order  || 'desc',
+            search: search || undefined
+        });
+    });
+
+    fastify.get('/collections/:slug/entries/:id', guard, async (request, reply) => {
+        const entry = await getEntry(request.params.slug, request.params.id);
+        if (!entry) return reply.status(404).send({ error: 'Entry not found' });
+        return entry;
+    });
+
+    fastify.post('/collections/:slug/entries', guard, async (request, reply) => {
+        const user = request.user;
+        try {
+            const entry = await createEntry(request.params.slug, request.body?.data || {}, {
+                createdBy: user?.id || null,
+                source:    'admin'
+            });
+            return reply.status(201).send(entry);
+        } catch (err) {
+            return reply.status(400).send({ error: err.message });
+        }
+    });
+
+    fastify.put('/collections/:slug/entries/:id', guard, async (request, reply) => {
+        try {
+            return await updateEntry(request.params.slug, request.params.id, request.body?.data || {});
+        } catch (err) {
+            const status = err.message === 'Entry not found' ? 404 : 400;
+            return reply.status(status).send({ error: err.message });
+        }
+    });
+
+    fastify.delete('/collections/:slug/entries/:id', guard, async (request, reply) => {
+        try {
+            await deleteEntry(request.params.slug, request.params.id);
+            return { success: true };
+        } catch (err) {
+            return reply.status(404).send({ error: err.message });
+        }
+    });
+
+    // Clear all entries — DELETE /collections/:slug/entries (no :id)
+    fastify.delete('/collections/:slug/entries', guard, async (request, reply) => {
+        try {
+            await clearEntries(request.params.slug);
+            return { success: true };
+        } catch (err) {
+            return reply.status(404).send({ error: err.message });
+        }
+    });
+
+    // -------------------------------------------------------------------------
+    // Export / Import
+    // -------------------------------------------------------------------------
+
+    fastify.get('/collections/:slug/export', guard, async (request, reply) => {
+        const format = request.query.format === 'csv' ? 'csv' : 'json';
+        try {
+            const output = await exportEntries(request.params.slug, format);
+            if (format === 'csv') {
+                reply.header('Content-Type', 'text/csv');
+                reply.header('Content-Disposition', `attachment; filename="${request.params.slug}-entries.csv"`);
+            } else {
+                reply.header('Content-Type', 'application/json');
+                reply.header('Content-Disposition', `attachment; filename="${request.params.slug}-entries.json"`);
+            }
+            return reply.send(output);
+        } catch (err) {
+            return reply.status(404).send({ error: err.message });
+        }
+    });
+
+    fastify.post('/collections/:slug/import', guard, async (request, reply) => {
+        const user    = request.user;
+        const entries = request.body?.entries;
+        if (!Array.isArray(entries)) return reply.status(400).send({ error: 'entries must be an array' });
+        try {
+            const result = await importEntries(request.params.slug, entries, { createdBy: user?.id || null });
+            return reply.status(201).send(result);
+        } catch (err) {
+            return reply.status(400).send({ error: err.message });
+        }
+    });
+
+    // -------------------------------------------------------------------------
+    // Public access endpoints
+    // -------------------------------------------------------------------------
+
+    fastify.get('/collections/:slug/public', async (request, reply) => {
+        const schema = await getCollection(request.params.slug);
+        if (!schema) return reply.status(404).send({ error: 'Collection not found' });
+
+        const denied = await checkPublicAccess(schema, 'read', request, reply);
+        if (denied !== undefined) return;
+
+        const { page, limit, sort, order, search } = request.query;
+        return listEntries(request.params.slug, {
+            page:   parseInt(page, 10)  || 1,
+            limit:  parseInt(limit, 10) || 50,
+            sort:   sort   || 'createdAt',
+            order:  order  || 'desc',
+            search: search || undefined
+        });
+    });
+
+    fastify.get('/collections/:slug/public/:id', async (request, reply) => {
+        const schema = await getCollection(request.params.slug);
+        if (!schema) return reply.status(404).send({ error: 'Collection not found' });
+
+        const denied = await checkPublicAccess(schema, 'read', request, reply);
+        if (denied !== undefined) return;
+
+        const entry = await getEntry(request.params.slug, request.params.id);
+        if (!entry) return reply.status(404).send({ error: 'Entry not found' });
+        return entry;
+    });
+
+    fastify.post('/collections/:slug/public', async (request, reply) => {
+        const schema = await getCollection(request.params.slug);
+        if (!schema) return reply.status(404).send({ error: 'Collection not found' });
+
+        const denied = await checkPublicAccess(schema, 'create', request, reply);
+        if (denied !== undefined) return;
+
+        try {
+            const user  = request.user;
+            const entry = await createEntry(request.params.slug, request.body?.data || {}, {
+                createdBy: user?.id || null,
+                source:    'api'
+            });
+            return reply.status(201).send(entry);
+        } catch (err) {
+            return reply.status(400).send({ error: err.message });
+        }
+    });
+
+    fastify.put('/collections/:slug/public/:id', async (request, reply) => {
+        const schema = await getCollection(request.params.slug);
+        if (!schema) return reply.status(404).send({ error: 'Collection not found' });
+
+        const denied = await checkPublicAccess(schema, 'update', request, reply);
+        if (denied !== undefined) return;
+
+        try {
+            return await updateEntry(request.params.slug, request.params.id, request.body?.data || {});
+        } catch (err) {
+            const status = err.message === 'Entry not found' ? 404 : 400;
+            return reply.status(status).send({ error: err.message });
+        }
+    });
+
+    fastify.delete('/collections/:slug/public/:id', async (request, reply) => {
+        const schema = await getCollection(request.params.slug);
+        if (!schema) return reply.status(404).send({ error: 'Collection not found' });
+
+        const denied = await checkPublicAccess(schema, 'delete', request, reply);
+        if (denied !== undefined) return;
+
+        try {
+            await deleteEntry(request.params.slug, request.params.id);
+            return { success: true };
+        } catch (err) {
+            return reply.status(404).send({ error: err.message });
+        }
+    });
+}

package/server/routes/api/settings.js

@@ -1,11 +1,20 @@
 /**
  * Settings API
- * GET /api/settings      - get site settings
- * PUT /api/settings      - save site settings
+ * GET  /api/settings            - get site settings
+ * PUT  /api/settings            - save site settings
+ * POST /api/settings/test-email - send a test email using stored SMTP config
  */
 import { getConfig, saveConfig } from '../../config.js';
 import { authenticate, requireRole } from '../../middleware/auth.js';
 import { config } from '../../config.js';
+import nodemailer from 'nodemailer';
+import fs from 'fs/promises';
+import path from 'path';
+import {fileURLToPath} from 'url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const CUSTOM_CSS_FILE = path.resolve(__dirname, '../../../content/custom.css');
+const CUSTOM_CSS_MAX  = 100 * 1024; // 100 KB
 
 export async function settingsRoutes(fastify) {
     const guard = { preHandler: [authenticate, requireRole(config.auth.permissions.settings)] };
@@ -22,4 +31,59 @@ export async function settingsRoutes(fastify) {
         saveConfig('site', data);
         return { success: true };
     });
+
+    fastify.post('/settings/test-email', guard, async (request, reply) => {
+        const smtp = getConfig('site')?.smtp;
+        if (!smtp?.host) {
+            return reply.status(400).send({ error: 'SMTP is not configured. Save your SMTP settings first.' });
+        }
+
+        const transporter = nodemailer.createTransport({
+            host:   smtp.host,
+            port:   smtp.port || 587,
+            secure: smtp.secure || false,
+            auth:   smtp.user ? { user: smtp.user, pass: smtp.pass } : undefined
+        });
+
+        const to = request.body?.to || smtp.fromAddress;
+        if (!to) {
+            return reply.status(400).send({ error: 'No recipient address. Provide "to" in the request body or set a From Address.' });
+        }
+
+        try {
+            await transporter.sendMail({
+                from:    smtp.fromName ? `"${smtp.fromName}" <${smtp.fromAddress}>` : smtp.fromAddress,
+                to,
+                subject: 'Domma CMS — Test Email',
+                text:    'This is a test email sent from Domma CMS to verify your SMTP configuration.',
+                html:    '<p>This is a test email sent from <strong>Domma CMS</strong> to verify your SMTP configuration.</p>'
+            });
+            return { success: true, message: `Test email sent to ${to}` };
+        } catch (err) {
+            return reply.status(500).send({ error: `Failed to send email: ${err.message}` });
+        }
+    });
+
+    // GET /api/settings/custom-css — return current CSS as JSON
+    fastify.get('/settings/custom-css', guard, async () => {
+        try {
+            const css = await fs.readFile(CUSTOM_CSS_FILE, 'utf8');
+            return { css };
+        } catch {
+            return { css: '' };
+        }
+    });
+
+    // PUT /api/settings/custom-css — save CSS to content/custom.css
+    fastify.put('/settings/custom-css', guard, async (request, reply) => {
+        const { css } = request.body || {};
+        if (typeof css !== 'string') {
+            return reply.status(400).send({ error: 'css must be a string.' });
+        }
+        if (Buffer.byteLength(css, 'utf8') > CUSTOM_CSS_MAX) {
+            return reply.status(400).send({ error: 'CSS exceeds the 100 KB limit.' });
+        }
+        await fs.writeFile(CUSTOM_CSS_FILE, css, 'utf8');
+        return { success: true };
+    });
 }

package/server/server.js

@@ -75,12 +75,14 @@ await app.register(staticPlugin, {
 });
 
 // Ensure required directories exist
-const mediaDir = path.join(ROOT, config.content.mediaDir);
-const usersDir = path.join(ROOT, config.content.usersDir);
-const pluginsDir = path.join(ROOT, 'plugins');
-await fs.mkdir(mediaDir, { recursive: true });
-await fs.mkdir(usersDir, { recursive: true });
-await fs.mkdir(pluginsDir, { recursive: true });
+const mediaDir       = path.join(ROOT, config.content.mediaDir);
+const usersDir       = path.join(ROOT, config.content.usersDir);
+const collectionsDir = path.join(ROOT, config.content.collectionsDir);
+const pluginsDir     = path.join(ROOT, 'plugins');
+await fs.mkdir(mediaDir,       { recursive: true });
+await fs.mkdir(usersDir,       { recursive: true });
+await fs.mkdir(collectionsDir, { recursive: true });
+await fs.mkdir(pluginsDir,     { recursive: true });
 
 // Serve uploaded media files
 await app.register(staticPlugin, {
@@ -131,15 +133,17 @@ const { layoutsRoutes }    = await import('./routes/api/layouts.js');
 const { navigationRoutes } = await import('./routes/api/navigation.js');
 const { mediaRoutes }      = await import('./routes/api/media.js');
 const { usersRoutes }      = await import('./routes/api/users.js');
-const { pluginsRoutes }    = await import('./routes/api/plugins.js');
-
-await app.register(pagesRoutes,      { prefix: '/api' });
-await app.register(settingsRoutes,   { prefix: '/api' });
-await app.register(layoutsRoutes,    { prefix: '/api' });
-await app.register(navigationRoutes, { prefix: '/api' });
-await app.register(mediaRoutes,      { prefix: '/api' });
-await app.register(usersRoutes,      { prefix: '/api' });
-await app.register(pluginsRoutes,    { prefix: '/api' });
+const { pluginsRoutes }     = await import('./routes/api/plugins.js');
+const { collectionsRoutes } = await import('./routes/api/collections.js');
+
+await app.register(pagesRoutes,       { prefix: '/api' });
+await app.register(settingsRoutes,    { prefix: '/api' });
+await app.register(layoutsRoutes,     { prefix: '/api' });
+await app.register(navigationRoutes,  { prefix: '/api' });
+await app.register(mediaRoutes,       { prefix: '/api' });
+await app.register(usersRoutes,       { prefix: '/api' });
+await app.register(pluginsRoutes,     { prefix: '/api' });
+await app.register(collectionsRoutes, { prefix: '/api' });
 
 // ---------------------------------------------------------------------------
 // CMS Plugins (server-side Fastify plugins from plugins/ directory)