domma-cms 0.1.0

package/plugins/form-builder/email.js

@@ -0,0 +1,103 @@
+/**
+ * Form Builder Plugin — Email Helper
+ * Nodemailer transport factory and generic form email sending utility.
+ */
+import nodemailer from 'nodemailer';
+
+/**
+ * Escape HTML special characters for safe use in email bodies.
+ *
+ * @param {string} str
+ * @returns {string}
+ */
+export function escapeHtml(str) {
+    return String(str)
+        .replace(/&/g, '&')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}
+
+/**
+ * Create a nodemailer transport.
+ * Falls back to an Ethereal test account when no SMTP host is configured.
+ *
+ * @param {{ host: string, port: number, secure: boolean, user: string, pass: string }} smtp
+ * @returns {Promise<import('nodemailer').Transporter>}
+ * @throws {Error} If Ethereal test account creation fails.
+ */
+export async function createTransport(smtp) {
+    if (smtp?.host) {
+        return nodemailer.createTransport({
+            host: smtp.host,
+            port: smtp.port || 587,
+            secure: smtp.secure || false,
+            auth: smtp.user ? { user: smtp.user, pass: smtp.pass } : undefined
+        });
+    }
+
+    // No SMTP configured — use Ethereal for dev/demo
+    const testAccount = await nodemailer.createTestAccount();
+    console.log('[form-builder] No SMTP configured. Using Ethereal test account:', testAccount.user);
+    return nodemailer.createTransport({
+        host: 'smtp.ethereal.email',
+        port: 587,
+        secure: false,
+        auth: { user: testAccount.user, pass: testAccount.pass }
+    });
+}
+
+/**
+ * Send an HTML + plain-text form submission notification email.
+ * Builds a generic table of field→value pairs from the submitted data.
+ *
+ * @param {import('nodemailer').Transporter} transport
+ * @param {{ from: string, fromName: string, to: string, subject: string, formTitle: string, fields: Array<{name: string, label: string}>, data: Record<string, unknown> }} opts
+ * @returns {Promise<void>}
+ * @throws {Error} If sending the email fails.
+ */
+export async function sendFormEmail(transport, { from, fromName, to, subject, formTitle, fields, data }) {
+    const rows = fields.map(field => {
+        const val  = data[field.name] ?? '';
+        const safe = escapeHtml(String(val)).replace(/\n/g, '<br>');
+        const safeLabel = escapeHtml(field.label || field.name);
+        return `
+        <tr>
+            <td style="padding:8px 12px;font-weight:600;background:#f9f9f9;border:1px solid #eee;white-space:nowrap;vertical-align:top;">${safeLabel}</td>
+            <td style="padding:8px 12px;border:1px solid #eee;vertical-align:top;">${safe}</td>
+        </tr>`.trim();
+    }).join('\n');
+
+    const plainRows = fields.map(field => {
+        const val = data[field.name] ?? '';
+        return `${field.label || field.name}: ${val}`;
+    }).join('\n');
+
+    const html = `
+<!DOCTYPE html>
+<html>
+<body style="font-family:sans-serif;max-width:640px;margin:0 auto;padding:20px;">
+    <h2 style="color:#333;margin-bottom:4px;">New Form Submission</h2>
+    <p style="color:#888;margin-top:0;font-size:.9rem;">${escapeHtml(formTitle)}</p>
+    <table style="width:100%;border-collapse:collapse;margin-top:16px;">
+        ${rows}
+    </table>
+</body>
+</html>`.trim();
+
+    const text = `New form submission: ${formTitle}\n\n${plainRows}`;
+
+    const info = await transport.sendMail({
+        from: `"${fromName}" <${from}>`,
+        to,
+        subject,
+        text,
+        html
+    });
+
+    const previewUrl = nodemailer.getTestMessageUrl(info);
+    if (previewUrl) {
+        console.log('[form-builder] Email preview URL:', previewUrl);
+    }
+}

package/plugins/form-builder/plugin.js

@@ -0,0 +1,454 @@
+/**
+ * Form Builder Plugin — Server
+ * Handles form CRUD, public submission, submissions management, and SMTP settings.
+ *
+ * Endpoints (prefix: /api/plugins/form-builder):
+ *   GET    /forms                         — admin: list all forms
+ *   POST   /forms                         — admin: create new form
+ *   GET    /forms/:slug                   — admin: get form definition
+ *   GET    /forms/:slug/public            — public: get form (no actions block)
+ *   PUT    /forms/:slug                   — admin: update form definition
+ *   DELETE /forms/:slug                   — admin: delete form + submissions
+ *   GET    /forms/:slug/submissions       — admin: list submissions (newest first)
+ *   GET    /forms/:slug/submissions/export — admin: CSV export
+ *   DELETE /forms/:slug/submissions       — admin: clear all submissions
+ *   DELETE /forms/:slug/submissions/:id   — admin: delete one submission
+ *   POST   /submit/:slug                  — public: accept submission
+ *   GET    /settings                      — admin: read global settings
+ *   PUT    /settings                      — admin: save global settings
+ *   POST   /test-email                    — admin: send test email
+ */
+import fs from 'fs/promises';
+import path from 'path';
+import crypto from 'crypto';
+import { fileURLToPath } from 'url';
+import { getPluginSettings, savePluginState } from '../../server/services/plugins.js';
+import { getConfig } from '../../server/config.js';
+import { createTransport, sendFormEmail } from './email.js';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const FORMS_DIR       = path.join(__dirname, 'data', 'forms');
+const SUBMISSIONS_DIR = path.join(__dirname, 'data', 'submissions');
+
+// Per-slug rate limit store: slug → Map<ip, timestamp[]>
+const rateLimitMap = new Map();
+
+// ---------------------------------------------------------------------------
+// File helpers
+// ---------------------------------------------------------------------------
+
+async function readForm(slug) {
+    const file = path.join(FORMS_DIR, `${slug}.json`);
+    return JSON.parse(await fs.readFile(file, 'utf8'));
+}
+
+async function writeForm(slug, data) {
+    const file = path.join(FORMS_DIR, `${slug}.json`);
+    await fs.writeFile(file, JSON.stringify(data, null, 4) + '\n', 'utf8');
+}
+
+async function listForms() {
+    let entries;
+    try {
+        entries = await fs.readdir(FORMS_DIR);
+    } catch {
+        return [];
+    }
+    const forms = [];
+    for (const entry of entries.filter(e => e.endsWith('.json'))) {
+        try {
+            const data = JSON.parse(await fs.readFile(path.join(FORMS_DIR, entry), 'utf8'));
+            forms.push(data);
+        } catch {
+            // skip malformed
+        }
+    }
+    return forms;
+}
+
+async function readSubmissions(slug) {
+    try {
+        return JSON.parse(await fs.readFile(path.join(SUBMISSIONS_DIR, `${slug}.json`), 'utf8'));
+    } catch {
+        return [];
+    }
+}
+
+async function writeSubmissions(slug, submissions) {
+    await fs.mkdir(SUBMISSIONS_DIR, { recursive: true });
+    await fs.writeFile(
+        path.join(SUBMISSIONS_DIR, `${slug}.json`),
+        JSON.stringify(submissions, null, 2) + '\n',
+        'utf8'
+    );
+}
+
+function isRateLimited(slug, ip, limitPerMinute) {
+    const now       = Date.now();
+    const windowMs  = 60 * 1000;
+    if (!rateLimitMap.has(slug)) rateLimitMap.set(slug, new Map());
+    const slugMap   = rateLimitMap.get(slug);
+    const timestamps = (slugMap.get(ip) || []).filter(t => now - t < windowMs);
+    if (timestamps.length >= limitPerMinute) return true;
+    timestamps.push(now);
+    slugMap.set(ip, timestamps);
+    return false;
+}
+
+function slugify(str) {
+    return str.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/^-|-$/g, '');
+}
+
+function submissionsToCSV(form, submissions) {
+    const fields = form.fields || [];
+    const headers = [...fields.map(f => `"${f.label || f.name}"`), '"Date"'];
+    const rows = submissions.map(s => {
+        const cols = fields.map(f => {
+            const val = String(s.data?.[f.name] ?? '').replace(/"/g, '""');
+            return `"${val}"`;
+        });
+        cols.push(`"${s.meta?.createdAt || ''}"`);
+        return cols.join(',');
+    });
+    return [headers.join(','), ...rows].join('\n');
+}
+
+// ---------------------------------------------------------------------------
+// Plugin registration
+// ---------------------------------------------------------------------------
+
+export default async function formBuilderPlugin(fastify, options) {
+    const { authenticate, requireAdmin } = options.auth;
+
+    // Ensure data dirs exist
+    await fs.mkdir(FORMS_DIR, { recursive: true });
+    await fs.mkdir(SUBMISSIONS_DIR, { recursive: true });
+
+    // -----------------------------------------------------------------------
+    // GET /forms — list all form definitions
+    // -----------------------------------------------------------------------
+    fastify.get('/forms', { preHandler: [authenticate, requireAdmin] }, async () => {
+        const forms = await listForms();
+        // Attach submission count to each form
+        const result = await Promise.all(forms.map(async form => {
+            const subs = await readSubmissions(form.slug);
+            return { ...form, submissionCount: subs.length };
+        }));
+        return result;
+    });
+
+    // -----------------------------------------------------------------------
+    // POST /forms — create new form
+    // -----------------------------------------------------------------------
+    fastify.post('/forms', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
+        const { title, slug: rawSlug } = request.body || {};
+        if (!title?.trim()) {
+            return reply.status(400).send({ error: 'Title is required.' });
+        }
+        const slug = rawSlug ? slugify(rawSlug) : slugify(title);
+        if (!slug) {
+            return reply.status(400).send({ error: 'Could not generate a valid slug.' });
+        }
+
+        // Check for existing form with same slug
+        try {
+            await fs.access(path.join(FORMS_DIR, `${slug}.json`));
+            return reply.status(409).send({ error: `A form with slug "${slug}" already exists.` });
+        } catch {
+            // Does not exist — good
+        }
+
+        const now  = new Date().toISOString();
+        const form = {
+            slug,
+            title: title.trim(),
+            description: '',
+            fields: [],
+            settings: {
+                submitText: 'Submit',
+                successMessage: 'Thank you for your submission.',
+                layout: 'stacked',
+                honeypot: true,
+                rateLimitPerMinute: 3
+            },
+            actions: {
+                email:   { enabled: false, recipients: '', subjectPrefix: `[${title.trim()}]` },
+                webhook: { enabled: false, url: '', method: 'POST' }
+            },
+            createdAt: now,
+            updatedAt: now
+        };
+
+        await writeForm(slug, form);
+        await writeSubmissions(slug, []);
+        return reply.status(201).send(form);
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /forms/:slug — get single form (admin, includes actions)
+    // -----------------------------------------------------------------------
+    fastify.get('/forms/:slug', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
+        try {
+            return await readForm(request.params.slug);
+        } catch {
+            return reply.status(404).send({ error: 'Form not found.' });
+        }
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /forms/:slug/public — get form for public rendering (no actions)
+    // -----------------------------------------------------------------------
+    fastify.get('/forms/:slug/public', async (request, reply) => {
+        try {
+            const form = await readForm(request.params.slug);
+            // Strip sensitive actions block before returning to browser
+            const { actions: _actions, ...safe } = form;
+            return safe;
+        } catch {
+            return reply.status(404).send({ error: 'Form not found.' });
+        }
+    });
+
+    // -----------------------------------------------------------------------
+    // PUT /forms/:slug — update form definition
+    // -----------------------------------------------------------------------
+    fastify.put('/forms/:slug', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
+        const { slug } = request.params;
+        let existing;
+        try {
+            existing = await readForm(slug);
+        } catch {
+            return reply.status(404).send({ error: 'Form not found.' });
+        }
+
+        const body = request.body || {};
+        const updated = {
+            ...existing,
+            ...body,
+            slug,                                      // slug is immutable via this route
+            createdAt: existing.createdAt,
+            updatedAt: new Date().toISOString()
+        };
+        await writeForm(slug, updated);
+        return updated;
+    });
+
+    // -----------------------------------------------------------------------
+    // DELETE /forms/:slug — delete form and its submissions
+    // -----------------------------------------------------------------------
+    fastify.delete('/forms/:slug', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
+        const { slug } = request.params;
+        try {
+            await fs.unlink(path.join(FORMS_DIR, `${slug}.json`));
+        } catch {
+            return reply.status(404).send({ error: 'Form not found.' });
+        }
+        try {
+            await fs.unlink(path.join(SUBMISSIONS_DIR, `${slug}.json`));
+        } catch {
+            // Submissions file may not exist — not an error
+        }
+        return { ok: true };
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /forms/:slug/submissions — list submissions (newest first)
+    // -----------------------------------------------------------------------
+    fastify.get('/forms/:slug/submissions', { preHandler: [authenticate, requireAdmin] }, async (request) => {
+        const submissions = await readSubmissions(request.params.slug);
+        return submissions.slice().reverse();
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /forms/:slug/submissions/export — CSV download
+    // -----------------------------------------------------------------------
+    fastify.get('/forms/:slug/submissions/export', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
+        const { slug } = request.params;
+        let form;
+        try {
+            form = await readForm(slug);
+        } catch {
+            return reply.status(404).send({ error: 'Form not found.' });
+        }
+        const submissions = await readSubmissions(slug);
+        const csv = submissionsToCSV(form, submissions);
+        reply
+            .header('Content-Type', 'text/csv; charset=utf-8')
+            .header('Content-Disposition', `attachment; filename="${slug}-submissions.csv"`);
+        return csv;
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /forms/:slug/submissions/export/json — JSON download
+    // -----------------------------------------------------------------------
+    fastify.get('/forms/:slug/submissions/export/json', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
+        const { slug } = request.params;
+        try {
+            await readForm(slug);
+        } catch {
+            return reply.status(404).send({ error: 'Form not found.' });
+        }
+        const submissions = await readSubmissions(slug);
+        reply
+            .header('Content-Type', 'application/json; charset=utf-8')
+            .header('Content-Disposition', `attachment; filename="${slug}-submissions.json"`);
+        return JSON.stringify(submissions, null, 2);
+    });
+
+    // -----------------------------------------------------------------------
+    // DELETE /forms/:slug/submissions — clear all submissions
+    // -----------------------------------------------------------------------
+    fastify.delete('/forms/:slug/submissions', { preHandler: [authenticate, requireAdmin] }, async (request) => {
+        await writeSubmissions(request.params.slug, []);
+        return { ok: true };
+    });
+
+    // -----------------------------------------------------------------------
+    // DELETE /forms/:slug/submissions/:id — delete one submission
+    // -----------------------------------------------------------------------
+    fastify.delete('/forms/:slug/submissions/:id', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
+        const { slug, id } = request.params;
+        const submissions = await readSubmissions(slug);
+        const filtered    = submissions.filter(s => s.id !== id);
+        if (filtered.length === submissions.length) {
+            return reply.status(404).send({ error: 'Submission not found.' });
+        }
+        await writeSubmissions(slug, filtered);
+        return { ok: true };
+    });
+
+    // -----------------------------------------------------------------------
+    // POST /submit/:slug — public form submission
+    // -----------------------------------------------------------------------
+    fastify.post('/submit/:slug', async (request, reply) => {
+        const { slug } = request.params;
+        let form;
+        try {
+            form = await readForm(slug);
+        } catch {
+            return reply.status(404).send({ error: 'Form not found.' });
+        }
+
+        const body     = request.body || {};
+        const settings = form.settings || {};
+
+        // Honeypot check — silently accept if filled (bot detected)
+        if (settings.honeypot && body._hp) {
+            return { ok: true, message: settings.successMessage };
+        }
+
+        // Validate required fields
+        const missingFields = (form.fields || [])
+            .filter(f => f.required && !body[f.name]?.toString().trim())
+            .map(f => f.label || f.name);
+        if (missingFields.length) {
+            return reply.status(400).send({ error: `Required fields missing: ${missingFields.join(', ')}.` });
+        }
+
+        // Rate limit by IP
+        const ip    = request.ip || request.socket?.remoteAddress || 'unknown';
+        const limit = settings.rateLimitPerMinute || 3;
+        if (isRateLimited(slug, ip, limit)) {
+            return reply.status(429).send({ error: 'Too many submissions. Please try again later.' });
+        }
+
+        // Build generic submission data map from defined fields
+        const data = {};
+        for (const field of form.fields || []) {
+            const val = body[field.name];
+            if (val !== undefined) {
+                data[field.name] = typeof val === 'string' ? val.trim() : val;
+            }
+        }
+
+        const submission = {
+            id:   crypto.randomUUID(),
+            data,
+            meta: { ip, createdAt: new Date().toISOString() }
+        };
+
+        const submissions = await readSubmissions(slug);
+        submissions.push(submission);
+        await writeSubmissions(slug, submissions);
+
+        // Email action
+        const emailAction = form.actions?.email;
+        if (emailAction?.enabled && emailAction.recipients) {
+            try {
+                const smtp      = getConfig('site').smtp || {};
+                const transport = await createTransport(smtp);
+                await sendFormEmail(transport, {
+                    from:      smtp.fromAddress,
+                    fromName:  smtp.fromName,
+                    to:        emailAction.recipients,
+                    subject:   `${emailAction.subjectPrefix || `[${form.title}]`} New submission`,
+                    formTitle: form.title,
+                    fields:    form.fields,
+                    data
+                });
+            } catch (err) {
+                fastify.log.warn(`[form-builder] Email send failed for "${slug}": ${err.message}`);
+            }
+        }
+
+        // Webhook action
+        const webhookAction = form.actions?.webhook;
+        if (webhookAction?.enabled && webhookAction.url) {
+            try {
+                await fetch(webhookAction.url, {
+                    method:  webhookAction.method || 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body:    JSON.stringify({ form: slug, submission })
+                });
+            } catch (err) {
+                fastify.log.warn(`[form-builder] Webhook failed for "${slug}": ${err.message}`);
+            }
+        }
+
+        return { ok: true, message: settings.successMessage || 'Thank you for your submission.' };
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /settings — global plugin settings (SMTP)
+    // -----------------------------------------------------------------------
+    fastify.get('/settings', { preHandler: [authenticate, requireAdmin] }, async () => {
+        return getPluginSettings('form-builder');
+    });
+
+    // -----------------------------------------------------------------------
+    // PUT /settings — save global settings
+    // -----------------------------------------------------------------------
+    fastify.put('/settings', { preHandler: [authenticate, requireAdmin] }, async (request) => {
+        savePluginState('form-builder', { settings: request.body || {} });
+        return { ok: true };
+    });
+
+    // -----------------------------------------------------------------------
+    // POST /test-email — send a test email
+    // -----------------------------------------------------------------------
+    fastify.post('/test-email', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
+        const smtp = getConfig('site').smtp || {};
+        const to   = (request.body?.to) || smtp.fromAddress || 'test@ethereal.email';
+        try {
+            const transport = await createTransport(smtp);
+            await sendFormEmail(transport, {
+                from:      smtp.fromAddress,
+                fromName:  smtp.fromName,
+                to,
+                subject:   '[Form Builder] Test Email',
+                formTitle: 'Test Form',
+                fields:    [
+                    { name: 'name',    label: 'Name' },
+                    { name: 'message', label: 'Message' }
+                ],
+                data: {
+                    name:    'Test Sender',
+                    message: 'This is a test email from your Domma CMS Form Builder plugin. If you received this, your SMTP settings are working correctly.'
+                }
+            });
+            return { ok: true, message: `Test email sent to ${to}` };
+        } catch (err) {
+            return reply.status(500).send({ error: `Failed to send test email: ${err.message}` });
+        }
+    });
+}

package/plugins/form-builder/plugin.json

@@ -0,0 +1,56 @@
+{
+    "name": "form-builder",
+    "displayName": "Form Builder",
+    "version": "1.0.0",
+    "description": "Visual form builder with arbitrary field types, submission storage, email and webhook actions.",
+    "author": "Darryl Waterhouse",
+    "date": "2026-03-03",
+    "icon": "layout",
+    "admin": {
+        "sidebar": [
+            {
+                "id": "form-builder-forms",
+                "text": "Forms",
+                "icon": "layout",
+                "url": "#/plugins/form-builder",
+                "section": "#/plugins/form-builder"
+            },
+            {
+                "id": "form-builder-settings",
+                "text": "Form Settings",
+                "icon": "settings",
+                "url": "#/plugins/form-builder/settings",
+                "section": "#/plugins/form-builder/settings"
+            }
+        ],
+        "routes": [
+            { "path": "/plugins/form-builder",             "view": "plugin-fb-forms-list",     "title": "Forms - Domma CMS" },
+            { "path": "/plugins/form-builder/new",         "view": "plugin-fb-form-editor",    "title": "New Form - Domma CMS" },
+            { "path": "/plugins/form-builder/edit/:slug",  "view": "plugin-fb-form-editor",    "title": "Edit Form - Domma CMS" },
+            { "path": "/plugins/form-builder/:slug/submissions", "view": "plugin-fb-form-submissions", "title": "Submissions - Domma CMS" },
+            { "path": "/plugins/form-builder/settings",    "view": "plugin-fb-form-settings",  "title": "Form Builder Settings - Domma CMS" }
+        ],
+        "views": {
+            "plugin-fb-forms-list": {
+                "entry": "form-builder/admin/views/forms-list.js",
+                "exportName": "formsListView"
+            },
+            "plugin-fb-form-editor": {
+                "entry": "form-builder/admin/views/form-editor.js",
+                "exportName": "formEditorView"
+            },
+            "plugin-fb-form-submissions": {
+                "entry": "form-builder/admin/views/form-submissions.js",
+                "exportName": "formSubmissionsView"
+            },
+            "plugin-fb-form-settings": {
+                "entry": "form-builder/admin/views/form-settings.js",
+                "exportName": "formSettingsView"
+            }
+        }
+    },
+    "inject": {
+        "head": "public/inject-head.html",
+        "bodyEnd": "public/inject-body.html"
+    }
+}