domma-cms 0.1.0

package/scripts/setup.js

@@ -0,0 +1,263 @@
+#!/usr/bin/env node
+/**
+ * Domma CMS — Interactive Setup Wizard
+ *
+ * Run once after cloning: npm run setup
+ * Operates directly on files — does NOT import the Fastify server.
+ *
+ * Steps:
+ *   1. Generate JWT_SECRET (skips if already set)
+ *   2. Create admin account (skips if users already exist)
+ *   3. Set site title and tagline
+ *   4. Pick a theme
+ */
+import { createInterface } from 'node:readline/promises';
+import { randomBytes }     from 'node:crypto';
+import { readFile, writeFile, readdir, mkdir } from 'node:fs/promises';
+import { existsSync }      from 'node:fs';
+import path                from 'node:path';
+import { fileURLToPath }   from 'node:url';
+import bcrypt              from 'bcryptjs';
+import { v4 as uuidv4 }   from 'uuid';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const ROOT      = path.resolve(__dirname, '..');
+
+const ENV_FILE    = path.join(ROOT, '.env');
+const SITE_CONFIG = path.join(ROOT, 'config', 'site.json');
+const NAV_CONFIG  = path.join(ROOT, 'config', 'navigation.json');
+const USERS_DIR   = path.join(ROOT, 'content', 'users');
+
+const BCRYPT_ROUNDS = 10;
+
+const THEMES = [
+    'charcoal-dark',  'charcoal-light',
+    'ocean-dark',     'ocean-light',
+    'forest-dark',    'forest-light',
+    'sunset-dark',    'sunset-light',
+    'royal-dark',     'royal-light',
+    'lemon-dark',     'lemon-light',
+    'silver-dark',    'silver-light',
+    'grayve',
+];
+
+// ---------------------------------------------------------------------------
+// Utilities
+// ---------------------------------------------------------------------------
+
+function section(title) {
+    console.log(`\n  ${title}`);
+    console.log(`  ${'─'.repeat(title.length)}`);
+}
+
+/** Read password from stdin with character masking (*). */
+function readPassword(label) {
+    return new Promise((resolve) => {
+        process.stdout.write(`  ${label}: `);
+        const chars = [];
+
+        process.stdin.setRawMode(true);
+        process.stdin.setEncoding('utf8');
+        process.stdin.resume();
+
+        const handler = (key) => {
+            if (key === '\r' || key === '\n') {
+                process.stdin.setRawMode(false);
+                process.stdin.pause();
+                process.stdin.off('data', handler);
+                process.stdout.write('\n');
+                resolve(chars.join(''));
+            } else if (key === '\u007F' || key === '\b') {
+                if (chars.length > 0) {
+                    chars.pop();
+                    process.stdout.write('\b \b');
+                }
+            } else if (key === '\u0003') {
+                process.stdout.write('\n');
+                process.exit(1);
+            } else {
+                chars.push(key);
+                process.stdout.write('*');
+            }
+        };
+
+        process.stdin.on('data', handler);
+    });
+}
+
+/** Read the current .env as a key→value map. */
+async function readEnv() {
+    if (!existsSync(ENV_FILE)) return {};
+    const lines = (await readFile(ENV_FILE, 'utf8')).split('\n');
+    return Object.fromEntries(
+        lines
+            .filter(l => l.includes('=') && !l.trimStart().startsWith('#'))
+            .map(l => {
+                const idx = l.indexOf('=');
+                return [l.slice(0, idx).trim(), l.slice(idx + 1).trim()];
+            })
+    );
+}
+
+/** Write an env map back to .env (preserves order). */
+async function writeEnv(env) {
+    const lines = Object.entries(env).map(([k, v]) => `${k}=${v}`);
+    await writeFile(ENV_FILE, lines.join('\n') + '\n', 'utf8');
+}
+
+/** Count .json files in the users directory. */
+async function countUsers() {
+    try {
+        const files = await readdir(USERS_DIR);
+        return files.filter(f => f.endsWith('.json')).length;
+    } catch {
+        return 0;
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+console.log('');
+console.log('  ┌────────────────────────────┐');
+console.log('  │   Domma CMS Setup Wizard   │');
+console.log('  └────────────────────────────┘');
+
+// ---------------------------------------------------------------------------
+// Step 1 — JWT Secret
+// ---------------------------------------------------------------------------
+section('1. JWT Secret');
+
+const env            = await readEnv();
+const existingSecret = env.JWT_SECRET ?? '';
+const isPlaceholder  = !existingSecret
+    || existingSecret.toLowerCase().startsWith('change')
+    || existingSecret.length < 32;
+
+if (!isPlaceholder) {
+    console.log('  ✓ JWT_SECRET already configured — skipping.');
+} else {
+    const secret = randomBytes(48).toString('hex');
+    env.JWT_SECRET = secret;
+    if (!env.NODE_ENV) env.NODE_ENV = 'development';
+    await writeEnv(env);
+    console.log('  ✓ Secure JWT_SECRET generated and written to .env');
+}
+
+// ---------------------------------------------------------------------------
+// Step 2 — Admin Account
+// ---------------------------------------------------------------------------
+section('2. Admin Account');
+
+const userCount = await countUsers();
+if (userCount > 0) {
+    console.log(`  ✓ ${userCount} user(s) already exist — skipping admin creation.`);
+} else {
+    console.log('  No users found. Create the first admin account.\n');
+
+    let rl = createInterface({ input: process.stdin, output: process.stdout });
+    const name  = (await rl.question('  Full name     : ')).trim();
+    const email = (await rl.question('  Email address : ')).trim();
+    rl.close();
+
+    const password = await readPassword('Password (min. 8 chars)');
+
+    if (!name || !email || !password) {
+        console.error('\n  Error: all fields are required.\n');
+        process.exit(1);
+    }
+    if (password.length < 8) {
+        console.error('\n  Error: password must be at least 8 characters.\n');
+        process.exit(1);
+    }
+
+    process.stdout.write('\n  Hashing password…');
+    const hash = await bcrypt.hash(password, BCRYPT_ROUNDS);
+    const now  = new Date().toISOString();
+
+    const user = {
+        id:        uuidv4(),
+        email:     email.toLowerCase(),
+        name,
+        password:  hash,
+        role:      'admin',
+        isActive:  true,
+        createdAt: now,
+        updatedAt: now,
+        lastLogin: null
+    };
+
+    await mkdir(USERS_DIR, { recursive: true });
+    await writeFile(
+        path.join(USERS_DIR, `${user.id}.json`),
+        JSON.stringify(user, null, 2) + '\n',
+        'utf8'
+    );
+
+    console.log(` done.\n  ✓ Admin account created for ${email}`);
+}
+
+// ---------------------------------------------------------------------------
+// Step 3 — Site Identity
+// ---------------------------------------------------------------------------
+section('3. Site Identity');
+
+{
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+
+    const siteTitle = (await rl.question('  Site title : ')).trim();
+    const tagline   = (await rl.question('  Tagline    : ')).trim();
+
+    rl.close();
+
+    const site = JSON.parse(await readFile(SITE_CONFIG, 'utf8'));
+    if (siteTitle) site.title = siteTitle;
+    if (tagline)   site.tagline = tagline;
+    site.seo = site.seo ?? {};
+    if (siteTitle) site.seo.defaultTitle = siteTitle;
+    await writeFile(SITE_CONFIG, JSON.stringify(site, null, 4) + '\n', 'utf8');
+
+    const nav = JSON.parse(await readFile(NAV_CONFIG, 'utf8'));
+    nav.brand      = nav.brand ?? {};
+    if (siteTitle) nav.brand.text = siteTitle;
+    await writeFile(NAV_CONFIG, JSON.stringify(nav, null, 4) + '\n', 'utf8');
+
+    console.log('  ✓ Updated config/site.json and config/navigation.json');
+}
+
+// ---------------------------------------------------------------------------
+// Step 4 — Theme
+// ---------------------------------------------------------------------------
+section('4. Theme');
+
+THEMES.forEach((t, i) => {
+    const num = String(i + 1).padStart(2);
+    process.stdout.write(`  [${num}] ${t.padEnd(18)}`);
+    if ((i + 1) % 3 === 0 || i === THEMES.length - 1) process.stdout.write('\n');
+});
+
+{
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    const choice = (await rl.question(`\n  Choice (1–${THEMES.length}, Enter = charcoal-dark): `)).trim();
+    rl.close();
+
+    const idx   = parseInt(choice, 10) - 1;
+    const theme = (idx >= 0 && idx < THEMES.length) ? THEMES[idx] : 'charcoal-dark';
+
+    const site = JSON.parse(await readFile(SITE_CONFIG, 'utf8'));
+    site.theme = theme;
+    await writeFile(SITE_CONFIG, JSON.stringify(site, null, 4) + '\n', 'utf8');
+
+    console.log(`  ✓ Theme set to "${theme}"`);
+}
+
+// ---------------------------------------------------------------------------
+// Done
+// ---------------------------------------------------------------------------
+console.log('');
+console.log('  ══════════════════════════════════════');
+console.log('  Setup complete!  Start the server with:');
+console.log('  npm start');
+console.log('  ══════════════════════════════════════');
+console.log('');

package/server/config.js

@@ -0,0 +1,56 @@
+/**
+ * Config Loader
+ * Loads configuration from config/ JSON files.
+ *
+ * Structural config (server, auth, content) is loaded once at startup.
+ * Admin-editable config (site, navigation, presets, plugins) uses
+ * getConfig()/saveConfig() to read/write fresh from disk on each call.
+ */
+import fs from 'fs';
+import path from 'path';
+
+const CONFIG_DIR = path.resolve('config');
+
+/**
+ * Synchronously load and parse a JSON config file.
+ *
+ * @param {string} name - File name without extension
+ * @returns {object}
+ */
+function loadJson(name) {
+    return JSON.parse(fs.readFileSync(path.join(CONFIG_DIR, `${name}.json`), 'utf8'));
+}
+
+/**
+ * Read a config JSON file from disk (always fresh).
+ *
+ * @param {string} name - File name without extension
+ * @returns {object}
+ */
+export function getConfig(name) {
+    return JSON.parse(fs.readFileSync(path.join(CONFIG_DIR, `${name}.json`), 'utf8'));
+}
+
+/**
+ * Write a config JSON file to disk.
+ *
+ * @param {string} name - File name without extension
+ * @param {object} data
+ * @returns {void}
+ */
+export function saveConfig(name, data) {
+    fs.writeFileSync(path.join(CONFIG_DIR, `${name}.json`), JSON.stringify(data, null, 2) + '\n');
+}
+
+/**
+ * Structural config — loaded once at startup.
+ * Do not use for admin-editable settings (site, navigation, presets, plugins).
+ */
+const serverConfig = loadJson('server');
+if (process.env.PORT) serverConfig.port = parseInt(process.env.PORT, 10);
+
+export const config = {
+  server: serverConfig,
+    auth: loadJson('auth'),
+    content: loadJson('content')
+};

package/server/middleware/auth.js

@@ -0,0 +1,97 @@
+/**
+ * Authentication Middleware
+ * JWT-based authentication with role guards for Domma CMS.
+ */
+import { config } from '../config.js';
+
+const { roles } = config.auth;
+
+/**
+ * Role hierarchy ordered from most to least privileged.
+ * Used by canManageUser() to compare privilege levels.
+ */
+export const ROLE_HIERARCHY = Object.entries(roles)
+    .sort((a, b) => a[1].level - b[1].level)
+    .map(([key]) => key);
+
+export const ROLES = Object.fromEntries(
+    Object.entries(roles).map(([key]) => [key.toUpperCase(), key])
+);
+
+/**
+ * Verify JWT Bearer token. Populates request.user on success.
+ *
+ * @param {FastifyRequest} request
+ * @param {FastifyReply} reply
+ * @returns {Promise<void>}
+ */
+export async function authenticate(request, reply) {
+    try {
+        await request.jwtVerify();
+    } catch {
+        return reply.code(401).send({
+            statusCode: 401,
+            error: 'Unauthorised',
+            message: 'Invalid or missing authentication token'
+        });
+    }
+}
+
+/**
+ * Return a preHandler that enforces one of the specified roles.
+ * Must be used after authenticate.
+ *
+ * @param {string[]} allowedRoles
+ * @returns {Function}
+ */
+export function requireRole(allowedRoles) {
+    const allowed = Array.isArray(allowedRoles) ? allowedRoles : [allowedRoles];
+
+    return async (request, reply) => {
+        if (!request.user) {
+            return reply.code(401).send({
+                statusCode: 401,
+                error: 'Unauthorised',
+                message: 'Authentication required'
+            });
+        }
+
+        if (!allowed.includes(request.user.role)) {
+            return reply.code(403).send({
+                statusCode: 403,
+                error: 'Forbidden',
+                message: `Access denied. Required role: ${allowed.join(' or ')}`
+            });
+        }
+    };
+}
+
+/**
+ * Shorthand preHandler — admin only.
+ *
+ * @param {FastifyRequest} request
+ * @param {FastifyReply} reply
+ * @returns {Promise<void>}
+ */
+export async function requireAdmin(request, reply) {
+    if (!request.user) {
+        return reply.code(401).send({ statusCode: 401, error: 'Unauthorised', message: 'Authentication required' });
+    }
+    if (request.user.role !== 'admin') {
+        return reply.code(403).send({ statusCode: 403, error: 'Forbidden', message: 'Admin access required' });
+    }
+}
+
+/**
+ * Determine whether an actor can manage a target user.
+ * Managers cannot create, edit, or delete admins.
+ *
+ * @param {string} actorRole - Role of the user performing the action
+ * @param {string} targetRole - Role of the user being acted upon
+ * @returns {boolean}
+ */
+export function canManageUser(actorRole, targetRole) {
+    const actorLevel = roles[actorRole]?.level ?? Infinity;
+    const targetLevel = roles[targetRole]?.level ?? Infinity;
+    return actorLevel < targetLevel;
+}

package/server/routes/api/auth.js

@@ -0,0 +1,116 @@
+/**
+ * Auth API
+ * GET  /api/auth/setup-status  - check if any users exist
+ * POST /api/auth/setup         - create initial admin (only when 0 users)
+ * POST /api/auth/login         - { email, password } → { token, refreshToken, user }
+ * GET  /api/auth/me            - return current user from token
+ * POST /api/auth/refresh       - { refreshToken } → { token }
+ */
+import { config } from '../../config.js';
+import { authenticate } from '../../middleware/auth.js';
+import {
+    countUsers,
+    createUser,
+    getUserByEmail,
+    getUserById,
+    touchLastLogin,
+    validatePassword
+} from '../../services/users.js';
+
+const { accessTokenExpiry, refreshTokenExpiry } = config.auth;
+
+export async function authRoutes(fastify) {
+    // GET /api/auth/setup-status
+    fastify.get('/auth/setup-status', async () => {
+        const count = await countUsers();
+        return { needsSetup: count === 0 };
+    });
+
+    // POST /api/auth/setup — create the very first admin (only allowed when no users exist)
+    fastify.post('/auth/setup', async (request, reply) => {
+        const count = await countUsers();
+        if (count > 0) {
+            return reply.status(403).send({ error: 'Setup already complete' });
+        }
+
+        const { name, email, password } = request.body || {};
+        if (!name || !email || !password) {
+            return reply.status(400).send({ error: 'name, email and password are required' });
+        }
+        if (password.length < 8) {
+            return reply.status(400).send({ error: 'Password must be at least 8 characters' });
+        }
+
+        const user = await createUser({ name, email, password, role: 'admin' });
+        const { token, refreshToken } = signTokens(fastify, user);
+        return reply.status(201).send({ token, refreshToken, user });
+    });
+
+    // POST /api/auth/login
+    fastify.post('/auth/login', async (request, reply) => {
+        const { email, password } = request.body || {};
+        if (!email || !password) {
+            return reply.status(400).send({ error: 'email and password are required' });
+        }
+
+        const user = await getUserByEmail(email);
+        if (!user || !user.isActive) {
+            return reply.status(401).send({ error: 'Invalid credentials' });
+        }
+
+        const valid = await validatePassword(password, user.password);
+        if (!valid) {
+            return reply.status(401).send({ error: 'Invalid credentials' });
+        }
+
+        await touchLastLogin(user.id);
+
+        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role };
+        const { token, refreshToken } = signTokens(fastify, safeUser);
+        return { token, refreshToken, user: safeUser };
+    });
+
+    // GET /api/auth/me
+    fastify.get('/auth/me', { preHandler: [authenticate] }, async (request, reply) => {
+        const user = await getUserById(request.user.id);
+        if (!user) return reply.status(404).send({ error: 'User not found' });
+        return user;
+    });
+
+    // POST /api/auth/refresh
+    fastify.post('/auth/refresh', async (request, reply) => {
+        const { refreshToken } = request.body || {};
+        if (!refreshToken) {
+            return reply.status(400).send({ error: 'refreshToken is required' });
+        }
+
+        let payload;
+        try {
+            payload = fastify.jwt.verify(refreshToken);
+        } catch {
+            return reply.status(401).send({ error: 'Invalid or expired refresh token' });
+        }
+
+        const user = await getUserById(payload.id);
+        if (!user || !user.isActive) {
+            return reply.status(401).send({ error: 'User not found or inactive' });
+        }
+
+        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role };
+        const token = fastify.jwt.sign(safeUser, { expiresIn: accessTokenExpiry });
+        return { token };
+    });
+}
+
+/**
+ * Sign both access and refresh tokens for a user payload.
+ *
+ * @param {object} fastify
+ * @param {object} payload
+ * @returns {{ token: string, refreshToken: string }}
+ */
+function signTokens(fastify, payload) {
+    const token = fastify.jwt.sign(payload, { expiresIn: accessTokenExpiry });
+    const refreshToken = fastify.jwt.sign(payload, { expiresIn: refreshTokenExpiry });
+    return { token, refreshToken };
+}

package/server/routes/api/layouts.js

@@ -0,0 +1,25 @@
+/**
+ * Layouts (Presets) API
+ * GET /api/layouts       - get all layout presets
+ * PUT /api/layouts       - save layout presets
+ */
+import { getConfig, saveConfig } from '../../config.js';
+import { authenticate, requireRole } from '../../middleware/auth.js';
+import { config } from '../../config.js';
+
+export async function layoutsRoutes(fastify) {
+    const guard = { preHandler: [authenticate, requireRole(config.auth.permissions.layouts)] };
+
+    fastify.get('/layouts', guard, async () => {
+        return getConfig('presets');
+    });
+
+    fastify.put('/layouts', guard, async (request, reply) => {
+        const data = request.body;
+        if (!data || typeof data !== 'object') {
+            return reply.status(400).send({ error: 'Invalid presets data' });
+        }
+        saveConfig('presets', data);
+        return { success: true };
+    });
+}

package/server/routes/api/media.js

@@ -0,0 +1,93 @@
+/**
+ * Media API
+ * GET    /api/media       - list media files
+ * POST   /api/media       - upload a file
+ * DELETE /api/media/:name - delete a file
+ */
+import path from 'path';
+import {deleteMedia, listMedia, renameMedia, saveMedia} from '../../services/content.js';
+import {getImageInfo, isEditableImage, transformImage} from '../../services/images.js';
+import {authenticate, requireRole} from '../../middleware/auth.js';
+import {config} from '../../config.js';
+
+// Safe filename: strip path traversal and restrict to alphanumeric + safe chars
+function sanitiseFilename(name) {
+    return path.basename(name).replace(/[^a-zA-Z0-9._-]/g, '_');
+}
+
+export async function mediaRoutes(fastify) {
+    const guard = { preHandler: [authenticate, requireRole(config.auth.permissions.media)] };
+
+    fastify.get('/media', guard, async () => {
+        return listMedia();
+    });
+
+    fastify.post('/media', guard, async (request, reply) => {
+      const results = [];
+      for await (const data of request.files()) {
+        const filename = sanitiseFilename(data.filename);
+        const chunks = [];
+        for await (const chunk of data.file) {
+          chunks.push(chunk);
+        }
+        results.push(await saveMedia(filename, Buffer.concat(chunks)));
+      }
+      if (!results.length) return reply.status(400).send({error: 'No file uploaded'});
+      return reply.status(201).send(results.length === 1 ? results[0] : results);
+    });
+
+  fastify.patch('/media/:name', guard, async (request, reply) => {
+    const oldName = sanitiseFilename(request.params.name);
+    const newName = sanitiseFilename(request.body?.newName ?? '');
+    if (!newName) return reply.status(400).send({error: 'newName is required.'});
+    if (oldName === newName) return reply.status(400).send({error: 'New name is the same as the current name.'});
+    try {
+      return await renameMedia(oldName, newName);
+    } catch (err) {
+      return reply.status(409).send({error: err.message});
+    }
+  });
+
+    fastify.delete('/media/:name', guard, async (request, reply) => {
+        const name = sanitiseFilename(request.params.name);
+        await deleteMedia(name);
+        return { success: true };
+    });
+
+  fastify.get('/media/:name/info', guard, async (request, reply) => {
+    const name = sanitiseFilename(request.params.name);
+    if (!isEditableImage(name)) {
+      return reply.status(400).send({error: 'Not an editable image format'});
+    }
+    try {
+      return await getImageInfo(name);
+    } catch {
+      return reply.status(404).send({error: 'File not found'});
+    }
+  });
+
+  fastify.post('/media/:name/transform', guard, async (request, reply) => {
+    const name = sanitiseFilename(request.params.name);
+    if (!isEditableImage(name)) {
+      return reply.status(400).send({error: 'Not an editable image format'});
+    }
+
+    const {operations = {}, saveAs} = request.body ?? {};
+
+    // Sanitise fields that reference filesystem paths
+    if (operations.watermark?.image) {
+      operations.watermark.image = sanitiseFilename(operations.watermark.image);
+    }
+    if (operations._deleteOriginal) {
+      operations._deleteOriginal = sanitiseFilename(operations._deleteOriginal);
+    }
+
+    const outputFilename = saveAs ? sanitiseFilename(saveAs) : null;
+
+    try {
+      return await transformImage(name, operations, outputFilename);
+    } catch (err) {
+      return reply.status(500).send({error: err.message});
+    }
+  });
+}

package/server/routes/api/navigation.js

@@ -0,0 +1,37 @@
+/**
+ * Navigation API
+ * GET /api/navigation    - get navigation config
+ * PUT /api/navigation    - save navigation config
+ */
+import { getConfig, saveConfig } from '../../config.js';
+import { authenticate, requireRole } from '../../middleware/auth.js';
+import { config } from '../../config.js';
+
+export async function navigationRoutes(fastify) {
+    const guard = { preHandler: [authenticate, requireRole(config.auth.permissions.navigation)] };
+
+    fastify.get('/navigation', guard, async () => {
+        return getConfig('navigation');
+    });
+
+    fastify.put('/navigation', guard, async (request, reply) => {
+        const data = request.body;
+        if (!data || typeof data !== 'object') {
+            return reply.status(400).send({ error: 'Invalid navigation data' });
+        }
+        // Normalise child key: Domma navbar expects `items`, not `children`
+        if (Array.isArray(data.items)) {
+            data.items = data.items.map(item => {
+                const children = item.items || item.children;
+                if (children?.length) {
+                    const { children: _c, ...rest } = item;
+                    return { ...rest, items: children };
+                }
+                const { children: _c, ...rest } = item;
+                return rest;
+            });
+        }
+        saveConfig('navigation', data);
+        return { success: true };
+    });
+}