domma-cms 0.1.0

package/server/routes/api/pages.js

@@ -0,0 +1,118 @@
+/**
+ * Pages API
+ * GET    /api/pages          - list all pages
+ * GET    /api/pages/*        - get single page by URL path
+ * POST   /api/pages          - create page
+ * PUT    /api/pages/*        - update page
+ * DELETE /api/pages/*        - delete page
+ */
+import {createPage, deletePage, getPage, listPages, renamePage, updatePage} from '../../services/content.js';
+import {parseMarkdown} from '../../services/markdown.js';
+import {authenticate, requireRole} from '../../middleware/auth.js';
+import {config, getConfig, saveConfig} from '../../config.js';
+
+export async function pagesRoutes(fastify) {
+    const guard = { preHandler: [authenticate, requireRole(config.auth.permissions.pages)] };
+
+  // Render markdown preview (shortcodes + sanitize, no frontmatter)
+  fastify.post('/pages/preview', guard, async (request, reply) => {
+    const {markdown} = request.body;
+    if (typeof markdown !== 'string') return reply.status(400).send({error: 'markdown must be a string'});
+    const {html} = parseMarkdown(`---\ntitle: preview\n---\n${markdown}`);
+    return {html};
+  });
+
+    // List all pages
+    fastify.get('/pages', guard, async (request, reply) => {
+        const pages = await listPages();
+        return pages.map(p => ({
+            urlPath: p.urlPath,
+            title: p.title,
+            slug: p.slug,
+            status: p.status,
+            layout: p.layout,
+            showInNav: p.showInNav,
+            sortOrder: p.sortOrder,
+          category: p.category || null,
+          visibility: p.visibility || 'public',
+            updatedAt: p.updatedAt,
+            createdAt: p.createdAt
+        }));
+    });
+
+    // Get single page
+    fastify.get('/pages/*', guard, async (request, reply) => {
+        const urlPath = '/' + request.params['*'];
+        const page = await getPage(urlPath);
+        if (!page) return reply.status(404).send({ error: 'Page not found' });
+        return page;
+    });
+
+    // Create page
+    fastify.post('/pages', guard, async (request, reply) => {
+        const { urlPath, frontmatter, body } = request.body;
+        if (!urlPath) return reply.status(400).send({ error: 'urlPath is required' });
+
+        const existing = await getPage(urlPath);
+        if (existing) return reply.status(409).send({ error: 'Page already exists at that path' });
+
+        const page = await createPage(urlPath, frontmatter || {}, body || '');
+        return reply.status(201).send(page);
+    });
+
+    // Update page (optionally rename to a new URL path)
+    fastify.put('/pages/*', guard, async (request, reply) => {
+        const urlPath = '/' + request.params['*'];
+        const { frontmatter, body, newUrlPath } = request.body;
+
+        const existing = await getPage(urlPath);
+        if (!existing) return reply.status(404).send({ error: 'Page not found' });
+
+        if (newUrlPath && newUrlPath !== urlPath) {
+            const conflict = await getPage(newUrlPath);
+            if (conflict) return reply.status(409).send({ error: 'A page already exists at that path' });
+
+            await renamePage(urlPath, newUrlPath);
+            await rewriteNavLinks(urlPath, newUrlPath);
+
+            const page = await updatePage(newUrlPath, frontmatter || {}, body);
+            return page;
+        }
+
+        const page = await updatePage(urlPath, frontmatter || {}, body);
+        return page;
+    });
+
+    // Delete page
+    fastify.delete('/pages/*', guard, async (request, reply) => {
+        const urlPath = '/' + request.params['*'];
+        const existing = await getPage(urlPath);
+        if (!existing) return reply.status(404).send({ error: 'Page not found' });
+
+        await deletePage(urlPath);
+        return { success: true };
+    });
+}
+
+/**
+ * Rewrite any navigation item URLs that match oldUrlPath to newUrlPath,
+ * then persist the updated navigation config.
+ *
+ * @param {string} oldUrlPath
+ * @param {string} newUrlPath
+ * @returns {Promise<void>}
+ */
+async function rewriteNavLinks(oldUrlPath, newUrlPath) {
+    const nav = getConfig('navigation');
+    if (!nav?.items?.length) return;
+
+    let changed = false;
+    for (const item of nav.items) {
+        if (item.url === oldUrlPath) { item.url = newUrlPath; changed = true; }
+        for (const child of item.children || []) {
+            if (child.url === oldUrlPath) { child.url = newUrlPath; changed = true; }
+        }
+    }
+
+    if (changed) await saveConfig('navigation', nav);
+}

package/server/routes/api/plugins.js

@@ -0,0 +1,46 @@
+/**
+ * Plugins API
+ * GET /api/plugins              - list all discovered plugins + state (admin only)
+ * PUT /api/plugins/:name        - enable/disable, update settings (admin only)
+ * GET /api/plugins/admin-config - sidebar/routes/views for enabled plugins (authenticated)
+ */
+import { authenticate, requireAdmin } from '../../middleware/auth.js';
+import { discoverPlugins, getPluginStates, savePluginState, getAdminPluginConfig } from '../../services/plugins.js';
+
+export async function pluginsRoutes(fastify) {
+    // List all plugins with their current state
+    fastify.get('/plugins', { preHandler: [authenticate, requireAdmin] }, async () => {
+        const manifests = await discoverPlugins();
+        const states = getPluginStates();
+
+        return manifests.map(manifest => ({
+            name: manifest.name,
+            displayName: manifest.displayName || manifest.name,
+            version: manifest.version || '1.0.0',
+            description: manifest.description || '',
+            author: manifest.author || '',
+            date: manifest.date || '',
+            icon: manifest.icon || 'package',
+            enabled: !!(states[manifest.name]?.enabled),
+            settings: states[manifest.name]?.settings || {}
+        }));
+    });
+
+    // Enable/disable or update settings for a plugin
+    fastify.put('/plugins/:name', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
+        const { name } = request.params;
+        const { enabled, settings } = request.body || {};
+
+        const manifests = await discoverPlugins();
+        const manifest = manifests.find(m => m.name === name);
+        if (!manifest) return reply.status(404).send({ error: 'Plugin not found' });
+
+        savePluginState(name, { enabled: !!enabled, settings: settings || {} });
+        return { success: true };
+    });
+
+    // Return merged admin config (sidebar, routes, views) for enabled plugins
+    fastify.get('/plugins/admin-config', { preHandler: [authenticate] }, async () => {
+        return getAdminPluginConfig();
+    });
+}

package/server/routes/api/settings.js

@@ -0,0 +1,25 @@
+/**
+ * Settings API
+ * GET /api/settings      - get site settings
+ * PUT /api/settings      - save site settings
+ */
+import { getConfig, saveConfig } from '../../config.js';
+import { authenticate, requireRole } from '../../middleware/auth.js';
+import { config } from '../../config.js';
+
+export async function settingsRoutes(fastify) {
+    const guard = { preHandler: [authenticate, requireRole(config.auth.permissions.settings)] };
+
+    fastify.get('/settings', guard, async () => {
+        return getConfig('site');
+    });
+
+    fastify.put('/settings', guard, async (request, reply) => {
+        const data = request.body;
+        if (!data || typeof data !== 'object') {
+            return reply.status(400).send({ error: 'Invalid settings data' });
+        }
+        saveConfig('site', data);
+        return { success: true };
+    });
+}

package/server/routes/api/users.js

@@ -0,0 +1,110 @@
+/**
+ * Users API
+ * GET    /api/users      - list all users (admin, manager)
+ * GET    /api/users/:id  - single user (admin, manager, or self)
+ * POST   /api/users      - create user (admin, manager — manager cannot create admin)
+ * PUT    /api/users/:id  - update user (admin, manager — manager cannot edit admin)
+ * DELETE /api/users/:id  - delete user (admin, manager — manager cannot delete admin, no self-delete)
+ */
+import { authenticate, requireRole, canManageUser } from '../../middleware/auth.js';
+import { config } from '../../config.js';
+import {
+    listUsers,
+    getUserById,
+    createUser,
+    updateUser,
+    deleteUser
+} from '../../services/users.js';
+
+const { permissions } = config.auth;
+
+export async function usersRoutes(fastify) {
+    const guard = [authenticate, requireRole(permissions.users)];
+
+    // List all users
+    fastify.get('/users', { preHandler: guard }, async () => {
+        return listUsers();
+    });
+
+    // Get single user (admin, manager, or the user themselves)
+    fastify.get('/users/:id', { preHandler: [authenticate] }, async (request, reply) => {
+        const { id } = request.params;
+        const actor = request.user;
+
+        const isSelf = actor.id === id;
+        const canManage = permissions.users.includes(actor.role);
+
+        if (!isSelf && !canManage) {
+            return reply.code(403).send({ error: 'Forbidden' });
+        }
+
+        const user = await getUserById(id);
+        if (!user) return reply.status(404).send({ error: 'User not found' });
+        return user;
+    });
+
+    // Create user
+    fastify.post('/users', { preHandler: guard }, async (request, reply) => {
+        const { name, email, password, role } = request.body || {};
+        if (!name || !email || !password) {
+            return reply.status(400).send({ error: 'name, email and password are required' });
+        }
+        if (password.length < 8) {
+            return reply.status(400).send({ error: 'Password must be at least 8 characters' });
+        }
+
+        const targetRole = role || 'editor';
+        if (!canManageUser(request.user.role, targetRole)) {
+            return reply.code(403).send({ error: 'You cannot create a user with that role' });
+        }
+
+        try {
+            const user = await createUser({ name, email, password, role: targetRole });
+            return reply.status(201).send(user);
+        } catch (err) {
+            return reply.status(409).send({ error: err.message });
+        }
+    });
+
+    // Update user
+    fastify.put('/users/:id', { preHandler: guard }, async (request, reply) => {
+        const { id } = request.params;
+        const actor = request.user;
+
+        const target = await getUserById(id);
+        if (!target) return reply.status(404).send({ error: 'User not found' });
+
+        if (!canManageUser(actor.role, target.role)) {
+            return reply.code(403).send({ error: 'You cannot edit a user with that role' });
+        }
+
+        const updates = request.body || {};
+        // Prevent role escalation beyond what the actor can manage
+        if (updates.role && !canManageUser(actor.role, updates.role)) {
+            return reply.code(403).send({ error: 'You cannot assign that role' });
+        }
+
+        const user = await updateUser(id, updates);
+        return user;
+    });
+
+    // Delete user
+    fastify.delete('/users/:id', { preHandler: guard }, async (request, reply) => {
+        const { id } = request.params;
+        const actor = request.user;
+
+        if (actor.id === id) {
+            return reply.code(403).send({ error: 'You cannot delete your own account' });
+        }
+
+        const target = await getUserById(id);
+        if (!target) return reply.status(404).send({ error: 'User not found' });
+
+        if (!canManageUser(actor.role, target.role)) {
+            return reply.code(403).send({ error: 'You cannot delete a user with that role' });
+        }
+
+        await deleteUser(id);
+        return { success: true };
+    });
+}

package/server/routes/public.js

@@ -0,0 +1,108 @@
+/**
+ * Public Site Routes
+ * Catch-all that resolves URL paths to Markdown pages and renders them server-side.
+ * Draft pages are not served publicly.
+ * The admin panel is excluded (handled by static serving).
+ */
+import {getPage} from '../services/content.js';
+import {renderPage} from '../services/renderer.js';
+import {config} from '../config.js';
+
+export async function publicRoutes(fastify) {
+    // Admin panel: serve index.html for all /admin/* paths (SPA fallback)
+    fastify.get('/admin', async (request, reply) => {
+        return reply.redirect('/admin/');
+    });
+
+    // Health check
+    fastify.get('/api/health', async () => ({ status: 'ok' }));
+
+    // Public pages catch-all
+    fastify.get('/*', async (request, reply) => {
+        const rawPath = request.params['*'];
+
+        // Skip non-page paths (assets handled by static plugin)
+        if (rawPath.includes('.')) {
+            return reply.callNotFound();
+        }
+
+        const urlPath = '/' + (rawPath || '');
+
+        // Try exact path first, then with /index suffix for directory-style URLs
+        let page = await getPage(urlPath);
+
+        // Try fetching index of a directory path
+        if (!page && !urlPath.endsWith('/index')) {
+            page = await getPage(urlPath.replace(/\/$/, '') || '/');
+        }
+
+        if (!page) {
+            reply.status(404);
+            return reply.type('text/html').send(await render404(urlPath));
+        }
+
+        // Don't serve draft pages publicly
+        if (page.status !== 'published') {
+            reply.status(404);
+            return reply.type('text/html').send(await render404(urlPath));
+        }
+
+      // Enforce page visibility
+      if (page.visibility && page.visibility !== 'public') {
+        let userRole = null;
+        try {
+          const decoded = await request.jwtVerify();
+          userRole = decoded.role;
+        } catch { /* no token — treat as unauthenticated */
+        }
+
+        const roles = config.auth.roles;
+        const userLevel = roles[userRole]?.level ?? Infinity;
+        const requiredLevel = roles[page.visibility]?.level ?? 0;
+
+        if (userLevel > requiredLevel) {
+          reply.status(403);
+          return reply.type('text/html').send(accessDeniedHtml(urlPath));
+        }
+      }
+
+        const html = await renderPage(page);
+        return reply.type('text/html').send(html);
+    });
+}
+
+/**
+ * Render a 404 response — tries content/pages/404.md first, falls back to
+ * a minimal inline page so the site theme is applied when possible.
+ */
+async function render404(urlPath) {
+    try {
+        const page404 = await getPage('/404');
+        if (page404 && page404.status === 'published') {
+            return await renderPage(page404);
+        }
+    } catch { /* fall through */ }
+    return notFoundHtml(urlPath);
+}
+
+function accessDeniedHtml(urlPath) {
+  return `<!DOCTYPE html>
+<html lang="en-GB">
+<head><meta charset="UTF-8"><title>403 Access Denied</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;background:#111;color:#eee;}
+.box{text-align:center;} h1{font-size:6rem;margin:0;color:#666;} p{color:#999;}</style>
+</head>
+<body><div class="box"><h1>403</h1><p>You don't have permission to view <code>${urlPath}</code></p><p><a href="/" style="color:#aaa">Go home</a></p></div></body>
+</html>`;
+}
+
+function notFoundHtml(urlPath) {
+    return `<!DOCTYPE html>
+<html lang="en-GB">
+<head><meta charset="UTF-8"><title>404 Not Found</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;background:#111;color:#eee;}
+.box{text-align:center;} h1{font-size:6rem;margin:0;color:#666;} p{color:#999;}</style>
+</head>
+<body><div class="box"><h1>404</h1><p>No page found at <code>${urlPath}</code></p><p><a href="/" style="color:#aaa">Go home</a></p></div></body>
+</html>`;
+}

package/server/server.js

@@ -0,0 +1,169 @@
+/**
+ * Domma CMS - Fastify Server
+ * Serves the admin SPA, public site, REST API, and static assets.
+ * Domma dist files are served directly from node_modules/domma-js/public/dist.
+ */
+import 'dotenv/config';
+import Fastify from 'fastify';
+import jwt from '@fastify/jwt';
+import staticPlugin from '@fastify/static';
+import cors from '@fastify/cors';
+import multipart from '@fastify/multipart';
+import path from 'path';
+import fs from 'fs/promises';
+import {fileURLToPath} from 'url';
+import {createRequire} from 'module';
+import {config} from './config.js';
+import {registerPlugins} from './services/plugins.js';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const ROOT = path.resolve(__dirname, '..');
+
+// Resolve domma-js package location via require resolution
+const require = createRequire(import.meta.url);
+const dommaPackageDir = path.dirname(require.resolve('domma-js/package.json'));
+const DOMMA_DIST = path.join(dommaPackageDir, 'public', 'dist');
+
+const { server: serverConfig, auth: authConfig } = config;
+
+// Validate JWT_SECRET before starting — prevents silent auth failures
+const JWT_SECRET = process.env.JWT_SECRET;
+if (!JWT_SECRET || JWT_SECRET === 'CHANGE_ME' || JWT_SECRET.length < 32) {
+    console.error('');
+    console.error('  ERROR: JWT_SECRET is not set or is insecure.');
+    console.error('  Run `npm run setup` or set a secure JWT_SECRET in .env');
+    console.error('  (minimum 32 characters, not "CHANGE_ME")');
+    console.error('');
+    process.exit(1);
+}
+
+const app = Fastify({
+    logger: { level: process.env.NODE_ENV === 'development' ? 'info' : 'warn' }
+});
+
+// ---------------------------------------------------------------------------
+// Core Plugins
+// ---------------------------------------------------------------------------
+
+await app.register(jwt, { secret: process.env.JWT_SECRET });
+await app.register(cors, serverConfig.cors);
+await app.register(multipart, { limits: { fileSize: serverConfig.uploads.maxFileSize } });
+
+// ---------------------------------------------------------------------------
+// Static Assets
+// ---------------------------------------------------------------------------
+
+// Serve Domma dist files from npm package (shared by admin + public)
+await app.register(staticPlugin, {
+    root: DOMMA_DIST,
+    prefix: '/dist/domma/',
+    decorateReply: false
+});
+
+// Serve public site assets (CSS, JS, images, etc.)
+await app.register(staticPlugin, {
+    root: path.join(ROOT, 'public'),
+    prefix: '/public/',
+    decorateReply: false
+});
+
+// Serve admin panel assets
+await app.register(staticPlugin, {
+    root: path.join(ROOT, 'admin'),
+    prefix: '/admin/',
+    decorateReply: false
+});
+
+// Ensure required directories exist
+const mediaDir = path.join(ROOT, config.content.mediaDir);
+const usersDir = path.join(ROOT, config.content.usersDir);
+const pluginsDir = path.join(ROOT, 'plugins');
+await fs.mkdir(mediaDir, { recursive: true });
+await fs.mkdir(usersDir, { recursive: true });
+await fs.mkdir(pluginsDir, { recursive: true });
+
+// Serve uploaded media files
+await app.register(staticPlugin, {
+    root: mediaDir,
+    prefix: '/media/',
+    decorateReply: false
+});
+
+// Serve plugin admin/ and public/ subdirs only — block plugin.js, config.js, data/, etc.
+await app.register(async function pluginStaticScope(instance) {
+  instance.addHook('onRequest', (request, reply, done) => {
+    const relative = request.url.replace(/^\/plugins\//, '').split('?')[0];
+    const segments = relative.split('/');
+
+    if (relative.includes('..')) {
+      reply.code(403).send({error: 'Forbidden'});
+      return;
+    }
+    // Must be: {pluginName}/{admin|public}/{file...}
+    if (segments.length < 3 || !['admin', 'public'].includes(segments[1])) {
+      reply.code(404).send({error: 'Not found'});
+      return;
+    }
+    done();
+  });
+
+  await instance.register(staticPlugin, {
+    root: pluginsDir,
+    prefix: '/plugins/',
+    decorateReply: false
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Auth API Routes (no authentication required on these endpoints themselves)
+// ---------------------------------------------------------------------------
+
+const { authRoutes } = await import('./routes/api/auth.js');
+await app.register(authRoutes, { prefix: '/api' });
+
+// ---------------------------------------------------------------------------
+// Protected API Routes
+// ---------------------------------------------------------------------------
+
+const { pagesRoutes }      = await import('./routes/api/pages.js');
+const { settingsRoutes }   = await import('./routes/api/settings.js');
+const { layoutsRoutes }    = await import('./routes/api/layouts.js');
+const { navigationRoutes } = await import('./routes/api/navigation.js');
+const { mediaRoutes }      = await import('./routes/api/media.js');
+const { usersRoutes }      = await import('./routes/api/users.js');
+const { pluginsRoutes }    = await import('./routes/api/plugins.js');
+
+await app.register(pagesRoutes,      { prefix: '/api' });
+await app.register(settingsRoutes,   { prefix: '/api' });
+await app.register(layoutsRoutes,    { prefix: '/api' });
+await app.register(navigationRoutes, { prefix: '/api' });
+await app.register(mediaRoutes,      { prefix: '/api' });
+await app.register(usersRoutes,      { prefix: '/api' });
+await app.register(pluginsRoutes,    { prefix: '/api' });
+
+// ---------------------------------------------------------------------------
+// CMS Plugins (server-side Fastify plugins from plugins/ directory)
+// ---------------------------------------------------------------------------
+
+await registerPlugins(app);
+
+// ---------------------------------------------------------------------------
+// Public Site (catch-all — must be last)
+// ---------------------------------------------------------------------------
+
+const { publicRoutes } = await import('./routes/public.js');
+await app.register(publicRoutes);
+
+// ---------------------------------------------------------------------------
+// Start
+// ---------------------------------------------------------------------------
+
+try {
+    await app.listen({ port: serverConfig.port, host: serverConfig.host });
+    console.log(`Domma CMS running at http://localhost:${serverConfig.port}`);
+    console.log(`  Admin:  http://localhost:${serverConfig.port}/admin/`);
+    console.log(`  Public: http://localhost:${serverConfig.port}/`);
+} catch (err) {
+    app.log.error(err);
+    process.exit(1);
+}