domma-cms 0.2.1 → 0.5.0

package/server/routes/public.js

@@ -1,108 +1,124 @@
-/**
- * Public Site Routes
- * Catch-all that resolves URL paths to Markdown pages and renders them server-side.
- * Draft pages are not served publicly.
- * The admin panel is excluded (handled by static serving).
- */
-import {getPage} from '../services/content.js';
-import {renderPage} from '../services/renderer.js';
-import {config} from '../config.js';
-
-export async function publicRoutes(fastify) {
-    // Admin panel: serve index.html for all /admin/* paths (SPA fallback)
-    fastify.get('/admin', async (request, reply) => {
-        return reply.redirect('/admin/');
-    });
-
-    // Health check
-    fastify.get('/api/health', async () => ({ status: 'ok' }));
-
-    // Public pages catch-all
-    fastify.get('/*', async (request, reply) => {
-        const rawPath = request.params['*'];
-
-        // Skip non-page paths (assets handled by static plugin)
-        if (rawPath.includes('.')) {
-            return reply.callNotFound();
-        }
-
-        const urlPath = '/' + (rawPath || '');
-
-        // Try exact path first, then with /index suffix for directory-style URLs
-        let page = await getPage(urlPath);
-
-        // Try fetching index of a directory path
-        if (!page && !urlPath.endsWith('/index')) {
-            page = await getPage(urlPath.replace(/\/$/, '') || '/');
-        }
-
-        if (!page) {
-            reply.status(404);
-            return reply.type('text/html').send(await render404(urlPath));
-        }
-
-        // Don't serve draft pages publicly
-        if (page.status !== 'published') {
-            reply.status(404);
-            return reply.type('text/html').send(await render404(urlPath));
-        }
-
-      // Enforce page visibility
-      if (page.visibility && page.visibility !== 'public') {
-        let userRole = null;
-        try {
-          const decoded = await request.jwtVerify();
-          userRole = decoded.role;
-        } catch { /* no token — treat as unauthenticated */
-        }
-
-        const roles = config.auth.roles;
-        const userLevel = roles[userRole]?.level ?? Infinity;
-        const requiredLevel = roles[page.visibility]?.level ?? 0;
-
-        if (userLevel > requiredLevel) {
-          reply.status(403);
-          return reply.type('text/html').send(accessDeniedHtml(urlPath));
-        }
-      }
-
-        const html = await renderPage(page);
-        return reply.type('text/html').send(html);
-    });
-}
-
-/**
- * Render a 404 response — tries content/pages/404.md first, falls back to
- * a minimal inline page so the site theme is applied when possible.
- */
-async function render404(urlPath) {
-    try {
-        const page404 = await getPage('/404');
-        if (page404 && page404.status === 'published') {
-            return await renderPage(page404);
-        }
-    } catch { /* fall through */ }
-    return notFoundHtml(urlPath);
-}
-
-function accessDeniedHtml(urlPath) {
-  return `<!DOCTYPE html>
-<html lang="en-GB">
-<head><meta charset="UTF-8"><title>403 Access Denied</title>
-<style>body{font-family:system-ui,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;background:#111;color:#eee;}
-.box{text-align:center;} h1{font-size:6rem;margin:0;color:#666;} p{color:#999;}</style>
-</head>
-<body><div class="box"><h1>403</h1><p>You don't have permission to view <code>${urlPath}</code></p><p><a href="/" style="color:#aaa">Go home</a></p></div></body>
-</html>`;
-}
-
-function notFoundHtml(urlPath) {
-    return `<!DOCTYPE html>
-<html lang="en-GB">
-<head><meta charset="UTF-8"><title>404 Not Found</title>
-<style>body{font-family:system-ui,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;background:#111;color:#eee;}
-.box{text-align:center;} h1{font-size:6rem;margin:0;color:#666;} p{color:#999;}</style>
-</head>
-<body><div class="box"><h1>404</h1><p>No page found at <code>${urlPath}</code></p><p><a href="/" style="color:#aaa">Go home</a></p></div></body>
-</html>`;
-}
+/**
+ * Public Site Routes
+ * Catch-all that resolves URL paths to Markdown pages and renders them server-side.
+ * Draft pages are not served publicly.
+ * The admin panel is excluded (handled by static serving).
+ */
+import {getPage} from '../services/content.js';
+import {renderPage} from '../services/renderer.js';
+import {getRoleLevel} from '../services/roles.js';
+
+/**
+ * Escape user-controlled strings before interpolating into HTML.
+ * Prevents reflected XSS in error pages.
+ *
+ * @param {string} str
+ * @returns {string}
+ */
+function escapeHtml(str) {
+    return String(str)
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}
+
+export async function publicRoutes(fastify) {
+    // Admin panel: serve index.html for all /admin/* paths (SPA fallback)
+    fastify.get('/admin', async (request, reply) => {
+        return reply.redirect('/admin/');
+    });
+
+    // Health check
+    fastify.get('/api/health', async () => ({ status: 'ok' }));
+
+    // Public pages catch-all
+    fastify.get('/*', async (request, reply) => {
+        const rawPath = request.params['*'];
+
+        // Skip non-page paths (assets handled by static plugin)
+        if (rawPath.includes('.')) {
+            return reply.callNotFound();
+        }
+
+        const urlPath = '/' + (rawPath || '');
+
+        // Try exact path first, then with /index suffix for directory-style URLs
+        let page = await getPage(urlPath);
+
+        // Try fetching index of a directory path
+        if (!page && !urlPath.endsWith('/index')) {
+            page = await getPage(urlPath.replace(/\/$/, '') || '/');
+        }
+
+        if (!page) {
+            reply.status(404);
+            return reply.type('text/html').send(await render404(urlPath));
+        }
+
+        // Don't serve draft pages publicly
+        if (page.status !== 'published') {
+            reply.status(404);
+            return reply.type('text/html').send(await render404(urlPath));
+        }
+
+        // Enforce page visibility
+        if (page.visibility && page.visibility !== 'public') {
+            let userRole = null;
+            try {
+                const decoded = await request.jwtVerify();
+                userRole = decoded.role;
+            } catch { /* no token — treat as unauthenticated */
+            }
+
+            const userLevel = getRoleLevel(userRole);
+            const visibilityLevel = getRoleLevel(page.visibility);
+            const requiredLevel = visibilityLevel === Infinity ? 0 : visibilityLevel;
+
+            if (userLevel > requiredLevel) {
+                reply.status(403);
+                return reply.type('text/html').send(accessDeniedHtml(urlPath));
+            }
+        }
+
+        const html = await renderPage(page);
+        return reply.type('text/html').send(html);
+    });
+}
+
+/**
+ * Render a 404 response — tries content/pages/404.md first, falls back to
+ * a minimal inline page so the site theme is applied when possible.
+ */
+async function render404(urlPath) {
+    try {
+        const page404 = await getPage('/404');
+        if (page404 && page404.status === 'published') {
+            return await renderPage(page404);
+        }
+    } catch { /* fall through */ }
+    return notFoundHtml(urlPath);
+}
+
+function accessDeniedHtml(urlPath) {
+    return `<!DOCTYPE html>
+<html lang="en-GB">
+<head><meta charset="UTF-8"><title>403 Access Denied</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;background:#111;color:#eee;}
+.box{text-align:center;} h1{font-size:6rem;margin:0;color:#666;} p{color:#999;}</style>
+</head>
+<body><div class="box"><h1>403</h1><p>You don't have permission to view <code>${escapeHtml(urlPath)}</code></p><p><a href="/" style="color:#aaa">Go home</a></p></div></body>
+</html>`;
+}
+
+function notFoundHtml(urlPath) {
+    return `<!DOCTYPE html>
+<html lang="en-GB">
+<head><meta charset="UTF-8"><title>404 Not Found</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;background:#111;color:#eee;}
+.box{text-align:center;} h1{font-size:6rem;margin:0;color:#666;} p{color:#999;}</style>
+</head>
+<body><div class="box"><h1>404</h1><p>No page found at <code>${escapeHtml(urlPath)}</code></p><p><a href="/" style="color:#aaa">Go home</a></p></div></body>
+</html>`;
+}