domma-cms 0.23.0 → 0.24.0

package/server/routes/public.js

@@ -1,202 +1,202 @@
-/**
- * Public Site Routes
- * Catch-all that resolves URL paths to Markdown pages and renders them server-side.
- * Draft pages are not served publicly.
- * The admin panel is excluded (handled by static serving).
- */
-import {getPage} from '../services/content.js';
-import {renderPage} from '../services/renderer.js';
-import {buildRobotsTxt, generate as generateSitemap} from '../services/sitemap.js';
-import {checkVisibility} from '../middleware/auth.js';
-import {hooks} from '../services/hooks.js';
-import {getConfig} from '../config.js';
-import * as cache from '../services/cache/index.js';
-
-/**
- * Derive the absolute origin for the current request.
- *
- * Honours `site.baseUrl` as an explicit override (useful when the CMS sits
- * behind infrastructure that doesn't forward Host correctly). Otherwise
- * builds it from `request.protocol` + `request.host` — both of which Fastify
- * resolves from `X-Forwarded-*` headers when `trustProxy` is on. `request.host`
- * includes the port for non-default ports (e.g. `localhost:4096` in dev) and
- * omits it for the standard 80/443.
- *
- * @param {import('fastify').FastifyRequest} request
- * @returns {string} e.g. 'https://example.com' (no trailing slash)
- */
-function getBaseUrl(request) {
-    const override = (getConfig('site') || {}).baseUrl;
-    if (override) return override.toString().trim().replace(/\/+$/, '');
-    const host = request.host || request.headers.host || request.hostname;
-    return `${request.protocol}://${host}`;
-}
-
-/**
- * Escape user-controlled strings before interpolating into HTML.
- * Prevents reflected XSS in error pages.
- *
- * @param {string} str
- * @returns {string}
- */
-function escapeHtml(str) {
-    return String(str)
-        .replace(/&/g, '&')
-        .replace(/</g, '&lt;')
-        .replace(/>/g, '&gt;')
-        .replace(/"/g, '&quot;')
-        .replace(/'/g, '&#39;');
-}
-
-export async function publicRoutes(fastify) {
-    // Admin panel: serve index.html for all /admin/* paths (SPA fallback)
-    fastify.get('/admin', async (request, reply) => {
-        return reply.redirect('/admin/');
-    });
-
-    // Health check
-    fastify.get('/api/health', async () => ({ status: 'ok' }));
-
-    // SEO: sitemap.xml — cached per origin (so a single CMS responding on
-    // multiple domains gets the right absolute URLs); invalidated by page
-    // CRUD via the 'sitemap' tag.
-    fastify.get('/sitemap.xml', async (request, reply) => {
-        const baseUrl = getBaseUrl(request);
-        const xml = await cache.wrap(
-            `sitemap:xml:${baseUrl}`,
-            () => generateSitemap(baseUrl),
-            {tags: ['sitemap']}
-        );
-        return reply.type('application/xml').send(xml);
-    });
-
-    // SEO: robots.txt — cheap to build, no cache wrap needed.
-    fastify.get('/robots.txt', async (request, reply) => {
-        return reply.type('text/plain').send(buildRobotsTxt(getBaseUrl(request)));
-    });
-
-    // Public pages catch-all
-    fastify.get('/*', async (request, reply) => {
-        const rawPath = request.params['*'];
-
-        // Skip non-page paths (assets handled by static plugin)
-        if (rawPath.includes('.')) {
-            return reply.callNotFound();
-        }
-
-        const urlPath = '/' + (rawPath || '');
-
-        // First-pass page lookup — used only for the visibility decision
-        // (metadata-only is sufficient). We re-fetch below with `user` once
-        // it is resolved so the body's [menu] shortcode renders against the
-        // correct role.
-        let page = await getPage(urlPath);
-
-        // Try fetching index of a directory path
-        if (!page && !urlPath.endsWith('/index')) {
-            page = await getPage(urlPath.replace(/\/$/, '') || '/');
-        }
-
-        if (!page) {
-            reply.status(404);
-            return reply.type('text/html').send(await render404(urlPath));
-        }
-
-        // Don't serve draft pages publicly
-        if (page.status !== 'published') {
-            reply.status(404);
-            return reply.type('text/html').send(await render404(urlPath));
-        }
-
-        // Enforce page visibility — role only resolved for gated pages,
-        // so public pages share a single cache entry keyed `roleanon`.
-        //
-        // `visibility` may be a string ('public' | 'private' | role name) or
-        // an array of role names — see checkVisibility() for full semantics.
-        // Effectively-public values (missing, 'public', or an array containing
-        // 'public') skip JWT verification entirely so anonymous traffic hits
-        // the shared cache without auth cost.
-        // For per-role cache keying we use the primary role only — multi-role
-        // users still see correctly-gated content (checkVisibility consults
-        // additionalRoles too) but the cache key stays bounded to one entry
-        // per primary role rather than 2^N per role combination. The fallback
-        // is correctness: any user whose access depends on an additional role
-        // is granted, but their served HTML is the variant cached for their
-        // primary role's tier — fine for the public-site use case.
-        let userRole = null;
-        let userObj  = null;
-        const vis      = page.visibility;
-        const isPublic = !vis
-            || vis === 'public'
-            || (Array.isArray(vis) && (vis.length === 0 || vis.includes('public')));
-
-        if (!isPublic) {
-            try {
-                const decoded = await request.jwtVerify();
-                if (decoded.type === 'access') {
-                    userRole = decoded.role;
-                    userObj  = { role: decoded.role, additionalRoles: decoded.additionalRoles || [] };
-                }
-            } catch { /* no token — treat as unauthenticated */ }
-
-            if (!checkVisibility(userObj, vis)) {
-                reply.status(403);
-                return reply.type('text/html').send(accessDeniedHtml(urlPath));
-            }
-        }
-
-        const baseUrl = getBaseUrl(request);
-        const cacheKey = `page:${urlPath}:role${userRole ?? 'anon'}:o${baseUrl}`;
-        const cacheTags = [`page:${urlPath}`, ...(page.tags || []), 'nav', 'site'];
-        const html = await cache.wrap(
-            cacheKey,
-            async () => {
-                // Re-parse with user context so the body's [menu] shortcode
-                // sees the visitor's role for visibility filtering. The first
-                // getPage() above was anonymous because we hadn't decoded the
-                // JWT yet; this second pass uses the resolved userObj.
-                const pageForRole = await getPage(page.urlPath, {user: userObj}) || page;
-                return renderPage(pageForRole, {baseUrl, user: userObj});
-            },
-            {tags: cacheTags}
-        );
-        hooks.emit('content:pageViewed', {urlPath, title: page.title || ''});
-        return reply.type('text/html').send(html);
-    });
-}
-
-/**
- * Render a 404 response — tries content/pages/404.md first, falls back to
- * a minimal inline page so the site theme is applied when possible.
- */
-async function render404(urlPath) {
-    try {
-        const page404 = await getPage('/404');
-        if (page404 && page404.status === 'published') {
-            return await renderPage(page404);
-        }
-    } catch { /* fall through */ }
-    return notFoundHtml(urlPath);
-}
-
-function accessDeniedHtml(urlPath) {
-    return `<!DOCTYPE html>
-<html lang="en-GB">
-<head><meta charset="UTF-8"><title>403 Access Denied</title>
-<style>body{font-family:system-ui,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;background:#111;color:#eee;}
-.box{text-align:center;} h1{font-size:6rem;margin:0;color:#666;} p{color:#999;}</style>
-</head>
-<body><div class="box"><h1>403</h1><p>You don't have permission to view <code>${escapeHtml(urlPath)}</code></p><p><a href="/" style="color:#aaa">Go home</a></p></div></body>
-</html>`;
-}
-
-function notFoundHtml(urlPath) {
-    return `<!DOCTYPE html>
-<html lang="en-GB">
-<head><meta charset="UTF-8"><title>404 Not Found</title>
-<style>body{font-family:system-ui,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;background:#111;color:#eee;}
-.box{text-align:center;} h1{font-size:6rem;margin:0;color:#666;} p{color:#999;}</style>
-</head>
-<body><div class="box"><h1>404</h1><p>No page found at <code>${escapeHtml(urlPath)}</code></p><p><a href="/" style="color:#aaa">Go home</a></p></div></body>
-</html>`;
-}
+/**
+ * Public Site Routes
+ * Catch-all that resolves URL paths to Markdown pages and renders them server-side.
+ * Draft pages are not served publicly.
+ * The admin panel is excluded (handled by static serving).
+ */
+import {getPage} from '../services/content.js';
+import {renderPage} from '../services/renderer.js';
+import {buildRobotsTxt, generate as generateSitemap} from '../services/sitemap.js';
+import {checkVisibility} from '../middleware/auth.js';
+import {hooks} from '../services/hooks.js';
+import {getConfig} from '../config.js';
+import * as cache from '../services/cache/index.js';
+
+/**
+ * Derive the absolute origin for the current request.
+ *
+ * Honours `site.baseUrl` as an explicit override (useful when the CMS sits
+ * behind infrastructure that doesn't forward Host correctly). Otherwise
+ * builds it from `request.protocol` + `request.host` — both of which Fastify
+ * resolves from `X-Forwarded-*` headers when `trustProxy` is on. `request.host`
+ * includes the port for non-default ports (e.g. `localhost:4096` in dev) and
+ * omits it for the standard 80/443.
+ *
+ * @param {import('fastify').FastifyRequest} request
+ * @returns {string} e.g. 'https://example.com' (no trailing slash)
+ */
+function getBaseUrl(request) {
+    const override = (getConfig('site') || {}).baseUrl;
+    if (override) return override.toString().trim().replace(/\/+$/, '');
+    const host = request.host || request.headers.host || request.hostname;
+    return `${request.protocol}://${host}`;
+}
+
+/**
+ * Escape user-controlled strings before interpolating into HTML.
+ * Prevents reflected XSS in error pages.
+ *
+ * @param {string} str
+ * @returns {string}
+ */
+function escapeHtml(str) {
+    return String(str)
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}
+
+export async function publicRoutes(fastify) {
+    // Admin panel: serve index.html for all /admin/* paths (SPA fallback)
+    fastify.get('/admin', async (request, reply) => {
+        return reply.redirect('/admin/');
+    });
+
+    // Health check
+    fastify.get('/api/health', async () => ({ status: 'ok' }));
+
+    // SEO: sitemap.xml — cached per origin (so a single CMS responding on
+    // multiple domains gets the right absolute URLs); invalidated by page
+    // CRUD via the 'sitemap' tag.
+    fastify.get('/sitemap.xml', async (request, reply) => {
+        const baseUrl = getBaseUrl(request);
+        const xml = await cache.wrap(
+            `sitemap:xml:${baseUrl}`,
+            () => generateSitemap(baseUrl),
+            {tags: ['sitemap']}
+        );
+        return reply.type('application/xml').send(xml);
+    });
+
+    // SEO: robots.txt — cheap to build, no cache wrap needed.
+    fastify.get('/robots.txt', async (request, reply) => {
+        return reply.type('text/plain').send(buildRobotsTxt(getBaseUrl(request)));
+    });
+
+    // Public pages catch-all
+    fastify.get('/*', async (request, reply) => {
+        const rawPath = request.params['*'];
+
+        // Skip non-page paths (assets handled by static plugin)
+        if (rawPath.includes('.')) {
+            return reply.callNotFound();
+        }
+
+        const urlPath = '/' + (rawPath || '');
+
+        // First-pass page lookup — used only for the visibility decision
+        // (metadata-only is sufficient). We re-fetch below with `user` once
+        // it is resolved so the body's [menu] shortcode renders against the
+        // correct role.
+        let page = await getPage(urlPath);
+
+        // Try fetching index of a directory path
+        if (!page && !urlPath.endsWith('/index')) {
+            page = await getPage(urlPath.replace(/\/$/, '') || '/');
+        }
+
+        if (!page) {
+            reply.status(404);
+            return reply.type('text/html').send(await render404(urlPath));
+        }
+
+        // Don't serve draft pages publicly
+        if (page.status !== 'published') {
+            reply.status(404);
+            return reply.type('text/html').send(await render404(urlPath));
+        }
+
+        // Enforce page visibility — role only resolved for gated pages,
+        // so public pages share a single cache entry keyed `roleanon`.
+        //
+        // `visibility` may be a string ('public' | 'private' | role name) or
+        // an array of role names — see checkVisibility() for full semantics.
+        // Effectively-public values (missing, 'public', or an array containing
+        // 'public') skip JWT verification entirely so anonymous traffic hits
+        // the shared cache without auth cost.
+        // For per-role cache keying we use the primary role only — multi-role
+        // users still see correctly-gated content (checkVisibility consults
+        // additionalRoles too) but the cache key stays bounded to one entry
+        // per primary role rather than 2^N per role combination. The fallback
+        // is correctness: any user whose access depends on an additional role
+        // is granted, but their served HTML is the variant cached for their
+        // primary role's tier — fine for the public-site use case.
+        let userRole = null;
+        let userObj  = null;
+        const vis      = page.visibility;
+        const isPublic = !vis
+            || vis === 'public'
+            || (Array.isArray(vis) && (vis.length === 0 || vis.includes('public')));
+
+        if (!isPublic) {
+            try {
+                const decoded = await request.jwtVerify();
+                if (decoded.type === 'access') {
+                    userRole = decoded.role;
+                    userObj  = { role: decoded.role, additionalRoles: decoded.additionalRoles || [] };
+                }
+            } catch { /* no token — treat as unauthenticated */ }
+
+            if (!checkVisibility(userObj, vis)) {
+                reply.status(403);
+                return reply.type('text/html').send(accessDeniedHtml(urlPath));
+            }
+        }
+
+        const baseUrl = getBaseUrl(request);
+        const cacheKey = `page:${urlPath}:role${userRole ?? 'anon'}:o${baseUrl}`;
+        const cacheTags = [`page:${urlPath}`, ...(page.tags || []), 'nav', 'site'];
+        const html = await cache.wrap(
+            cacheKey,
+            async () => {
+                // Re-parse with user context so the body's [menu] shortcode
+                // sees the visitor's role for visibility filtering. The first
+                // getPage() above was anonymous because we hadn't decoded the
+                // JWT yet; this second pass uses the resolved userObj.
+                const pageForRole = await getPage(page.urlPath, {user: userObj}) || page;
+                return renderPage(pageForRole, {baseUrl, user: userObj});
+            },
+            {tags: cacheTags}
+        );
+        hooks.emit('content:pageViewed', {urlPath, title: page.title || ''});
+        return reply.type('text/html').send(html);
+    });
+}
+
+/**
+ * Render a 404 response — tries content/pages/404.md first, falls back to
+ * a minimal inline page so the site theme is applied when possible.
+ */
+async function render404(urlPath) {
+    try {
+        const page404 = await getPage('/404');
+        if (page404 && page404.status === 'published') {
+            return await renderPage(page404);
+        }
+    } catch { /* fall through */ }
+    return notFoundHtml(urlPath);
+}
+
+function accessDeniedHtml(urlPath) {
+    return `<!DOCTYPE html>
+<html lang="en-GB">
+<head><meta charset="UTF-8"><title>403 Access Denied</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;background:#111;color:#eee;}
+.box{text-align:center;} h1{font-size:6rem;margin:0;color:#666;} p{color:#999;}</style>
+</head>
+<body><div class="box"><h1>403</h1><p>You don't have permission to view <code>${escapeHtml(urlPath)}</code></p><p><a href="/" style="color:#aaa">Go home</a></p></div></body>
+</html>`;
+}
+
+function notFoundHtml(urlPath) {
+    return `<!DOCTYPE html>
+<html lang="en-GB">
+<head><meta charset="UTF-8"><title>404 Not Found</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;background:#111;color:#eee;}
+.box{text-align:center;} h1{font-size:6rem;margin:0;color:#666;} p{color:#999;}</style>
+</head>
+<body><div class="box"><h1>404</h1><p>No page found at <code>${escapeHtml(urlPath)}</code></p><p><a href="/" style="color:#aaa">Go home</a></p></div></body>
+</html>`;
+}

package/server/server.js

@@ -202,8 +202,13 @@ try {
 }
 
 try {
-    const {runMigration: runSidebarMigration} = await import('./services/sidebar-migration.js');
+    const {runMigration: runSidebarMigration, ensureSidebarItem} = await import('./services/sidebar-migration.js');
     await runSidebarMigration();
+    // Surface admin pages added after first boot on existing installs.
+    await ensureSidebarItem({
+        groupText: 'System',
+        item: {text: 'API Tokens', url: '#/api-tokens', icon: 'key', permission: 'api-tokens'}
+    });
 } catch (err) {
     app.log.warn(`[admin-sidebar] Migration skipped: ${err.message}`);
 }
@@ -279,6 +284,7 @@ const { navigationRoutes } = await import('./routes/api/navigation.js');
 const {menusRoutes}         = await import('./routes/api/menus.js');
 const {menuLocationsRoutes} = await import('./routes/api/menu-locations.js');
 const {projectsRoutes}      = await import('./routes/api/projects.js');
+const {apiTokensRoutes}     = await import('./routes/api/api-tokens.js');
 const {sidebarRoutes}       = await import('./routes/api/sidebar.js');
 const { mediaRoutes }      = await import('./routes/api/media.js');
 const { usersRoutes }      = await import('./routes/api/users.js');
@@ -304,6 +310,7 @@ await app.register(navigationRoutes,  { prefix: '/api' });
 await app.register(menusRoutes,         {prefix: '/api'});
 await app.register(menuLocationsRoutes, {prefix: '/api'});
 await app.register(projectsRoutes,      {prefix: '/api'});
+await app.register(apiTokensRoutes,     {prefix: '/api'});
 await app.register(sidebarRoutes,       {prefix: '/api'});
 await app.register(mediaRoutes,       { prefix: '/api' });
 await app.register(usersRoutes,       { prefix: '/api' });