domma-cms 0.3.0 → 0.5.2

package/server/routes/api/auth.js

@@ -1,146 +1,292 @@
-/**
- * Auth API
- * GET  /api/auth/setup-status  - check if any users exist
- * POST /api/auth/setup         - create initial admin (only when 0 users)
- * POST /api/auth/login         - { email, password } → { token, refreshToken, user }
- * GET  /api/auth/me            - return current user from token
- * POST /api/auth/refresh       - { refreshToken } → { token }
- * POST /api/auth/logout        - { refreshToken } → { ok: true } — blacklists the refresh token
- */
-import {config} from '../../config.js';
-import {authenticate} from '../../middleware/auth.js';
-import {
-  countUsers,
-  createUser,
-  getUserByEmail,
-  getUserById,
-  touchLastLogin,
-  validatePassword
-} from '../../services/users.js';
-
-const { accessTokenExpiry, refreshTokenExpiry } = config.auth;
-
-/** In-memory blacklist of invalidated refresh tokens (cleared on server restart). */
-const blacklistedRefreshTokens = new Set();
-
-// Purge expired tokens every 15 minutes to avoid unbounded growth.
-setInterval(() => {
-  for (const token of blacklistedRefreshTokens) {
-    try {
-      fastifyRef.jwt.verify(token);
-    } catch {
-      blacklistedRefreshTokens.delete(token);
-    }
-  }
-}, 15 * 60 * 1000);
-
-/** Holds the fastify instance once routes are registered (needed by the cleanup interval). */
-let fastifyRef;
-
-export async function authRoutes(fastify) {
-  fastifyRef = fastify;
-    // GET /api/auth/setup-status
-    fastify.get('/auth/setup-status', async () => {
-        const count = await countUsers();
-        return { needsSetup: count === 0 };
-    });
-
-    // POST /api/auth/setup — create the very first admin (only allowed when no users exist)
-    fastify.post('/auth/setup', async (request, reply) => {
-        const count = await countUsers();
-        if (count > 0) {
-            return reply.status(403).send({ error: 'Setup already complete' });
-        }
-
-        const { name, email, password } = request.body || {};
-        if (!name || !email || !password) {
-            return reply.status(400).send({ error: 'name, email and password are required' });
-        }
-        if (password.length < 8) {
-            return reply.status(400).send({ error: 'Password must be at least 8 characters' });
-        }
-
-        const user = await createUser({ name, email, password, role: 'admin' });
-        const { token, refreshToken } = signTokens(fastify, user);
-        return reply.status(201).send({ token, refreshToken, user });
-    });
-
-    // POST /api/auth/login
-    fastify.post('/auth/login', async (request, reply) => {
-        const { email, password } = request.body || {};
-        if (!email || !password) {
-            return reply.status(400).send({ error: 'email and password are required' });
-        }
-
-        const user = await getUserByEmail(email);
-        if (!user || !user.isActive) {
-            return reply.status(401).send({ error: 'Invalid credentials' });
-        }
-
-        const valid = await validatePassword(password, user.password);
-        if (!valid) {
-            return reply.status(401).send({ error: 'Invalid credentials' });
-        }
-
-        await touchLastLogin(user.id);
-
-        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role };
-        const { token, refreshToken } = signTokens(fastify, safeUser);
-        return { token, refreshToken, user: safeUser };
-    });
-
-    // GET /api/auth/me
-    fastify.get('/auth/me', { preHandler: [authenticate] }, async (request, reply) => {
-        const user = await getUserById(request.user.id);
-        if (!user) return reply.status(404).send({ error: 'User not found' });
-        return user;
-    });
-
-  // POST /api/auth/logout — blacklists the refresh token (fire-and-forget safe: no auth required)
-  fastify.post('/auth/logout', async (request) => {
-    const {refreshToken} = request.body || {};
-    if (refreshToken) blacklistedRefreshTokens.add(refreshToken);
-    return {ok: true};
-  });
-
-    // POST /api/auth/refresh
-    fastify.post('/auth/refresh', async (request, reply) => {
-        const { refreshToken } = request.body || {};
-        if (!refreshToken) {
-            return reply.status(400).send({ error: 'refreshToken is required' });
-        }
-
-      if (blacklistedRefreshTokens.has(refreshToken)) {
-        return reply.status(401).send({error: 'Refresh token has been revoked'});
-      }
-
-        let payload;
-        try {
-            payload = fastify.jwt.verify(refreshToken);
-        } catch {
-            return reply.status(401).send({ error: 'Invalid or expired refresh token' });
-        }
-
-        const user = await getUserById(payload.id);
-        if (!user || !user.isActive) {
-            return reply.status(401).send({ error: 'User not found or inactive' });
-        }
-
-        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role };
-        const token = fastify.jwt.sign(safeUser, { expiresIn: accessTokenExpiry });
-        return { token };
-    });
-}
-
-/**
- * Sign both access and refresh tokens for a user payload.
- *
- * @param {object} fastify
- * @param {object} payload
- * @returns {{ token: string, refreshToken: string }}
- */
-function signTokens(fastify, payload) {
-    const token = fastify.jwt.sign(payload, { expiresIn: accessTokenExpiry });
-    const refreshToken = fastify.jwt.sign(payload, { expiresIn: refreshTokenExpiry });
-    return { token, refreshToken };
-}
+/**
+ * Auth API
+ * GET  /api/auth/setup-status  - check if any users exist
+ * POST /api/auth/setup         - create initial admin (only when 0 users)
+ * POST /api/auth/login         - { email, password } → { token, refreshToken, user }
+ * GET  /api/auth/me            - return current user from token
+ * POST /api/auth/refresh       - { refreshToken } → { token }
+ * POST /api/auth/logout        - { refreshToken } → { ok: true } — blacklists the refresh token
+ */
+import crypto from 'node:crypto';
+import {config, getConfig} from '../../config.js';
+import {authenticate, getPermissionsForRole} from '../../middleware/auth.js';
+import {GROUP_ORDER, REGISTRY} from '../../services/permissionRegistry.js';
+import {
+    clearResetToken,
+    countUsers,
+    createUser,
+    getUserByEmail,
+    getUserById,
+    getUserByResetToken,
+    setResetToken,
+    touchLastLogin,
+    updateUser,
+    validatePassword
+} from '../../services/users.js';
+import {getProfile, updateProfile} from '../../services/userProfiles.js';
+import {createTransport, sendEmail} from '../../services/email.js';
+
+const { accessTokenExpiry, refreshTokenExpiry } = config.auth;
+
+/** In-memory blacklist of invalidated refresh tokens (cleared on server restart). */
+const blacklistedRefreshTokens = new Set();
+
+// Purge expired tokens every 15 minutes to avoid unbounded growth.
+setInterval(() => {
+  for (const token of blacklistedRefreshTokens) {
+    try {
+      fastifyRef.jwt.verify(token);
+    } catch {
+      blacklistedRefreshTokens.delete(token);
+    }
+  }
+}, 15 * 60 * 1000);
+
+/** Holds the fastify instance once routes are registered (needed by the cleanup interval). */
+let fastifyRef;
+
+export async function authRoutes(fastify) {
+  fastifyRef = fastify;
+    // GET /api/auth/setup-status
+    fastify.get('/auth/setup-status', async () => {
+        const count = await countUsers();
+        return { needsSetup: count === 0 };
+    });
+
+    // POST /api/auth/setup — create the very first admin (only allowed when no users exist)
+    fastify.post('/auth/setup', async (request, reply) => {
+        const count = await countUsers();
+        if (count > 0) {
+            return reply.status(403).send({ error: 'Setup already complete' });
+        }
+
+        const { name, email, password } = request.body || {};
+        if (!name || !email || !password) {
+            return reply.status(400).send({ error: 'name, email and password are required' });
+        }
+        if (password.length < 8) {
+            return reply.status(400).send({ error: 'Password must be at least 8 characters' });
+        }
+
+        const user = await createUser({ name, email, password, role: 'admin' });
+        const { token, refreshToken } = signTokens(fastify, user);
+        return reply.status(201).send({ token, refreshToken, user });
+    });
+
+    // POST /api/auth/login
+    fastify.post('/auth/login', { config: { rateLimit: { max: 5, timeWindow: '1 minute' } } }, async (request, reply) => {
+        const { email, password } = request.body || {};
+        if (!email || !password) {
+            return reply.status(400).send({ error: 'email and password are required' });
+        }
+
+        const user = await getUserByEmail(email);
+        if (!user || !user.isActive) {
+            return reply.status(401).send({ error: 'Invalid credentials' });
+        }
+
+        const valid = await validatePassword(password, user.password);
+        if (!valid) {
+            return reply.status(401).send({ error: 'Invalid credentials' });
+        }
+
+        await touchLastLogin(user.id);
+
+        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role };
+        const { token, refreshToken } = signTokens(fastify, safeUser);
+        return { token, refreshToken, user: safeUser };
+    });
+
+    // GET /api/auth/permissions — returns the raw permissions array for the authenticated user's role
+    fastify.get('/auth/permissions', {preHandler: [authenticate]}, async (request) => {
+        const permissions = getPermissionsForRole(request.user.role);
+        return {permissions};
+    });
+
+    // GET /api/auth/permissions-registry — returns the full permissions registry
+    fastify.get('/auth/permissions-registry', {preHandler: [authenticate]}, async () => {
+        return {groups: GROUP_ORDER, resources: REGISTRY};
+    });
+
+    // GET /api/auth/me
+    fastify.get('/auth/me', { preHandler: [authenticate] }, async (request, reply) => {
+        const user = await getUserById(request.user.id);
+        if (!user) return reply.status(404).send({ error: 'User not found' });
+        const profileEntry = await getProfile(request.user.id);
+        return {...user, profile: profileEntry?.data || {}};
+    });
+
+    // PUT /api/auth/me — self-service update (name, email, password, profile)
+    fastify.put('/auth/me', {preHandler: [authenticate]}, async (request, reply) => {
+        const id = request.user.id;
+        const {name, email, password, profile} = request.body || {};
+
+        if (password && password.length < 8) {
+            return reply.status(400).send({error: 'Password must be at least 8 characters'});
+        }
+
+        const coreUpdates = {};
+        if (name) coreUpdates.name = name;
+        if (email) coreUpdates.email = email;
+        if (password) coreUpdates.password = password;
+
+        const user = await updateUser(id, coreUpdates);
+
+        if (profile && typeof profile === 'object') {
+            await updateProfile(id, profile);
+        }
+
+        const profileEntry = await getProfile(id);
+        return {...user, profile: profileEntry?.data || {}};
+    });
+
+    // POST /api/auth/forgot-password — send a password reset email (no auth)
+    fastify.post('/auth/forgot-password', { config: { rateLimit: { max: 3, timeWindow: '1 hour' } } }, async (request) => {
+        const {email} = request.body || {};
+        if (!email) return {ok: true}; // always ok — prevents enumeration
+
+        try {
+            const user = await getUserByEmail(email);
+            if (!user || !user.isActive) return {ok: true};
+
+            const token = crypto.randomBytes(32).toString('hex');
+            const hash = crypto.createHash('sha256').update(token).digest('hex');
+
+            const authCfg = getConfig('auth');
+            const expiryMs = parseDuration(authCfg.resetTokenExpiry || '1h');
+            const expiry = new Date(Date.now() + expiryMs).toISOString();
+
+            await setResetToken(user.id, hash, expiry);
+
+            const siteConfig = getConfig('site');
+            const smtp = siteConfig.smtp || {};
+            const sitePort = config.server.port || 4096;
+            const resetUrl = `${request.protocol}://${request.hostname}:${sitePort}/admin/#/reset-password?token=${token}`;
+
+            const transport = await createTransport(smtp);
+            const from = smtp.fromAddress || 'noreply@example.com';
+            const fromName = smtp.fromName || siteConfig.title || 'Domma CMS';
+
+            await sendEmail(transport, {
+                from,
+                fromName,
+                to: user.email,
+                subject: 'Reset your password',
+                html: `
+<!DOCTYPE html>
+<html>
+<body style="font-family:sans-serif;max-width:560px;margin:0 auto;padding:24px;">
+    <h2 style="color:#333;">Password Reset</h2>
+    <p>Hi ${user.name},</p>
+    <p>We received a request to reset your password. Click the link below — it expires in 1 hour.</p>
+    <p style="margin:24px 0;">
+        <a href="${resetUrl}" style="background:#5b8cff;color:#fff;padding:12px 24px;border-radius:6px;text-decoration:none;display:inline-block;">Reset Password</a>
+    </p>
+    <p style="color:#888;font-size:.85rem;">If you didn't request this, you can safely ignore this email.</p>
+    <p style="color:#bbb;font-size:.8rem;">${resetUrl}</p>
+</body>
+</html>`.trim(),
+                text: `Hi ${user.name},\n\nReset your password here:\n${resetUrl}\n\nThis link expires in 1 hour.\n\nIf you didn't request this, ignore this email.`
+            });
+        } catch (err) {
+            console.error('[auth] forgot-password error:', err.message);
+        }
+
+        return {ok: true};
+    });
+
+    // POST /api/auth/reset-password — consume token and set new password (no auth)
+    fastify.post('/auth/reset-password', { config: { rateLimit: { max: 5, timeWindow: '1 minute' } } }, async (request, reply) => {
+        const {token, password} = request.body || {};
+        if (!token || !password) {
+            return reply.status(400).send({error: 'token and password are required'});
+        }
+        if (password.length < 8) {
+            return reply.status(400).send({error: 'Password must be at least 8 characters'});
+        }
+
+        const hash = crypto.createHash('sha256').update(token).digest('hex');
+        const user = await getUserByResetToken(hash);
+        if (!user) {
+            return reply.status(400).send({error: 'Invalid or expired reset link'});
+        }
+        if (new Date(user.resetTokenExpiry) < new Date()) {
+            await clearResetToken(user.id);
+            return reply.status(400).send({error: 'Invalid or expired reset link'});
+        }
+
+        await updateUser(user.id, {password});
+        await clearResetToken(user.id);
+        return {ok: true};
+    });
+
+  // POST /api/auth/logout — blacklists the refresh token (fire-and-forget safe: no auth required)
+  fastify.post('/auth/logout', async (request) => {
+    const {refreshToken} = request.body || {};
+    if (refreshToken) blacklistedRefreshTokens.add(refreshToken);
+    return {ok: true};
+  });
+
+    // POST /api/auth/refresh
+    fastify.post('/auth/refresh', async (request, reply) => {
+        const { refreshToken } = request.body || {};
+        if (!refreshToken) {
+            return reply.status(400).send({ error: 'refreshToken is required' });
+        }
+
+      if (blacklistedRefreshTokens.has(refreshToken)) {
+        return reply.status(401).send({error: 'Refresh token has been revoked'});
+      }
+
+        let payload;
+        try {
+            payload = fastify.jwt.verify(refreshToken);
+        } catch {
+            return reply.status(401).send({ error: 'Invalid or expired refresh token' });
+        }
+
+        if (payload.type !== 'refresh') {
+            return reply.status(401).send({ error: 'Invalid token type' });
+        }
+
+        const user = await getUserById(payload.id);
+        if (!user || !user.isActive) {
+            return reply.status(401).send({ error: 'User not found or inactive' });
+        }
+
+        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role };
+        const token = fastify.jwt.sign({ ...safeUser, type: 'access' }, { expiresIn: accessTokenExpiry });
+        return { token };
+    });
+}
+
+/**
+ * Parse a duration string into milliseconds.
+ * Supports "Nm" (minutes), "Nh" (hours), "Nd" (days).
+ *
+ * @param {string} str - e.g. "1h", "30m", "1d"
+ * @returns {number} Milliseconds
+ */
+function parseDuration(str) {
+    const match = String(str).match(/^(\d+)([mhd])$/);
+    if (!match) return 3_600_000; // default 1h
+    const n = parseInt(match[1], 10);
+    const unit = match[2];
+    if (unit === 'm') return n * 60_000;
+    if (unit === 'h') return n * 3_600_000;
+    if (unit === 'd') return n * 86_400_000;
+    return 3_600_000;
+}
+
+/**
+ * Sign both access and refresh tokens for a user payload.
+ *
+ * @param {object} fastify
+ * @param {object} payload
+ * @returns {{ token: string, refreshToken: string }}
+ */
+function signTokens(fastify, payload) {
+    const token = fastify.jwt.sign({ ...payload, type: 'access' }, { expiresIn: accessTokenExpiry });
+    const refreshToken = fastify.jwt.sign({ id: payload.id, type: 'refresh' }, { expiresIn: refreshTokenExpiry });
+    return { token, refreshToken };
+}

package/server/routes/api/blocks.js

@@ -0,0 +1,84 @@
+/**
+ * Blocks API
+ * CRUD for reusable HTML block templates stored in content/blocks/*.html.
+ * GET    /api/blocks         - list all blocks
+ * GET    /api/blocks/:name   - get block content
+ * PUT    /api/blocks/:name   - create or update block
+ * DELETE /api/blocks/:name   - delete block
+ */
+import path from 'path';
+import fs from 'fs/promises';
+import {fileURLToPath} from 'url';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const ROOT = path.resolve(__dirname, '../../..');
+const BLOCKS_DIR = path.join(ROOT, 'content', 'blocks');
+
+const NAME_RE = /^[a-z0-9][a-z0-9-]*$/;
+
+function blockPath(name) {
+    return path.join(BLOCKS_DIR, `${name}.html`);
+}
+
+export async function blocksRoutes(fastify) {
+    const canRead = {preHandler: [authenticate, requirePermission('pages', 'read')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('pages', 'update')]};
+    const canDelete = {preHandler: [authenticate, requirePermission('pages', 'delete')]};
+
+    // List all blocks
+    fastify.get('/blocks', canRead, async () => {
+        await fs.mkdir(BLOCKS_DIR, {recursive: true});
+        const files = await fs.readdir(BLOCKS_DIR);
+        const blocks = [];
+        for (const file of files.filter(f => f.endsWith('.html'))) {
+            const name = file.slice(0, -5);
+            const stat = await fs.stat(path.join(BLOCKS_DIR, file)).catch(() => null);
+            blocks.push({
+                name,
+                size: stat?.size ?? 0,
+                updatedAt: stat?.mtime?.toISOString() ?? null
+            });
+        }
+        return blocks.sort((a, b) => a.name.localeCompare(b.name));
+    });
+
+    // Get single block
+    fastify.get('/blocks/:name', canRead, async (request, reply) => {
+        const {name} = request.params;
+        if (!NAME_RE.test(name)) return reply.status(400).send({error: 'Invalid block name'});
+
+        try {
+            const content = await fs.readFile(blockPath(name), 'utf8');
+            return {name, content};
+        } catch {
+            return reply.status(404).send({error: 'Block not found'});
+        }
+    });
+
+    // Create or update block
+    fastify.put('/blocks/:name', canUpdate, async (request, reply) => {
+        const {name} = request.params;
+        if (!NAME_RE.test(name)) return reply.status(400).send({error: 'Invalid block name. Use lowercase letters, digits, and hyphens only.'});
+
+        const {content} = request.body || {};
+        if (typeof content !== 'string') return reply.status(400).send({error: 'content (string) is required'});
+
+        await fs.mkdir(BLOCKS_DIR, {recursive: true});
+        await fs.writeFile(blockPath(name), content, 'utf8');
+        return {success: true, name};
+    });
+
+    // Delete block
+    fastify.delete('/blocks/:name', canDelete, async (request, reply) => {
+        const {name} = request.params;
+        if (!NAME_RE.test(name)) return reply.status(400).send({error: 'Invalid block name'});
+
+        try {
+            await fs.unlink(blockPath(name));
+            return reply.status(204).send();
+        } catch {
+            return reply.status(404).send({error: 'Block not found'});
+        }
+    });
+}